Passwords have long been a source of bafflement — and amusement — to me, and as often happens when confronted with a puzzle, I’ve been doing some research.
Some of it I already know: There are 26 letters in the (English) alphabet (52, if you consider case-sensitivity), 10 single-digit numbers, and approximately 32 punctuation characters on the standard English computer keyboard. That’s 94 characters all total.
Some of it requires a bit of math: Consider now a single character, that may be any one of those 94 characters, combined with another single character, that may also be any one of those 94 characters, and you even up with 8836 possible combinations of those two unknown characters.
Some of it gets a bit mind-boggling: Since a standard password is a minimum of 8 characters in length, you end up with 6,095,689,385,410,000 (that’s over 6 quadrillion) possible combinations of characters making up each 8-digit password. That’s not even taking longer passwords into consideration!
So which of those 6 quadrillion combinations of characters make the best — and worst — passwords?
And what makes a password secure — or insecure — in the first place?
By their very nature, passwords must be stored. How does any system know whether or not you are using the correct password? They compare it to the previously stored data!
That storage may take place locally, on your own PC, such as in the case of login data or passwords saved in browsers, or on servers, such as in the case of online services, etc.
Various forms of encryption or encoding are generally used to store passwords, and even to mask them on your screen as you type them in. I’m sure you’re familiar with these strings of asterisks of which I speak.
Ultimately, what is encrypted can be decrypted, and what is encoded can be decoded; regardless, the effort to avoid plain-text storage is a good thought.
There’s also the fact that we may store our own passwords not only in our brains — a fairly secure location right up until we experience memory-loss — but often many times on paper or electronically.
All of these methods of storage have implications on the security of our passwords.
By now, many of us have been victims of various large-scale security breaches involving passwords having been lost, stolen, hacked, or otherwise compromised.
There is little that we can do as individuals to protect against such breaches except to refrain from re-using the same password(s) in multiple places (for multiple services) and to change our password as quickly as possible after becoming aware of such a breach.
There is similarly very little that we can do to prevent brute force cracking attempts, which is a method characterized by trial and error attempts to provide the correct password.
Most — if not all — services try to prevent brute force attacks by limiting the number of attempts that can be made within a span of time, and/or by forcing a password reset.
Despite all of these measures, passwords are not infallible; the good news is that there are methods of creating strong passwords that are less easily cracked than others.
Hallmarks of Insecure Passwords
To create a good password, it is important to understand what makes a bad password.
A bad, or insecure, password is one that can be either guessed (usually because it contains widely-known personal information) or easily cracked (usually because it is one of the many “lazy” passwords, or comprised mostly of dictionary-words).
Yes, that’s right, all this time that you (and everybody else) have been using “qwerty”, “password” and “12345678” as your password, it has been a disaster waiting to happen.
Similarly, using any of the following as your password (or even a part of your password) is not at all recommended:
– Names or Nicknames
– Phone Numbers/ID Numbers/Etc.
– Dictionary Words
– Anything “Easy” or “Simple” (“Guessable”)
It used to be that my Dad would say that “theraininspainfallsmainlyontheplain” was a good password (but not to use that one, because it was his.)
These days, even this password (with it’s above-average length) is not recommended, due to it’s composition of dictionary words, as well as it being a known phrase.
(Hopefully he doesn’t use it anymore; in fact, hopefully he never used it in the first place!)
Creating Strong Passwords
With all the “don’ts” that we have just covered, what remains, that can be used to create a strong password?
Passwords should be composed of a combination of the following:
2. Uppercase Letters
3. Lowercase Letters
5. Special Characters (Punctuation, Etc.)
The password “memffphis.3j8D-99”, for example, is a mostly random password that fulfills the recommendations. (But don’t use this one; it’s mine.)
The problem with this example is that it means nothing, and so is hard to remember.
As a compromise, recent recommendations have been to employ the following formula:
1. Choose an event, goal, or thought, that is significant to you (and no one else, hopefully).
2. Turn it into a sentence or phrase with a minimum of eight words; include punctuation and numbers if at all possible.
3. Use the first letter of each word as your password, and include punctuation.
With this method, you can easily come up with a seemingly random string of letters, numbers and punctuation as your password. At the same time, due to it having meaning to you, it is easily memorized.
Let’s look at some examples.
When I was 12 I got my first puppy; it was exciting! = wIw12Igmfp;iwe
My day job involves lots & lots of emailing. = mDJil&loe
If there are a dozen cookies, can I eat half? = itr12c,cIe6
As you can see, creating passwords does not have to be a chore. In fact, using this method, you can end up having a lot of fun!
Are Passwords On Their Way Out?
There is a lot of speculation about whether or not passwords will still be around in the years to come.
Many people predict that passwords are soon to be replaced with bio-metrics, such as fingerprint and retina scans, facial recognition, voice recognition, brain-waves, etc.
I’m with the crowd that believes that such changes are still a while off — not only because most of us will need eased into such a transition, but also because there are still a number of security and logistical issues surrounding such changes.
In any case, if and when the changes come, they’ll surely have their own set of issues to be worked out.
In the meantime, we’ll do the best we can with the system we have in place!
If I’ve learned anything at all over the course of this particular batch of research, it’s that a surprising number of people still use a single, easily-guessable password across a variety of platforms.
I hope that if nothing else, you now have some ideas that you can employ the next time you need to set a new password; ideas that will help you to come up with a strong password that will be easy for you to remember.