Safe and Easy Passwords

I was reading something by a friend of mine about an easy way to remember a large number of passwords. I had some comments on it but I was writing a bit too much to fit in a comment box so I’ve moved it here instead.

The basic idea is this: it’s inadvisable to use the same password across multiple networks because, possibly amongst other things, if someone knows one of your passwords then they have access to everything you do online! So it was suggested that you pick something memorable (for instance, a proud supporter of Liverpool F.C. might take the word “liverpool”) and prepend the first letter of whatever service the password is for. For example:

Twitter: tliverpool
Facebook: fliverpool
Identica: iliverpool
Gmail: gliverpool
Jabber: jliverpool
And so on…

Now, while in principle this might be an easy way to remember passwords, there are some problems with it, so I’d like to add a bit more.

I hope you knew, before reading this, that using a password like “123”, “anne” or “password” is one of the most inane things you could do, security-wise. You might as well set your password to “hackme”, which, ironically, is probably less likely to be guessed than any of the former.

The point here is that one method of cracking passwords involves trying common n00bish passwords like those mentioned above, as well as trying words from a dictionary or word list. Therefore names of people or places, or any word that might be in a dictionary or word list, are not good choices for a password, so it would have been a good idea to get a bit more creative than just “liverpool”. A misspelling such as “liverpuwl” is less likely to be guessed using a dictionary. Of course, much better would be to use something that’s not a word at all, like “oadqfxlv”, but that’s much harder to remember!

Websites usually recommend that your password be a random sequence of uppercase and lowercase letters, numbers and symbols between 6 and 12 characters long. But why? Well, it certainly rules out a dictionary check for one thing, but it’ll probably make the password even harder to remember! So here’s another little piece of advice: try writing in 1337 (leet speak), replacing letters with other characters that look similar. For example, do you see how
|_1\/£|?00|_ = LIVERPOOL ?
Maybe that wasn’t the easiest of examples, but I think you get how 0, O and o could be mixed up? Obviously you don’t have to go as extreme as that; something like

L1v3r~P0o|

is good. That has uppercase and lowercase letters, numbers and symbols, and I doubt anybody would guess it! If your OS supports it and you know how to type them, you could even try adding special characters such as ò and ó, as in liverpòól. Just don’t get too carried away; I can’t guarantee that whatever service you use will support the characters you choose.

I didn’t mention yet why it’s required that your password be within a certain length range, even though this is much more important than using numbers and letters in different cases. Another method of password cracking is the brute force method: the attacker tries every possible combination of letters, numbers and special characters until they find one that works. For example, they might try “a”. If that doesn’t work they’ll try “b”, then “c”, and so on until “z”. If none of those worked they’ll try “aa”, “ab”, “ac” and so on until they eventually get it. Of course, if you tried doing this by typing in the combinations yourself it could take you forever, but doing repetitive tasks is something computers are exceptionally good at, and it would probably take a computer only a few seconds to crack a 3 letter password with this method.

(Image: Brute Force example)

Obviously adding characters that are unlikely to be tried can help, but what helps more is the length of the password, because each extra character increases the time taken to crack it exponentially. For the same computer that cracked your 3 character password in a matter of seconds, a 6 character password would take more than a week to crack, and an 8 character password could take a few years, almost a century in fact, so it’s considered pretty safe. Just hope nobody’s got a lot of time and a farm of multi-threaded brute force cracking computers aimed at you, and it’s all cool.
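To make the three rules above concrete (no dictionary words, mixed character classes, and the exponential cost of brute force by length), here is a small assessment script. It is an added example written for this page, not code from the original post; the word list is a constructed stand-in for a real dictionary file, the guess rate of one million per second is an assumed figure, and the class sizes are the plain ASCII alphabets (26 lower, 26 upper, 10 digits, 32 symbols). It also reproduces the enumeration order the post describes (“a”, “b”, … “aa”, “ab”, …) and gives the closed-form guess number of any password in that order, so you can see how the count grows with length rather than just taking it on faith.

```python
"""Password assessment helper: word-list check, character classes, and the
brute-force cost model described in the post.  Standard library only."""
import itertools
import string

# Constructed stand-in for a real dictionary / common-password list.
WORDLIST = {"password", "123", "anne", "hackme", "liverpool", "football"}

# Size of each character class an attacker must include once the password is
# known to use it.  Non-ASCII characters are classed as "other" and not
# counted, because the attacker's alphabet for them is unknown.
CLASS_SIZES = {
    "lower": len(string.ascii_lowercase),   # 26
    "upper": len(string.ascii_uppercase),   # 26
    "digit": len(string.digits),            # 10
    "symbol": len(string.punctuation),      # 32
    "other": 0,
}


def character_classes(password):
    """Return the set of character classes the password draws from."""
    classes = set()
    for ch in password:
        if ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.digits:
            classes.add("digit")
        elif ch in string.punctuation:
            classes.add("symbol")
        else:
            classes.add("other")
    return classes


def brute_force_guesses(length, alphabet_size):
    """Guesses needed to exhaust every password of 1..length characters."""
    return sum(alphabet_size ** n for n in range(1, length + 1))


def seconds_to_exhaust(password, guesses_per_second):
    """Worst-case time to brute-force a password of this shape at a given rate.

    The alphabet size is the sum of the classes the password actually uses, so
    a lowercase-only word is searched over 26 symbols, a fully mixed one over 94.
    """
    alphabet_size = max(1, sum(CLASS_SIZES[c] for c in character_classes(password)))
    return brute_force_guesses(len(password), alphabet_size) / guesses_per_second


def enumerate_candidates(alphabet, max_length):
    """Yield candidates in the order the post describes: a, b, ..., aa, ab, ..."""
    for n in range(1, max_length + 1):
        for chars in itertools.product(alphabet, repeat=n):
            yield "".join(chars)


def guess_number(password, alphabet):
    """Closed-form position of `password` in enumerate_candidates(alphabet, ...).

    All shorter strings come first (k + k^2 + ... + k^(n-1) of them), then the
    strings of the same length in lexicographic order, i.e. read as a base-k number.
    """
    k = len(alphabet)
    shorter = sum(k ** n for n in range(1, len(password)))
    value = 0
    for ch in password:
        value = value * k + alphabet.index(ch)
    return shorter + value + 1


def assess(password, guesses_per_second=1_000_000):
    """Apply the post's three rules and attach the brute-force estimate."""
    problems = []
    if password.lower() in WORDLIST:
        problems.append("appears in word list")
    if len(character_classes(password) - {"other"}) < 4:
        problems.append("does not use all four classes (upper, lower, digit, symbol)")
    if not 6 <= len(password) <= 12:
        problems.append("length outside the 6-12 range")
    return {
        "problems": problems,
        "seconds_to_exhaust": seconds_to_exhaust(password, guesses_per_second),
    }


if __name__ == "__main__":
    for candidate in ("liverpool", "liverpuwl", "L1v3r~P0o|"):
        print(candidate, assess(candidate))
```

Running it shows the jump the post is talking about: “liverpool” is rejected outright by the word list, “liverpuwl” survives the dictionary but is still a 26-symbol search, and “L1v3r~P0o|” widens the alphabet to 94 symbols and adds a character, which multiplies the worst-case guess count by many orders of magnitude at the same assumed rate.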

But if a longer password is better, then why is there a limit on the maximum length? Why don’t they just say 6 or more? Well, every time you enter your password to be checked by whatever service you’re authenticating to, it uses that as a keyword to decrypt the encrypted passcode for your username and checks that it matches. This uses up some system resources. Obviously when you log in to your own personal computer, authenticating a single user isn’t going to cripple it; even if your password is long it shouldn’t take any noticeable amount of time to check. However, imagine over 9000 users trying to authenticate to a server all at once, all with passwords of 30+ characters; now that will slow things down. In summary, be considerate of the service that has to do the work of checking your password.

The last thing I’d like to say is that it’s probably a good idea to have more than just a single character of difference between the passwords you use for different services; otherwise it’s too easy to guess for someone who has cracked or obtained one of your passwords from somewhere else. So your final set of passwords might now look something like this:

Twitter: L1v3rT~rP0o|
Facebook: L1v3rF~bP0o|
Identica: L1v3rI~aP0o|
Google Mail: L1v3rG~lP0o|
Jabber: L1v3rJ~rP0o|
And so on…

That looks really complicated to someone who doesn’t know what they’re looking at, but it’s nigh uncrackable, and you, having combined a keyword for something you’ll easily remember with some 1337, a few extra characters and some changes depending on the service, now have a safe system of easy to remember passwords. Congratulations!

Wow, what a long post this turned out to be. Oh well, your reward for reading all of this can be knowing more; how’s that sound? If there’s anything you think needs more explaining, anything you disagree with, or any comments in general, then as usual feel free to comment below. It’s encouraged!