We all worry about passwords, although some people are at the “all-for-one and one-for-all” end of the spectrum, where a pet’s name or even “password1” is fine, while others use only multiple, unique, complex, randomized alphanumeric strings with mixed-case characters and symbols. Either way, your password can be cracked.
How long it takes to crack depends on the other aspects of security enabled on the site to which you entrust your data. If the site forces you to use a complex password, you might imagine you are more secure, but how many characters does it allow? Even short random strings may be no more secure than a word in the dictionary. There are numerous password strength tests online, and many sites assess the password you choose when you sign up, forcing you to pick something they consider stronger if your initial choice is too weak.
Protection against dictionary and brute-force attacks on passwords often hinges on a second authentication measure – a keypad widget from your bank, say, or the need to authenticate with a PIN sent by text to your registered phone. Additionally, many sites will lock you out after a number of failed login attempts. But if a cracker knows your email address and you used an anniversary (perhaps shared on Facebook), a beloved pet’s name (whose photos you upload regularly to Flickr) or your mother’s actual unmarried surname, you could be opening up your account to a much easier attack.
Some time ago, I devised a password-generation protocol that chemists, or anyone else, could use to create complex but memorable passwords. Think of a molecule: Taxol, the anticancer drug, say. It has the molecular formula C47H51NO14. You could make that your password, but it wouldn’t be a long shot for a cracker to build a dictionary of chemical formulae. So, to make it tougher, you could use a personal algorithm to obfuscate the formula, and then apply other mixers to get a relatively strong password that is still easy to remember.
Password testers look for complexity, what one might scientifically refer to as the password’s entropy: its “randomness” or apparent disorder. A password like “B41ON15H74Cd” looks complex, and one strength test tells me it is “very strong”. However, everyone reading this now knows that algorithm, so I’d avoid that approach.
However, if you don’t choose a long and surreal passphrase and instead pick a film title, a song lyric or a well-known phrase (“Another one bites the dust” would fit all three descriptions, for instance), then according to a new study by Joseph Bonneau and Ekaterina Shutova of Cambridge University you are still leaving yourself wide open to attack.
There have been repeated attempts to circumvent the password problem, such as the OpenID initiative and the yet-to-launch OneID concept. But there are thousands, if not millions, of systems in which the username-password combination for logging in is entrenched. So, what is the best way to choose a password that you can remember?
It’s hard to say. My advice is to pick 5 to 6 words, string them together in a random-seeming order (so no well-known phrases), swap out a few characters for numbers and symbols (avoiding 1337-style substitutions), and then maybe reverse the letters in one of the words. Now memorise this; don’t write it down, but use it as the master password for an offline software password locker that can generate 20-character, complex, random, mixed-case alphanumeric strings with symbols for each site with which you register. Oh, and if it’s an option, use multi-factor authentication for the master login. Whatever you do, just don’t pick 123456 or password1 as your master key.
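As an added illustration (not code from the original post), the following Python script estimates the entropy, in bits, of each password strategy contrasted above, from a single dictionary word or a chemical formula through to the 5-word passphrase and the 20-character per-site strings a password locker would generate, and shows why a short random string buys little over a dictionary word. The dictionary, formula-list and phrase-list sizes, the word-list size and the guessing rate are assumed, illustrative values, not figures from the post.

```python
import math
import secrets
import string

# Constructed assumptions: the post gives no sizes for these lists, so the
# values below are illustrative only.
DICTIONARY_WORDS = 100_000      # common-word list a cracker tries first
CHEMICAL_FORMULAE = 1_000_000   # a cracker's dictionary of molecular formulae
KNOWN_PHRASES = 1_000_000       # film titles, song lyrics, sayings
WORDLIST = 7_776                # diceware-style list for random-word passphrases
PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 symbols

def entropy_bits(choices: int, length: int = 1) -> float:
    """Bits of entropy for `length` independent uniform picks from `choices` options."""
    return length * math.log2(choices)

def strategy_entropy() -> dict:
    """Entropy of each password strategy the post discusses, in bits."""
    return {
        "dictionary word": entropy_bits(DICTIONARY_WORDS),
        "3-char random alphanumeric": entropy_bits(62, 3),   # barely beats a word
        "chemical formula (from a formula list)": entropy_bits(CHEMICAL_FORMULAE),
        "well-known phrase": entropy_bits(KNOWN_PHRASES),
        "5 random words, random order": entropy_bits(WORDLIST, 5),
        "20-char random mixed string": entropy_bits(len(PRINTABLE), 20),
    }

def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time for exhaustive guessing: on average half the keyspace is searched."""
    return 2 ** (bits - 1) / guesses_per_second

def generate_site_password(length: int = 20) -> str:
    """Per-site password from a CSPRNG, retried until every character class is present."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    while True:
        pw = "".join(secrets.choice(PRINTABLE) for _ in range(length))
        if all(any(c in cls for c in pw) for cls in classes):
            return pw

if __name__ == "__main__":
    rate = 1e10  # assumed offline guessing rate against a fast, unsalted hash
    for name, bits in strategy_entropy().items():
        secs = expected_crack_seconds(bits, rate)
        print(f"{name:40s} {bits:6.1f} bits  ~{secs:.3g} s at {rate:.0e} guesses/s")
    print("example per-site password:", generate_site_password())
```

The dictionary-sized entries all fall around 17 to 20 bits, which is why a "complex-looking" formula or phrase is no safer than a word once the cracker has the right list; only the random-word passphrase and the locker-generated string move the cost out of reach.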