Picking a perfect password

Pivot Points is a monthly column by EuroScientist writer David Bradley.

We all worry about passwords although some people are at the “all-for-one and one-for-all” end of the spectrum where a pet’s name or even “password1” is fine and others use only unique, multiple complex, randomized alphanumeric strings with mixed case character sets and symbols. Either way, your password can be cracked.

How long it takes to crack depends on the other aspects of security enabled on the site with which you entrust your data. If the site forces you to use a complex password, you might imagine you are more secure, but how many characters does it allow? Even short random strings may be no more secure than a word in the dictionary. There are numerous password strength-tests online and many sites assess the password you choose when you sign up and force you to choose something they consider stronger if your initial choice is too weak.

Protection against dictionary and brute-force attacks on passwords often hinges on either a second authentication measure – a keypad widget from your bank, say, or the need to authenticate with a PIN sent by text to your registered phone. Additionally, many sites will lock you out after a number of failed login attempts. But, if a cracker knows your email address and you used an anniversary (perhaps shared on Facebook), a beloved pet name (whose photos you upload regularly to Flickr) or your mother’s actual unmarried surname you could be opening up your account to a much easier attack.

Some time ago, I devised a password-generation protocol that chemists, or anyone else, could use to devise complex but memorable passwords. Think of a molecule, Taxol, the anticancer drug, say. It has the molecular formula C47H51NO14. You could make that your password, but it wouldn’t be a long shot for a cracker to create a dictionary of chemical formulae. So, to make it tougher you could have a personal algorithm to obfuscate the formula. You could apply other mixers to get a relatively strong password that would be easy to remember.

The password testers look for complexity, what one might scientifically refer to as the password’s entropy, its “randomness” or apparent disorder. A password like “B41ON15H74Cd” looks complex and one strength test tells me it is “very strong”. However, everyone reading this now knows that algorithm, so I’d avoid that approach.

But, here’s a thing… “abcdefghijklmnopqrstuvwxyz” doesn’t look like a strong password but a random search would take 780 quintillion years to find it according to one test. Remove one letter and add a pseudorandom non-alphanumeric character somewhere in the string and it could be even tougher. E.g. “abcdefgijklmno%pqrstuvwxyz” would take 108 septillion years. Easy to remember…almost…but you would need something similar but not the same for all your other sites. And, a system devised by Microsoft that precludes more than a set number of users having the same password on a system could make that increasingly difficult for the unimaginative.

So, what about leet speak or passphrases? An XKCD cartoon lampooned passwords. It suggested that the common way to come up with passwords was to pick a memorable word, convert it to so-called leet-speak (1337, the “elite” hacker pseudo-code) so that, for instance, you might use Tr)ub4d0r&3. This would be fairly easy to remember but an analysis reveals it to have only 28 bits of entropy, so would take a mere three days to guess at a rate of 1000 guesses per second. Moreover it uses “1337”, the very language crackers and hackers adore and so is the first substitution they embed in cracking software! Much better, the cartoon claimed would be to visualise an odd scene – a horse describing a staple on a battery and a person confirming the validity of that scenario, thus: “correcthorsebatterystaple” would be your memorable passphrase. The entropy is 44 bit and that would take 550 years to guess.


However, if you don’t choose a long and surreal passphrase and instead choose a film title, a song lyric or a well-known phrase, “Another one bites the dust” would fit all three descriptions, for instance, then according to a new study by Joseph Bonneau and Ekaterina Shutova of Cambridge University you are still leaving yourself wide open to attack.

There are repeated attempts to circumvent the password problem, such as the OpenID initiative and the yet to launch OneID concept. But, there are thousands if not millions of systems within which the username-password combination for logging in is entrenched. So, what is the best way to choose a password that you can remember?

It’s hard to say, my advice is to pick 5 to 6 words string them together in a random-seeming order (so no well-known phrases) swap out a few characters for numbers and symbols (avoiding 1337) and then maybe reverse the letters in one of the words. Now, memorise this, don’t write it down but use it as the master password for an offline software password locker that can generate 20-character, complex, random, mixed-case alphanumeric strings with symbols for each site with which you register. Oh and if it’s an option use multi-factor authentication for the master login. Whatever you do, just don’t pick 123456 or password1 as your master key.

David Bradley
Latest posts by David Bradley (see all)

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.