Password stength is important

This article explains some myths about passwords:

http://tidbits.com/article/13651

It talks about how long passwords should be, and the dangers of different types of passwords and using the same password for everything.

One interesting site they link to is this cartoon:

http://xkcd.com/936/

What this indicates is that a seemingly difficult password (Tr0ub4dor&3) is actually very easy for a computer to guess. On the other hand, you would think that a password made up of ordinary words joined together (correcthorsebatterystaple) would be easy to guess – not so! The first can be cracked in 3 days, the second in 550 years. (But note that is with current technology. In five years time, as computers get faster, that 550 years might be down to a few days.)

If you would like an estimate of how long it would take to crack a password, try this site:

http://dl.dropbox.com/u/209/zxcvbn/test/index.html

When you type in a password, it will show you the strength of the password (the entropy) and how long it would take to crack with current technology. For both, a bigger number is better.

The examples show that a seemingly-complicated, but short, password like “zxcvbn”, the bottom row of the keyboard, can be cracked in a fraction of a second.

Tr0ub4dor&3 can be cracked in 22 hours.

correcthorsebatterystaple will take 65 years to crack. (But remember that computers are getting faster all the time.)

Add some special characters and digits into the latter “coRrecth0rseba++ery9.23.2007staple$”, and it becomes 118 million years.

So what can you do to get stronger passwords and still be able to remember them?

1. Make it long, but easy to remember. A string of ordinary but unrelated words is a good starting point. The longer the better.

2. Add some upper case, preferably not at the start of the words. Maybe the end, or the second letter, or whatever.

3. Include some punctuation characters and digits. Think about substituting for existing letters, eg, + for t or 3 for e, or just adding punctuation symbols.

4. Check your password’s strength on the site above. If the entropy figure is less than 50, make it longer or more difficult.

5. Use different passwords for each site you visit. This can be difficult to remember unless you have some system to remember them. One I recommend to my clients is to have a little book at home in which you write down the website address, your username and your password. Keep it in a bottom drawer somewhere, out of sight, and remember to always update it.

Another system is to pick a good password as above, then add something about the website to make it unique, say, something from the domain name.

Let’s look at a simple example password. Say you start with “vanillaicecreamisgreat”. This is 22 characters long and will only take 4 days to crack.

Make some letters upper case. If you make the first letter in each word upper case “VanillaIcecreamIsGreat”, it will take 3 months to crack. If you instead make the second letter in each word upper case “vAnillaiCecreamiSgReat”, it will take 7 years to crack.

Or better, add some punctuation symbols “Vanilla#Icecream#Is#Great”. This will take 66 million years to crack.

As for making passwords unique for each site, you can use something about the site to include in the password. So for example, you might use the last letter of the main part of the domain name. For netbank.com.au, that would be “k”. You could insert this between the first and second words and add another punctuation character “Vanilla#k#Icecream#Is#Great”. This will take 480 million years to crack.

You can see from this that even small changes can make your password much more difficult to crack. And that unique passwords that you can remember are reasonably easy to make up.