A lot of websites opt for the recommended NIST system of requiring 8 characters with at least one uppercase, at least one lowercase, at least one number and at least one special character. Using this system, it would mean a password would look something like ‘Pas$w0rd’. This is still not secure. As stated earlier, passwords will always be broken. They are often broken through either guessing (social engineering), malware (keylogging) or brute force.
If a password uses numbers (0-9), uppercase (A-Z), lowercase (a-z) and special characters (!”£ etc), there are 95 possible choices for a one character password. If the password is two characters long there are 9025 possible choices and for three characters there are 857375 possible choices (and so on with the equation being expressed as 95^n (with n being the number of characters in the password)).
As a species, humans make terrible choices for passwords. Even if a person chooses a ‘random’ password, we have bias towards certain letters and numbers. This is called letter frequency and can easily be seen in the game Scrabble. There are more letter E (12) then Q (1). Nobody wants to get the Q or the Z. In addition humans are notoriously bad at remembering random strings of letters and numbers, so we either write it down (which is a very bad idea for a password) or we make it easy to remember.
Both have the same amount of entropy but it would take less than 6 hours to guess either password with Gosney’s machine. As such, neither is secure.
Because you can’t change the option of accepted characters, you can secure your password through the amount of characters used on your password. This is where the 95^n comes in and that means 95 multiplied by itself however many characters are in your password. That means the password entropy on a eight character password is worked out by;
This equates to 6.63 quadrillion different possible passwords. A more secure password would be at least 20 characters long (95^20) and would equate to 10.24 decillion possible different passwords. For reference:
Using Gosney’s machine on a twenty character password could potentially take up to 9,277,379,140 years to crack just a single password…
Well great, it will take over 9 billion years for someone to crack my password, but my password isn’t the only one out there. My password is secured by someone else and that someone else may not (probably not) as vigilant as me and as such my password is only as secure as their password.
Now because my security is only as good as the weakest link in the chain, industry practice states to have a different password for every site. Which is a great idea, but I doubt I can remember a single twenty character password, let alone a different twenty character for every single site I’m registered on.
A password manager is a piece of software which stores all the secure passwords in an encrypted database which can only be accessed with the correct password (which should still be twenty characters or more). This may seem like a weak part of the plan having all the secure passwords stored in a single place secured with a single password, however this can be further overcome with the addition of Two-Factor Authentication (2FA). This is where a hardware device is used to authenticate that you are the correct holder of the account and you’re authorised access.
This ensures that all your passwords are secure, encrypted and still easy for you to access. Granted even this isn’t 100% secure, but it’s as close as we can get.
My little trick for a completely random password that’s easy to remember? Get a dictionary and open it to a random page. Close your eyes and stick your finger on the page…. closest word is chosen. Do this 4 or 5 more times. That’s your password….
And because someone said it a lot better then me…
Jayson is the Senior Vice President of Customer Experience at Private Internet Access. With a long history as an engineer with experience working in communications and electronics warfare in the British Army, he has worked on both sides of the proverbial fence. A staunce advocate of open source technology, Jayson is not adverse to hard work to achieve a goal. He enjoys drinking mead, amazing vodka and good conversation about sustainability and beekeeping.