The perfect password: is there such a thing, and how to choose it?
This week, as I’ve been going hands-on with the ultra-secure Blackphone, one thing has really stuck out in my mind: passwords, and whether there is such a thing as a “perfect password”.
We use passwords for a lot more than most think. Every day I wake up and check my email. Doing so requires that I enter a password. I head over to Pocketnow and login with another password to publish my daily article. I then share that article with various social media networks, each with a different password.
When I check my phone I have to input a PIN (which is another kind of password). When I head out to my day job, my key fob has already passed a token to my car, unlocking the doors and waiting for me to push the “On” button. When I arrive at the office, I have to input a code to get into the building or use my ID badge with an RFID embedded inside it – another kind of password. I login to my computer with another password, then RDP into three other computers, each with its own password.
When I check my bank account, I have to use another password. When I use my debit card (attached to the same account) I use another password (yet another PIN).
When I connect to any wireless access points, I have to (hopefully!) enter another password – for each one.
I’m sure I’ve missed some passwords in this list, but it raises the question: is there such a thing as a perfect password? And if so, how do we go about choosing one?
The Silver Unicorn
As a mild-mannered webmaster by day, I’m tasked with ensuring that data stays secure, servers stay operational, and all the users that lock themselves out of their accounts get their passwords reset and their accounts unlocked in a timely fashion. It’s a thankless job, but someone’s got to do it.
The company has standardized on what kind of password they feel is “secure”, which mirrors the policies that a good portion of the industry uses. You’re probably familiar with it:
- Must contain at least one uppercase letter
- Must contain at least one lowercase letter
- Must contain at least one number
- Must be at least 8 characters long
- Cannot use a pattern (such as 1234 or abcd)
- Cannot reuse a previous password
- Cannot contain any part of your username
- Should not be used on any other site
- Should contain at least one special character (as long as it’s not too special)
- Vowel substitution (replacing vowels with numbers) can be an easy way to make a password “more secure”
Passwords modeled after these “magic rules” remind me of an episode of The IT Crowd, where Moss learns the new telephone number for emergency services:
You recognize those rules, I’m sure. They may be worded differently, but most sites and services are going to use some variation on them.
They’re a pile of nonsense.
Strict rules like these are based on sound reasoning, but they all boil down to trying to foil bots (automated programs) that apply brute force to eventually get into your account. “Delay” may be a better word than “foil”.
We live in a day when bots can be run across a distributed network of zombie PCs that have been infected with malware, or even from a dozen off-the-shelf computers run in a dorm room or even a closet.
Using password rules like these, it’s not a matter of if your account will be compromised, but when.
“Through 20 years of effort, we’ve successfully trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess.” – XKCD
I’ve gotten so used to sites requiring some combination of the “magic rules” that my passwords usually conform out of necessity more than anything else. Unfortunately, we’re doing it wrong.
For example, four random words strung together with no caps, no numbers, and no special characters, at 1,000 guesses per second, will take around 550 years to break. Again, it’s not impossible, just highly improbable – and a password like that is much easier for me to remember. My pseudo-random string of eleven characters that comply with the “magic rules”, however, will only take 3 days at the same rate of 1,000 guesses per second.
The irony is what happened just the other day: I created a password that was “too secure”. The site didn’t allow special characters, and the password couldn’t be longer than 12 characters.
Just how secure is that? We can figure it out with a little math!
- 26 lowercase letters in the English alphabet
- 26 uppercase letters in the English alphabet
- 10 numerals (zero through nine)
- 12 character maximum length
Who wants to do the math and calculate how complex that password can be? At 1,000 guesses per second, how long will it take before any password on that site is broken? I don’t want to spoil your fun, so head down to the comments and share your 1337 skills with us!
Would you trust a site with those rules knowing that it’s only that secure?
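For anyone who wants to check the arithmetic, here is an added example (not from the original post) that implements the “magic rules” as a checker and does the keyspace math for the article’s cases: the two passwords from the XKCD comic referenced above and a site that allows 62 symbols and at most 12 characters, all at the article’s 1,000 guesses per second. The comic’s 28-bit and 44-bit estimates are taken as given, and treating any three-character slice of the username as “part of your username” is this example’s own assumption.

```python
import math
import re

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def meets_magic_rules(password: str, username: str = "") -> bool:
    """The article's 'magic rules': upper, lower and digit, 8+ characters,
    no 4-character run such as 1234/abcd, no 3+ character slice of the username.
    (The 3-character username slice is this example's assumption.)"""
    if len(password) < 8:
        return False
    if not (re.search(r"[A-Z]", password) and re.search(r"[a-z]", password)
            and re.search(r"[0-9]", password)):
        return False
    lower = password.lower()
    for i in range(len(lower) - 3):
        chunk = lower[i:i + 4]
        if all(ord(chunk[j + 1]) - ord(chunk[j]) == 1 for j in range(3)):
            return False  # ascending run like 1234 or abcd
    for i in range(max(0, len(username) - 2)):
        if username[i:i + 3].lower() in lower:
            return False
    return True


def keyspace_up_to(alphabet_size: int, max_length: int) -> int:
    """Every password of 1..max_length characters from the alphabet
    (a site that only caps the length, like the one in the article)."""
    return sum(alphabet_size ** n for n in range(1, max_length + 1))


def years_to_exhaust(keyspace: int, guesses_per_second: float = 1000.0) -> float:
    """Worst-case time to try the whole keyspace at the article's guessing rate."""
    return keyspace / guesses_per_second / SECONDS_PER_YEAR


# Constructed cases. The bit counts are the XKCD comic's own estimates
# (28 bits for a substituted word plus a digit and symbol, 44 bits for
# four words drawn from a 2048-word list); they are not derived here.
COMIC_CASES = {"Tr0ub4dor&3": 2 ** 28, "correcthorsebatterystaple": 2 ** 44}


def compare() -> dict:
    """Rules verdict and worst-case cracking time for each case at 1,000 guesses/s."""
    out = {pw: {"passes_rules": meets_magic_rules(pw), "years": years_to_exhaust(ks)}
           for pw, ks in COMIC_CASES.items()}
    # The article's site: 26 + 26 + 10 = 62 symbols, no specials, at most 12 characters.
    site = keyspace_up_to(62, 12)
    out["site_max12"] = {"bits": math.log2(site), "years": years_to_exhaust(site)}
    return out
```

The checker waves “Tr0ub4dor&3” through and rejects “correcthorsebatterystaple”, while the keyspace math says roughly three days against roughly 550 years; the 62-symbol, 12-character site works out to about 71 bits, which at 1,000 guesses per second is far beyond the comic’s figures, so the real question for such a site is the rate an attacker can actually achieve, not the character set.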
Some people want to turn to biometrics as the proverbial “silver bullet”. After all, who else has your eyes, your DNA, your fingerprint, or a microchip embedded under your skin?
Most biometric systems don’t use your actual fingerprint or iris scan to validate you. Instead, they scan data points and build a model of your “unique” attributes with an algorithm, and that algorithm can be attacked: the security subsystem can be fed a line of digital data that represents what the scanner should have seen (but didn’t) and accept it as a genuine reading.
Subcutaneous chips can be replicated; they’re just a serial number, after all. Look at how secure Social Security Numbers are in the USA: those are just serial numbers for people, and they’re bought and sold like candy.
In the webcomic referenced above, the password “correcthorsebatterystaple” is significantly more secure than “Tr0ub4dor&3”. So, what is the secret formula for making a really secure password?
- What we need to be doing is creating passwords that are long. The longer the better!
- Don’t reuse passwords, since when one site is compromised, any other site that uses the same username and password is automatically compromised, too.
- Always use 2-step verification whenever possible. These systems are a little more trouble to set up and use, but they require significantly more effort to compromise.
- Be careful with password managers with one password to protect all the others (and in the darkness bind them!).
- Be careful with your password recovery questions. With a little research, it’s not too hard for a determined person to find out what your high school mascot was, or your first car, or your mother’s maiden name, or your dad’s middle name, or the name of your first pet. One friend of mine came up with a set of lies to answer those questions. Even if someone got all his personal information, they still wouldn’t be able to break into his accounts.
While there may not be such a thing as the “perfect” password, there is certainly a better way to go about creating one. And now you know how to do it.
Image credit: Java Shock