This Tip of the Week is about Selecting a Safe Internet Password.
There are three severe mistakes with Internet passwords. Avoid all of them.
First, your password is not stored safely: it is written on a post-it note that is hidden in the drawer of your desk.
The second problem is using one and the same password for several purposes. You should not.
By using an encrypted digital password vault you kill two birds with one stone, because you can easily and safely handle a multitude of passwords for different websites.
I addressed this issue in last week's Tip of the Week, here. We use an encrypted digital password vault, either on a USB thumb drive or on your smartphone.
Now to the most problematic issue with passwords.
What Poor Password Selection is
You may think that a common phrase and its initials make a safe password, and that replacing letters with numbers makes it safer still.
For example: “I pledge allegiance to the flag” becomes “ipa2tf.”
This password is NOT safe, despite what password checkers say.
But which passwords are safe and which ones are not?
Here is the “silver bullet” solution: the eternal rules for picking a good password:
- I pick passwords that I can recall for at least 10 seconds. Otherwise it takes too much time to enter them correctly. That means that common words must be used.
- A long passphrase from common words is much better than a short password that consists of coined weird special characters.
- I separate the words from each other by special characters such as punctuation marks, letters or numbers.
- “Not good enough!” That is what the “create new password” software tells us. That software is wrong. Password checkers are crap.
Examples for secure passphrases:
And here comes some evidence that backs up my password rules
Science has spent some effort on password security over the past decade. A good write-up is found on Wikipedia, here https://en.wikipedia.org/wiki/Password_strength
I don't expect you to read and understand all the information in this article. The most important fact is that password security increases linearly with its length L, but only logarithmically with the number N of possible symbols that can be used.
Example 1: one of the lowest password securities is given by a 4-digit PIN number, e.g. “1234” (L=4, N=10).
Example 2: A 4-digit password from lower case Latin alphabet characters “a” – “z” (L=4, N=26) is only (4/4 * Log(26)/Log(10)) = 1 * 1.41 = 1.41 times safer than a 4-digit PIN number.
Example 3: A 10-digit PIN number is (10/4 * Log(10)/Log(10)) = 2.5 * 1 = 2.5 times safer than a 4-digit PIN number.
Example 4: A 10-digit password from lower case Latin alphabet characters “a” – “z” (L=10, N=26) is (10/4 * Log(26)/Log(10)) = 2.5 * 1.41 = 3.53 times safer than a 4-digit PIN number.
Result: increasing the length from 4 to 10 digits increases password security by a factor of 2.5, while increasing the number N of possible symbols to be used from 10 to 26 increases password security only by a factor of 1.41.
This is the basis for rule 2: “A long passphrase with common words is much better than a short password that consists of coined unusual characters”.
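The arithmetic behind Examples 1 to 4 and rule 2, worked through as an added example (this is not code from the original post): entropy in bits is L·log2(N), the “times safer than a 4-digit PIN” figure is the ratio of two such values, and the same formula applied to a separated-words passphrase shows why the long phrase wins. It assumes a 7776-word dictionary and a constructed separator set, and it also reports 2^bits so the logarithmic scale of the figure is visible.

```python
import math
import secrets

def entropy_bits(length: int, alphabet_size: int) -> float:
    """Bits of entropy for a uniformly random secret of `length` symbols,
    each drawn from `alphabet_size` possibilities: L * log2(N)."""
    return length * math.log2(alphabet_size)

def strength_ratio(length: int, alphabet_size: int,
                   ref_length: int = 4, ref_alphabet: int = 10) -> float:
    """The post's 'times safer than a 4-digit PIN' figure:
    (L / L_ref) * (log N / log N_ref). The log base cancels out."""
    return entropy_bits(length, alphabet_size) / entropy_bits(ref_length, ref_alphabet)

def guesses_to_exhaust(bits: float) -> float:
    """Bits are a log scale: 2**bits guesses enumerate the whole space,
    so a 'linear' gain in bits is an exponential gain in guesses."""
    return 2.0 ** bits

def passphrase_bits(word_count: int, dictionary_size: int, separator_choices: int) -> float:
    """Words chosen uniformly from a dictionary, with each gap between words
    filled by one separator chosen uniformly from `separator_choices` symbols."""
    return entropy_bits(word_count, dictionary_size) + entropy_bits(word_count - 1, separator_choices)

SEPARATORS = "!#$%&*+-.:;=?@_~0123456789"  # constructed separator set (26 symbols)

def make_passphrase(words, word_count: int, separators: str = SEPARATORS) -> str:
    """Build a separated-words passphrase using the CSPRNG in `secrets`."""
    chosen = [secrets.choice(words) for _ in range(word_count)]
    out = chosen[0]
    for w in chosen[1:]:
        out += secrets.choice(separators) + w
    return out

if __name__ == "__main__":
    # The post's four examples, relative to a 4-digit PIN (L=4, N=10)
    for label, L, N in [("4-digit PIN", 4, 10), ("4 lowercase letters", 4, 26),
                        ("10-digit PIN", 10, 10), ("10 lowercase letters", 10, 26)]:
        bits = entropy_bits(L, N)
        print(f"{label:22s} {bits:5.1f} bits, {strength_ratio(L, N):.2f}x a 4-digit PIN, "
              f"{guesses_to_exhaust(bits):.3g} guesses")
    # Assumption: a 7776-word dictionary; 5 words + 4 separators vs 8 printable ASCII chars
    print(f"5-word passphrase:      {passphrase_bits(5, 7776, len(SEPARATORS)):.1f} bits")
    print(f"8 printable ASCII chars: {entropy_bits(8, 95):.1f} bits")
    print("sample:", make_passphrase(["correct", "horse", "battery", "staple"], 4))
```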
Why use familiar phrases for passwords
Sentences or parts of them are easy to remember. That’s why.
I pick passwords that I can recall at least for a time of 10 seconds. 10 seconds is enough time from reading a password from my encrypted password vault to entering it into a password window in my Internet browser.
Why separate the words from each other with other characters
This makes it difficult for pattern recognition algorithms to generate the sentences. While entire sample sentences can be retrieved from the Internet, it is very time consuming to generate all possible variations of one, using anything from one to all words of the sentence, plus an unknown number of characters separating those words.
Password cracking software gives up after a predetermined number of unsuccessful guesses.
Why password checkers are crap
The culprit who invented the known standard way to create a password is Bill Burr, a former manager at the National Institute of Standards and Technology (NIST). In 2003, Burr drafted an eight-page guide on how to create secure passwords creatively called the “NIST Special Publication 800-63. Appendix A.” This became the document that dictated password requirements on everything from email accounts to login pages to your online banking portal.
Bill Burr’s rules are: create a password with at least so many characters, so many numbers, so many special characters, and maybe an uppercase letter.
All nonsense. Bill Burr is admitting that his password rules are useless. He is also very sorry.
“Much of what I did I now regret,” Bill Burr told The Wall Street Journal, admitting that his research into passwords mostly came from a white paper written in the 1980s, well before the web was even invented. “In the end, [the list of guidelines] was probably too complicated for a lot of folks to understand very well, and the truth is, it was barking up the wrong tree.”
The only problem is that Bill Burr didn’t really know much about how passwords worked back in 2003, when he wrote the manual. He certainly wasn’t a security expert. And now the retired 72-year-old bureaucrat wants to apologize.
Your websites can still be hacked
Yes, you will never be entirely safe. Even if you use safe passwords.
Increase your safety further by:
- not saving your passwords in Internet browsers’ auto-filling lists,
- locking your computer with a password protected auto-screensaver,
- locking your smartphone with a PIN,
- using prepaid credit cards for online purchases (we will show you how to do this in another Tip of the Week),
- changing passwords at least every other year or immediately after you have given your password to someone else (yes, this happens every now and then).
If you do all this, you have done more than 99.99% of all Internet users. And that is what counts: don’t be the slowest member of the herd, those get eaten by the lions.
- Use a secure digital password vault software, such as KeePass, on your smartphone or on a portable USB thumb drive
- Use phrases as long passwords that consist of words that are separated by special characters
- Never re-use one passphrase of one website for another website
- Don’t trust password checkers
Martin “pick a safe password” Schweiger