Major password breaches are so common they’re becoming like storms and traffic jams: One day you hear about tens of thousands of Twitter users compromised or several million at LinkedIn, the next it might be upwards of 50 million at Evernote or LivingSocial.
But despite their fallibility, passwords won’t be replaced any time soon. Two-factor authentication technologies using our mobile devices and even biometrics can help keep us secure, but so far none are foolproof, and precious few are even convenient.
How can we make our passwords more hack-resistant and manage all the passwords we need?
Entropy is your new best friend
Most attackers don’t break passwords by going to Gmail or Facebook and making guesses; that’s slow, and most services block access after a few failed attempts. However, if attackers steal account data through a security hole, they can make thousands, millions, or even billions of guesses per second offline using their own computers. If that sounds outlandish, consider that Stricture Consulting Group last year showed off a small computer cluster made from off-the-shelf components that could test as many as 350 billion passwords per second. Some password-cracking operations harness hundreds (or thousands) of computers via botnets or legitimate cloud-computing platforms, while others just use everyday PCs. They’re fast too.
The quality of a password doesn’t matter if a service stores your password as plain text and an attacker steals it. (Don’t laugh: it happens.) If passwords are encrypted, however, size and randomness are two factors that determine a password’s strength or entropy — basically, a measure of the possible combinations a password can have.
“The higher the entropy, the longer it will take, on average, for a brute-force attack to succeed,” noted Joe Kissel, author of the ebook Take Control of Your Passwords. So, all things being equal, you want a high-entropy password.”
The benefit of a password’s size is obvious: More characters means more possible combinations. The benefit of randomness is less subtle. A password like YesThisIsMyGreatNewRandomPassphrase wins points for size — 36 characters! — but loses points for randomness, since it’s just upper- and lower-case letters. (It’s also less random because it’s in English: Attackers try to take advantage of common letter patterns.)
Something like *5FRRcr62{d~OkP!{AKaxzevQZb6L{~S1F~b would be more secure — it’s both big and highly random. Unfortunately, it’s almost impossible for most people to remember…but it’s easy for a computer to remember.
Ways to make strong, memorable passwords
There’s no magic formula for making passwords both very strong and easy to remember. However, here are some ideas:
Size matters — In statistical terms, memorable passwords aren’t very random, but you can make them stronger with sheer size. These days, I consider 14 to 15 characters a minimum for a random password. For a password based on words or phrases, a realistic minimum might be 20 characters. When in doubt, go big.
Use combined terms — Grouping a three to five unrelated words together can be a great basis for a long password. Something like TurquoiseGullGrapeDiner creates a sizable password (23 characters) but only requires you remember four things.
Use groups of symbols and numbers — The example above won’t work if a system requires numbers or symbols. However, if you accent it with a small group of special characters, like (3*^, it can be used almost anywhere as TurquoiseGullGrape(3*^Diner. Here’s the trick: Come up with two or three sequences of symbols and numbers like that, then re-use them to both add entropy to your longer passwords and meet password requirements. Just consider symbols carefully: diacriticals and symbols (like €, ™ þ «) might be easy on a computer keyboard, but on phones even shifting between upper and lower case can be annoying.
Avoid 1337 speak — Don’t use common symbol substitutions like @ for a, 3 for E, 5 for S, [) for D, etc. Those are some of the first things password crackers attempt — and remember they can attempt millions (or billions) of combinations per second.
Improve entropy with random passwords — Several services like Random.org and WhatsMyIP.org will generate random passwords of any length, with options to avoid similar-looking characters (like 1 and I). These are hard to remember, but if you use a password management system (see below) you might not care.
Never reuse passwords — It’s tempting to make a single strong password and use it everywhere. Don’t do it. When attackers steal passwords, they often get information like names, email addresses, billing details, and even security questions or password hints along with them. If attackers crack your password on one service they can quickly try the same password with your name or email address on other services. If you never reuse passwords, damage from a cracked password is already contained.
Managing passwords
Making a strong password for every service means most of us will be swimming in passwords—and we’ll never remember them all.
… An ounce of prevention — say, 16 random characters — can be worth a pound of cure.
The password managers above (and others) are available for most desktop and mobile operating systems, and can synchronize passwords between phones, tablets, and computers (1Password relies on Dropbox, for instance). That’s tremendously handy if you create a website password on your PC, then need it later on your iPad.
“If you’re going to use a password manager, it makes sense to pick something that will sync securely across all your devices,” noted Kissel. “Usually syncing involves the cloud, although some sync directly over Wi-Fi. As long as the data is encrypted, which it always is, cloud-based syncing isn’t riskier, but it is more convenient because your devices don’t have to be on the same network.”
Trusting password managers can have drawbacks. For instance, LastPass stores everything in the cloud, which is great until you don’t have Internet access or the service goes down. Similarly, a software incompatibility could make your passwords inaccessible — maybe on just one device, but maybe everywhere.
The upshot is that you will almost certainly need to memorize a handful of passwords. The most likely candidates are:
- Your computers and devices
- Your password manager
- Critical online services (like email, Google account, Apple ID)
- Online banking
- Sync services (like Dropbox)
- Social media
Not all of these apply to everyone. Most people will only need to memorize four or five passwords. Almost everything else can be trusted to a password manager.
Finally, consider recording your most important passwords on paper in a safe place. That’s not a notepad next to your keyboard, but perhaps a safety deposit box or an obscure location in your home (like, inside a CD of Aerosmith’s Greatest Hits). The list isn’t so much for you, but for anyone you might need to access your devices or accounts in an emergency.
Better safe than sorry
These steps may seem like overkill. Why would an attacker care about your Pinterest account or Facebook page or email? Unless someone wants to besmirch your online reputation, they probably don’t. However, even our seemingly innocuous accounts can be stepping stones to PayPal, Amazon, iTunes, credit cards, bank accounts, and identity theft — and those are precisely what serious attackers want. With so much of our day-to-day lives now online and password breaches becoming so commonplace, an ounce of prevention — say, 16 random characters — can be worth a pound of cure.
