I wrote this article on one of my blogs recently and have had some good feedback so I thought I would share it with the community here.
You’ve probably heard it a thousand times – strong passwords are the foundation of good security. The problem is that those randomly generated strong passwords are way too hard to remember, right?
One of the major characteristics of a strong password is length. That’s just common sense. For example, if you had to open a lock that had a two-digit PIN you are going to get it in no more than 100 tries – because it has to be a number between 00 and 99. If it was an 8-digit PIN then it’s going to take a much longer time to try all 100,000,000 combinations.
So now we know that bigger really is better when it comes to passwords. The next question is… how do we make a strong password that is easy to remember, and how do we know how strong it is? Okay, so that’s two questions!
Grammar Is Your Friend
The good news is that strong passwords don’t actually have to be random or difficult to remember. Just a little bit of punctuation will do wonders. In this demonstration I’m going to refer to one of my favourite tools – GRC’s Password Haystacks (we’ll call it GRC for short) – to determine how strong the password is. Whilst the GRC tool isn’t accurate down to the hour, the month or even the century, it will give us a good bit of guidance as to whether our password is going to be difficult for man, woman or machine to guess.
I’m going to start with a simple longish password: slapthemonkey
GRC tells me that it would take about 9.85 months to guess that password on a computer that can do around 100 billion guesses per second. Not too shabby, but if they’re going to guess it I want it to be more of a ‘deep thought’ scenario where the only people who will find out the answer will be their very distant descendants – in around 7.5 million years or more!
In order to make my password as hard to calculate as the meaning of life, the universe and everything I just need to add some punctuation.
My new ultra strong password is: Slap.The.Monkey
Wasn’t that easy? All I did was put capitals at the start of each word and some dots between them. GRC now tells me that, using the same computer that can do around 100 billion guesses per second, it will take around 2.81 hundred million centuries to guess my password.
So now there’s no excuse for having nasty passwords that are easy to guess. Just use a few words, something inane, fun or even some song lyrics that you will remember easily. Here are some of my favourites – see if you can guess where they came from…
Pocket.Full.Of.Crackers (7.66 hundred billion trillion centuries to guess)
And.I.Liked.It (3.31 million centuries to guess)
Caught.In.A.Landslide (1.06 hundred million trillion centuries to guess)
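As an added example (not code from the original post and not GRC’s own calculator), the script below reproduces the search-space arithmetic behind the figures quoted above: it sizes the alphabet from the character classes actually present, sums every candidate of length 1 up to the password’s length, and divides by the article’s 100 billion guesses per second. The class sizes (10 digits, 26 lower, 26 upper, 33 symbols) are assumed to match the Haystacks model; the post itself only quotes the tool’s output.

```python
# Added example: a Haystacks-style search-space calculator (not the original
# post's code and not GRC's). Alphabet sizes are assumed to match GRC's
# published model: 10 digits, 26 lower, 26 upper, 33 printable symbols.
DIGITS, LOWER, UPPER, SYMBOLS = 10, 26, 26, 33

# The article's attacker: around 100 billion guesses per second.
GUESSES_PER_SECOND = 100_000_000_000
SECONDS_PER_DAY = 24 * 3600
SECONDS_PER_CENTURY = 100 * 365.25 * SECONDS_PER_DAY


def alphabet_size(password: str) -> int:
    """Size of the character set an attacker must cover, based only on which
    classes actually appear. A single dot or capital pulls in its whole class,
    which is why 'Slap.The.Monkey' jumps from 26 to 85 possible characters."""
    size = 0
    if any(c.isdigit() for c in password):
        size += DIGITS
    if any(c.islower() for c in password):
        size += LOWER
    if any(c.isupper() for c in password):
        size += UPPER
    if any(not c.isalnum() for c in password):
        size += SYMBOLS
    return size


def search_space(password: str) -> int:
    """Candidates an exhaustive search must try to be certain of covering the
    password: every string of length 1 up to len(password) over the alphabet,
    i.e. n + n^2 + ... + n^L, computed exactly with integers."""
    n = alphabet_size(password)
    return sum(n ** k for k in range(1, len(password) + 1))


def seconds_to_exhaust(password: str, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate at the given guess rate."""
    return search_space(password) / rate


def centuries_to_exhaust(password: str, rate: float = GUESSES_PER_SECOND) -> float:
    """Same figure in centuries, the unit the article quotes for long passwords."""
    return seconds_to_exhaust(password, rate) / SECONDS_PER_CENTURY


def human_time(seconds: float) -> str:
    """Render a duration roughly the way the article quotes it."""
    if seconds < 60:
        return f"{seconds:.3g} seconds"
    if seconds < SECONDS_PER_DAY * 365.25:
        return f"{seconds / (SECONDS_PER_DAY * 30.44):.2f} months"
    return f"{seconds / SECONDS_PER_CENTURY:.3g} centuries"


if __name__ == "__main__":
    # The passwords are the article's own examples; the PIN is a constructed
    # digits-only case matching the lock analogy.
    for pw in ["12345678", "slapthemonkey", "Slap.The.Monkey",
               "Pocket.Full.Of.Crackers", "And.I.Liked.It", "Caught.In.A.Landslide"]:
        print(f"{pw:24} alphabet={alphabet_size(pw):3d} "
              f"search space={search_space(pw):.3g} "
              f"exhaustive search at 1e11/s: {human_time(seconds_to_exhaust(pw))}")
```

Running it gives about 9.8 months for slapthemonkey and about 2.8 hundred million centuries for Slap.The.Monkey, which lines up with the figures above (small differences come from how many days a month or century is taken to have). Two things the numbers make visible: because every length up to L is counted, the 8-digit PIN comes out at 111,111,110 candidates rather than exactly 100,000,000; and the model assumes an attacker who knows nothing about the password’s structure, so a guessing order that starts from common words and phrases is outside it, which is the sense in which the tool is not accurate to the century.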
Hang On Just A Minute!
One of the golden rules of passwords is that you should never use the same password in more than one place. That could be a problem if we weren’t so darn clever. We can keep our fun passwords, make them different for every site AND keep them easy to remember. How about we add the name of the site at the end? For example, if we wanted to use our original password for our Gmail account then it becomes:
So now we have a strong password that is unique for each site we access, virtually impossible to guess and yet easy to remember. The ultra important thing to remember here though is that we never want to tell anyone our ‘base’ password (Slap.The.Monkey), or else we’ll give them a very good clue as to what our password is at the various places we log in.
If we wanted to be really clever, we might decide that the last part will always be appended via a + instead of a dot.
I hope you enjoyed this little romp through strong password land – if I can convince just one person to stop using ‘password’ or ‘12345’ as a password then my work is done here!