Guidelines for strong online passwords

It’s the age-old problem that everyone faces – keeping online passwords safe. Passwords are vulnerable to brute force attacks and on the end point from key logging and phishing attacks.

Password-cracking software can quickly cycle through a range of dictionary words and combinations of these words and numeric characters, in order to guess a password. A criminal conducting a dictionary attack using an average-speed PC, could crack passwords such as “MySecret”, “BankEntry”, “MyBank9”, “RomeSky”, all in less than a minute. Other combinations of words, such as “RedCircle”, “DavePhone”, and “NeverKnow”, can all be cracked in much less than an hour. You can test your own passwords here.

Password cracking criminals know that most people add numbers only at the end of their passwords, and generally use upper case characters only at the beginning of words. So for example, “James1964”, “AliceJ19”, “Beach200”, can all be cracked in a few hours.

Criminals are also aware of the technique many people use, in replacing “E” with “3”, “S” with “$”, “l” with “1”, etc. So for example, “b3ach202”, “homeba$e”, and “1unch500”, are all cracked within an hour.

Spelling words backwards is also a technique known to password crackers. For example, spelling the word “secret” backwards and adding a couple of numbers such as “terces80”, is easily cracked in a few minutes.

Passwords are strengthened by making them longer and by avoiding dictionary words. So, for example:
“JaJwuth2” would take about 15 hours to crack
“JaJwuth2f” would take almost a month to crack
“JaJwuth2fa” would take about 5 years to crack
“JaJwuth2fapow” would only be cracked after millions of years (according to this site)

Note however, that the above estimates are based on today’s average-speed PC. There is a technique described below on how you can create and remember a difficult-to-crack password such as “JaJwuth2fapow”.

News this past weekend, is that the latest version of the password-cracking tool Hashcat, can now crack much longer passwords based on dictionary words. Simply extending the password length by combining more dictionary words is no longer secure.

Here are some guidelines for making your passwords stronger:
1. Use different passwords for different websites. In this way, if one of your passwords is compromised, it only affects one website. Using many complex passwords is only practical with the help of password manager software. You should ensure your password manager is protected against key logging attacks or else it may simply be a convenient organising tool for a key logging criminal.
2. Avoid dictionary words, people’s names and company names.
3. Use a combination of: (a) Upper and lower case characters (avoiding upper case only on the first character), (b) Numeric characters, but not only at the end, and (c) Non-alphanumeric characters (such as “$%^&*”).
4. Replacing “E” with “3”, “S” with “$”, and “l” with “1”, etc. does not add much to complexity.
5. Ensure your passwords are at least 9-12 characters long.
6. Install anti-key logging and anti-phishing software on the end point to protect passwords entered entered into all websites, not only banking passwords.
7. One technique of creating a complex password that you can remember, is to take the first characters of the words of a song or rhyme you know. So for example, “Jack and Jill went up the hill to fetch a pail of water” becomes the password “JaJwuth2fapow” which currently would be very difficult to crack.

9 thoughts on “Guidelines for strong online passwords

  1. 123db (@123db_GEEK) August 27, 2013 at 8:52 am Reply

    With the developments in graphic card processing, I would recommend people start using pass phrases rather than passwords when possible. A 34 character phrase is going to be good for the next 3 years!

    I would also recommend not suggesting that passwords are safe for millions of years, because its not practically true. A password created in 1970, that was, using current technology, safe for a million years can now be broken in a matter of hours. the million years has become less than a day in only 40 years.

  2. jamesmckey August 27, 2013 at 1:36 pm Reply

    What are your thoughts on password managers to use? I’ve seen Lifehacker give some advice on ones to use but the big weak point seems to be in synchronizing between your desktop and mobile browser and app use (for instance, I have a complex password on my desktop for LinkedIn using SuperGenPass but it’s too cumbersome to use or lookup on my iPhone).

  3. dwaterson August 27, 2013 at 2:50 pm Reply

    @jamesmckey You are right in highlighting the need for a password manager to work across platform – PC and mobile. It needs to store the passwords in the cloud to achieve this. Specific anti-key logging protection is also important. There are no password managers available at the moment which satisfies these requirements, but I am aware of one that is currently under development – watch this space.

    In the absence of an ideal password manager, I have used and heard good reports of LastPass. It did have an IE vulnerability which they recently announced was plugged.
    http://www.zdnet.com/lastpass-plugs-ie-add-on-vulnerability-7000019579/

    • jamesmckey August 27, 2013 at 9:28 pm Reply

      Yep, I’ve heard of LastPass as an option. And IE would be no worry for me, I only use it when I have to for internal corporate sites and have no desire to save passwords in it 🙂

  4. tamarathompsontt4 August 28, 2013 at 7:22 am Reply

    Good content Dave, thanks! When do you think Biometric devices will replace passwords on personal hardware?

    • dwaterson August 28, 2013 at 1:57 pm Reply

      Hi Tamara. Biometric has not really taken off as many predicted. Fingerprint readers on laptops for example, have not really had much traction. The problem with biometric information is that it needs to be converted into an electronic representation early on in the channel, and from that point on, it is vulnerable to attack. Once compromised it is inconvenient to change one’s fingerprint, or iris, or other biometric data. In contrast, when passwords are compromised we simply choose another. Until we can solve those issues with biometrics, passwords will be with us for a while. Biometrics have their use for physical entry such as the eye scanners at customs, however the issue above need to be solved before they will overtake passwords for online/remote usage.

  5. tamarathompsontt4 August 28, 2013 at 7:25 am Reply

    Good content Dave, thanks! When do you think biometric devices will replace passwords on personal harrware?

  6. John April 25, 2014 at 8:03 pm Reply

    Is there antikeylogging software in Linux?

    • dwaterson April 25, 2014 at 8:11 pm Reply

      I’m not aware of any John. There is less need due to lower number of users than other OSs, hence less attacks.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: