Every day we use passwords to access personal information and services online: to check our email, to buy goods, to do our banking, and so on. Passwords are the key that unlocks this huge pool of sensitive information. But how secure are the passwords you are using?
Given how much can be reached online, a large number of people risk having their accounts compromised simply because their passwords are far too easy to crack. A recent security breach at a company that makes MySpace and Facebook applications allowed the security firm Imperva to analyse 32 million user passwords and identify the most commonly used ones. Most users had chosen passwords that were extremely easy to crack: the most common was '123456', and other simple choices like 'abc123' and even 'Password' were also in the top ten.
Even a novice attacker can guess passwords this weak without using any cracking software at all. So we need to make sure we use 'strong' passwords.
So what is a strong password? Two main attributes greatly increase the strength of a password: length and randomness.
Length - Opinions vary about how long a strong password should be, with lengths of 6-9 and 8-12 characters regularly suggested. It should NEVER be less than 6 characters, and preferably longer; I would suggest never using a password of fewer than 8 characters if you can avoid it. To see how much impact length has, consider a brute-force attack that simply tries every possibility. A 6 character password of only lower-case letters has 26^6, roughly 309 million, possibilities, which cracking software can run through in minutes. A 12 character lower-case password has 26^12, roughly 9.5 x 10^16, about 300 million times as many, so at the same guessing rate it would take centuries or millennia. The exact figures depend on how fast the attacker can make guesses (which in turn depends on how the site stores the password), but every extra character multiplies the attacker's work by the size of the character set, so length pays off quickly.
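As an added worked example (not from the original post), the following Python script puts numbers on the length comparison above: it computes the keyspace and entropy for a given length and character set, and estimates exhaustive-search time at two assumed guess rates. The guess rates are illustrative assumptions; the keyspace arithmetic itself is exact.

```python
"""Keyspace and brute-force time estimates for passwords of a given length and
character set. Added example, not from the original post. The guess rates are
assumptions for illustration: real rates depend on the attacker's hardware and
on how the site hashes its passwords."""

import math

# Sizes of common character sets (printable ASCII).
CHARSET_SIZES = {
    "lower": 26,            # a-z
    "lower+digits": 36,     # a-z 0-9
    "mixed": 52,            # a-z A-Z
    "mixed+digits": 62,     # a-z A-Z 0-9
    "all_printable": 95,    # every printable ASCII character
}

# Assumed guess rates (guesses per second); illustrative, not measured figures.
GUESS_RATES = {
    "assumed slow-hash rate (1e6/s)": 1e6,
    "assumed fast-hash GPU rate (1e10/s)": 1e10,
}

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(length: int, charset: str) -> int:
    """Number of distinct passwords of exactly `length` characters from `charset`."""
    if length < 1:
        raise ValueError("length must be at least 1")
    return CHARSET_SIZES[charset] ** length


def entropy_bits(length: int, charset: str) -> float:
    """Entropy of a password chosen uniformly at random from the keyspace."""
    return length * math.log2(CHARSET_SIZES[charset])


def expected_crack_seconds(length: int, charset: str, guesses_per_second: float) -> float:
    """Average time for exhaustive search: on average half the keyspace is tried."""
    return keyspace(length, charset) / 2 / guesses_per_second


def human_duration(seconds: float) -> str:
    """Render a duration in the largest sensible unit."""
    for unit, size in (("years", SECONDS_PER_YEAR), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.2f} seconds"


def compare_lengths(charset: str, lengths: tuple) -> dict:
    """Keyspace, entropy and crack-time estimates for several lengths over one charset."""
    rows = {}
    for length in lengths:
        rows[length] = {
            "keyspace": keyspace(length, charset),
            "bits": round(entropy_bits(length, charset), 1),
            "time": {name: human_duration(expected_crack_seconds(length, charset, rate))
                     for name, rate in GUESS_RATES.items()},
        }
    return rows


if __name__ == "__main__":
    # The post's comparison: 6 versus 12 lower-case characters (8 added for reference).
    for length, row in compare_lengths("lower", (6, 8, 12)).items():
        print(f"{length:2d} lower-case chars: {row['keyspace']:,} possibilities, {row['bits']} bits")
        for name, when in row["time"].items():
            print(f"    {name}: {when}")
    # Length beats character-set size: 12 lower-case letters carry more entropy
    # than 8 characters drawn from the full printable set.
    print("12 lower-case > 8 printable:", entropy_bits(12, "lower") > entropy_bits(8, "all_printable"))
```

At a million guesses a second the 6 character case comes out at about 2.6 minutes and the 12 character case at about 1,500 years, which matches the post's "minutes" versus "a few thousand years"; at ten billion guesses a second the 12 character case drops to under two months, which is why the guess rate (and therefore the site's hashing) matters as much as the length. The final comparison shows that 12 lower-case letters (about 56 bits) beat 8 characters drawn from the full printable set (about 53 bits).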
Randomness - What you're looking to do here is add complexity so the password is harder to guess. The first rule of randomness is: no dictionary words, in any language! Cracking software routinely runs dictionary attacks that try lists of real words (along with common names, dates and keyboard patterns), so do not use them. Also avoid runs of repeated characters, e.g. 22222 or zzzzz, and do not rely on simple letter substitutions such as replacing the letter 'a' with '@': cracking tools apply exactly those substitution rules to every word in their lists automatically, so 'P@ssword' is no more secure than 'Password'.
The most common excuse people give for using weak passwords is that more complicated passwords are too hard to remember. There are many mnemonic devices to help, but here is an example based on a pass phrase. Think of a simple sentence you can remember, e.g. 'i walk my dog every day and twice on sunday'. Taking the first letter of each word gives a 10 character string: iwmdedatos. Already that is fairly random, but now replace every 'e', 'a' and 'o' with a '3', an '@' and a '0', then capitalise every other letter (counting only the letters, so the digits and symbol do not shift the pattern), which gives: iWmD3d@T0s. Finally, add 2 extra digits in the middle to bring it to 12 characters: iWmD319d@T0s. This final result was run through a password checker and got a complexity rating of 'very strong'. Bear in mind what such a checker measures: the length and mix of characters, not how guessable the underlying phrase is, so choose a phrase that is personal rather than a famous quote or lyric, and never use a password that has been published as an example, including this one. By using a series of different pass phrases, and adopting your own sequence of changes (capitalisation, letter and symbol substitutions, etc.) to apply to each, you can generate very different passwords. And as long as you remember the pass phrase and your rules, you will be able to remember the password.
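The pass phrase procedure just described, together with the 'P@ssword' point from the randomness section, implemented as an added Python example (not from the original post). The substitution table follows the post's worked example, and the tiny wordlist and reverse-substitution rule are constructed for illustration; real cracking tools ship with wordlists of millions of entries and hundreds of such mangling rules.

```python
"""Derive a password from a pass phrase the way the post describes, and show why
undoing simple letter substitutions puts 'P@ssword' straight back in the
dictionary. Added example, not from the original post; the wordlist and the
reverse-substitution rule are constructed for illustration."""

# Substitutions used in the post's worked example (pick your own in practice).
SUBSTITUTIONS = {"e": "3", "a": "@", "o": "0"}

# Constructed stand-in for the wordlists that cracking tools ship with.
WORDLIST = {"password", "sunday", "dragon", "monkey", "letmein", "walk", "dog"}

# One 'un-leet' rule of the kind a cracker applies to every candidate.
REVERSE_SUBSTITUTIONS = {"3": "e", "@": "a", "0": "o", "1": "i", "$": "s", "!": "i"}


def acronym(phrase: str) -> str:
    """First letter of each word: 'i walk my dog' -> 'iwmd'."""
    return "".join(word[0] for word in phrase.split())


def substitute(text: str, mapping: dict) -> str:
    """Replace each character found in `mapping`; leave the rest untouched."""
    return "".join(mapping.get(ch, ch) for ch in text)


def alternate_caps(text: str) -> str:
    """Upper-case every second letter, counting letters only so that digits and
    symbols do not shift the pattern. Applied after substitution, this is the
    order that reproduces the post's 'iWmD3d@T0s'."""
    out, letter_index = [], 0
    for ch in text:
        if ch.isalpha():
            out.append(ch.upper() if letter_index % 2 == 1 else ch.lower())
            letter_index += 1
        else:
            out.append(ch)
    return "".join(out)


def insert_middle(text: str, extra: str) -> str:
    """Insert `extra` at the midpoint of `text`."""
    mid = len(text) // 2
    return text[:mid] + extra + text[mid:]


def derive_password(phrase: str, extra_digits: str = "19", mapping: dict = SUBSTITUTIONS) -> str:
    """The post's full recipe: acronym -> substitute -> alternate caps -> pad the middle."""
    return insert_middle(alternate_caps(substitute(acronym(phrase), mapping)), extra_digits)


def normalise(candidate: str) -> str:
    """Cracker's view of a candidate: undo common substitutions and lower-case it."""
    return substitute(candidate, REVERSE_SUBSTITUTIONS).lower()


def is_dictionary_word(candidate: str, wordlist: set = WORDLIST) -> bool:
    """True if the candidate collapses to a wordlist entry once substitutions are undone."""
    return normalise(candidate) in wordlist


if __name__ == "__main__":
    phrase = "i walk my dog every day and twice on sunday"
    pw = derive_password(phrase)
    print(f"{phrase!r} -> {pw}")
    for candidate in ("Password", "P@ssword", "P@$$w0rd", pw):
        print(f"{candidate:14s} dictionary hit: {is_dictionary_word(candidate)}")
```

Running it reproduces the post's iWmD319d@T0s and flags 'Password', 'P@ssword' and 'P@$$w0rd' alike as dictionary hits, while the phrase-derived password survives this particular rule because no single word underlies it. The check is only as good as its wordlist and rules, which is exactly why a published example password, this one included, must not be reused.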