The Problem of Effective and Usable Strong Passwords
by William Ben Bellamy Jr.
Note that in this article the word "password" is used for both singular words (strings) and phrases that are used as a password.
This article will focus on the following points:
- How are passwords attacked.
- What makes a password strong.
- Suggestions for building effectively strong passwords.
Problem Statement
Typically, we each have dozens of passwords that we use regularly. Passwords help to protect the confidentiality, integrity, and availability of the systems and services we rely on.
For the past few decades we have been indoctrinated to think that each system requires a password that is:
- Unique.
- At least eight characters long.
- Composed from several character sets.
- Changed regularly.
Compounding the problem is that each system/service that requires password authentication can enforce different requirements.
This is not sustainable. It forces the typical person to cut corners and look for "easy" passwords which leads to writing passwords onto paper near their systems, and using easily guessable words and phrases.
I propose that a practical and sustainable solution involves taking into account the techniques that password attacks (cracking) employ, and avoiding those techniques in order to produce passwords that are unlikely to be guessed.
How Passwords Work
When you type in your password, which is simply a string of characters, your system immediately calculates the hash value of that string.
A hash value is produced by an algorithm that accepts any type or amount of material and outputs a fixed length value that uniquely represents the input material, but that cannot be reversed to find the original input material. It then sends the hash value to another system as proof that you are who you say you are - someone with permissions to access that system or service.
That system - and network - only ever sees the hash value of your password, never the actual password.
The back-end system compares the hash value you provided with its own stored copy of your password's hash value. If the two match, it can be assumed that you typed the correct password and have some degree of authorization on that system. If they do not match, then the correct password was not provided and no access is granted.
How Passwords Are Cracked
An attacker who has access to the password hash for an account/service will attempt to "crack" the hash value in order to learn the original password that was used to create that hash value and consequently have access to that protected resource or system.
There are two main approaches to cracking passwords: online and offline:
- Offline cracking generates the hash value of each password candidate and compares it to the hash value being cracked. Tools include John the Ripper, Hashcat, and rainbow tables.
- Online cracking submits generated hash values of password candidates to an online system in real-time until access is granted. Tools include THC Hydra.
Passwords usually are represented by their "hash value."
A hash is a mathematical function that accepts any amount or type of material and produces a fixed length value that identifies the input material - both the content and the order - and which is computationally infeasible to reverse the process to determine a password given its hash value. If any portion of that material is changed, the fresh hash will be dramatically different from the previous. Also, it is mathematically infeasible to reverse a hash back to its original input. So a hash is like an absolutely precise fingerprint of the original material.
"Password cracking" is the process of working through a word list, and taking each word and hashing it in the same way that an unknown password was hashed. The two hashes are then compared and, if they match, you now know the original password. If they do not match, you try the next word in your list.
In addition, "rules" are applied to each word from your list.
These rules describe how the initial word should be modified, manipulated, or in some way changed. These changes are intended to test variations on a word in ways that a person is likely to modify a common word in order to harden their password. The language used for rules is rather obscure and difficult to master. So most crackers will rely on existing rule sets rather than fine-tune them for a specific target. The actual word list, however, is often created with a specific target in mind.
These manipulations include, along with many, many more:
- Changing letter case.
- Appending numerals or spaces.
- Prepending numerals.
- Inserting special characters.
In this way, a single word from a word list can be morphed into hundreds of variations, most of which the attacker might never think of.
What Makes a Password "Strong?"
There are at least four factors that we can easily control that determine how strong a password is.
1.) The number of characters making up the password. The more the better. Each additional character astronomically multiples the number of guesses required. Eventually the attacker will reach a point of diminishing returns and terminate the attack.
2.) The size of character sets. A character set is a collection of related characters. For example, uppercase English letters, lowercase English letters, Arabic numerals, Roman numerals, special characters, and so on.
The more character sets we use in a password, the stronger it will be.
It takes ten symbols to represent the Arabic numerals 0-9. It takes 26 symbols to represent the lowercase English alphabet. So, in general, it is better to use larger character sets, and several of them.
- Alpha uppercase and lowercase = 52 (a-z and A-Z)
- Numerals = 10 (0-9)
- Roman Numerals = 3 characters in 4 combinations and 1-4 symbols (I-X) (there is no zero)
- Typable special characters = ~32
- Alt-characters - extended ASCII = ~129-255 (www.alt-codes.net)
- Unicode - astronomical count, but often impractical to type. (Unicode Charts)
So the size of a character space composed of upper and lower alpha, numerals, and special characters combined is ~94 potential characters.
3.) Length of the password. It is that simple, yet extremely powerful. The longer the better. Every additional character dramatically increases the number of possible character combinations (complexity), making it increasingly computationally infeasible to successfully crack/guess.
4.) Frequency of change. A password is effective only for as long as it takes to crack/guess it. The previous steps will increase the time necessary to crack/guess your password to the point it is no longer feasible for an attacker to continue.
A Suggested Solution
The following suggestions will help create effectively strong passwords.
You can use some or all of these to build a password. Remember that the key to an effectively strong password is the length of the string and the size of the character space.
Assuming your password is effectively attack-resistant to the point it is unlikely to be cracked, you can consider using a single password on many systems, and for a long time. And in any case, if it is cracked, the information about you on one system usually does point to the other systems you use.
General Suggestions
- Use all the character sets you can. This increases the overall character space size.
- Build a password that is at least 16 characters in length - preferably more than 24 (more on how to make that usable and practical towards the end).
The Detailed Steps
- Decide on more than two core words/strings that will make up your password.
Select words/strings that together give you at least 16 to 24 or more characters. When choosing these words, try to have the first word begin with a lowercase letter greater than "m". That way, if the word list is sorted, about the first half of the word list will be processed needlessly.
Consider the following:
- An obscure word you would like to learn to spell.
- The name of a plant, insect, location, star, element.
- A favorite song title or phrase, a short portion from a poem, scripture.
- Include a random string at some point.
Consider:
- Random keystrokes.
- A car license plate number or portion happen to see (i.e., YEO-862)
- Keyboard geometry.
- Product serial number.
- A MAC network address.
- The year of your favorite movie.
- Include spaces as delimiters between the words.
For extra strength, use two or more characters (space, underscore, hyphen...) as mixed delimiters.
- Include an "Alt" character.
This is very powerful since it is seldom in a password cracker's rules set, and it expands the character space astronomically. You will need to research how to enter Alt characters on your particular system. (One way to make entering Alt and Unicode characters easier is to, in some very secure way, save your full password and simply copy and paste it when needed.)
- Even better, include an obscure Unicode character.
Again, you will need to research how to enter Unicode characters on your particular system.
- Use geeking.
Geeking is the practice of exchanging regular characters for others of similar shape or sound. When using geeking, do not use the first opportunity, or all opportunities. For example, if you could geek five characters, then actually only geek two. Below are just a few examples:
0 - O 7 - T @ - a Vv - w Nn - m $ - S / - l ( - cIn addition, you can use the core portion of a password over and over and simply increment one character, the salt:
- Increment for each new password. For example, left to right across the shifted top row of numerals (~ to +). This is much more powerful than simply incriminating a numeral.
- Increment through the alphabet (a, b, c...) rather than numerically.
Things Not to Include in Building a Password
- Unaltered dictionary words, even in combination.
- Regional terms ("go cats", "go cards").
- Simple misspelled words (hackorz).
- Nomenclature (leet, script kitty).
An Example
In this example, note that I am not using all of the possible suggestions.
Use those that will help create a long and complex string that frustrates the techniques attackers use to crack/guess passwords.
- Choose Three Core Words: Let's use "mood hack coffee". In this case, "mood hack" is a phrase with meaning, and coffee is (sort of) unrelated. This also starts with an "m" or beyond.
- Add a Random String (keyboard geometry): "[poi". This give me "mood hack [poi coffee".
- Mixed Letter Case: "mood Hack [poi Coffee". Here I change only two letters to uppercase.
- Geeking: "nnood Ha(k [poi Coffee". Now I change "m" to "nn" giving me an extra character along with geeking, and is also later than "m" in the alphabet. I also change "c" to "(".
- Include Numerals: "nnood Ha(k [poi C0ffee". Simply a "o" to an "0". Again geeking, but for the purpose of including at least one numeral.
- Large String Length (more than 16): is now 22.
- Use More Than One Character Set: Here I have uppercase, lowercase, special characters, numerals. That is a character space of ~94 characters.
- Then for Good Measure, I Append Two Spaces: "nnood Ha(k [poi C0ffee". This gives me 24 characters. That means that this password is one out of ~94 to the power of 24 (divided by two if you want to account for the average number of guesses) possible combinations. That is a really big number of guesses on average to discover this password.
How to Remember a Strong Password
So far, great.
We have the information for developing a functionally strong password, one that is crack/guess-resistant. But, now we have to remember that long string of characters. Regardless of how effective a password is, if it is not easy to remember and use, it won't remain effective.
Fortunately, there is no real difference between the words and phrases we have already learned as language and those that are contrived for use as passwords. So to "learn" these stronger passwords, simply use the techniques we used to memorize all of the words and phrases we already know.
1.) Keep the length relatively short: 24-32 characters. Balance the number or words with their aggregate length. For example, two short words and one long word, or two long words and one short word. I find that less than 33 characters is comfortable as long as there is a meaning underneath that makes sense to me.
2.) Make the component words memorable. The password needs to be thought of as a single idea rather than a bunch of keystrokes.
In the example "nnood Ha(k [poi C0ffee", the core idea is "Mood hack with coffee". "Mood" uses "nn". "Hack" uses "(". "[poi" is just easy to type filler. "Coffee" simply uses a zero. Then end with two spaces. And spaces used as delimiters. Just a few tweaks on three words that constitute a meaningful phrase.
3.) Muscle memory. Open an editor and type your new password over and over until your fingers are comfortable with the movements that are used. Start slow and deliberate, and increase the speed as you are comfortable. The key is that after a short while you will stop thinking about the individual characters you are typing and begin to understand them as a few words, and finally as one movement.
For example, type the following:
Notice how your mind and fingers know commonly typed material as a single movement (each word is a single movement).
You do not think about each letter or the order of letters, you simply think about the word. It is the same as playing a musical instrument. Your hands know how to play an "F" chord rather than getting each finger to a particular place on your instrument. A "G" major scale is one long movement rather than a bunch of delicate movements.
So practice typing your new password until it is more automatic than deliberate.
Conclusion
This approach, or some variation on it, should allow you to consider using a single password on several systems, and for a longer time. That is because if your password hash is stolen, the attacker is unlikely to crack/guess such a long complex password.
This approach should also help make longer more complex passwords memorable and usable.