We live our lives online and on computers — We do our work digitally, communicate with students electronically, store research in the cloud and submit papers through the web. So while we’re thinking about that, here’s a fact for you: In October 2017 there were thirteen major breaches of popular online services resulting in a total 57,370,222 breached accounts. We learned a national security defence contractor had their security compromised. Their logins and passwords were ‘admin’ and ‘guest.’
Passwords are our first line defence against a breach. We need to get them right.
Understand How Passwords Work
At heart, passwords are nothing more than a possibility space. It’s one combination of letters, numbers and other characters that, if correctly entered, allow access. So if you were to create a password of just one letter, in lower case, it would mean that you had a possibility space of twenty-six possible passwords. But if we added one more letter (for a two character long password), then each character has twenty-six possibilities, multiplied to form a possibility space of one-thousand, two hundred and ninety-six possible passwords. Lengthen that to eight characters, and we’ve 208,827,064,576 possibilities!
Or do we? That depends. If you used an actual word, that’s a much smaller number. Checking our Scrabble dictionary, we see only 29,718 eight letter words in English. We’ve cut our possibility space down to well under a percent of the original. So if I tell my password guessing program to search for actual English words first, I can get your password in a fraction of the time. Faster still if you used ‘password,’ since that’s the first word I’ll tell my program to guess.
This is why you’re asked for longer passwords, why you’re told not to use actual words, and why you’re also required to use uppercase and lowercase letters along with numbers and special characters. (If we included uppercase and lowercase letters along with numbers, the same eight character password is 1045 times more effective.)
How to Select a Password
Here’s a problem: We easily remember words. Though ‘mailroom’ is easy to remember’; ’Hlu!R1pw’ is a lot trickier, though the latter is a lot more secure. Although for a secure password, we want it to be thirteen characters or more. So unless you can remember ‘IsInspw!2tmig’ off the top of your head, we need a system.
But actually, I already used a system. I can remember that password without a hitch. I used The Schneier System, named for famed security researcher Bruce Schneier.
Here’s how it works: Take a phrase you can remember. Say, “I said I need strong pass words! 2nd time make it good’. Then, reduce it down to the first letter of each word, getting “IsInspw!2tmig’. Provided your phrase has a numeral in it and some punctuation, it works very well.
Or, could you remember the phrase ‘deniable vineyard overcrowd giant footbath’? Because that’s forty-two characters long, making it incredibly secure. Phrases like these are used in The Munroe Method, suggested by cartoonist Randall Munroe in his comic strip XKCD. Simply put, take five random words (keeping them randomised is essential so that you can’t predict common words more often) and then just ramming them together with a space in between.
Now, neither of these systems are perfect. Some letters are more likely to start a word than others, affecting the Schneier Scheme. The Munroe method could theoretically be detected and accounted for by an attack. To have a perfect password, you’d want it to be wholly randomised. But you could never remember it, then, right?
The Perfect Password: Using Password Managers
You have too many passwords to remember. How many accounts do you have that need a password? At least two, maybe three computer logins? Email addresses? Bank password? How many accounts could you have?
I have six-hundred and twenty-five accounts with a password. Nobody can remember six-hundred and twenty-five different passwords. That’s a huge problem, because if I’ve discovered one of your passwords, then for every other account you have I have an excellent first guess at your password. Re-using passwords is one of the worst things you can do.
You need a program to remember them for you: A password manager. It’s a personal, strongly encrypted vault for as many passwords as you need, so all you ever need is one password: The one you use to unlock the vault. (Use one of the techniques above to make that one strong!) The program can randomly generate every other password, so you can make every password unguessable.
Which one should you use? Well, what’s important to you? LastPass is cloud-based and very convenient, but it’s also the dominant player in the space and has been the subject of a lot of attacks. KeePass is free, but there’s no official mobile version. 1Password is insanely fully featured, but it’s best on Mac. Codebook is probably the most secure despite its obscurity. Take a look at all of them and choose one based on your needs. Don’t worry too much; any password manager is better than none.
Get This Right
There’s a lot of efforts to get rid of passwords. Some you may even already have access to, like TouchID on your phone. And to be honest, if these help you, great! Use them! (But know their limits.)
But for the vast majority of your accounts, passwords will be your primary method of security. You owe it to yourself, and to anyone whose information you’re responsible for, to get this stuff right. Ideally, use a password manager. But if you can’t do that for whatever reason, at least find a system that produces complex, different passwords for every site. It matters.