Saturday, June 19, 2010

Creating a Secure Password

I had once had my Runescape id hacked. It wasn't the might thing of the password cracker stuffs but I just gave my password away for some greed that was popular at that time in Runescape. Well I never got my ID back but I did learnt a lesson; play as you like, don't get in to the greeds and don't talk to strangers. Thats the moral of the story.

Now lets get to the title 'Creating a Secure Password'. Actually no password is secure. I am telling you every damn passwords can be cracked. Even the google's. Yes that's true, it can really be done.


A normal password consists of alphabets and digits. With capital and small alphabets with digits, the password could be made of 26+26+10= 62 characters. Also add the 32 characters(', !, @, #, $, %, ^, &.....) we have 94 characters, plus the white-space character makes it 95. For a simple two character password, we have as many as 95*95 = 9025 combination. For password of 6 characters, we have 95*95*95*95*95*95=735,091,890,625 combination.

For a computer which is capable of testing a million passwords each second, a 6 character password could take as much as 204 hours. If we have a computer ten times as powerful, testing 10 million combinations a second , we will still need over 20 hours for a 6 character password, and by simply increasing the number of characters by one to 7, we increase the time required by as much as 100 times.  If you can last longer then you can wait to see 1.7 billion years for a 12 digit password to be cracked by a computer. Even all of the computers in the world networked together would need a couple of hundred years to crack it. Of course this is a theoretical maximum, and you can expect with such a crude brute force attack to achieve success in significantly less time. A real algorithm would take a more probabilistic approach with will check more commonly occuring combination first.

Choosing secure Password
As the time required guessing a password increases exponentially as the number of symbols in the password increase, we are only buying ourselves enough time for an extra character or two. How about we improve the odds?

The goals when creating a secure password should be to create a password which:
* Is long (at least 8 characters, 12 or more recommended)
* Does not use a dictionary word.
* Is mixed-case
* Contains at least one digit.
* Contains at least one non-alphanumeric character.

While this will create a password difficult to crack, it will also make it difficult to remember. There is no point on choosing a secure password if you can't remember it or have to write it down and keep in your table. It is hard to say what is the lesson here, whether you should memorize your password better, or choose an easier to remember, but comparatively less secure password.

A good way is to create a complicated password based on some memory trick. Instead of remembering the password, you could associate it with something easy to remember in itself- no not your personal data!. For example:
n<7Plc8c could be memorised as "no less than 7 People like chocol8 cake"
The sentence doesn't really make sense, but might just make it easier to remember! Alternatively you can take a meaningful phrase and make it into a complicated password.

Multiple password Problem?
Another common flaw in most people's password policy is to use the same password for all their accounts. For one you can choose different passwords for more important accounts such as online banking and lesser important ones. This way, even if password of your less secure websites are cracked, your important ones will remain safe.

Another thing you can do is to choose a base password and modify it depending on the website you are using. If your password is "X@deR5" you can create a Facebook password of "FX@deR5b" or something similar. If maintain the same password then it will be easier to remember. However it may be easier to guess for someone who know your trick unless you tell.

Passwords are fragile little things holding our online life and the security of our organizations together. They are the short character sequences that lie between us and total destruction. Keeping a secure password is very important, and it is equally important to understand how you might be at risk. I hope that this post has been of help.

Some parts refrenced from a local book.

2 comments:

  1. That's the reason why I stick to one password.

    ReplyDelete
  2. One password is multiple accounts is very unsecure. If the password of your one account is hacked then all your other accounts can be hacked too...
    Re-think about it

    ReplyDelete