
How secure is your password?

There has been a lot of discussion as of late about passwords, and in particular what makes a good one. I'll start with my previous view of what makes a good password for end users. It's probably similar to password policies that most readers are familiar with:

  • Minimum of six characters
  • A lowercase letter
  • An uppercase letter
  • A number
  • A special character (like !&@^)
  • Can't be the same as the username

Assuming random combinations this results in 8.4E73 (84,000 with 70 additional zeroes after it) combinations. If we assume one thousand guesses per second by a computer, we're talking about trillions of years to guess the password. Your password sounds secure.

I've never been a fan of frequent forced password resets, primarily because the password is then more likely to be written down, which immediately eliminates any security the password provides, as it can be copied without the user's knowledge. The alternative is that the user creates a variation of their previous password, which is easily defeated if the previous password is already compromised.

The problem is that we don't remember random combinations well, so we often rely on a word to help us remember our password. A password dictionary holds about 1.7 million common passwords; add another 170,000 standard words from the Oxford English Dictionary and you have 2 million passwords. Even allowing every word 100 variations, such as 's' being replaced by '5', that is still only 200 million easily calculated passwords. At 1,000 guesses per second, that's about 55 hours of a computer guessing.

Your word-based password is insecure.

There is a lot of talk about not having dictionary words. This does two things:

First, it does make the password much, much harder to crack, as we're back up to 8.4E73 combinations. Second, it makes the password impossible to remember, requiring the use of a password manager such as 1Password.

In light of this, I've started to talk with clients about a new policy:

[Image: xkcd, "Password Strength"]

  • Minimum of 15 characters
  • Minimum of four words
  • Easy to remember

Having four easily remembered words results in 8.5E20 different word combinations. We're back to talking about trillions of years to guess the password, and that's assuming there are no upper case letters, special characters, or numbers. We're also able to remember four words.
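To make the arithmetic behind the three models above reproducible, here is an added example (not part of the original post) that computes the keyspace, the entropy in bits, and the worst-case time to try every candidate at the post's assumed rate of 1,000 guesses per second. The dictionary sizes (2 million base words, 100 variants each, 170,000 words for the passphrase) are the post's own figures; the 94-symbol alphabet used for the random-character model is an assumption of this example, since the post does not state its alphabet size.

```python
import math

# Attacker speed assumed in the post: one thousand guesses per second.
GUESSES_PER_SECOND = 1_000
SECONDS_PER_HOUR = 3_600
SECONDS_PER_YEAR = 365 * 24 * SECONDS_PER_HOUR


def keyspace_random(length: int, alphabet_size: int = 94) -> int:
    """Number of distinct passwords made of `length` uniformly random symbols.

    94 printable ASCII symbols (excluding space) is this example's assumption;
    the post does not say which alphabet it used.
    """
    return alphabet_size ** length


def keyspace_word_based(base_words: int = 2_000_000, variants_per_word: int = 100) -> int:
    """The post's word-based model: ~2 million base words (1.7M common
    passwords + 170k dictionary words), each with ~100 substitution
    variants such as 's' -> '5'."""
    return base_words * variants_per_word


def keyspace_passphrase(words: int = 4, dictionary_size: int = 170_000) -> int:
    """Passphrase of `words` independently chosen dictionary words, all
    lowercase with no digits or symbols (the post's four-word policy)."""
    return dictionary_size ** words


def entropy_bits(keyspace: int) -> float:
    """Entropy of a password chosen uniformly from `keyspace` candidates."""
    return math.log2(keyspace)


def seconds_to_exhaust(keyspace: int, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate at `rate` guesses per second.
    An average attack succeeds in about half this time."""
    return keyspace / rate


def describe(label: str, keyspace: int) -> str:
    """Human-readable summary line for one password model."""
    secs = seconds_to_exhaust(keyspace)
    if secs < SECONDS_PER_YEAR:
        when = f"{secs / SECONDS_PER_HOUR:.1f} hours"
    else:
        when = f"{secs / SECONDS_PER_YEAR:.3g} years"
    return (f"{label}: {keyspace:.3g} candidates, "
            f"{entropy_bits(keyspace):.1f} bits, exhausted in {when}")


if __name__ == "__main__":
    print(describe("6 random printable characters", keyspace_random(6)))
    print(describe("word + 100 substitution variants", keyspace_word_based()))
    print(describe("4 dictionary words", keyspace_passphrase()))
```

The word-based model comes out at 200,000 seconds, the post's "about 55 hours"; the four-word passphrase has just under 70 bits of entropy, which is why adding a fifth word (another 17 bits) does more for you than sprinkling in symbols. Note that `seconds_to_exhaust` assumes the attacker knows nothing about the user's habits; a passphrase built from words that are easy to associate with you shrinks the effective dictionary.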

The workflow I suggest for long passwords is to think of four words that aren't initially related and put them together in a sentence. There are tools online to help you create the word list.

Once you have a long password, you need to practice it several times before you actually change it. This helps commit it to memory. Open a text editor, turn off your monitor, type your password, and hit return. Do this five times, then turn on your monitor. If they're all the same, change your password. If there is any variation, repeat the process until there isn't.
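As an added example (not the post's own tool), the following script applies the three-line policy above to a candidate passphrase and then runs the blind-typing drill from this paragraph, using `getpass` to hide the input in place of turning off the monitor. It assumes words in the passphrase are runs of letters separated by spaces or punctuation; the username check carries over the "can't be the same as the username" rule from the older policy.

```python
import getpass
import re

MIN_LENGTH = 15        # "Minimum of 15 characters"
MIN_WORDS = 4          # "Minimum of four words"
PRACTICE_ROUNDS = 5    # "Do this five times"


def policy_violations(passphrase: str, username: str = "") -> list:
    """Return the policy rules a candidate passphrase breaks (empty = passes).

    Assumption of this example: a word is a run of letters, so a passphrase
    typed as a sentence with spaces counts each word separately.
    """
    problems = []
    if len(passphrase) < MIN_LENGTH:
        problems.append(f"only {len(passphrase)} characters, need {MIN_LENGTH}")
    words = re.findall(r"[A-Za-z]+", passphrase)
    if len(words) < MIN_WORDS:
        problems.append(f"only {len(words)} word(s), need {MIN_WORDS}")
    if username and passphrase.strip().lower() == username.strip().lower():
        problems.append("must not be the same as the username")
    return problems


def mismatched_rounds(attempts) -> list:
    """1-based indices of practice rounds that differ from the first round."""
    return [i + 1 for i, a in enumerate(attempts) if a != attempts[0]]


def practice_consistent(attempts) -> bool:
    """True when every round was typed identically and nothing was blank."""
    return bool(attempts) and attempts[0] != "" and not mismatched_rounds(attempts)


def practice_interactively(rounds: int = PRACTICE_ROUNDS) -> bool:
    """Blind-typing drill: getpass hides each entry, standing in for
    'turn off your monitor'. Loops until all rounds match."""
    while True:
        attempts = [getpass.getpass(f"Round {i + 1} of {rounds}: ")
                    for i in range(rounds)]
        if practice_consistent(attempts):
            print("All rounds matched; go ahead and change your password.")
            return True
        if attempts[0] == "":
            print("Nothing was typed; try again.")
        else:
            print(f"Round(s) {mismatched_rounds(attempts)} differed from round 1; "
                  "try again.")


if __name__ == "__main__":
    candidate = getpass.getpass("Candidate passphrase (hidden): ")
    violations = policy_violations(candidate)
    for problem in violations:
        print("policy:", problem)
    if not violations:
        practice_interactively()
```

Nothing typed into the drill is written anywhere, which is the point of the exercise: the passphrase only ever lives in memory and in your fingers.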

Now you have a secure password. Provided you don't write it down or tell it to someone.

- Jon Thompson


