Dave McCourt thinks some thoughts...

Choosing a secure password strategy

Posted in: Articles

Passwords, passwords, passwords. Everything needs a password these days. Most of us can’t remember what we did yesterday, never mind remembering lots of complicated passwords for a variety of websites. Which is why a lot of people use the same simple password over and over again for everything. Unfortunately, this is a really, really bad idea, because if your details are stolen, your entire online life is at risk.

Hackers try to steal passwords from websites so they can use them to log in to other websites. For example, if they can steal millions of passwords, as they did from LinkedIn, there’s a chance that a few people use the same password for PayPal, Amazon or their bank.

Most websites encrypt passwords in their databases, which means they can’t be read or understood easily. For example, mypassword, when encrypted in a typical way, is converted to 34819d7beeabb9260a5c854bc85b3e44. It is possible to decrypt this to make it readable, but it is hard and time consuming to do. Hackers are lazy, so instead they look to steal password lists known as rainbow tables and use these. It’s quite easy for a hacker to try 1,000 password guesses a second on a website login system. If you have a common password that others may have, and this is in a rainbow table, you are at risk of being hacked or having your data stolen.

Many websites and security ‘experts’ advise using a combination of letters, numbers and symbols. We perceive complicated-looking passwords as, well, complicated and therefore harder. The fact of the matter is that $%*£@ means the same to a computer as 12345. Computers don’t find symbols more difficult, but humans do. There is a famous XKCD comic that ridicules this approach: we tend to make passwords easy for computers and hard for people, instead of the other way round.

So what is a good approach to choosing a password?

Passwords are only secure if they are long and unique. Length is the really, really important factor here. 10 characters is a good minimum to choose, but the longer the better. The downside to this is that it makes them hard for people to remember.

I find a good strategy is to think of a phrase that is easily memorised and to add a simple identifier for each website at the end (or the beginning if you prefer). This probably sounds more complicated than it is. For example:

in 1992 i went to reading

Can be reduced as follows:

i92iwtr

Then I can add an identifier for each site I use, for example Facebook:

i92iwtr-FACE

Or for Twitter:

i92iwtr-TWIT

In this approach I’ve used lowercase, numbers, symbols and uppercase characters, which ensures I satisfy most websites’ restrictions on creating a password.

It is surprising how easy it is to get into a rhythm of using this method. You are essentially remembering just one password with an easy suffix each time. Can’t remember the suffix you need to use? Just look at what site you’re accessing.

Out of the 70 or so passwords I have, I do have a few duplicates because some sites have the same starting letters. I’m not worried about this because, if I were ever hacked, only two sites at most would be compromised.

Is there a worry that, if the method were found out, all of the others would be found out too? In theory, yes, but the risk is very minimal because, as we discussed above, most hackers use rainbow tables to compare known passwords – they’re not interested in finding out how each individual thought of a password.

Also, once your password is encrypted and stored in a database, the result looks random and is hard to figure out. For example, the two passwords above look like this:

367f7038fc116dfc08b9a7e7cd800d89

f4fbbd29fcab4d46a381dda3ca9dc590

It’s clear that there is no causal relationship between them, and you wouldn’t know by looking at them that the two passwords share 66% of their characters.
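To put the method above into code (an added illustration, not the author’s own script): the abbreviation rule, the per-site suffix, the 66% overlap figure, and an unsalted MD5 of each result. MD5 is the scheme that reproduces the post’s digest for mypassword; it is assumed, not stated, for the two site passwords.

```python
import hashlib


def abbreviate(phrase: str) -> str:
    """Reduce a memorable phrase to its initials.

    Words contribute their first letter; an all-digit word (a year) keeps
    its last two digits, which is how the post turns 1992 into 92.
    """
    parts = []
    for word in phrase.split():
        parts.append(word[-2:] if word.isdigit() else word[0])
    return "".join(parts)


def site_password(base: str, site: str) -> str:
    """Append the post's per-site identifier: the first four letters of
    the site name in upper case, joined to the base with a hyphen."""
    return f"{base}-{site[:4].upper()}"


def shared_fraction(a: str, b: str) -> float:
    """Fraction of positions at which two strings hold the same character."""
    same = sum(1 for x, y in zip(a, b) if x == y)
    return same / max(len(a), len(b))


def md5_hex(text: str) -> str:
    """Unsalted MD5 hex digest (assumed to be the 'typical way' in the post)."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def differing_positions(digest_a: str, digest_b: str) -> int:
    """Count the hex positions at which two digests differ."""
    return sum(1 for x, y in zip(digest_a, digest_b) if x != y)


if __name__ == "__main__":
    base = abbreviate("in 1992 i went to reading")  # 'i92iwtr'
    fb = site_password(base, "Facebook")             # 'i92iwtr-FACE'
    tw = site_password(base, "Twitter")              # 'i92iwtr-TWIT'
    print(fb, tw, f"{shared_fraction(fb, tw):.0%} of characters shared")
    print(md5_hex(fb))
    print(md5_hex(tw))
    print(differing_positions(md5_hex(fb), md5_hex(tw)), "of 32 hex digits differ")
```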

Having a secure password is only part of the story: if your password isn’t encrypted and stored securely by the site you’re using, then you are definitely more exposed. If any site ever sends your password to you as-is via a password reminder email, then you should close your account straight away and ask for your data to be deleted. They clearly don’t know anything about security (Waterstones and Tescos, I’m thinking about you).