Keep Your Private Data Private – Good Password Practices Part 1

This is the second post in a series of posts on keeping your private data private.  The series was inspired by the Jennifer Lawrence (et al) nude photo scandal.  Then literally while I was writing this blog post, this happened.  I’m stlll not sure but what happened, but the short version is change your gmail password.

Password best practices boil down to three things: preventing hackers from guessing your password, preventing them from stealing it in plain text, and limiting the damage if they do either one.  This blog post is about protecting yourself from the first one of them.

Note: if at any point in this article, you find yourself saying “give me a break” or your eyes start rolling into the back of your head due to boredom, just skip to my next blog post where I talk about password managers.

Preventing hackers from guessing your password

Proper password systems do not store your password in plain text; they store it in encrypted format.  (Although this blog post says that half of internet sites do store them in plain text. There’s literally nothing you can do to protect against that.  No matter how good your password is; if they steal the password file and your password is in plain text — you’re toast.)  When you enter your password to login to something, they encrypt what you typed and compare the encrypted result to the stored encrypted result.  If they match, then you’re authenticated. This means that if a site is hacked and their password database is compromised, the hacker will not have direct access to your password.

They do have a couple of techniques they can use to guess your password, however.  The first is called a brute force attack against the website.  The only thing they need to do this is your user name, which they may have obtained via a variety of methods.  If they have that, they simply try to login to the system as your user name again and again, guessing at various passwords each time until they get it right.  A good website would have brute force detection and would notice this and shut down the account.  But that doesn’t stop hackers from trying this method.

If they are able to gain access to the actual password file/database, they can try a different brute force attack that would be undetectable and will always result in them guessing some password of some account, because there are always people who use really bad passwords. They can use software that uses the same one-way encryption system the website uses.  They can try millions of combinations of different passwords until they find one whose encrypted version matches your stored encrypted password, and voila!  

Like the website brute force method above, they usually start with words they store in a dictionary file, which include ridiculous passwords like Password and 12345 (which people still use, believe it or not), and include every common word in dictionaries in multiple languages.  They also know to append or prepend numbers around the word, such as Password1 or KittyCat57.  It takes them a few milliseconds to try everything from Kittycat1 to Kittycat99, experimenting with capitalizing each letter, etc.  They’ve got nothing but time and super powerful computers at their disposal.  They might not guess your account, but you can bet that they will guess a bunch of accounts.  (Which is why you should change your password as soon as you hear that a company you use has been compromised.)  And, yes, they know about all the variations of dictionary words as well. They know Password is also spelled Pa$$word, Passw0rd, P@ssword, etc.  So variations on dictionary words are also bad ideas for a password.

So the key here is to use a password that is hard to guess randomly.  Such a password is said to have good entropy.  This is a mathematical term that I won’t go into great detail here, but suffice it to say that having good entropy is a factor of two things: the number of characters you use (e.g. a 12-character password), and the number of different types of characters you use (e.g. Upper/lower case, numbers, special characters).  It’s a partnership.  Long passwords are key, but not if they’re composed of all 9s (e.g. 999999999999).  Having an upper and lower case letter, a number, and a special character is good, but 1a8# would be guessed in seconds.  If you want to learn more about entropy, here’s a great blog post. I will say that those who understand entropy seem to prefer longer passwords over more complex passwords, as you will see below.

It’s important to say that this means any of the following are out:

•    Any word in any dictionary in any language (including Klingon and LOTR Elvish.”You shall not password” is no good either.)

•    Variations on dictionary words (e.g. Pa$$word or $uperman)

•    Any phrase or number associated with you (e.g. your name, birthday, or address)  This matters more in an attack targeting you specifically.

•    Any string that is just numbers (e.g. 438939) unless it’s really long, like 40 characters

You need a long, seemingly random string of characters that is also easy to remember. If you have to look at the sticky on your monitor every time you enter it, you did it wrong.  They key is to get a really good password that is hard to guess randomly and then stick with it.  (No, I am not a fan of “change your password every month” policies. It would make much more sense for them to enforce entropy via software, and force you to make a good password and then let you keep it.)

One method is referred to in this xkcd comic and is commonly referred to as correct horse battery staple (see the comic for why).  The practice is to select four completely random words that have nothing to do with each other that you can make a story out of, and use the entire phrase as your password.  Again, the real key is to use words that have nothing to do with each other.  “Mommy of four babies” is bad, “Mommy Electric tomato coffee” is good.   Think of a story that helps you remember them in order and you’re all set.  Think of a mommy that likes electrically warmed tomatoes in her coffee.  Yuck. But you’ll never forget it.  The phrase I used above gets an entropy score of 131 and a score of Very Strong (perhaps overkill) at this password checker!  That’s what you’re looking for.  Some password systems will not allow you to use it because it’s too long, or that it doesn’t contain any capital characters, numbers or special characters.  Therefore, I’m not a big fan of this method by itself. But it definitely scores high in the entropy department because the phrases are so long.  (This is why I said entropy folks prefer longer, simple passwords over shorter, more complex passwords.)

Another method is to make up a much longer silly sentence or phrase and then make an acronym (technically an initialism) of that phrase, while turning some of the initials into numbers or special characters. The phrase should not be a common phrase like “I like walks in the park,” but “I like to pay $ for hash on Sundays” is good, and it becomes “1l2p$#oS”.  (The more random the phrase, the harder it will be to guess.  The less random the phrase, the easier it will be to remember. You need a balance.)  Now you have a nine-character password that contains upper and lower case letters, two numbers, and two special characters.  If you really have to early on, you could write down the sentence version of the password and refer to that, without writing the actual password down anywhere.  Then after you’ve committed it to muscle memory you can either discard or securely store that sentence.  This has been my personal favorite way to create passwords for years.  However, running the password above into the same password checker gives me an entropy score of only 36, saying it is a “reasonable” password, but that skilled hackers might be able to guess it. I had to add five more random characters before it would say that the password was strong.

So I’d say that combining correct horse battery staple with the initialism method would make a pretty strong, hard to guess password.  So “I like to pay $ for hash on Sundays” becomes “Stephen likes to pay $ for hash on Sundays,” which becomes  “Stephen12p$4#oS” or “Stephen12p$4#oSundays” if you want to go crazy.

Eyes rollling over yet? If so, go to my next blog post where I talk about password managers.

It should go without saying, but you should not use any of the passwords you read in this article, nor should you use any password that you run through a password checker. You never know who may be running that site; they could be using it to grab passwords.  Use those sites to enter examples of passwords like the password you will use, not the actual one you will use.)

----- Signature and Disclaimer -----

Written by W. Curtis Preston (@wcpreston). For those of you unfamiliar with my work, I've specialized in backup & recovery since 1993. I've written the O'Reilly books on backup and have worked with a number of native and commercial tools. I am now Chief Technical Evangelist at Druva, the leading provider of cloud-based data protection and data management tools for endpoints, infrastructure, and cloud applications. These posts reflect my own opinion and are not necessarily the opinion of my employer.