Saturday, May 26, 2018

Passwords, part one

Let's talk about passwords.
The Daily Mail recently ran an article on computer security. Lack of computer security changed the course of history via Wikileaks and the Clinton campaign's amateurish approach to security.

According to the Daily Mail, the five most common failings are:

Failure to enable two-factor authentication (2FA). Most major online services, from Amazon to Apple, today support 2FA.

Failure to encrypt your internet traffic. A virtual private network (VPN) service encrypts digital communications, making it hard for hackers to intercept them.

Failure to tighten up your password security. This is easier than it sounds, and the danger is real: Hackers often steal a login and password from one site and try to use it on others.

Failure to monitor your devices' behind-the-scenes activities. Many computer programs and mobile apps keep running even when they are not actively in use.

Opening hyperlinks or attachments in suspicious emails.

So, what is a "strong" password...a really strong one?

It is long. The majority (about two-thirds) of passwords are at the minimum length; another 20% are only one character longer.

Assuming 26 commonly used characters (lower-case letters), an eight-character password allows about 2e11 combinations. Adding two more characters increases the number of combinations that must be tried by a factor of 676. Adding three more characters increases it by a factor of 17,576. That is, a computer program will take 17 thousand times longer to exhaust the possibilities.

Avoid vowels
There are five vowels and twenty-one consonants. People typically choose words or names, so vowels will be grossly over-represented. Take those phrases, names or addresses and remove the vowels. The result is just as memorable and tougher to break.

Capital letters
Use some capital letters but don't use them in the lead position.

Most people are conditioned to use a capital letter to start a sentence or a proper noun. Programmers trying to break passwords know this. Use at least three capital letters and make none of them the first character.

Using the lead character as a capital letter only increases the number of tries from 2.0e11 to 2.2e11, hardly worth the effort. "Sprinkling" several capital letters through the password increases an eight-character password from 2.2e11 to 5.3e13, a 256-fold increase.

Use some numbers. Avoid strings of four sequential digits or strings of two, because many people use dates (e.g., "I was married in '87" or "in 1987"). Use at least two numbers and sprinkle them through the password.

A mix of lower case, upper case and numbers yields an eight-character "strength" of 2.2e14, slightly stronger than a 10-character password.

Special characters
The most commonly used "special" characters are used almost as much as a typical consonant. Hardly a bulletproof security measure. Avoid "!", ".", "@", "#", "-", "$", "*" and "+". What is left?

" % & ' ( ) , / : ; < > [ \ ] ^ ` { | } ~

I took the liberty of graying out the other special characters, the ones that sit above the numbers on the keyboard and are thus most likely to be high runners.

According to this article, most passwords use only a single special character. Those that use two typically use the same character twice, back-to-back. Use at least two different special characters and separate them.

So, how much does it help to use special characters?

If you use at least two more characters than the minimum, at least three upper-case letters sprinkled through the password, three numbers, and two "low-runner" special characters, it will take a hacker a minimum of 94 million times longer to break your password. The thing is that hackers use smart programs that concentrate their search on the patterns most people use, patterns that you will now avoid. Your password will be lurking in the last corner they look.
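To put numbers on these rules, here is an added Python example (mine, not the post's) that computes the search-space figures the post compares and checks a password against the post's structural rules. The low-runner set, the sample passwords and the reading of the digit rule as "no runs of two or four digits" are my assumptions.

```python
import math
import re
import string

# Added example, not from the post. The "high-runner" specials are the ones
# the post says to avoid; every other ASCII punctuation character is treated
# here as "low-runner" (this adds =, ? and _ to the post's list).
HIGH_RUNNER = set('!.@#-$*+')
LOW_RUNNER = set(string.punctuation) - HIGH_RUNNER

def keyspace_bits(alphabet_size: int, length: int) -> float:
    """log2 of the number of passwords of this length over this alphabet."""
    return length * math.log2(alphabet_size)

def keyspace_ratio(a1: int, n1: int, a2: int, n2: int) -> float:
    """How many times larger the (a1, n1) keyspace is than the (a2, n2) one."""
    return 2 ** (keyspace_bits(a1, n1) - keyspace_bits(a2, n2))

def rule_findings(password: str, minimum_length: int = 8) -> list:
    """Rules from the post that `password` breaks (empty list = compliant).
    One reading of the post: two characters over the minimum, three capitals
    none of them first, two or more digits with no runs of two or four, and
    two different low-runner specials that are not adjacent."""
    findings = []
    if len(password) < minimum_length + 2:
        findings.append("shorter than minimum length + 2")
    if sum(c.isupper() for c in password) < 3:
        findings.append("fewer than three capital letters")
    if password[:1].isupper():
        findings.append("first character is a capital")
    if sum(c.isdigit() for c in password) < 2:
        findings.append("fewer than two digits")
    if any(len(run) in (2, 4) for run in re.findall(r"\d+", password)):
        findings.append("digit run of two or four (looks like a date)")
    if any(c in HIGH_RUNNER for c in password):
        findings.append("uses a high-runner special character")
    specials = [i for i, c in enumerate(password) if c in LOW_RUNNER]
    if len({password[i] for i in specials}) < 2:
        findings.append("fewer than two different low-runner specials")
    if any(b - a == 1 for a, b in zip(specials, specials[1:])):
        findings.append("low-runner specials are adjacent")
    return findings

if __name__ == "__main__":
    # The post's comparisons: 26^8 vs 26^10 vs 26^11, 52^8 vs 26^8, 62^8 vs 26^10.
    print(f"26^8 = 2^{keyspace_bits(26, 8):.1f}; +2 chars x{keyspace_ratio(26, 10, 26, 8):.0f}; "
          f"+3 chars x{keyspace_ratio(26, 11, 26, 8):.0f}; caps x{keyspace_ratio(52, 8, 26, 8):.0f}; "
          f"62^8 vs 26^10 x{keyspace_ratio(62, 8, 26, 10):.2f}")
    for pw in ("Password1!", "mtSxLQz7%4k;9"):  # constructed samples, not real credentials
        print(pw, rule_findings(pw) or "meets every rule")
```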

As a final note, use different passwords for different sites. Yes, I know it is a pain in the butt. All of your effort can fail if a hacker drills into an unsecured site and steals your one, perfect, universal password.

Write them on a 3X5 card and lock it in your safe or put it in your Bible next to your favorite verse.

  1. Using a secured password application like Lastpass or Keepass can make using strong passwords much more convenient.

  2. Military trained... I also change my passwords every 90 days... sigh

  3. Another easy-to-use special character that is not listed is _, an underscore. Some people use foreign currency symbols, like those for the Pound, Euro, and Yen. The drawback with them is that they are not available on all devices or as easily.


Readers who are willing to comment make this a better blog. Civil dialog is a valuable thing.