Guess This Password: I Dare You....

When's the last time you forgot a password? How about the last time you almost remembered a password but forgot some small piece of it? You knew basically what it was, but you'd made it so complex, possibly because of the rules being enforced, that you almost wrote it down, didn't, and now wish you had?

[XKCD strip: Password Strength]

Highly secure passwords shouldn't be this hard. It is possible to create hacker-resistant passwords that are easy to remember. But I still wouldn't change them on a Friday....

Let's get started.

How-To

As in the XKCD strip above, we can string unrelated but memorable words together and create a mental picture. We can also take a lengthy phrase and extract the initial letter of each word to produce a password: "When in the course of human events it becomes necessary" becomes "witcoheibn". In either case, the likelihood of a human just randomly guessing the password is pretty slim. Two cautions: pick the words at random rather than ones you naturally associate with each other (your pet, your team, your street), and pick a phrase that isn't a famous quote, because well-known quotes and their initials end up in the word lists crackers feed to their tools.

Toss in some uppercase letters or digits if required by the sites involved or by the security tier you're creating this password for.
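To make the two schemes concrete, here is an added example in Python (mine, not code from the original post) that picks an XKCD-style passphrase from a word list with a cryptographic random number generator, extracts the initialism of a long phrase, and estimates how many bits of guessing an attacker faces if they know the scheme and the word list. The word list is a constructed stand-in for a real one of a few thousand words, and the guess rate is an assumption.

```python
import math
import re
import secrets

# Constructed word list for this example (an assumption, not the page's data).
# A real generator would draw from a list of a few thousand common words,
# such as a diceware list; 2048 words give 11 bits per word.
WORDS = [
    "correct", "horse", "battery", "staple", "princess", "frog", "breath",
    "lantern", "river", "pencil", "orbit", "velvet", "cactus", "anchor",
    "pepper", "marble",
]


def random_passphrase_words(n_words=4, wordlist=WORDS):
    """Pick n unrelated words with a cryptographically secure RNG.

    Choosing words yourself tends to produce related words (your pet, your
    team); secrets.choice gives every word an equal chance, which is what
    the entropy estimate in passphrase_bits assumes.
    """
    return [secrets.choice(wordlist) for _ in range(n_words)]


def join_passphrase(words, capitalize=True):
    """Concatenate the words. Capitalising each one marks the word
    boundaries for memory and satisfies 'at least one uppercase' rules."""
    return "".join(w.capitalize() if capitalize else w for w in words)


def initialism(phrase):
    """First letter of each word of a long phrase, e.g.
    'When in the course of human events it becomes necessary' -> 'witcoheibn'."""
    return "".join(w[0].lower() for w in re.findall(r"[A-Za-z]+", phrase))


def passphrase_bits(n_words, wordlist_size):
    """Entropy in bits when the attacker knows the scheme and the word list:
    every one of wordlist_size ** n_words combinations is equally likely."""
    return n_words * math.log2(wordlist_size)


def seconds_to_exhaust(bits, guesses_per_second):
    """Worst-case time for an attacker to try the whole space."""
    return 2 ** bits / guesses_per_second


if __name__ == "__main__":
    words = random_passphrase_words()
    print(join_passphrase(words))
    print(initialism("When in the course of human events it becomes necessary"))
    # Four words from a 2048-word list is 44 bits, the figure the XKCD strip uses.
    bits = passphrase_bits(4, 2048)
    years = seconds_to_exhaust(bits, 1000) / 31_557_600  # assumed 1000 guesses/s
    print(f"{bits:.0f} bits, about {years:.0f} years at 1000 guesses per second")
```

The entropy figure only holds if the words really were chosen at random from the list; a hand-picked set of words you associate with each other is worth far fewer bits than the arithmetic suggests.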

Why do these passwords work, though? Why is this better than just using my birthday, or my pet's name or my favorite sports team?

That comes down to the ability of a computer to make a lot of guesses extremely quickly.

A Little Theory

Hackers generally get hold of files of passwords in hashed form, which means they can't actually see what your password is. They can only see some jumble of characters, the hash, that your password was turned into.

Think of the hashing process as a one-way machine that you can feed a password into, and out the other side comes some altered text. Whenever you feed the same thing in, you get the same thing out. But at no time can you take the thing you got out and feed it back through to get the thing you started with. It doesn't work that way. That is what separates a hash from encryption: encryption is designed to be reversed by whoever holds the key, and a password hash is designed never to be reversed at all.

So there's no way to take your hashed password, feed it back through the hash function, and get back the string of characters you typed to produce it. The only route back is to guess.

Got it?

Good.

Move Along, Not Worth The Effort

So all the hacker has to work with is the hash, the cryptographer's term for the scrambled output (you'll sometimes see it loosely called ciphertext, but that term properly belongs to encryption). The thing you type is called the plaintext. Don't worry, there won't be a test.

They also have access to the hash function, since every site uses one of a handful of published algorithms. So what they do is take a dictionary and start feeding words through it, using a computer program, to see what hash results from each word they feed in. The program compares these hashes against the entries in the password file, looking for matches. If it finds one, they know what plaintext created that hash, and voila! They know your password. After checking just the words, they'll start wrapping them in numbers and symbols using common patterns (Password1, dragon!, princess2014). Two properties of the site's hashing decide how cheap this is: if each password is hashed together with its own random salt, one guess can no longer be checked against every user at once, and if the site uses a deliberately slow hash such as bcrypt, scrypt or Argon2 rather than a fast one such as MD5 or SHA-1, each guess costs the attacker far more time.

So if your password is a dictionary word, or is closely related to a dictionary word, they'll find it pretty quickly.

If they don't come up with a match for you, they have to do what's called a brute force search. They now have to build up plaintext strings one by one and push them through the hash function hoping for a match. They'll start with "a", proceed to "b", and then to "c" and so on, adding characters as needed until they find a match or get tired and quit. Each extra character multiplies the number of strings to try by the size of the alphabet, so length does far more for you than one extra symbol does: 26 lowercase letters give about 309 million six-character strings, while a 21-letter passphrase sits in a space no hardware will exhaust. And that is the goal of our passwords above: to make them resistant to dictionary searches and so lengthy that they also resist brute force searches, so that the hackers give up and move on.
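Here are the dictionary attack and the brute force search described above run end to end, as an added example in Python that is not from the original post. It assumes an unsalted SHA-256 password file (the weak configuration that makes the attack cheap), a constructed six-word dictionary and a constructed set of four stolen hashes: "alice" uses a bare dictionary word, "bob" a dictionary word wrapped with a digit, "carol" the PrincessBadFrogBreath passphrase, and "dave" a three-letter password for the brute force search.

```python
import hashlib
import itertools


def h(plaintext):
    """One-way function standing in for the site's password hash.

    Unsalted SHA-256 is an assumption for this example; it is fast and lets
    one guess be checked against every stored hash at once, which is exactly
    what makes the attack cheap. Real sites should use a salted, slow hash
    (bcrypt, scrypt or Argon2).
    """
    return hashlib.sha256(plaintext.encode()).hexdigest()


# Constructed "stolen password file": username -> hash.
STOLEN = {
    "alice": h("dragon"),
    "bob": h("Princess7"),
    "carol": h("PrincessBadFrogBreath"),
    "dave": h("abc"),
}

# Constructed dictionary; a real one holds millions of words and leaked passwords.
DICTIONARY = ["password", "dragon", "princess", "frog", "breath", "football"]


def mangle(word):
    """The bare word, then the common wrapping patterns: capitalised,
    trailing '!', trailing digits 0-99."""
    for base in (word, word.capitalize()):
        yield base
        yield base + "!"
        for n in range(100):
            yield f"{base}{n}"


def dictionary_attack(stolen, dictionary):
    """Hash each candidate once and look it up against every stored hash.

    Returns {username: recovered plaintext}. This single-lookup trick only
    works because the file is unsalted; with per-user salts each user's hash
    would have to be attacked separately.
    """
    by_hash = {digest: user for user, digest in stolen.items()}
    cracked = {}
    for word in dictionary:
        for candidate in mangle(word):
            user = by_hash.get(h(candidate))
            if user is not None:
                cracked[user] = candidate
    return cracked


def brute_force(target, alphabet="abcdefghijklmnopqrstuvwxyz", max_len=4):
    """Try 'a', 'b', ..., 'z', 'aa', 'ab', ... in order until a hash matches.

    Returns (plaintext, guesses made), or (None, guesses made) once every
    string up to max_len has been tried.
    """
    guesses = 0
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            guesses += 1
            candidate = "".join(chars)
            if h(candidate) == target:
                return candidate, guesses
    return None, guesses


def years_to_exhaust(alphabet_size, length, guesses_per_second):
    """Worst-case time to try every string of exactly this length."""
    return alphabet_size ** length / guesses_per_second / 31_557_600


if __name__ == "__main__":
    # alice and bob fall to the dictionary; carol's passphrase survives even
    # though every word in it is in the dictionary, because no mangling rule
    # joins four words together.
    print(dictionary_attack(STOLEN, DICTIONARY))
    print(brute_force(STOLEN["dave"]))  # a three-letter password falls in 731 guesses
    # 21 mixed-case letters at an assumed ten billion guesses per second.
    print(f"{years_to_exhaust(52, 21, 1e10):.3g} years")
```

The brute force search runs only for "dave": run it against "carol" with a realistic max_len and it never finishes, which is the point of the passphrase.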

Hackers aren't going away. Like protecting your home from burglars, all you can do is provide enough security around your digital life to deter them and encourage them to go look for an easier target elsewhere.

"PrincessBadFrogBreath" or the lyrics to your favorite song. Take your pick; either is likely a security upgrade.

Does this approach look like something you could implement today and make your passwords more secure?

Thanks to XKCD for the strip above -- if you don't read XKCD, give it a look today.