What makes a secure password?


What is the recommended format for a password?

I have just signed up for a council account and was greeted with this message while trying to update the password.

‘Password must consist of letters and numbers only, contain at least one number and must be at least six characters in length. The password is case sensitive’.

No special characters, no recommendation of upper and lower case.


A “secure” password is one that:

– Only you know
– Is unlikely to be guessed
– Is unlikely to be brute forced
– Is only utilised on one single system/service

With that said there should be no requirement to delve into the stupidity of disclosing such to third parties, random or otherwise. This should be self-explanatory as to why it’s a bad idea. There’s no point having a password if other people know what it is. Or if it’s written on a post-it note stuck on the monitor.

Making a password difficult to guess is reasonably simple – don’t use anything from your life – i.e. birthdays, names, locations, something you can see whilst typing the password, etc. – as the password, or anything somehow related. This will make it difficult both for people who know you to guess, and for people who’ve followed the fifty-mile-wide digital trail you’ve most likely left, littered with personal data ready to be assembled and entered into tools like the Social Engineering Toolkit.

For unlikely to be brute forced, we must approach the subject of complexity. A more complex password doesn’t automagically lead to more entropy, and will just likely result in something difficult to remember. I typically refer to the XKCD method at this point: https://www.xkcd.com/936/

A “better” solution is to deploy a password manager. Then you only need to worry about one (preferably insanely complex) password to remember and the database can worry about the secure storage/recall of all the others. Passwords like: +VMzPSq3vYjA4npd/iyGtQ/L+DDSpZYIwIcSJUmnL don’t fall over on being difficult to recall as you’ve no requirement to. The database holds it. It’s worth pointing out that some poorly constructed webforms can fall over with more complex passwords. Some don’t pass the special symbols (symbol/system dependent) over and try to utilise them – resulting in unexpected behaviour, the least destructive being setting a password you’re not expecting. Some won’t allow you to set a secure password, limiting you to, say, 18 chars. Some will accept an 80-char password, but only store the first 35 chars – with no warning.

I’m about as foilhat as they come; I’ll trust only that which has proven trustworthy. I put my faith in KeePass. Mostly because it’s open source. It’s easy to use, should be available for most platforms, can generate secure passwords and even enter them into forms for you. Should you copy a password into the paste buffer, then 15 seconds later (adjustable) it’ll erase the content (so software can’t pull it out of the buffer; clipboard exposure is something oft overlooked).

The bare minimum you should look for with a password manager is being able to securely retain the data. Using outdated, known-flawed crypto methods won’t provide any measure of protection. This is where open source is important. Even if you don’t code, others do and will poke through it because they are bored. Things like weak crypto and backdoors tend to get shouted about loudly. If it doesn’t get fixed – it’s open source. Someone will fork it, call it something else, then fix it.

By “securely retain” I also mean it won’t put other copies into other locations you are not in direct and sole control of, i.e. “cloud backup”. To attack the p/w requires access to the DB. Even if the crypto is good, you’ve just put a copy somewhere where potentially tens of thousands of machines can all take a swing at it, at the same time. Distributed brute force. I don’t have any evidence that much of this goes on, but the potential is enough for me. Don’t allow it the chance. You can’t get burned. Assume you have a p/w that will take 12,000,000 yrs to get near, at 1000 guesses a second; then 10,000 machines doing 10,000 guesses per second (each machine trying something different to the others) will get there in less time than you’d think. Granted, clustering up 10,000 machines isn’t in the scope of most “home” users, but smaller clusters are definitely “economically feasible”. Considering the scope of “modern hardware” – esp. bringing in the thousands of GPU cores commonly available for pre-hash-calc – then 10,000/second is a pretty low number. Even for “home users”. You don’t even need to be near a mid-range “gaming rig” to pull off greater numbers. Also, with access, they can take all the time they need. And honestly, the “home” type of user shouldn’t be much of a concern anyway.

Password recycling – i.e. using the same password in more than one system/service – is something that’s as disturbingly common as using passwords like “password” – and just as secure (lol, Hacking Team). Through password recycling, getting one password gives access to multiple systems. In some cases, all of them.

  • coyote
    An excellent answer. I especially like you mentioning clipboard contents because that is indeed something that is mostly ignored; I would argue that most people aren’t even aware of it (it just works by magic). That you mention complexity and password managers is also great. I would add you might want to mention no dictionary words. You might also mention passphrases and in particular the fact they aren’t the same. Of course there is an exception with words but it’s in particular Diceware (although I don’t know of any studies offhand, I dimly recall it being sound). You’re absolutely right on the GPUs, and even in the past decades the passwords could be found by a dictionary attack (including incremental attacking) – with hardware that us old timers would find incredibly slow but still enjoy the nostalgia. Besides maybe these thoughts (those that are particularly relevant) this answer of yours can’t be much improved; you covered so much (maybe even to the extent of overwhelming the OP, but it is a question which requires a complex answer, at least if you want to truly answer it).
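As an added worked example (not from the original answer or the council site in the question), the arithmetic behind the answer above: keyspace and entropy for the council’s minimum policy (letters and digits, six chars) versus word-list passphrases and a manager-generated password, timed at the answer’s two guess rates, plus how the “12,000,000 yrs at 1000 guesses/s” figure rescales to the 10,000 × 10,000 guesses/s cluster. The word-list sizes (2048 for xkcd 936, 7776 for Diceware) and the 64-symbol generator alphabet are assumptions.

```python
import math

# Guess rates quoted in the answer above: one attacker at 1000 guesses/s versus
# 10,000 machines each doing 10,000 guesses/s against a copied database.
SINGLE_RATE = 1_000
CLUSTER_RATE = 10_000 * 10_000
SECONDS_PER_YEAR = 365.25 * 24 * 3600

def search_space(symbols: int, length: int) -> int:
    """Candidates when each of `length` positions is drawn from `symbols` choices."""
    return symbols ** length

def entropy_bits(space: int) -> float:
    """Entropy in bits of a secret chosen uniformly from `space` candidates."""
    return math.log2(space)

def years_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case years to try every candidate at a fixed guess rate."""
    return space / guesses_per_second / SECONDS_PER_YEAR

def rescaled_years(years: float, old_rate: float, new_rate: float) -> float:
    """Re-express a 'years at old_rate' figure at a faster or slower rate."""
    return years * old_rate / new_rate

# Constructed comparison set (assumed list and alphabet sizes, see lead-in).
POLICIES = {
    # council form: letters and digits only, six chars minimum -> 62 symbols
    "council minimum, 6 alnum": search_space(26 + 26 + 10, 6),
    # four words from a 2048-word list, as in xkcd 936 (11 bits per word)
    "xkcd 4-word passphrase": search_space(2048, 4),
    # six Diceware words (7776-word list)
    "diceware 6 words": search_space(7776, 6),
    # 41 chars from a 64-symbol alphabet, like the manager password quoted
    "manager 41-char random": search_space(64, 41),
}

def report(policies=POLICIES):
    """(name, bits, years at 1000/s, years at cluster rate) for each policy."""
    return [(name, entropy_bits(space),
             years_to_exhaust(space, SINGLE_RATE),
             years_to_exhaust(space, CLUSTER_RATE))
            for name, space in policies.items()]

if __name__ == "__main__":
    for name, bits, solo, cluster in report():
        print(f"{name:26s} {bits:6.1f} bits {solo:10.3g} yr @1k/s {cluster:10.3g} yr @cluster")
    print("12,000,000 yr @1k/s ->", rescaled_years(12_000_000, SINGLE_RATE, CLUSTER_RATE), "yr @cluster")
```

The council minimum (about 36 bits) is exhausted by the cluster in minutes, while the 12,000,000-year figure shrinks to 120 years at the cluster rate, which is the answer’s point about copies of the database being the real exposure.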

Use at least 2 upper-case letters, 2 lower-case letters, 2 numbers, and 2 special characters (except the common ones such as “!@#$”).
Never use whole words. Make the password as random as possible.
Avoid using personal information as part of your password.
The key to strong password construction comes down to a combination of length, complexity, and randomness. If you follow these basic principles, then it may be a very long time before the bad guys crack your password.

To save time coming up with a strong password, you can search for a strong password generator on Google to create a random and strong password for you; here is one recommended:

To learn more about password security, there is a helpful infographic for you:
