Answer: You can't.

(Images: Tips for Creating a Strong Password; Things to Avoid when Creating a Password)

We all know not to use names, birthdays, anniversaries or something associated with our favourite sports team in a password. We also know not to use a common base word such as Password, but we still do, because of the strict requirements that are often imposed on us. Workplaces or websites that ask you to create a minimum eight character password with “at least one uppercase character, one lowercase character, and one digit” make it harder, not easier, to remember passwords.

Hard-to-remember passwords are no use, or they make us lazy. Our once-complex passwords quickly become Password1, Password2, Password3 and so on. Or, having created a complex password that is hard to remember, we write it down and lose it, or reuse it for multiple logins.

Those of us with password vaults need the best password of all to secure that data. Of course vaults have many layers of encryption in place, but they can still get hacked. Remember, there is no such thing as an unbreakable password and cracking tools are becoming more powerful every year. 

HOW ARE PASSWORDS CRACKED?

There are many cracking tools available; the most popular include Cain and Abel, John the Ripper and Hashcat. Most of these packages use a mixture of cracking strategies, but the most common are brute force and dictionary attacks. Other methods include pattern checking, cryptanalysis and word list substitution, and these are usually attempted before brute force.

Brute force refers to the use of algorithms to try every possible combination until the right one is found. As the password length increases, the time needed to find the correct password increases with it, minimising the chance that it will be cracked.

A dictionary attack is based on trying all strings in a pre-arranged listing, typically derived from a list of words such as in a dictionary. Dictionary attacks succeed because people have a tendency to choose short passwords that are ordinary words or common passwords like Welcome123.

Lists of common passwords are widely available and can make password attacks very efficient. 
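The dictionary and rule attacks above start from a base word and bolt on the suffixes and character swaps people habitually use, so a defender can run the same normalisation in reverse to reject weak choices before they are accepted. The following is an added example, not part of the original article or any of the tools it names; the common-word list is a constructed five-entry sample (real lists run to millions of entries) and the substitution table is an assumption about which swaps a cracker's rules undo.

```python
import re

# Constructed sample of a "common password" base-word list; a real one is far larger.
COMMON_BASE_WORDS = {"password", "welcome", "letmein", "qwerty", "admin"}

# Assumed "leet" substitutions that cracking rules routinely undo.
LEET_MAP = str.maketrans({
    "@": "a", "4": "a", "0": "o", "3": "e", "$": "s",
    "5": "s", "1": "i", "!": "i", "7": "t",
})


def normalise(password: str) -> str:
    """Reduce a password to the base word a dictionary/rule attack would start from."""
    # Drop trailing digits and punctuation (Password1, Welcome123, Password2024!)
    core = re.sub(r"[\d\W_]+$", "", password)
    # Drop leading digits and punctuation (!!Password)
    core = re.sub(r"^[\d\W_]+", "", core)
    return core.lower().translate(LEET_MAP)


def weak_base_word(password: str, common_words=COMMON_BASE_WORDS):
    """Return the common base word the password reduces to, or None if it reduces to none of them."""
    base = normalise(password)
    return base if base in common_words else None


if __name__ == "__main__":
    for candidate in ("Password1", "Welcome123", "P@ssw0rd!", "Calf Delhi booth holly 76th"):
        verdict = weak_base_word(candidate)
        print(f"{candidate!r:32} -> {'weak, base word ' + verdict if verdict else 'not in common list'}")
```

A password that survives this check is not thereby strong; the check only removes the candidates a dictionary attack would find first, which is exactly why the article recommends random selection rather than a clever scheme.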

HOW DO I CREATE A STRONG PASSWORD?

As mentioned, no password is unbreakable, but we must do everything we can to thwart the crackers. The key to password security is randomness. By randomness we mean methods which have been tested and determined to be truly random, such as rolling a die or tossing a coin. Note that a computer-generated coin toss or dice roll is not truly random unless we know how its input data was obtained.

Unfortunately, humans are predictable. If a password requires both upper and lower case letters, the upper case letters almost always appear at the beginning or end of the word, and special characters usually at the end. ‘Randomly’ selected words are biased by personal preferences or regional differences in word choices. This is understandable as people strive to find a password that is easy to remember, but hard to crack.

Because of our predictable natures, the schemes we come up with to create passwords are coded into password cracking tools. A good password is limited not only by what a human can remember, but by what a human can create, and that predictability is exactly what cracking tools exploit.

IF HUMANS AREN'T RANDOM, HOW CAN I CREATE A TRULY RANDOM PASSWORD?

The best method for creating a truly random password is the Diceware solution. Diceware was created in 1995 by Arnold Reinhold to help people create strong passphrases for the popular encryption program PGP. Reinhold created a list of 7776 short words or sequences which are chosen at random by rolling dice. Five dice are rolled, then the corresponding word is found on the Diceware list, e.g. 15643 = Calf. This is repeated a number of times to create a passphrase. We rolled:

15643 = Calf

22545 = Delhi

14563 = booth

33216 = holly

66545 = 76th

And created the five word passphrase Calf Delhi booth holly 76th, remembered with the mnemonic I bought a calf in a Delhi booth with Holly in ‘76. Intentionally use the passphrase many times in the first fortnight to memorise it.

Using Diceware, a passphrase rather than a password is selected. Each word adds 12.9 bits of entropy to the passphrase, entropy being the measure of the randomness of a system. Entropy is expressed in bits and depends on the method used to randomly select your passphrase. The more bits of entropy a password has, the harder it is to crack.

It's true that password crackers know about Diceware, but the security comes from the genuine randomness of manually rolling the dice. There are 7776 words in the Diceware list, creating a huge number of possible combinations. The Diceware method is deemed secure even if an attacker knows that you used Diceware to pick your passphrase, knows how many words are in your passphrase and knows the word list you used. The more Diceware words randomly selected and used in your passphrase, the more secure it is.

HOW LONG WOULD IT TAKE TO CRACK A DICEWARE PASSPHRASE?

> A six word passphrase may be breakable by an organisation with a very large budget like a country’s security agency;

> Seven word passphrases are currently unbreakable with any known technology and should be quite secure until 2030;

> Eight word passphrases will remain completely secure until at least 2050.

Using a 5 word Diceware passphrase alone you will get 64 bits of entropy. If you add in something from your own scheme such as iH2D (I have two dogs) so your password now looks like Calf iH2D Delhi booth Holly 76th, you have added 10 bits of entropy. 74 bits of entropy would take about 500 million years to crack at one million guesses per second, using current technology.
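The roll-to-word lookup, the 12.9 bits per word and the time-to-crack figure above all follow from one fact: a five-dice roll is a base-6 number with 6^5 = 7776 possible values. The script below is an added example, not part of the article or of Reinhold's Diceware materials; it uses a constructed five-entry word list containing only the rolls the article shows (the real list has 7776 entries), and the one-million-guesses-per-second rate is the article's own figure. It also carries the entropy calculation through for any list size and any number of words, not only the five-word case in the text.

```python
import math

DICEWARE_LIST_SIZE = 6 ** 5  # 7776 entries, one per five-dice roll


def roll_to_index(roll: str) -> int:
    """Convert a five-dice roll such as '15643' into its 0-based position in the list.

    The list is ordered by roll, so 11111 -> 0 and 66666 -> 7775.
    """
    if len(roll) != 5 or any(c not in "123456" for c in roll):
        raise ValueError(f"not a five-dice roll: {roll!r}")
    index = 0
    for c in roll:
        index = index * 6 + (int(c) - 1)
    return index


# Constructed lookup with only the five rolls from the article (assumed mapping for this example).
SAMPLE_WORDLIST = {
    "15643": "Calf", "22545": "Delhi", "14563": "booth", "33216": "holly", "66545": "76th",
}


def build_passphrase(rolls, wordlist=SAMPLE_WORDLIST) -> str:
    """Look each validated roll up in the word list and join the words with spaces."""
    for roll in rolls:
        roll_to_index(roll)  # raises on a malformed roll
    return " ".join(wordlist[roll] for roll in rolls)


def bits_per_word(list_size: int = DICEWARE_LIST_SIZE) -> float:
    """Entropy of one uniformly chosen word: log2 of the list size (about 12.9 for 7776)."""
    return math.log2(list_size)


def passphrase_entropy(n_words: int, extra_bits: float = 0.0,
                       list_size: int = DICEWARE_LIST_SIZE) -> float:
    """Total entropy of n random words plus any bits credited to an added personal element."""
    return n_words * bits_per_word(list_size) + extra_bits


def years_to_exhaust(bits: float, guesses_per_second: float = 1e6) -> float:
    """Years needed to try every one of the 2**bits possibilities at the given rate.

    The average search finishes after half that time.
    """
    seconds = 2.0 ** bits / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    rolls = ["15643", "22545", "14563", "33216", "66545"]
    print("passphrase:", build_passphrase(rolls))
    print(f"bits per word: {bits_per_word():.1f}")
    for words in (5, 6, 7, 8):
        print(f"{words} words: {passphrase_entropy(words):.1f} bits, "
              f"{years_to_exhaust(passphrase_entropy(words)):.3g} years to exhaust")
    print(f"74 bits: {years_to_exhaust(74):.3g} years to exhaust at 1e6 guesses/s")
```

Each extra word multiplies the search space by 7776, which is why the FAQ lines above move from "breakable with a very large budget" to "unbreakable with any known technology" in a single step; note also that the guess rate is the variable an attacker controls, so a fast unsalted hash raises it by many orders of magnitude over the one-million-per-second figure used here.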

This cartoon by XKCD is a brilliant explanation of password strength:

(Image: XKCD "Password Strength" cartoon)

You can view the entire Diceware list here and the Diceware FAQ here.

IS THERE A WAY TO CREATE A STRONG PASSWORD WITHOUT USING DICEWARE?

There are other ways of choosing a more secure password. By combining a few of the elements from the images above, Tips for Creating a Strong Password and Things to Avoid when Creating a Password, you can still create a strong password that is easy to remember. Here's an example:

Current password: Charlotte1995Italy (daughter's name / birth date / favourite holiday)

Use spaces: Charlotte 1995 Italy

Lie: Brian 1995 Italy

Lie more: Brian 1805 Mars

Use longer phrases: Brian 1805 Mars and Russia

Charlotte1995Italy has turned into Brian 1805 Mars and Russia, which should be easy for you to remember but difficult to crack.

WHAT CAN A BUSINESS DO TO MAKE SURE STAFF HAVE STRONG PASSWORDS?

Password security is paramount in today's landscape, where cybercrime is on the rise. If only one password in your organisation is breached, the attacker could have your entire network at their disposal. Businesses should be vigilant about password security, and education should be a priority. You can book a Password Audit with our security team or call us on 1300 865 865.
