21st Century Passwords

Almost all computer security instructions, whether it is a help page on Facebook, corporate regulations or part of the “… for dummies” series, urge us to use strong passwords at all times. As time passes this advice has become standard, even though the whole notion of a “good” password has steadily changed. It’s no longer worth referring back to the advice of the ‘90s when coming up with a password – so let’s think again about how to create strong and reliable passwords!

passwords_title

Why do we need this nonsense?

Passwords combining letters, figures and special characters first began to be used to protect computer accounts or local documents and archives. Even when encrypted, these could still be physically accessed by a perpetrator, prompting the risk that someone could merely keep entering passwords until the correct “key” was found. This method, called bruteforcing, was highly efficient with short passwords. The more diverse and longer the password is, the more time it takes to perform the exhaustive search. Passwords of 4-5 characters give way to a perpetrator in a few seconds, though each new character increases the time needed tenfold. The same applies to a combination of letters, symbols and numbers – including these characters greatly reduces the chance of bruteforcing a password.

Of course, there’s a catch – if a password appears to be simply a word, even a long and exotic one, it is easy to find. Just try every word in the dictionary – there are not that many words in the world. An extra figure in the password significantly increases the complexity. That is why experts have recommended using the combinations of letters, figures and other characters – yet, in addition to being harder to guess, it’s also harder to keep in mind.

If a password appears to be simply a word, even a long and exotic one, it is easy to find.

Today the situation is mixed: many online services block any possibility of bruteforce, though there are some cases when it is still possible. Moreover, botnets of infected computers give hackers significant computing power, which can be used to crack passwords faster.

The realities of the new age

Today almost everybody uses dozens of web services and each service demands a password. Simply sticking to a single password is risky, since compromising the password for one site could open the door to your entire online life. However, only very talented people can recall a unique combination like Xp89$ABG-faw?6 for every site they visit. How can we choose a password that is both secure and convenient.

The perfect password recipe

The most important rule for today’s passwords is that it must be long. You can add some characters, though you need not make it gibberish. Use a clear phrase that is easy for you to remember and make a few changes to thwart a simple dictionary attack. ThereIsNothingEitherGood0Bad – is recognizable, isn’t it? It is much easier to remember a code phrase and a couple of modifications than a set of senseless characters. Be careful, though, Shakespeare and other classics are not the best choice for a code phrase. It is better to think up your own phrase that is easy to remember. Use one phrase for one service.

When choosing the length and complexity of your phrase, keep a few things in mind: the value of the data under protection, the likely frequency of entering the password, and the potential need to type on a mobile device.* These factors influence the complexity of modifications. For instance, EitherGood0Bad is perfect for a free music service, but for your main mailbox or online banking service you should invent something like There1sNothingEitherGood0BadButThinkingMakes1tSo1603. We are noting once again, passwords must be different for different services and based on various code phrases.

This creates another challenge – some services limit the password length, so it is better to avoid using such services. 

*If you create a 10-character password using letters from the Latin alphabet, figures and special characters, the number of combinations for a bruteforce attack would be 2.8*1018. A password of only four widespread English words would give you 1.6*1017 variants, which isn’t much less. And if you include five words, it is easy to increase the number of variants to 3.2*1021. Common words turn out to be more efficient than unmemorable rubbish.

A modern method

Although code phrases are significantly easier to use than a mish-mash of characters, it’s still important to keep each password unique. According to a password survey, an average Internet user has five different accounts. Each account should have its own password, which can easily test the user’s memory. Some users have much more than five accounts – and this is a real challenge for any brain. For these cases a specific application category was invented – it is called password storage. There is a module of this kind included in Kaspersky PURE. This module contains a database with user account information for all possible web sites, resources, etc. This table is carefully encrypted with powerful algorithms, so the owner only needs to come up with one very strong password to access that table. Simply keep that one firmly in mind, and your computer will take care of the rest.

Send to Kindle