Why the password “this is fun” is 10 times more secure than “J4fS!2”

Posted: April 17, 2011 in Uncategorized

Security companies and IT people constantly tell us that we should use complex and difficult passwords. This is bad advice, because you can actually make usable, easy-to-remember and highly secure passwords. In fact, usable passwords are often far better than complex ones.

So let’s dive into the world of passwords, and look at what makes a password secure in practical terms.

Update: Read the FAQ (updated January 2011)

How to hack a password

The work involved in hacking passwords is very simple. There are 5 proven ways to do so:

  1. Asking: Amazingly, the most common way to gain access to someone’s password is simply to ask for it (often in connection with something else). People often tell their passwords to colleagues, friends and family. Having a complex password policy isn’t going to change this.
  2. Guessing: This is the second most common method of accessing a person’s account. It turns out that most people choose a password that is easy to remember, and the easiest ones are those that are related to you as a person. Passwords like your last name, your wife’s name, the name of your cat, your date of birth, your favorite flower etc. are all pretty common. This problem can only be solved by choosing a password with no relation to you as a person.
  3. Brute force attack: Very simple to do. A hacker simply attempts to sign in using different passwords, one at a time. If your password is “sun”, he will attempt to sign in using “aaa, aab, aac, aad … sul, sum, sun (MATCH)”. The only thing that stops a brute force attack is higher complexity and longer passwords (which is why IT people want you to use just that).
  4. Common word attacks: A simpler form of brute-force attack, where the hacker attempts to sign in using a list of common words. Instead of trying different combinations of letters, the hacker tries different words, e.g. “sum, summer, summit, sump, sun (MATCH)”.
  5. Dictionary attacks: Same concept as common word attacks – the only difference is that the hacker now uses the full dictionary of words (there are about 500,000 words in the English language).

When is a password secure?

You cannot protect against “asking” and “guessing”, but you can protect yourself from the other forms of attacks. A hacker will usually create an automated script or a program that does the work for him. He isn’t going to sit around manually trying 500,000 different words to see if one of them is your password.

The measure of security must then be “how many password requests can the automated program make – say, per second”. The actual number varies, but most web applications would not be capable of handling more than 100 sign-in requests per second.

This means it takes the following time to hack a simple password like “sun“:

  • Brute-force: 3 minutes
  • Common Word: 3 minutes
  • Dictionary: 1 hour 20 minutes

Note: “sun” has 17,576 possible character combinations: 3 letters using the lowercase alphabet = 26^3 = 17,576.

This is of course a highly insecure password, but how much time is enough for a password to be secure?

  • a password that can be hacked in 1 minute is far too risky
  • 10 minutes – still far too risky
  • 1 hour – still not good enough
  • 1 day – now we are getting somewhere. The probability that a person will have a program running just to hack your account for an entire day is very small. Still, it is plausible.
  • 1 month – this is something that only a dedicated attacker would do.
  • 1 year – now we are moving from practical risk to theoretical risk. If you are NASA or the CIA then it is unacceptable. For the rest of us, well – you do not have those kinds of enemies, nor is your company data that interesting.
  • 10 years – now we are talking purely theoretical.
  • A lifetime: 100 years – this is really the limit for most people. Who cares about their password being hacked after they have died? Still, it is nice to know that you use a password that is “secure for life”.

But let’s take a full swing at this. Let’s look at “100 years – secure for life”. It has a good ring to it and it makes us feel safe. There is still the chance that the hacker gets lucky, that he accidentally finds the right password after only 15 years instead of 100. It happens.

Let’s step that up too and go for the full high-end security level. I want a password that takes 1,000 years to crack – let’s call this “secure forever”. That ought to be good enough, right?

Making usable and secure passwords

Now that we have covered the basics, let’s look at some real examples, and see just how usable we can make a password, while still being “secure forever”.

Note: The examples below are based on 100 password requests per second. The result shown is for whichever approach is the most effective way to hack that specific password – brute force, common words or a dictionary attack.

First let’s look at the common 6 character password – using different methods:

In this example complexity clearly wins. Using a password with mixed case characters, numbers and symbols is far more secure than anything else. Using a simple word as your password is clearly useless.

Does that mean that the IT departments and security companies are right? Nope, it just means that a 6 character password isn’t going to work. No one can remember a password like “J4fS<2”, which evidently means that it will be written on a post-it note.

To make usable passwords we need to look at them differently. First of all, use words you can remember, something simple and something you can type fast.

Like these:

Using more than one simple word as your password increases your security substantially (from 3 minutes to 2 months). But by simply using 3 words instead of two, you suddenly get an extremely secure password.

It takes:

  • 1,163,859 years using a brute-force method
  • 2,537 years using a common word attack
  • 39,637,240 years using a dictionary attack

It is 10 times more secure to use “this is fun” as your password, than “J4fS<2”.

If you want to be insanely secure, simply choose uncommon words as your password – like:

A usable and secure password is then not a complex one. It is one that you can remember – a simple password using 3+ words.

It is not just about passwords

One thing is to choose a secure and usable password. Another thing is to prevent the hacker from hacking the password in the first place. This is a very simple thing to do.

All you need to do is to prevent automatic hacking scripts from working effectively. What you need to do is this:

  1. Add a time delay between sign-in attempts. Instead of allowing people to sign in again and again and again, add a 5 second delay between each attempt.

    It is short enough not to be noticeable (it takes longer than 5 seconds to realize that you have typed a wrong password and to type in a new one). And it forces the hacker to make only 1 sign-in request every 5 seconds (instead of 100 times per second).

  2. Add a penalty period of something like 1 hour if a person has typed a wrong password more than – say – 10 times. Again, this seriously disrupts the hacking script from working effectively.

A hacker can hack the password “alpine fun” in only 2 months if he is able to attack your server 100 times per second. But, with the penalty period and the 5 second delay, the same password can suddenly sustain an attack for 1,889 years.

Remember this the next time you are making web applications or discussing password policies. Passwords can be made both highly secure and user-friendly.

Interesting article on password security. More complex passwords may not necessarily be more secure.

Comments
  1. voidwhereprohibitedbylaw says:

    ‘More complex passwords may not necessarily be more secure.’ Actually this article does not say that. It in actual fact says more complex passwords will ALWAYS be more secure. It does however say that implementing sensible password policies within applications can make the 3-common-word-password as functionally secure during a normal human lifespan as the 6-random-characters-with-mixed-case,-symbols-and-numbers-password.

  2. Bill H. says:

    Another method to prevent hacking scripts is to increment the number of seconds between attempts by 1. Example:
    1st wrong attempt – 1 second
    2nd wrong attempt – 2 seconds
    …
    10th wrong attempt – 10 seconds
    .. and so on.

  3. Roy Owens says:

    A simple scheme for punishing crackers without unduly flogging clumsy users is to start with a 1-second delay the first try, 2 for the second, 4 for the third, and so on. Even somebody with a high fever, chills, and shaky hands will be able to get the password correct within a few minutes, but an automated cracker has a long wait. (Use a large integer to store the delay: with each error, left-shift it one place.)

  4. sceptical says:

    dude, you didn’t put times for each method, you clearly chose the shortest times for the complex passwords, and the longest times for the longer-but-not-complex passwords. try comparing all with the same method otherwise you have introduced an extra variable making any results useless as this way they were not tested equally

  5. sceptical says:

    oh, and also, who says you can’t remember "J4fS<2"? It is not hard to remember arbitrary strings of numbers, letters and symbols, especially as short as 6 characters. People remember pi into the thousands, and it takes less than 30 mins to learn the first 20 or so. 6 characters is too easy. try a 20 character string of random numbers, letters and symbols and see how secure that is. Also, with the random characters, you can only use brute force to crack it, whereas "this is fun" could be cracked with multiple methods.

  6. Troy Hunt says:

    Unfortunately this post is fundamentally flawed in many of the assertions and the original has been comprehensively debunked by myself and others in the application security space: http://www.troyhunt.com/2011/04/bad-passwords-are-not-fun-and-good.html

  7. quick everybody add ‘this is fun’ to your dictionaries

  8. christomiller says:

    Speed: You have to assume that the hacker has direct access to the hashed password file, so 100 tries a second is too low. I use 100 million a second as representative of a fast computer, but some are faster. On that basis, "THISISFUN" will be hacked in around 7.5 hours. Not enough.
    Complexity: Adding complexity by using all types of character is the cheapest way of strengthening your password. Time is money, right? Each time you type in a long password, you waste time. So choose a password that is long and strong enough, but don’t go bananas.
    Memorizing passwords: Check out my new App which helps you memorize strong passwords: www.passwordgear.com

  9. Troy says:

    I agree: Time is money. The avg person isn’t honestly going to spend time navigating algorithms or trying to remember what steps to take to make sure a hacker will take the longest to get their password. Most of the time, people are just trying to log in or create an account so that they can gain access to that site for whatever purpose. Just use a password management device (http://mylok.ii2p.com/) that uses one pin or a web based system (lastpass.com) that uses one strong password. One and done. Problem solved.

  10. Roland Giersig says:

    Oh yeah, exponential push-off! Sounds good, doubling the penalty time on every wrong try. Unless… well, it isn’t. Because it then shouts Denial-of-Service all over the place. Have some unfriendly person you want to play a trick on? Set up a script that tries to log into the system with that person’s username but with a wrong password. With increasing waiting times you can effectively lock that person out of hir account. Nono, make it a constant wait-time of 10 seconds. And best vary that randomly to thwart your unfriendly DoSer…

  11. Adrian Herrera says:

    Fatal flaw in this analysis: you assume that a password like "J4fS<2" is impossible to remember, which is flat out wrong. I use a password like this, and I have never written it down anywhere. Six characters is not difficult to remember. And if a six character password made up of random letters and numbers takes 219 years to hack, then you’ve already admitted that it would be practically impossible for it to be hacked. So why do we care that "this is fun" is more secure, when both are completely secure for all practical purposes? A batter doesn’t get extra points for hitting the ball more meters out of the ball park. A home run is a home run.

  12. Interesting article to start a discussion. In my view more complexity in analysing the subject is needed. Following the article one of the best passwords would be something like "zzz zzzz zz zz", using the article’s assumption that a hacker starts at "a", going to "aa" etc. A smart hacker reading this article would then simply start at "zzz zzzz zz zz" and immediately crack the password. I would like to see some answers or comments on that (it’s not my domain knowledge). I suspect that it will be something like sorting or compressing. The time needed depends on the context and on the input

  13. nocturnale says:

    "this is fun" as a password. But is spacebar allowed in password field?

  14. Herp a Derp says:

    For password safety, simply shift your fingers over one key. say, if my password was password it would be [sddeptf <—— simply unguessable

  15. BoB_the Unbuilder says:

    I think you IT guys are missing the point. The article is about making user friendly passwords that are secure. Being able to remember your password is 95% of getting it right. Complex passwords are too hard for some people to remember. Where I work we have to use uppercase, lowercase, numbers and at least one symbol. It’s changed once a month and you are locked out after 10 attempts. Some of my co-workers write their passwords down. OK let’s try this with just a couple changes. The target password is "this is fun", let’s add some uppercase but not the first letter, how about the last letter "thiS is fuN", now add some numbers "th1S 1s fuN", and a symbol would be good too "th1S_1s_fuN". It’s just like the standard password "P@ssw0rd", easy to remember but hard to hack. With a couple of changes you can make a simple word or phrase into a strong password. Letting the right people in is just as important as keeping the wrong people out. p.s. I think the spacebar is not allowed but the underscore is

  16. Idan Shoham says:

    The entropy of an English word is actually not that high. I blogged about this a while ago here: http://blogs.hitachi-id.com/blogs/idan/2009/06/30/pass-phrases-the-illusion-of-security/ The bottom line is that short phrases consisting of English words are actually fairly easy for a password guessing program to cover, if the attacker has the hash database. The example of J4fS<2 (or whatever) actually has much more entropy than "this is fun". Sorry – nice idea, but it happens to not work out given word frequencies in English. – Idan

  17. jer says:

    sporadicism-random.blogspot.com

  18. elegant egotist says:

    so what if I bought 30 or so ancient computers for around 600 bucks and formed a bank? divide your password cracking time by 30. very easy to do.

  19. w@ says:

    Yeah but how do you change the script on the password if the program or website isn’t yours?

  20. I’d say, "Ju-sti-n-Bi-eb-er" is a super secure password then. 🙂

  21. Really interesting blogpost! I actually didn’t know that space gained so much more security. I’ll now go change my password 😉

  22. David says:

    Superb! Have you seen the xkcd comic on this? Exactly that, just making the same point in an awesome way. The only problem is that so many services require you to use uppercase, symbols, and/or numbers. So I just add one of the above as necessary. Thanks! Definitely going to pass this on.

  23. Tim says:

    thanks for posting this. changing my password isn’t fun, of course, but having a lot to think about while I do it is fun.

  24. Glenn says:

    I totally agree with this idea. Pass phrases are much easier to remember and can be made difficult to hack. There are 2 issues I see that have to be overcome. First, keep the user from writing down the password. You would be surprised how many people do this. Just about everyone I know that is non-technical does this. Also as you age, you are less able to memorize. So Asking a 50 year old person to memorize j4fs<2 is ridiculous. He/She will write it down.The second issue is the one of most irritation for me personally. No one can agree on a standard for passwords. I don’t mind having to memorize a complex password, but I detest having to memorize multiple levels of passwords. For instance Fidelity does not allow complex passwords. You can only use numbers and letters. Bank of America is another offender in this category. Both are financial institutions, and isn’t it the financial industry that so harps on security. So I must create several passwords with varying security that I can remember.Pass phrases are definitely the way to go in my opinion.

  25. Thomas says:

    Then you don’t have to make 3-4 different passwords in weird combinations, now you can make one that is so simple 🙂

  26. Henrik says:

    Hmm… Interesting. In theory, you should be able to construct a "perfectly secure password combination" and then vary it depending on the login. For instance, your password on a-example.com could be one combination, while b-example.com could be the same combination but where you push every letter and number in your password by 1. Anyways, incredible article. Looking forward to testing this and implementing it in my logins. 🙂

  27. Kondom says:

    Hmm.. This is very interesting, especially since it’s become a trend for many websites and Apps to require for instance "both letters and numbers" or maybe "Only a-z letters allowed", which is pretty weird, as it actually doesn’t help the user to generate a good password.

  28. I still think that something new needs to come up – I constantly forget my password with big letters, numbers etc. It just gets too messed up with all the requests to have a simple password that it kind of ignores me.

  29. Very informative article – looking forward to reading more. I see you’re interested in Fitness – take a look at our blog, if you feel like posting an article please let us know.
