
Libel

PASSWORD SECURITY

11.01.09 | 4 Comments

One of my assigned duties in The Hollar is to be the IT guy for the service.  I maintain the network and all the computers when I have time.  I am also the gatekeeper for the email system.  So it is inevitable that I sit down with every new employee and ask what he or she wants their new password to be.  About 90% of all employees want the password to be something involving their EMT number.  If the employee’s KY EMT number is 12345, then they will want their password to be “ky12345” or “emt12345” or some variant.  I always tell them that, “Everyone picks that. You need to come up with something not so easy to guess.”  All of them without fail act shocked or confused.  “Really? Everyone does that?”

Yes.  Everyone does that.  As a matter of fact, if anyone wants to make an EMT’s life a living hell here is what you do.  Find someone with an AOL account.  Look up their state numbers, and then crack their account by typing in a few variants that include those numbers.  If that doesn’t work, try the radio call sign.  I guarantee that you will be able to crack at least one in three accounts with this system.  Then start sending any kind of email you like to supervisors, spouses, girlfriends, and the like.  Have fun.  Be creative.

However, if what I have just written scares the pants off of you, you may want to keep reading.  I am about to teach you several ways to maintain secure passwords whether you are a complete novice or a super-nerd.  So don’t run off to AOL just yet to change your password.  Stay tuned.

Before choosing a system to remember passwords, there is one golden rule to keep in mind.  A system is only secure if it is realistic to maintain.  Don’t come up with some complicated system that requires a $300 dongle and two keys that are to be unlocked at the same time in nuclear-silo fashion.  Keep it cheap.  Keep it simple.  An ironclad security system won’t work if it is so complicated that you never use it.

The best password is one that has a completely random mixture of all possible characters from the ASCII character set.  Non-computer folks may be confused by this, but it really isn’t that hard.  There are 26 letters in the alphabet.  But there are lowercase and uppercase letters.  So in the ASCII alphabet, there are actually 52 characters with both cases included.  There are also ten possible digits from 0 to 9.  That brings us up to 62 possible characters.  Then there are various symbols and punctuation.  All together there are 128 characters in the ASCII character set.  Using the entire ASCII character set makes a password much more impervious to attack.  Consider the following example:

Let’s say that we were going to pick a four-digit password only consisting of numbers.  This is the common formula for a PIN number.  If a number has four digits, there are 10,000 permutations.  The possible numbers will range from 0000 to 9999.  This only works in a base-10 system though.  There are 10 possible entries to each digit: 0-9.  If you want to know the number of possible permutations you take the number of possible entries and apply an exponent that is equal to the number of digits.  A four-digit PIN number will have 10 possible entries (0-9) and we raise that to the power of 4 (four total digits) for a final formula of 10^4.  This is the same thing as saying 10 times 10 times 10 times 10 which of course is 10,000.  As far as computer security goes, that is pretty lame.  A password cracking program could get through 10,000 permutations in the blink of an eye, so we need something a bit more robust.

Let’s up the ante a little bit and just use all lowercase letters.  This is a common formula for people to create passwords.  Since there are 26 letters, and we are only using lower case, each entry will contain one of 26 possible characters.  The same formula as PIN numbers applies here.  So the permutation formula for a four character, all lowercase password will be 26^4.  Another way to look at this is 26 times 26 times 26 times 26 which equals 456,976.  In other words we have gone from just 10,000 possible permutations to almost a half a million simply by moving from numbers to letters because there are more characters in the equation.

But remember that there are 128 characters in the ASCII set.  What happens to our number of permutations if we use letters, numbers, and symbols?  The formula becomes 128^4, or 128 times 128 times 128 times 128.  Our number of possible permutations is now 268,435,456.  Now we have over 268 million permutations.  Which do you think is more secure?  This is the reason that most security experts recommend a password that includes letters, numbers, and symbols.  It just makes mathematical sense.

There is another reason to do this though.  Many password cracking programs employ a technique called a “dictionary attack.”  The program will start feeding words from the dictionary as passwords.  These attacks usually include common names.  So if the password to your banking website is the name of your dog, it can be cracked almost instantly.  Let’s use a common dog name for an example: ‘rover’.

‘Rover’ is a common name for dogs so a dictionary attack would uncover it almost instantly.  But let’s look at it from a purely mathematical standpoint.  The password ‘rover’ is in all lowercase, having only 26 possible characters spanning 5 positions.  So the permutation formula would be 26^5 which gives us 11,881,376 possible permutations.  Over eleven million isn’t bad, but what happens when we add just one number to the mix?  What would it be for ‘rover8’?  All lowercase and numbers gives us 36 possible characters in 6 positions.  36^6 gives us 2,176,782,336 permutations.  So in adding one number to the password we went from just under 12 million permutations to over 2 billion.  This is why so many people suggest adding a number to the mix.  You get a lot of bang for your buck that way, and it usually thwarts a dictionary attack.  What happens if we put a capital letter somewhere in there?  The password ‘roVer8’ has 62 possible characters (26 lowercase + 26 uppercase + 10 numbers) in 6 positions.  62^6 gives us 56,800,235,584 possible permutations without even adding more positions.  But let’s say we go hog-wild and use the entire ASCII character set for six places.  The formula would be 128^6 or 618,475,290,624.  That’s over 618 billion permutations.  Just to give you some scope, here is a chart of the progression of a password that contains six places:

Six Character Password
All lowercase letters = 308,915,776 permutations
Upper and lowercase = 19,770,609,664 permutations
Upper and lowercase with numbers = 56,800,235,584 permutations
Complete ASCII character set = 618,475,290,624 permutations

So it is pretty easy to tell that using more characters can quickly make it impossible for anyone to crack a password.  However, a new problem presents itself: how will you remember a password that is filled with complete gibberish from the entire ASCII character set?  The trick is to create a system that makes sense to you, but creates something that would seem like gibberish to anyone else.  There are many techniques for this which will be discussed here.

There is one method I like to call the ‘Dissected Old Phone Number’ technique that involves searching your mind for an old phone number from your past.  The phone number from your childhood home or an old girlfriend/boyfriend works great.  For instance, let’s say you used to have an old girlfriend in Dallas, whose phone number was 214-123-4567.  We can mash this number up with a couple of words that are meaningful to us to make a fairly strong password.  Let’s say that you met your very first girlfriend on the beach, and your current girlfriend goes to Baylor University.  You could mash all the information up into a password such as ‘214beach123baylor4567’.  You could even write down a prompt for this password in case you forgot it.  Something like “Banking Password = Girlfriend Mashup” might be enough to jog your memory and would still be secure even if someone else read it.  Add symbols and uppercase letters if it is easy to remember.

Abbreviations for industry specific things work great to produce seemingly random text.  Let’s say you wanted to use the same phone number with some text that looked a bit more random.  Perhaps you work on an ambulance and your protocols come from the University of Louisville Medical Center.  You could make a password such as ‘COPDUoL4567’.  You could write yourself a prompt for this password such as “Breathing Diff – Med Direction – Last 4 Old Girlfriend” and put that in your wallet.  If your wallet was stolen, no one would have a clue what that meant and the resulting password would have 52,036,560,683,837,093,888 permutations.

Another good practice is to have a different password for each website that you access.  This can prove difficult and time consuming unless you have a system.  The trick is to create a formula for yourself that can be applied to any website or email address to create a specific password for that account.  An example formula would be:

3rd and 4th Letter – Last 4 Phone # – Capital 1st and 2nd Letter – Symbols for Phone Prefix

Let’s apply this formula to ‘yahoo.com’.  The third and fourth letter in ‘yahoo’ are ‘ho’.  The last four digits of our old phone # are ‘4567’.  The capitalized 1st and 2nd letters in ‘yahoo’ are ‘YA’.  The last part of the formula is ‘Symbols for Phone Prefix’.  Let’s say the phone prefix was ‘237’.  The symbols above the letters ‘237’ are @, #, and & respectively.  So if we put that all together, our password for ‘yahoo.com’ would be ‘ho4567YA@#&’ which means something to you, but would be complete gibberish to anyone else.  This would generate a new password for each site you visit.  For instance, your ‘google.com’ password would be ‘og4567GO@#&’.  Since the phone number is only known to you, you could keep this formula out in the open and not worry about who was able to see it.  Come up with your own formula and some cryptic, off-the-wall memory prompts and tape it to the bottom of your monitor.  Something like “3rd 4th + Suffix + CAP 1st 2nd + Symbol Prefix” taped to the bottom of your monitor would mean nothing to anyone but yourself, but would provide you with an individual password for each website you visit that has 19,342,813,113,834,066,795,298,816 permutations.
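The per-site formula is really a small function of two inputs, the site name and the old phone number, so here it is written out as one. This is an added example, not code from the post; the phone number is constructed to match the post's Dallas area code and the ‘237’ prefix used above, and the symbol mapping assumes a US keyboard (shift plus each digit).

```python
# Map each digit to the symbol above it on a US keyboard (shift + digit):
# the "symbols for phone prefix" step of the post's formula.
SHIFT_SYMBOLS = str.maketrans("1234567890", "!@#$%^&*()")


def site_password(domain, old_phone):
    """Derive a per-site password with the post's formula:
    3rd+4th letter of the site name, last four digits of the phone number,
    1st+2nd letter capitalised, then the phone prefix typed as shift-symbols."""
    name = domain.lower().split(".")[0]            # 'yahoo.com' -> 'yahoo'
    if len(name) < 4:
        raise ValueError(f"site name {name!r} needs at least four letters for this formula")
    digits = "".join(ch for ch in old_phone if ch.isdigit())
    if len(digits) != 10:
        raise ValueError("expected a 10-digit North American phone number")
    prefix, last4 = digits[3:6], digits[6:]         # 214-237-4567 -> '237', '4567'
    return name[2:4] + last4 + name[:2].upper() + prefix.translate(SHIFT_SYMBOLS)


def passwords_for(domains, old_phone):
    """Apply the formula to several sites at once, to check that no two sites
    end up with the same password."""
    return {d: site_password(d, old_phone) for d in domains}


if __name__ == "__main__":
    phone = "214-237-4567"   # constructed: area code and prefix from the post
    for site, pw in passwords_for(["yahoo.com", "google.com", "mail.example.org"], phone).items():
        print(f"{site:20s} {pw}")
```

Running it gives ‘ho4567YA@#&’ for yahoo.com and ‘og4567GO@#&’ for google.com, as in the post. Note what stays constant: ‘4567’ and ‘@#&’ appear unchanged in every password, so the scheme only holds up as long as the phone number and the rule are never seen together by anyone else.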

Why is it important to have a different password for every website you go to?  Well in a perfect world we would not have to worry about such things.  But this is not a perfect world.  Websites should not have a copy of your password in their database.  The way a properly implemented password system is supposed to work is that your password is typed into the computer, and that text is sent through an encryption process.  After encryption there should be a bunch of text that looks like gibberish.  This gibberish is stored in the database as the result of your encrypted password.  The real password should not be stored in the database and should only be known to you.  Not even the site administrator should be able to recreate your password.  When you log back in, your password is again encrypted and the result is matched against the gibberish stored in the database.  If it matches, then you are allowed entry.  This is how a website password is supposed to work.
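Here is what that "gibberish in the database" looks like in practice, as an added example that is not part of the post. The one-way step the post calls encryption is, in a properly built system, a salted slow hash: it cannot be reversed to recover the password, and the random salt means two users with the same password get unrelated records. The user table and e-mail addresses below are constructed for the example.

```python
import hashlib
import hmac
import secrets

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 200_000   # deliberately slow, to blunt offline guessing against a stolen table


def make_record(password):
    """Turn a password into the stored 'gibberish': a random salt plus a slow
    one-way hash of the password and salt. The password itself is never kept."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ALGORITHM}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify(password, record):
    """Re-run the same one-way process on the login attempt and compare the
    result with the stored record, in constant time."""
    algorithm, iterations, salt_hex, digest_hex = record.split("$")
    if algorithm != ALGORITHM:
        raise ValueError(f"unsupported record format {algorithm!r}")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# Constructed user table: this is all an administrator (or a thief) can read.
USERS = {}


def register(email, password):
    USERS[email] = make_record(password)


def login(email, password):
    record = USERS.get(email)
    return record is not None and verify(password, record)


if __name__ == "__main__":
    register("johnsmith@example.com", "password")
    register("janedoe@example.com", "password")    # same password, different salt
    for email, record in USERS.items():
        print(email, record)                      # neither line contains 'password'
    print(login("johnsmith@example.com", "password"))   # True
    print(login("johnsmith@example.com", "emt12345"))   # False
```

Printing the table shows the point of the post's next paragraph from the other side: an administrator who copies these records gets nothing that can be typed into National City's login page.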

However, as I have said, this is not a perfect world.  Sometimes websites will store your raw and unencrypted password on a database.  Let’s imagine for one moment that I am an unscrupulous person working on the admin team for a large website that stores raw passwords on their database.  I would be able to print a list of email addresses and the passwords that matched and walk away with these.  I could then see that johnsmith@google.com had a password of ‘password’ and then take that info to other places around the net.  “Hey,” I might think to myself, “I wonder if his National City bank account has the same password…well look at that.”  You get the idea.  It’s best to have a different password everywhere you go.

This may seem a bit paranoid and nerdy, but statistics don’t lie.  I recently read that as many as one in six people has been the victim of some sort of identity theft.  The solution to this problem is very simple and easy to implement.  If you wouldn’t walk down a dark alley at 3 o’clock in the morning with a 50 dollar bill taped to your forehead, why would you make your email password ‘emt12345’?  Take some basic precautions to keep yourself from getting robbed whether you are sitting in front of a computer or not.
