### Introduction

``But not all passwords are like this'', I hear you say. ``It only takes one'' is my answer. One bad password and an account has been compromised. Once inside a system it is much easier for an attacker to do damage to the whole system. Your bad password could affect everyone on the system. Be nice to your colleagues - choose good passwords.

### Lies, Damn Lies and Statistics

Before going on to describe what makes a good password, I want to present some numbers on how difficult (or easy) it is to crack different classes of passwords. For some of these I have worked out the probability; for others (particularly where psychological factors are involved) this is very difficult, so I have taken the average of some tests. Each password class is marked accordingly: theoretical = probability worked out on a ``cracker must do most work'' basis, i.e. the time to try every password in the class; empirical = average of tests done. The classes are arranged in the order a cracking program might search for them. Note that on average a password can be cracked in half of any time listed as theoretical, because the search usually hits the password part way through the class rather than at the end.

For passwords on a UNIX system:

• Password based on own name or login name (theoretical) A very small fraction of a second. Never, ever do this!
• Dictionary word, lower case only (theoretical) less than 4 seconds per language.
• Dictionary word, first letter (only) capitalised (theoretical) less than 4 seconds per language. Some password programs require at least one capital letter in any new password. Most people choose to capitalise the first letter and no others.
• Two shorter words together, lower case only (theoretical) less than 1 min 30 secs per language. This is a common way for people to ``get round'' a password program that does not allow dictionary words.
• Two shorter words, first letter of each word (only) may be capitalised (theoretical) less than 5 mins.
• Dictionary word with number at end or beginning (empirical) approximately 10 mins. These are the most common passwords on systems where the password program refuses to accept a password without at least one number or special character.
• Dictionary word with random capitalisation (theoretical) less than 16 mins. For an eight-letter word this case is only 2^8, or 256, times more complicated than a lowercase-only dictionary word, because each letter can be in one of only two cases.
• Any combination of letters that is pronounceable (conforms to certain rules) (empirical) approximately 1 to 2 hours.
• Password based on a word with lower or uppercase letters and one or two numbers (empirical) approximately 1 to 2 days.
• Any combination of letters (lowercase only) (theoretical) less than 10 days.
• Any combination of letters (lower or uppercase) (theoretical) less than 100 days.

The equivalent cracking program for Windows NT passwords can crack a password based on any combination of upper and lowercase letters and numbers in 24 hours on a Pentium III at 500 MHz. On a slightly faster machine the same program can find any allowable NT password in (on average) 20 days. Note: these numbers come from benchmarks that I did not run myself.

### How to Choose Good Passwords

There are two competing points of view from which a password can be ``good'':

• The password should be complicated enough to be difficult to crack.
• The password should be simple enough to remember without being written down.

The best suggestion for passwords is to think of a phrase or sentence (or take one from the middle of a book). Take the first letter of each word until you have 8 letters. Now substitute 2 or more of these with numbers or special characters, using at least one character which is neither a number nor a letter. The result is not a dictionary word, not a word with a number bolted on, and not a run of letters alone, so it falls outside every class in the list above, yet the phrase makes it easy to remember.
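The following is an added example, not code from the original article. It puts the password classes from the list above into a small classifier that tries them in the same order a cracking program would and reports how many guesses exhausting each class costs, and it implements the phrase method described in this section so the two can be checked against each other. The word list `WORDS`, the login name `alice`, the substitution table `SUBS` and the guess rate `RATE` are constructed assumptions (a real cracker's dictionary has tens of thousands of words per language); the ``based on login name'' class is approximated as the login, its reverse, or a password containing it, and the ``pronounceable letters'' class is left out because it needs a set of pronunciation rules the article does not give.

```python
# Added example: the weak-password classes listed above and the phrase method.
# WORDS, LOGIN, SUBS and RATE are constructed assumptions, not figures from the article.
from math import comb

DIGITS = "0123456789"

# Tiny stand-in for a cracker's dictionary (assumption; real lists are far larger).
WORDS = frozenset(["secret", "password", "orange", "blue", "moon", "sun",
                   "set", "star", "fish", "cat", "dog", "house"])


def _two_word_split(low, words):
    """Index i with low[:i] and low[i:] both dictionary words, else 0."""
    for i in range(1, len(low)):
        if low[:i] in words and low[i:] in words:
            return i
    return 0


def _lower_or_capitalised(s):
    return s.islower() or (s[0].isupper() and s[1:].islower())


def classify(pw, login, words=WORDS):
    """Return (class name, guesses needed to exhaust that class).

    Classes are tried in the order a cracker would search them (the order of
    the list above); D is the dictionary size, n the length.  'Based on login
    name' is approximated as the login, its reverse, or a password containing
    it (assumption).  The 'pronounceable letters' class is not modelled."""
    if not pw:
        raise ValueError("empty password")
    D, n, low, lg = len(words), len(pw), pw.lower(), login.lower()
    if low == lg or low == lg[::-1] or lg in low:
        return "based on login name", 16  # a dozen-odd variants (assumption)
    if low in words:
        if pw.islower():
            return "dictionary word, lower case", D
        if _lower_or_capitalised(pw):
            return "dictionary word, first letter capitalised", D
        return "dictionary word, random capitalisation", D * 2 ** n
    i = _two_word_split(low, words)
    if i:
        if pw.islower():
            return "two words, lower case", D * D
        if _lower_or_capitalised(pw[:i]) and _lower_or_capitalised(pw[i:]):
            return "two words, initial capitals", 4 * D * D
    # digits at one end only: the usual way round a 'must contain a number' rule
    core = pw.rstrip(DIGITS) if pw[-1] in DIGITS else pw.lstrip(DIGITS)
    k = n - len(core)
    if k and core.lower() in words:
        return "dictionary word with number at end or beginning", D * 2 * 10 ** k
    # one or two digits anywhere, any capitalisation of the letters
    letters = "".join(c for c in pw if c not in DIGITS)
    k = n - len(letters)
    if 1 <= k <= 2 and letters.lower() in words:
        return ("word with mixed case and one or two numbers",
                D * 2 ** len(letters) * comb(n, k) * 10 ** k)
    if pw.isascii() and pw.isalpha():
        if pw.islower():
            return "any combination of letters, lower case", 26 ** n
        return "any combination of letters, mixed case", 52 ** n
    return "outside the listed classes (letters, digits and symbols)", 95 ** n


def search_seconds(guesses, rate):
    """Worst-case seconds to exhaust a class at `rate` guesses per second
    (the 'cracker must do most work' figure); the average case is half."""
    return guesses / rate


def meets_rule(pw):
    """At least two non-letters, one of which is neither letter nor digit."""
    non_letters = [c for c in pw if not c.isalpha()]
    return len(non_letters) >= 2 and any(not c.isalnum() for c in non_letters)


def from_phrase(phrase, subs, length=8):
    """First letter of each word until `length` letters, then replace the
    letters listed in `subs` (letter -> digit or symbol), as described above."""
    initials = "".join(w[0] for w in phrase.split() if w[0].isalpha())
    if len(initials) < length:
        raise ValueError("phrase needs at least %d words" % length)
    pw = "".join(subs.get(c.lower(), c) for c in initials[:length])
    if not meets_rule(pw):
        raise ValueError("substitute at least 2 letters, one of them with a symbol")
    return pw


if __name__ == "__main__":
    RATE, LOGIN = 250_000, "alice"          # assumed crypt(3) guess rate; constructed login
    SUBS = {"t": "7", "o": "0", "l": "!"}   # constructed substitution table
    samples = ["alice", "secret", "Secret", "bluemoon", "BlueMoon", "secret1",
               "sEcReT", "sec1ret", "xkqwzpl", "xKqwzpl",
               from_phrase("the quick brown fox jumps over the lazy dog", SUBS)]
    for s in samples:
        name, guesses = classify(s, LOGIN)
        print("%-9s %-56s %10.3g s" % (s, name, search_seconds(guesses, RATE)))
```

Run as a script it prints one line per sample with its class and the worst-case search time at the assumed rate. With the constructed table the phrase ``the quick brown fox jumps over the lazy dog'' gives the initials `tqbfjotl` and, after substituting t, o and l, the password `7qbfj07!`, which the classifier places outside every listed class (a 95^8 search), whereas `Secret`, `bluemoon` and `secret1` all land in classes a cracker exhausts in seconds. The absolute times depend entirely on `RATE`, which is why the article gives them per machine; the ordering of the classes does not.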