Choosing Good Passwords

http://www.eng.ed.ac.uk/docs/passwords/

Introduction

Most people choose bad passwords. That's life. What do I mean by "bad passwords"? I mean passwords that are easily guessed. How easily guessed? Very.

To throw some numbers into this: left to their own devices, most people choose a word from their own language as a password. Most people have a vocabulary of around 40,000 words, but being generous by an order of magnitude let's say they are choosing from a range of 400,000 words. People who crack passwords know this, of course, and they have programs which check for word-based passwords. I have a program that can check 100,000 UNIX passwords per second, running on an ordinary desktop PC current as of July 2000. If you have a word-based password, it can find it in about 4 seconds, max, or in 2 seconds on average. That's how bad dictionary-based passwords are. If your password is on a Windows system, I have another program that will check over 1,000,000 Windows passwords per second if run on the same machine. You may be thinking about choosing your password from another language. Don't. I have dictionaries for all European languages and most other major languages in the world - any cracker will too.

"But not all passwords are like this", I hear you say. "It only takes one" is my answer. One bad password and an account has been compromised. Once inside a system it is much easier for an attacker to do damage to the whole system. Your bad password could affect everyone on the system. Be nice to your colleagues - choose good passwords.

Lies, Damn Lies and Statistics

Before going on to describe what makes a good password, I want to present some numbers on how difficult (or easy) it is to crack different classes of passwords. For some of these I have worked out the probability; for others (particularly where psychological factors are concerned) this is very difficult, so I have taken the average of some tests. This will be indicated for each password class with: theoretical = probability worked out on a "cracker must do most work" basis, empirical = average of tests done. These probabilities are arranged in the order a cracking program might search for them. Note that on average a password can be cracked in half of any time listed as theoretical.

For passwords on a UNIX system:

The program for Windows NT passwords can crack a password based on any combination of upper and lowercase letters and numbers in 24 hours on a Pentium III at 500 MHz. On a slightly faster machine the same program can find any allowable NT password in (on average) 20 days. Note: these numbers come from benchmarks that I did not run myself.

How to Choose Good Passwords

There are two competing points of view from which a password can be "good":

The best suggestion for passwords is to think of a phrase or sentence (or get one from the middle of a book). Take the first letter of each word until you have 8 letters. Now, substitute 2 or more of these with numbers or special characters (use at least one character which is not a number or letter).

As an example, let us say I chose the sentence: "As if by magic, the shopkeeper appeared". After taking the first letters I have: "aibmtsa". This only has 7 letters, but I'll use this fact later to add another character. This is easy enough to remember but is not based on a word. This is still not a very secure password, however, since it is only based on letters (crackable on average in 5 days for a UNIX password and 5.5 hours for a Windows one - based on the best of my knowledge so far). To make the password tougher, I'll capitalise some letters and put some symbols in where I can remember them. In this password, I will use the number 8 instead of m for magic since 8 is a number associated with magic in Terry Pratchett's Discworld novels. This may seem a little obscure, but consider: I will remember it and it is an obscure link for others to make - this is perfect for passwords. I will also change the last "a" to "@" (because they look like each other), capitalise the "s" (since the Shopkeeper was a person), and use a "," where the comma is in the original sentence (I wouldn't just put a period at the end of the password - this is too easily guessed). All told, I end up with: "aib8,tS@" - a password which I can remember, but should be difficult to crack.
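To put numbers on the steps above, here is an added example (mine, not part of the original page) that classifies a candidate password by the smallest character class a cracker would search, estimates worst-case and average time at the checking rates quoted above (100,000 UNIX and 1,000,000 Windows guesses per second), and checks the page's rule of at least two substituted characters with at least one symbol. The five-word SAMPLE_DICTIONARY is a constructed stand-in for a cracker's real word lists, and the 400,000-word dictionary size is the page's own figure.

```python
import string

# Guess rates quoted on the page (ordinary desktop PC, July 2000).
UNIX_RATE = 100_000          # UNIX password checks per second
WINDOWS_RATE = 1_000_000     # Windows password checks per second
DICTIONARY_WORDS = 400_000   # the page's generous size for a word list

# Constructed stand-in for a cracker's word lists: a real one holds every
# word of every major language, not five entries.
SAMPLE_DICTIONARY = {"magic", "shopkeeper", "password", "secret", "edinburgh"}

# Character classes in the order a cracking program would search them;
# each is a superset of the one before it, so the first match is the
# smallest space the password can hide in.
CLASSES = [
    ("lowercase letters", string.ascii_lowercase),
    ("mixed-case letters", string.ascii_letters),
    ("letters and digits", string.ascii_letters + string.digits),
    ("letters, digits and symbols",
     string.ascii_letters + string.digits + string.punctuation),
]


def search_space(password):
    """Return (class name, candidates a cracker must try to exhaust it)."""
    if password.lower() in SAMPLE_DICTIONARY:
        return "dictionary word", DICTIONARY_WORDS
    for name, alphabet in CLASSES:
        if all(c in alphabet for c in password):
            return name, len(alphabet) ** len(password)
    raise ValueError("password uses characters outside printable ASCII")


def crack_time(password, rate):
    """(class, worst-case seconds, average seconds) at `rate` guesses/s.
    Average is half the worst case, as the page notes for its tables."""
    name, size = search_space(password)
    worst = size / rate
    return name, worst, worst / 2


def follows_advice(password):
    """The page's rule: 8 characters from a phrase, at least two of them
    replaced by digits or symbols, and at least one symbol among those."""
    non_letters = sum(1 for c in password if not c.isalpha())
    symbols = sum(1 for c in password if not c.isalnum())
    return len(password) >= 8 and non_letters >= 2 and symbols >= 1


if __name__ == "__main__":
    for pw in ("magic", "aibmtsa", "aib8,tS@"):
        name, worst, avg = crack_time(pw, UNIX_RATE)
        print(f"{pw!r}: {name}, worst {worst:.0f}s, average {avg:.0f}s,"
              f" follows advice: {follows_advice(pw)}")
```

Running it reproduces the page's 4 s worst case and 2 s average for a dictionary word on UNIX, and shows "aibmtsa" sitting in the 26^7 lowercase space while "aib8,tS@" forces a search of the full 94^8 printable space.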

About this document ...


The translation was initiated by Colin Higgs on 2000-07-14


Colin Higgs 2000-07-14