Times are changing. The bad guys who would break into your device now have advanced algorithms and so much computing power that they can easily outsmart your most devious passwords. Nevertheless, there is one thing you can do to ensure the quality of a password you choose yourself—one you rely on.
The Holy Grail is Still Unreachable for Most
First, some technical background.
It's true that we'd all be better off getting away from passwords. There are still people, today, who use passwords like “123456” and “password.” I've been reading articles for years about the panacea of 3-factor authentication: 1) something you know, 2) something you are (retina, fingerprint) and 3) something you possess (a fob or chipped card). And yet, people are still creating passwords and using them daily. Most of them are woefully weak. 2-factor authentication is just now picking up steam, but not everyone uses it.
One thing we've been promoting for years here at TMO is a great app called 1Password from AgileBits software. 1Password lets you log on with one password or passphrase and then has the app generate high-quality, complex passwords of great length, something you could never memorize. They're kept in encrypted form on your computer or mobile device.
Again, that's another article, beyond the scope of what we're discussing here. So are any OS restrictions on how often a password can be tried. So in those cases when, for whatever reason, you have to create a password yourself, the challenge is to construct it so that it is very difficult for a computer to guess by brute force.
Password Length
It turns out that there is one technique we as human beings still have at our disposal that can make a password extremely hard for a computer to guess. The article that describes this is “Password Security: Complexity vs. Length.” It's from December, 2015, so the thinking there is still relevant.
In a nutshell, security experts refer to the entropy of a password. It's a measure of the password's disorder (unpredictability), that is, how many guesses an attacker needs to find it. The formula for the entropy, in bits, is:
log(C) / log(2) * L
Where C is the size of the character set and L is the length of the password. Mathematically, the length (L) dominates this equation: every added character contributes a full log(C)/log(2) bits, whereas enlarging the character set only grows the logarithm. You're familiar with complexity: using upper and lower case letters and special characters in addition to numbers. As a result, if you want to do just one thing to make your password harder to guess, expand it from the typical 8 characters to 12 or more.
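To see how that trade-off between length and character-set size plays out, here is an added example in Python; it is not code from the original article or from 1Password. The sample passwords are constructed, and the four character classes with their sizes (26 lowercase, 26 uppercase, 10 digits, 32 printable ASCII symbols, 94 in all) are the standard assumption a cracking tool makes about which set a password was drawn from.

```python
import math
import string

# Character classes a cracking tool assumes the password was drawn from.
# Sizes: 26 lowercase, 26 uppercase, 10 digits, 32 printable ASCII symbols (94 total).
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}
FULL_SET = sum(len(s) for s in CLASSES.values())  # 94


def charset_size(password: str) -> int:
    """C: size of the smallest union of standard classes that covers the password."""
    size = sum(len(chars) for chars in CLASSES.values()
               if any(ch in chars for ch in password))
    if size == 0:
        raise ValueError("password contains no printable ASCII characters")
    return size


def entropy_bits(password: str) -> float:
    """The article's formula, log(C) / log(2) * L, i.e. L * log2(C)."""
    return math.log(charset_size(password)) / math.log(2) * len(password)


def bits_from_lengthening(password: str, extra: int) -> float:
    """Bits gained by appending `extra` characters from the same set: extra * log2(C)."""
    return extra * math.log2(charset_size(password))


def bits_from_widening(password: str) -> float:
    """Bits gained by re-drawing every existing character from the full 94-character set."""
    return len(password) * (math.log2(FULL_SET) - math.log2(charset_size(password)))


if __name__ == "__main__":
    # Constructed sample passwords; none are real credentials.
    for pw in ["Abcdef1!", "abcdefghijkl", "Sunfl0w3r!", "sunflowerhouse"]:
        print(f"{pw:16} L={len(pw):2} C={charset_size(pw):2} "
              f"entropy={entropy_bits(pw):5.1f} bits")
    # Starting from 8 lowercase letters: add 4 more letters, or swap in the full symbol set?
    print("add 4 lowercase chars:", round(bits_from_lengthening("abcdefgh", 4), 1), "bits")
    print("widen to 94-char set: ", round(bits_from_widening("abcdefgh"), 1), "bits")
```

Running it shows 12 lowercase letters (56.4 bits) beating 8 characters drawn from the full 94-character set (52.4 bits), and 14 lowercase letters matching a 10-character mixed password. Starting from 8 lowercase letters, appending four more letters gains 18.8 bits, while upgrading all eight existing characters to the full set gains only 14.8.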
Substituting look-alike symbols no longer works, for example changing “Son” to “S0n.” It does nothing to increase the size of the character set, and modern cracking tools, I am told, apply that substitution rule themselves.
One way to create a longer password is to create a passphrase instead of a single word. For example, astronomers remember the spectral classes of stars (O, B, A, F, G, K, M) with a mnemonic. So you could create a mnemonic-based passphrase “OhBeAFineGirlAndKissMe.” That's 22 characters!
But there's one remaining problem. Modern cracking tools running on supercomputers have in their databases, in addition to all the world's dictionaries, all the song lyrics ever written, all the popular mottos and slogans, book and movie titles, famous sayings and movie quotes. So while a long password is great, you also want to steer away from whole, recognizable words in the passphrase.
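The reason a long but recognizable phrase is weaker than its character count suggests is that an attacker does not have to guess it character by character. The following added Python example, which is not code from the article, scores a passphrase under three attacker models and reports the cheapest one that fits. The word list, the phrase list and their assumed sizes (100,000 words and 1,000,000 phrases) are constructed stand-ins for real cracking databases, and the sample passphrases other than the article's own mnemonic are made up.

```python
import math
import re

# Constructed stand-ins for attacker knowledge. Real cracking databases hold
# millions of words and phrases; the sizes below are assumptions used only for the arithmetic.
WORDLIST = {"oh", "be", "a", "fine", "girl", "and", "kiss", "me",
            "purple", "quartz", "lantern", "drifts"}
ASSUMED_WORDLIST_SIZE = 100_000
KNOWN_PHRASES = {"ohbeafinegirlandkissme"}   # mnemonics, lyrics, mottos, quotes
ASSUMED_PHRASE_LIST_SIZE = 1_000_000


def split_words(passphrase: str) -> list:
    """Split a CamelCase passphrase at capital letters (digits and symbols are dropped)."""
    return [w.lower() for w in re.findall(r"[A-Z][a-z]*|[a-z]+", passphrase)]


def brute_force_bits(passphrase: str) -> float:
    """Character-level entropy L * log2(C), counting lowercase, uppercase and digit classes."""
    size = sum(n for pred, n in ((str.islower, 26), (str.isupper, 26), (str.isdigit, 10))
               if any(pred(ch) for ch in passphrase))
    return len(passphrase) * math.log2(max(size, 1))


def guess_space_bits(passphrase: str) -> tuple:
    """Return (attacker model, bits) for the cheapest model that fits the passphrase."""
    words = split_words(passphrase)
    joined = "".join(words)
    # Model 1: the whole phrase is in a quote/lyric/motto list -> one entry among N.
    if joined in KNOWN_PHRASES:
        return "known phrase", math.log2(ASSUMED_PHRASE_LIST_SIZE)
    # Model 2: every piece is a dictionary word -> k independent picks from a list of W.
    if words and len(joined) == len(passphrase) and all(w in WORDLIST for w in words):
        return "dictionary words", len(words) * math.log2(ASSUMED_WORDLIST_SIZE)
    # Model 3: no structure found -> the attacker is back to brute force over the character set.
    return "brute force", brute_force_bits(passphrase)


if __name__ == "__main__":
    # The article's mnemonic plus two constructed passphrases.
    for pp in ["OhBeAFineGirlAndKissMe", "PurpleQuartzLanternDrifts", "PurpleQwz7Lantern"]:
        model, bits = guess_space_bits(pp)
        print(f"{pp:28} apparent={brute_force_bits(pp):6.1f} bits  "
              f"realistic={bits:6.1f} bits  ({model})")
```

The 22-character mnemonic looks like 125 bits of brute-force work but costs an attacker holding a phrase list only about 20 bits; four random dictionary words come out at 66 bits instead of the apparent 142; and a passphrase that breaks the word pattern forces the attacker back to character-level guessing.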
The article I cited above ends with this advice: passwords should be both long and complex.
Lengthy – Short length passwords are relatively easy to break, so the idea is to create lengthier ones for added security and to make them less predictable. So what is the desired or required length? A 2010 Georgia Tech Research Institute (GTRI) study told how a 12-character random password could satisfy a minimum length requirement to defeat code breaking and cracking software, said Joshua Davis, a research scientist at GTRI. Richard Boyd, a senior researcher at GTRI says, “Eight-character passwords are insufficient now … and if you restrict your characters to only alphabetic letters, it can be cracked in minutes.” In any case, to be on the safe side, a password length of 12 characters or more should be adopted.
Strong and complex – Strong passwords are still key. Security experts agree that upper and lowercase alphanumerical characters are good practices for increasing password strength and making passwords capable of resisting guessing and brute-force attacks. In order to add complexity without compromising ease-of-use, users could modify passphrases by inserting spaces, punctuation and misspellings.
Eventually, we'll all get away from short, human-readable passwords. Tools to suggest or auto-create long, complex passwords and store them in encrypted form are available. But this article is long enough, and so that discussion must await another day.
In the meantime, just remember: if you must create a password on the fly for any purpose, make it long, at least 12 characters. More is better. That's the only tool you have left to give yourself a fighting chance against a hacker's supercomputer.