• 
• Deutsch/English
• Homepage
• Contact
• Accessibility
• License
• zeitform

• Instructions
  • E-Mail Programs and Security
  • Configuring PGP (Windows)
  • Configuring GnuPG (Mac OS X)
  • Thawte Web of Trust Personal Certificate
  • Access Control for Webservers
  • Secure Passwords
• Literature
• Technical Information

Secure Passwords

Secure passwords do not exist. There are only insecure passwords.

Convenience

Humans tend to forget things easier, if there is no relation to their reality. This might be the reason why so many people use insecure passwords to provide security for data which is not meant to be seen or to be used by others. For the following consideration it does not matter whether we talk about a secret diary as a text file, the login to a discussion forum, a UNIX account, the Windows 2000 machine in the office or financial data – online banking or custody account.

In all cases (and even more) passwords are used to allow authorized people to access information and keep unauthorized outside. If passwords are missused by unauthorized people the damage can be of unlimited amount, be it of financial or of non-financial nature (image loss, data loss). There are no limits.

Dictionary Attacks

Every word listed in dictionaries are insecure, no matter which language you choose. It should be clear that english words or words of the mother tongue of the victim (if known) are more insecure than words e.g. in Somali. In the internet you may find dictionaries most qualified to feed an application for brute-forceing passwords by testing one word after the other.

Despite there might be more security by varying the cases (where applicable) it is not really a handicap. In the end even "umBreLlA" can be disclosed in an appropriate amount of time.

An english dictionary contains around 150.000 words. If you add deviants to upper and lower cases you might reach about 15 million words. But just a few seconds are necessary to brute-force the password.

In 2002 a list of 10.000 accounts of an existing server were analyzed. After just 30 minutes 30% of the passwords were disclosed (see Passwords: the weakest link?).

Personal Data

Well beloved as well as insecure is the use of personal data for passwords – forenames and surnames, birthdays, telephone numbers, characters of films or books, hobbies, affections of the user, his partner, a family member et al. Even more than words out of dictionaries these words make sense and are more or less easily guessed.

In a survey in 2001 between 1200 british clerks it was ascertained that almost half of the interviewees used their names, names of their pets or family members as passwords. Others applied names like Darth Vader or Homer Simpson (see Homeland Insecurity).

Strings of Pattern

Favored passwords are strings with pattern like "qwerty" or "12345" which are easily typed. These passwords are insecure because they are well known (there are even dictionaries with these pattern strings).

Brute-Force Attacks

Modern computers are powerful. At the moment affordable systems are able to test over 10 million keys of e.g. the encryption algorithm RC5 (which is said to be secure) in a second. If you confront this number with passwords of a length of 6 characters (with upper and lower case) you easily can calculate the time it takes to brute-force a password:

52 possible characters to the power of 6 characters length = about 20 billion combinations
20 billion / 10 million = 2000 seconds = about half an hour

Two consequences derive from this simple calculation:

• short passwords are insecure
• passwords out of a small pool of characters (e.g. just numbers or just lower cases) are more insecure than those out of a great pool (e.g. numbers and characters and special characters)

Conclusion

Recapitulatory, passwords should feature the following attributes to achieve an acceptable dimension of security:

• Passwords should be long (at least 8 characters)
• Passwords should contain combinations of letters/numbers/special characters
• Passwords should not make any noticeable sense

The following methods will help you to find passwords with an adequate security, which can be remembered easier than a random string of letters:

• Connecting two words (with a mixture of upper and lower case) with a special character
  (e.g. "4aT&hOme", "b1G#seCreT", "zEIt+f0rM")
• The first letters of a sentence in conjuction with special characters and numbers
  (e.g. "Spau2rP!" for "Some people are unable to remember passwords!")
• Meaningless words which consist of speakable syllables, ideally combined with special characters and numbers
  (e.g. "dOsil?Ar0n")

Note: Never use one of these examples as password! Find your own!

Why even this is not sufficient...

Complicate passwords are more difficult to remember than simple ones. Even if there is a great temptation to annotate passwords and store them in the purse or fix them to the monitor you better store them only (!) in your brain. Even though you choose your password wisely, it saves others a lot of effort if they can read your password from a note attached to your monitor and a lot of affliction can derive of loosing your purse into unknown hands with login information to company data.

Another favorite way of spreading passwords is the multiple use of one password for various accounts. If the operator of a discussion board knows your password, he could hope – provided that he owns sufficient criminal energy – that you are using this password for your company account as well. Therefore, passwords should be used just once and should be changed frequently.

Also note, that passwords are sometimes sent unencrypted via the internet or company networks. They can be wiretapped on the whole line of communication. Never use those passwords twice!

Passwords never should be committed to friends neighter as a backup against oblivion nor for casual co-usage. Trust no one!