Thursday, March 19, 2020

How to pick a strong password

I posted this ten years ago, but it's still useful.  The only thing that I would add is that your password should be at least ten characters long, and preferably longer.  But you'll see that this doesn't make it hard to remember.

Originally posted 19 March 2010.

How to pick a strong password

There's a snarky saying among IT professionals, that users are an infinitely renewable source of security risk.

There's certainly a difference in motivations between users and IT security folks, which generates a lot of frustration in the latter group. IT needs to manage risk; users are supposed to get their jobs done (in other words, make money for the company). It's a truism that we say that security is everyone's job; users say security is IT's job. I mean, look who gets paid for it.

There's a quite interesting research paper out from Microsoft's Principle Security Researcher, that argues that this attitude on the part of users is rational:
We argue that users’ rejection of the security advice they receive is entirely rational from an economic perspective. The advice offers to shield them from the direct costs of attacks, but burdens them with far greater indirect costs in the form of effort. Looking at various examples of security advice we find that the advice is complex and growing, but the benefit is largely speculative or moot.
I work pretty hard to filter out irrelevant security news and advice here, because I think that there's something to that. The people who get jazzed about a daily dose of triple propeller head security news probably aren't regular readers here. The security industry in general does a poor job of filtering out the noise, which leads to the "boy who cried wolf" syndrome:
He offers the following as reasons why: 
  • Users understand, there is no assurance that heeding advice will protect them from attacks.
  • Users also know that each additional security measure adds cost.
  • Users perceive attacks to be rare. Not so with security advice; it’s a constant burden, thus costs more than an actual attack.
I (mostly) agree with the perception, although I think that attacks via passive downloaded malware (say, from advertisements that exploit vulnerable browsers) shouldn't be considered "rare".

IT also offers complicated advice. For example, this is typical for how to pick a secure password:
Password rules place the entire burden on the user. So, they understand the cost from having to abide by the following rules:
  • Length
  • Composition (e.g. digits, special characters)
  • Non-dictionary words (in any language).
  • Don’t write it down
  • Don’t share it with anyone
  • Change it often
  • Don’t re-use passwords across sites
As a public service, here's how to pick a very strong password that is easy for you to remember. Think of a sentence or a phrase that describes something about you that you will remember. For example:
I used to live on Pond St. when I was 6.
Now take the first letter from each word, preserving capitalization and punctuation:
That's one heck of a password right there, and is something that is easy to remember for you, and very hard to guess for an attacker. And it takes care of the first 5 bullet points listed above. Well done, you! And this is hard to argue with:
We have argued that the cost-benefit trade off for most security advice is simply unfavorable: users are offered too little benefit for too much cost. 
Better advice might produce a different outcome. This is better than the alternative hypothesis that users are irrational. This suggests that security advice that has compelling cost-benefit trade off has real chance of user adoption. However, the costs and benefits have to be those the user cares about, not those we think the user ought to care about. 
Anyone in IT really needs to read this. Anyone interested in security should take a read, too.

UPDATE 19 March 2010 13:44: Dr. Boli offers some (ahem) excellent security advice.


Divemedic said...

I use a password wallet. The one that I wanted to have would be usable across multiple platforms (desktop, tablet, cell phone) would allow the generation of strong passwords that would follow the rules of multiple systems (not all systems have the same rules: some don't allow symbols, others require them) and be intuitive. It would have to be seamless and inexpensive.

I went with LastPass. Not only does it do all of the above, it also locally encrypts the passwords. The company doesn't have access to my passwords.

Now every site I go to has a different password, they are all 12 characters or longer (although, oddly enough, several sites do not allow passwords longer than 10) and I only have to remember the one password it takes to unlock the wallet.

ASM826 said...

The other thing, in the world today, is to leave the passwords, or as Divemedic suggests, the LastPass password, in your will or otherwise where it can be found. Otherwise, all our on-line accounts will just be lost with no goodbyes when we die.

I also use LastPass. The only thing I don't have in LastPass is the banking passwords. They are unique and I just remember them.

jwl said...

An important feature of the password manager we use, 1Password, is the ability to keep track of the security questions along with the username and password.

Speaking of which: there's usually NO REASON AT ALL to tell the truth on security questions. The automated challenges are just looking for a character string to match; even when asked by a live human (e.g. calling a brokerage customer service line) they don't need to really make sense, then answer just has to be intelligible.

For instance, if a security question is "Who was your fourth grade teacher," you can make your answer "pineapple pizza." (Hi, Miguel...) That way there's no way to social-reverse-engineer the answer from your credit history, high school yearbook, etc.

The ability to keep these in 1Password together with the regular login, means, in essence, I don't have to remember all of my lies that I tell the security questions. :-)

Roy said...

I worked in the industry for 40 years (now retired). We had a saying: "If it were not for IT security, we would be on Mars by now."

A lot of the endless security crap makes perfect sense from an IT standpoint. If someone hacks your account at home, it's just a major inconvenience. On the other hand, if the company's intranet gets hacked, it can be a major corporate-wide disaster.

Ed Bonderenka said...

I worked for the American subsidiary of Hyundai, Mobis.
What a nightmare.
The rules were based on Koran law.
The security software was referred to as the M virus by the IT staff.
Nobody could get anything done anymore.
No Powerpoints.
People displayed pictures on there phones into a projector at meetings.
Every doc went into the M cloud, sometimes never to be seen again.
No pictures transferred from phone to PC.
No thumb drives.
No brains.

LSP said...

What an excellent infographic! May have to share it...

Kurt said...

My advice to users is much, much simpler.

Make up a random, but easily memorized and typable sentence. Make sure it doesn't have revealing details, such as your address, phone number, names of family members, SS number, etc.

Also, make sure that it has all of the spaces and punctuation that you'd normally use for a sentence.

Finally, make sure it's at least 20 characters long.

Put it in your password vault.


KurtP said...

What I don't understand(probably cost) is why computers don't use the clock to time passwords.
Everyone would have a different time to spell anything.

It could take me .05 seconds to type Borepatch, and you .037 to type it.
Anything almost instantaneous would be kick automatically.

Kurt said...

@KurtP - This is one of the biometric measures that is being used. Back in the Puget Sound area there is/was a company that purported to do this: Measure keystroke timing as a way to identify people uniquely. I can't remember the name of the company off the top of my head, but they started at least in the early-to-mid 2000s.

Here's a Wikipedia article on the concept:

The Real Kurt