My mom's web site was just hacked, replaced with a virus-spewing redirect. How? They guessed her password (which was "ladybug") then changed it on her. She should have picked a long random password, like "xkh9czixb3".
How do you remember dozens of passwords like "xkh9czixb3"? You can't. Write them down. For each, write down what it's for, what the username is, and what the password is. Preferably on two separate pieces of paper, in case one gets lost. Be sure you can read your handwriting. You don't get any security against people who can read the paper that way, but at least you have security against everyone who can't. It also prevents you from forgetting a site's password, then typing in every password you know trying to guess what it was. Another possibility (besides paper) is to store your passwords encrypted on your computer. I haven't looked into this much. Password Safe is one tool for doing this.
How do you pick a really random password?
If a password is required to use characters that are just letters
and numbers, case insensitive, then a character can be chosen by a
pair of dice and the table below. For example, if I roll a 5 and a 2,
I look up "52 z" in the table, which tells me to add the character "z"
to my password. Be careful to shake the dice well between each roll.
Be careful not to sort the numbers before reading them.
    first die 1:  11 a  12 b  13 c  14 d  15 e  16 f
    first die 2:  21 g  22 h  23 i  24 j  25 k  26 l
    first die 3:  31 m  32 n  33 o  34 p  35 q  36 r
    first die 4:  41 s  42 t  43 u  44 v  45 w  46 x
    first die 5:  51 y  52 z  53 0  54 1  55 2  56 3
    first die 6:  61 4  62 5  63 6  64 7  65 8  66 9
If a password is case sensitive and may contain funny characters, well, I recommend avoiding the funny characters. Why? For example: I recently changed my HostSave password to */!@a3'". The password changer accepted that. However, when I tried to log on, it wouldn't let me. It let me ask what my password was, so I asked. */!@a3'", it said. I tried it again and it wouldn't let me log on. So I had to write customer support and have them change my password to something that worked. Their site has changed recently; it's more thorough about explaining its password restrictions, but it still gives no clue why my password didn't work. (Then I switched to PowWeb because they, unlike HostSave, do online spam filtering. Now I only have to download 12 messages a day instead of 300.) (HostSave should not be able to tell me my password, because they shouldn't be storing it. Yikes. They should store just a hash of my password.)
So. Suppose a password is case sensitive and may contain funny
characters. You can choose the characters, one at a time, by flipping
6 coins per character. Line up the coins before reading them. I
included * and ! because I know HostSave accepts those, but you may
wish to use other funny characters, or even just reflip the coins if
they say to use a funny character.
    HHHHHH 0  HHHHHT 1  HHHHTH 2  HHHHTT 3  HHHTHH 4  HHHTHT 5  HHHTTH 6  HHHTTT 7
    HHTHHH 8  HHTHHT 9  HHTHTH a  HHTHTT b  HHTTHH c  HHTTHT d  HHTTTH e  HHTTTT f
    HTHHHH g  HTHHHT h  HTHHTH i  HTHHTT j  HTHTHH k  HTHTHT l  HTHTTH m  HTHTTT n
    HTTHHH o  HTTHHT p  HTTHTH q  HTTHTT r  HTTTHH s  HTTTHT t  HTTTTH u  HTTTTT v
    THHHHH w  THHHHT x  THHHTH y  THHHTT z  THHTHH A  THHTHT B  THHTTH C  THHTTT D
    THTHHH E  THTHHT F  THTHTH G  THTHTT H  THTTHH I  THTTHT J  THTTTH K  THTTTT L
    TTHHHH M  TTHHHT N  TTHHTH O  TTHHTT P  TTHTHH Q  TTHTHT R  TTHTTH S  TTHTTT T
    TTTHHH U  TTTHHT V  TTTHTH W  TTTHTT X  TTTTHH Y  TTTTHT Z  TTTTTH *  TTTTTT !
How good is your password? This question really is, how long does
an attacker have to work to guess your password? Trying 100,000
passwords (for example all English words and names) takes a few
seconds of computing time. Let's say 1 second per 50,000 passwords.
So guessing a password that is an English word (like "ladybug") can be
done in 2 seconds. Here's a table of how good a random password is:
| length | possibilities (digits + lowercase letters) | time | possibilities (digits + lower + upper + two symbols) | time |
|---|---|---|---|---|
| 1 character | 36 | 0 seconds | 64 | 0 seconds |
| 2 characters | 1,296 | 0 seconds | 4,096 | 0.1 seconds |
| 3 characters | 46,656 | 1 second | 262,144 | 5 seconds |
| 4 characters | 1,679,616 | 34 seconds | 16,777,216 | 6 minutes |
| 5 characters | 60,466,176 | 20 minutes | 1.074 × 10^9 | 5.9 hours |
| 6 characters | 2.176 × 10^9 | 12 hours | 6.872 × 10^10 | 16 days |
| 7 characters | 7.836 × 10^10 | 18 days | 4.398 × 10^12 | 2.78 years |
| 8 characters | 2.821 × 10^12 | 2 years | 2.815 × 10^14 | 178 years |
| 9 characters | 1.016 × 10^14 | 64 years | 1.801 × 10^16 | 11,416 years |
| 10 characters | 3.656 × 10^15 | 2,317 years | 1.153 × 10^18 | 730,678 years |
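As an added example (not code from the original page), here is a Python script that implements the dice table and the coin table above and recomputes the search times in this table at the page's assumed rate of 50,000 guesses per second; the `random_password` function is my own addition that stands in for physical dice and coins by using the operating system's random number generator.

```python
# Dice-and-coin password pickers plus the guess-time table, as on the page:
# two dice -> one of 36 chars (lowercase + digits), six coins -> one of 64
# chars (digits, lower, upper, '*', '!'), attacker tries 50,000 guesses/sec.
import secrets

DICE_ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"            # 36 chars
COIN_ALPHABET = ("0123456789abcdefghijklmnopqrstuvwxyz"
                 "ABCDEFGHIJKLMNOPQRSTUVWXYZ*!")                   # 64 chars
GUESSES_PER_SECOND = 50_000


def dice_char(first: int, second: int) -> str:
    """Map one roll of two dice, read in order (5 then 2 -> 'z'), to a char."""
    if not (1 <= first <= 6 and 1 <= second <= 6):
        raise ValueError("each die must show 1..6")
    return DICE_ALPHABET[(first - 1) * 6 + (second - 1)]


def coins_char(flips: str) -> str:
    """Map six coin flips read left to right (H=0, T=1) to a char: 'HHTHHT' -> '9'."""
    if len(flips) != 6 or set(flips) - {"H", "T"}:
        raise ValueError("need exactly six H/T flips")
    return COIN_ALPHABET[int(flips.replace("H", "0").replace("T", "1"), 2)]


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of possible passwords of this length over this alphabet."""
    return alphabet_size ** length


def seconds_to_search(alphabet_size: int, length: int,
                      rate: int = GUESSES_PER_SECOND) -> float:
    """Time for the attacker to try every password of this length."""
    return keyspace(alphabet_size, length) / rate


def human_time(seconds: float) -> str:
    """Render seconds in the largest convenient unit, like the page's table."""
    for unit, size in (("years", 365.25 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


def random_password(length: int, alphabet: str = COIN_ALPHABET) -> str:
    """Hypothetical helper: the coin-flip idea using the OS random generator."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for length in range(1, 11):
        print(f"{length:2d} chars: {human_time(seconds_to_search(36, length)):>16}"
              f"  {human_time(seconds_to_search(64, length)):>18}")
```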
On the other hand, if you gear your passwords to be breakable in a week, you can break them yourself if you ever have to. Most hackers are willing to take any account, not just yours, and will go on to easier targets if your password takes more than five minutes of computing time to break. Here is a page giving the hacker's perspective on passwords.