Passwords: How to choose one and why we need them

May 07, 2013 by Philip Branch, The Conversation
Having trouble remembering all your passwords? Don’t expect respite any time soon. Credit: Jonno Witts

I just did a count of the systems I use that require a password and gave up at 40. I know I'm not alone; for many of us, it often seems we have too many passwords to manage.

They are, however, required to access most of the systems we interact with for work, entertainment, and everyday living.

Perhaps it is because they are so ubiquitous that we take them for granted without ever really understanding how they work.

Passwords are an example of using something you know to prove your identity. In security circles it is often said that the ways we prove our identity fall into three categories:

  • something you have, such as a bank card
  • something you are, such as a biometric: a photograph of the user, a fingerprint or an iris scan
  • something you know, with passwords being the most common example

What are passwords really made of?

Well-designed password systems never store passwords directly. What's stored instead is

  • the hash – the output of a cryptographic function that takes a sequence of characters or numbers and generates another sequence based on it
  • the salt – some additional characters which do not form part of the password, but are added during hashing to make it harder for attackers to crack password files

The output of a hash function tells you very little about its input, so it is very difficult to reverse.

It takes vastly more computation to reverse a hash value than it takes to calculate it.

When a password is entered into a system, the hash of the password and any salt value is calculated and compared with the stored value.

If it matches then the user knows the password and identity is assumed to be proved.
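The storage and verification steps just described, as an added example that is not from the article: a record holding the salt and the hash is stored instead of the password, and at login the hash of the entered password plus the stored salt is recomputed and compared. The choice of PBKDF2-HMAC-SHA256, the iteration count, the 16-byte salt and the record layout are assumptions made for this example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Parameters are assumptions for this example, not values from the article.
ITERATIONS = 200_000   # PBKDF2 work factor: each guess costs an attacker as much as it costs us
SALT_BYTES = 16        # 128-bit random salt, unique per stored password


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Produce the record a well-designed system stores instead of the password.

    The record carries the algorithm, work factor, salt and hash, so the password
    can be checked later without the password itself ever being stored.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh salt each time, so equal passwords get different hashes
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(candidate: str, record: str) -> bool:
    """Recompute the hash of the entered password plus the stored salt and compare it with the stored value."""
    try:
        algorithm, iterations, salt_hex, stored_hex = record.split("$")
    except ValueError:
        return False  # malformed record: treat as a failed login rather than crashing
    if algorithm != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # Constant-time comparison so the verifier does not leak how many leading bytes matched.
    return hmac.compare_digest(digest.hex(), stored_hex)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")  # constructed sample password
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("Tr0ub4dor&3", record))                   # False
```

Note that `hash_password` called twice on the same password yields two different records, because each call draws a fresh salt; only `verify_password`, which reads the salt back out of the record, can match them. The record format also stores the iteration count, so the work factor can be raised later without invalidating existing records.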

"Assumed to be proved" is an important point. Because we have so many passwords, people tend to reuse them or choose passwords that are easily remembered but also, unfortunately, easily guessed.

As a result, passwords by themselves are often regarded as inadequate proof of identity.

Certainly when we get cash from an ATM or pay for goods via EFTPOS, the password (the PIN) is not sufficient proof of identity.

In those cases a second form of identity proof (the bank card) is also required.

Of course, PINs are not particularly good passwords, being so short and restricted to the digits 0 to 9; but in general, where a reasonably strong level of proof of identity is needed, passwords alone are usually regarded as insufficient.

Credit: B. Rosen

Using rainbows to generate a storm

One of the reasons passwords are less trusted than they once were is the availability on the internet of rainbow tables, which are precomputed tables that enable the hash of passwords to be reversed.

For example, rainbow tables are used in dictionary attacks, where real words found in the dictionary are used for passwords.

Rainbow tables also exist for passwords that are all lower case and fewer than eight characters long.
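To show why the salt described earlier is the defence against precomputed tables, here is an added example (not from the article): a small lookup table built once from a constructed word list recovers a password stored as a bare hash, but finds nothing when the same password was stored with a per-user salt, because the table would have to be rebuilt for every possible salt value. Plain SHA-256 is used only to make the point; the six-word list and the 16-byte salt are constructed for this example, and a real system would use a slow, salted password hash.

```python
import hashlib
import os

# Constructed six-word list standing in for a real dictionary (not from the article).
WORDLIST = ["password", "letmein", "footy", "sunshine", "qwerty", "dragon"]


def unsalted_hash(password: str) -> str:
    """SHA-256 of the bare password: the storage scheme a precomputed table defeats."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: bytes) -> str:
    """SHA-256 over salt plus password: the same password gives a different hash per salt."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def build_lookup_table(words):
    """Precompute hash -> word once; this is the work a precomputed table amortises over every password file."""
    return {unsalted_hash(w): w for w in words}


def lookup(table, stored_hash: str):
    """Reverse a stored hash by table lookup; None means the table does not cover it."""
    return table.get(stored_hash)


def salt_multiplier(salt_bytes: int) -> int:
    """How many separate tables would be needed to cover every possible salt of this size."""
    return 2 ** (8 * salt_bytes)


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)

    # A site that stores bare hashes: the dictionary word is recovered by a single lookup.
    stored_unsalted = unsalted_hash("footy")
    print(lookup(table, stored_unsalted))                 # footy

    # The same password stored with a random 16-byte salt: the table has no matching entry.
    stored_salted = salted_hash("footy", os.urandom(16))
    print(lookup(table, stored_salted))                   # None
    print(salt_multiplier(16))                            # 2**128 tables would be needed
```

The salt does not make the password itself any stronger; a dictionary word is still a dictionary word. What it removes is the attacker's ability to do the hashing work once and reuse it across every user and every site, which is exactly what a rainbow table relies on.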

What's the big deal?

Often it is not understood why the cracking of any password is a serious matter. What does it matter if passwords to the office footy tipping competition are compromised?

Unfortunately, it matters a great deal because of the way people use passwords.

Most of us have many passwords; far too many to be able to remember. As a result, we tend to reuse them.

The password used for low risk systems such as the office footy tipping competition will often be reused in high risk systems such as internet banking, email systems, and the like.

In this way, compromising one low risk system may compromise a much higher risk system. Consequently, it is important to use different passwords for different systems.

Or, if this is too difficult, at the very least use unique passwords for high risk systems.

This gets us to the vexed question of whether systems should force regular password changes. As always in security system design, the answer is "it depends".

In some cases the importance of the information protected is such that it warrants a regular change of password.

But often forcing regular changes of password is counterproductive. We have so many passwords as it is, and forcing us to change them regularly may cause us to choose passwords that are easy to remember but also easy to crack.

What makes a good password?

A good password should be easy to remember but almost impossible for others to guess.

It should either include characters from a large character set (such as upper and lower case, numeric and non-numeric characters) or be very long.

Some approaches are to make use of information that only you can possibly know, such as the phone number of a girlfriend or boyfriend from a few decades ago, the street you lived on when at high school, or something similar.

Of course, in these days of social media, such information is not always as unknowable as it once was.

You might blend multiple sources of such information and include some non-numeric characters in a way only you know and perhaps include the name of the site.

Another suggestion is to choose long random sequences for passwords and write them down on a list which you store in your wallet, or use a password manager such as those available as an app on most mobile phones these days.

Such advice is controversial (particularly writing passwords down), but the counterargument is that most of us are quite good at securing our wallets, and the rainbow-table-based systems for cracking passwords are so sophisticated that anything other than a random sequence is vulnerable to a dictionary attack.

This advice does beg the question: what happens if you lose your mobile phone or your wallet, or forget the password to your password manager application?

So, are there alternatives to passwords?

Not really. Of course if the system being protected warrants it, there are alternatives such as security token systems, retina and iris scans, fingerprint systems, and face recognition, to name but a few.

But there is nothing as cheap and as well understood as passwords.

So keep your memory sharp – passwords are likely to be around a while yet.



User comments : 8


antialias_physorg
not rated yet May 07, 2013
One of the reasons passwords are less trusted than they once were is the availability on the internet of rainbow tables, which are precomputed tables that enable the hash of passwords to be reversed.

Rainbow tables do not reverse the hash (many hash functions are more costly to calculate inverse than forward).
The attacker does not need to guess your password correctly. All he needs is to get any word that will map to the same hash.
By knowing the hash function (which is oftentimes the case) you can create rainbow tables of words that map to UNIQUE hashes. These tables can be orders of magnitude smaller than trying all letter/symbol/numeral combinations - thereby making a brute force attack possible.
Claudius
1 / 5 (1) May 07, 2013
A good password should be easy to remember but almost impossible for others to guess.


A password that can be easily remembered is not a good one.

My method is to take a book and a pin, close my eyes and lower my hand with the pin to the page, look at the character, write it down, and repeat as necessary. Then I store the password securely. If I need to use it, I access the stored password.
antialias_physorg
5 / 5 (1) May 07, 2013
A password that can be easily remembered is not a good one.

Why not?
This xkcd comic explains very succinctly why complicated passwords are not stronger (and arguably a LOT harder to memorize) than a conveniently selected simple one
http://www.explai...Strength

A very simple alternative is to take something long but easy to remember (e.g. the URL of the site you use the password for) then take two numbers you can always remember (e.g. 3 and 4) add those at the end and transpose letters 3 and 4 of the entire password.
voila: individual password for any site and easy to remember/reconstruct but hard to crack.
Neurons_At_Work
not rated yet May 07, 2013
I currently have over 70 sites requiring username/password combinations, and all my passwords are complex random 20 characters minimum with caps, lowercase, numbers, and special characters. Using the password manager Lastpass simplifies things immensely, however. I've used it for at least five years on my computers and tablet, and with one strong master password it logs me in automatically to all sites, and also saves secure notes of other information unrelated to usernames or passwords. Not trying to sound like an ad for them, but it makes complex password management really simple to deal with...
alfie_null
not rated yet May 08, 2013
One of the many problems with passwords is people aren't good random generators. Yet (as with multitasking), we think we are. Any "trick" you use to increase the entropy can easily be emulated once it's known (hint: it's probably a good idea to keep your tricks secret).

A highly entropic password is going to be really hard to remember. And then consider the prospect that it should be changed regularly and often. And that you only get so many tries to enter your really hard to remember password.

All the things we do to try to make password based authentication more secure end up making life more difficult, in exchange for relatively small amounts of increased security.
Claudius
1 / 5 (1) May 08, 2013
A password that can be easily remembered is not a good one.

Why not?
This xkcd comic explains very succinctly why complicated passwords are not stronger (and arguably a LOT harder to memorize) than a conveniently selected simple one
http://www.explai...Strength

A very simple alternative is to take something long but easy to remember (e.g. the URL of the site you use the password for) then take two numbers you can always remember (e.g. 3 and 4) add those at the end and transpose letters 3 and 4 of the entire password.


In the example they give: "Tr0ub4dor&3" is easier for password cracking software to guess than "correcthorsebatterystaple", Tr0ub4dor&3 seems to be using your method. In my case, the password is entirely random, for example "amt3uowlsyyn" is going to be harder to crack than either of the examples above, (and is going to be much harder to remember.)
antialias_physorg
not rated yet May 08, 2013
In my case you just need to remember 3 and 4...as the rest is obvious. (the URL you can even just copy and paste from the address bar - so you don't even need to type it).

Very difficult to crack and (next to) no effort to remember.

"amt3uowlsyyn" is only marginally harder than "Tr0ub4dor&3" because of the one extra letter. Depending on the choice of cracking algorithm it's even easier - as many cracking algorithms will not even consider special characters, except for numbers, as number substitutions are much more common in passwords. Sometimes the algorithm will also not consider capitals as most people want something they can type without using shift.
In that case "Tr0ub4dor&3" wins easily.

What the comic illustrates is that length beats complexity any day.
antialias_physorg
not rated yet May 08, 2013
All the things we do to try to make password based authentication more secure end up making life more difficult

As the comic notes:
"Through 20 years of effort we have trained everyone to use passwords that are hard for humans to remember but easy for computers to guess"

This is because the first hackers tried passwords based on human fallacies and 'educated guessing' (dictionary attacks, easy password lists like 12345, etc.) - at the time brute force wasn't an option because it took too long.
Today brute force/rainbow tables ARE an option - and therefore the 'complex' passwords we thought were an answer back then have become weak.
