Choosing a Good Password
How many different passwords do you have? A password for your email
account? For your Amazon shopping? For your home computer? You undoubtedly
have been told to pick a "good" password but do you know what
makes a good password? I'm Jeanna Matthews and this is Common Sense
Computing.
Many systems that require a password will enforce rules such as the
password has to be at least 8 characters long and it must contain a letter
and a number. There are actually good reasons for these rules involving the
statistical probability of "cracking" or guessing your password.
Let's take a simple example to start with. Say that each password was 2
characters and each character could be either a lower case or upper case
letter. That means that for each character there would be 52 choices you
could make (26 lower case letters and 26 uppercase letters). Then, to get
the total number of different 2 character passwords, you simply multiply 52
times 52 for a total of 2704. Thus to guess your password, someone would at
most have to guess 2704 times.
Now, certainly lengthening the password will make it harder to guess.
For a longer password, say 8 characters, if you still could have only lower
case and upper case letters, there are 52 times 52 times 52 and so on, eight
times over, or 52 to the power 8, which is over 53 trillion.
That might seem like it would be impossible to guess for a human, but it
isn't actually that hard for a computer. Depending on how long it takes the
computer to "test" each guess, it may be able to
"crack" the password relatively quickly. Multiple computers can
also divide up the work to get the job done even faster.
To make the passwords harder to guess, we can basically do one of two
things - make the passwords longer or increase the number of choices for
each character. If we allow the characters to be numbers as well as
letters, then we increase the choices for each character from 52 to 62.
That increases the number of possible 8 character passwords to 218
trillion. Adding in 32 punctuation and other special characters increases
this to over 6 quadrillion.
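The arithmetic above, carried through as an added example (not part of the original broadcast): it computes the keyspace sizes quoted in the text, shows that a password only benefits from a larger character set if it actually uses those characters, and compares the worst-case guessing time for one machine and for several sharing the work. The guess rate of one billion per second and the 100-machine figure are assumptions chosen for illustration.

```python
import string

# Character-class sizes used in the article.
LETTERS = 52        # 26 lower case + 26 upper case
DIGITS = 10
SPECIALS = 32       # punctuation and other special characters (len(string.punctuation) == 32)
ENGLISH_WORDS = 250_000   # rough size of the English dictionary cited in the text


def keyspace(choices_per_char: int, length: int) -> int:
    """Distinct passwords: the per-character choices multiplied once per position."""
    return choices_per_char ** length


def choices_per_char(password: str) -> int:
    """Choices per position that a password actually draws on.

    A password made only of letters comes from 52 choices per position even
    when the system would have allowed digits and punctuation; the extra
    classes only enlarge the search once they appear in the password.
    """
    size = 0
    if any(c in string.ascii_letters for c in password):
        size += LETTERS
    if any(c in string.digits for c in password):
        size += DIGITS
    if any(c in string.punctuation for c in password):
        size += SPECIALS
    return size


def brute_force_candidates(password: str) -> int:
    """Worst-case guesses to try every password of the same length and character classes."""
    return keyspace(choices_per_char(password), len(password))


def worst_case_seconds(candidates: int, guesses_per_second: float, machines: int = 1) -> float:
    """Time to exhaust the candidates when the work is split evenly across machines."""
    return candidates / (guesses_per_second * machines)


if __name__ == "__main__":
    RATE = 1e9   # assumed: one billion guesses per second per machine
    print(f"{'password':<10}{'choices':>8}{'candidates':>22}{'1 machine (s)':>16}{'100 machines (s)':>18}")
    for pw in ["Pa", "Password", "Passw0rd", "Pa$sw0rd"]:
        n = brute_force_candidates(pw)
        print(f"{pw:<10}{choices_per_char(pw):>8}{n:>22,}"
              f"{worst_case_seconds(n, RATE):>16.1f}{worst_case_seconds(n, RATE, 100):>18.1f}")
    # A dictionary attack on a plain English word has far fewer candidates
    # than the letters-only keyspace of the same length suggests.
    print(f"dictionary word: {ENGLISH_WORDS:,} candidates vs {keyspace(LETTERS, 8):,} by brute force")
```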
Of course, any password system is only as secure as the passwords
actually chosen by users. People in general prefer to pick passwords that
are easy to remember. Common choices are English words, pets’ names, etc.
These may seem difficult for someone to guess. But considering that there
are only about 250,000 words in the whole English language, choosing an
English word makes your password very easy to guess. There is even a
special name for attacks that try to exploit this - they are called
dictionary attacks because they try to guess all words in a dictionary.
That is why many systems require that all passwords contain at least one
number and one special character; this forces users to at least go beyond
simple words.
Of course, if you make your password too hard to remember, then you will
be tempted to write it down, and this can of course lead to other problems
if someone steals or sees your written password. Generally, passwords
based on real words but with some strategic additions or substitutions can
strike a good balance.
If you would like more information on choosing good passwords and other
related links, visit us on the web at www.commonsensecomputing.org.
Words in the English Language: http://www.askoxford.com/asktheexperts/faq/aboutwords/numberwords
Copyright (c) 2005 - Jeanna Matthews