How to create and remember a strong password
Anonim

The best ways to create a password that no one can crack.

Most attackers don't bother with sophisticated password-theft methods; they simply try easy-to-guess combinations. About 1% of all passwords currently in use can be guessed within four attempts.

How is this possible? Very simply: you try the four most common combinations in the world, password, 123456, 12345678 and qwerty. After such a pass, on average, 1% of all "chests" are open.

Let's say you are among the 99% of users whose password is not that simple. Even so, the speed of modern password-cracking software has to be taken into account.

John the Ripper, a free and openly available program, tests millions of passwords per second, and some commercial tools claim 2.8 billion passwords per second. The exact rate depends on how the service stored the password: a fast, unsalted hash such as MD5 is tested orders of magnitude faster than a deliberately slow one such as bcrypt or scrypt.

Cracking programs first run through a list of the statistically most common combinations and only then move on to a full dictionary. Users' password habits drift slightly over time, and those changes are factored in when the lists are updated.

Over time, web services and applications of every kind began forcing users to complicate their passwords. Requirements appeared for a minimum length and for digits, upper-case letters and special characters. Some services took this so seriously that coming up with a password the system will accept became a genuinely long and tedious task.

The key problem is that almost no user generates a password that genuinely resists brute force; they only meet the system's composition requirements to the bare minimum.

The result is passwords like password1, password123, Password, PaSsWoRd, password! and the incredibly unpredictable p@ssword.

Imagine you need to rework your spiderman password. Most likely it will end up as $pider_Man1. Original? Thousands of people will change theirs using the same or a very similar algorithm.

If the cracker knows these minimum requirements, the situation only gets worse: the candidate list is pruned to combinations that satisfy them, and the predictable substitutions (@ for a, $ for s, a digit or ! appended at the end) are simply added as mangling rules. For this reason, imposed complexity requirements do not always give the best security and often create a false sense of it.

The easier a password is to remember, the more likely it is to end up in cracker dictionaries. The conclusion is that a really strong password is simply impossible to remember, which means it has to be written down somewhere.

According to experts, even in the digital age people can still rely on a piece of paper with their passwords written on it. Keep such a sheet somewhere hidden from prying eyes, for example in a wallet or purse.

However, a password sheet does not solve the whole problem. Long passwords are hard not only to remember but also to type, and the virtual keyboards of mobile devices make it worse.

Interacting with dozens of services and sites, many users leave behind a trail of identical passwords. They try to use the same password for every site, ignoring the risk that a leak at any one of them exposes all the others.

Some sites then act as a nanny and force the combination to be complicated. As a result, the user simply cannot remember how they had to modify their standard single password for that particular site.

The scale of the problem became fully clear in 2009, when an attacker exploited a security hole to steal the login and password database of RockYou.com, a company that publishes games on Facebook, and made it public. The passwords had been stored in plain text, and the dump contained 32.5 million entries with usernames and passwords. Leaks had happened before, but the scale of this one showed the whole picture.

The most popular password on RockYou.com was 123456, used by almost 291,000 people. Men under 30 more often chose sexual themes and vulgarities; older people of both sexes often turned to some area of culture. For example, Epsilon793 does not look like a bad choice, except that the combination appears in Star Trek. The seven-digit 8675309 turned up many times because it is the number from a Tommy Tutone song.

In fact, creating a strong password is a simple task: it is enough to use a combination of random characters.

You cannot produce a mathematically random combination in your head, but you are not required to. There are services that generate truly random combinations, producing passwords like these:

  • mvAWzbvf;
  • 83cpzBgA;
  • tn6kDB4T;
  • 2T9UPPd4;
  • BLJbsf6r.

This is a simple and elegant solution, especially for those who use a password manager to store them.

Unfortunately, most users continue to use simple, weak passwords and even ignore the "different password for every site" rule. For them, convenience matters more than security.

Situations in which a password can be compromised fall into three broad categories:

  • Casual, in which someone you know tries to guess the password from what they know about you. Such a cracker often only wants to play a trick, find something out about you, or make a mess.
  • Mass attacks, in which absolutely any user of certain services can become a victim. Specialized software is used, and the least secure sites are chosen: those that allow many password attempts in a short time.
  • Targeted, combining the gathering of hints (as in the first case) with specialized software (as in a mass attack). This is an attempt to get hold of genuinely valuable information. Only a sufficiently long random password will protect you, one whose enumeration would take a time comparable to a human lifetime.

As you can see, absolutely anyone can become a victim. Statements like "my password won't be stolen because nobody needs me" are beside the point, because you can end up in such a situation entirely by accident, by coincidence, for no apparent reason.

Password protection should be taken even more seriously by those who hold valuable information, are connected with a business, or are in a financial dispute with someone (division of property in a divorce, competition in business).

In 2009 Twitter itself (the whole service, not an individual account) was hacked only because an administrator used the word happiness as a password. The cracker guessed it and posted the access on the Digital Gangster forum, which led to the hijacking of the accounts of Obama, Britney Spears, Facebook and Fox News.

Acronyms

As in any other area of life, we always have to find a compromise between maximum security and maximum convenience. Where is the middle ground? What password-generation strategy produces strong combinations that are easy to remember?

At the moment, the best combination of strength and convenience is to turn a phrase or sentence into a password.

Pick a set of words you will always remember and use the first letter of each word as the password. For example, May the force be with you turns into Mtfbwy.

However, since the best-known phrases will be used as starting points, cracking programs will eventually have these acronyms in their lists. Moreover, an acronym made this way contains only letters, and is therefore objectively weaker than a random combination of characters of the same length.

Choosing the right phrase solves the first problem. Why turn a world-famous expression into an acronym? You probably remember jokes and sayings that circulate only in your close circle. Say you heard a very catchy phrase from a bartender at a local bar. Use it.

Still, the acronym password you generate is unlikely to be unique. The problem with acronyms is that different phrases can consist of words starting with the same letters in the same order, and in every language some letters occur far more often at the start of words than others. Cracking programs take these statistics into account, which reduces the effectiveness of acronyms in their basic form.

Reverse way

The way out is to go in the opposite direction. You create a completely random password at random.org and then turn its characters into a meaningful, memorable phrase.

Services and sites often give users temporary passwords that are exactly such perfectly random combinations. You will want to change them because you cannot remember them, but look a little closer and it becomes obvious that you do not need to memorize the password as such. Take another option from random.org: RPM8t4ka.

Although it looks meaningless, our brain can find patterns and correspondences even in such chaos. To begin with, the first three letters are upper case and the next three lower case; 8 is twice 4 (t for twice). Look at the password for a little while and you will surely find your own associations for the set of letters and digits.

If you can memorize nonsense sets of words, use that. Let the password become revolutions per minute 8 track 4 katty. Any conversion your brain handles better will do.

A random password is the gold standard in information security. By definition, it is stronger than any human-made password of the same length.

The disadvantage of acronyms is that the technique loses effectiveness as it spreads, whereas the reverse method stays just as reliable even if everyone on earth used it for a thousand years.

A random password will not appear in any list of popular combinations, and an attacker using the mass-attack method is left with nothing but brute force.

Take a simple random password drawn from lower-case letters, upper-case letters and digits: 62 possible characters for each position. With a length of only 8 characters that gives 62^8 = 218 trillion options.

Even if the number of attempts per unit of time is not limited, the fastest commercial software at 2.8 billion passwords per second needs about 22 hours to try them all (on average the right one turns up about halfway, after roughly 11 hours). To be safe, add just one more character: 62^9 combinations take about 56 days at the same rate, and a tenth character pushes the exhaustive search to about 9.5 years.
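The generation step and the 62^8 arithmetic above, worked through as an added example (this code is not from the original article). It draws a password from the operating system's random source with Python's secrets module, a local equivalent of the random.org service the article recommends, and computes keyspace, entropy and search time at the 2.8 billion guesses per second quoted above. The alphabet, the rate constant and the human_time helper are this example's own assumptions, not figures from any particular tool.

```python
from __future__ import annotations

import math
import secrets
import string

# Alphabet the article assumes: lower case, upper case and digits, 62 symbols.
ALPHABET = string.ascii_letters + string.digits

# Throughput quoted in the article for commercial cracking software (assumed
# constant here; real rates depend on the hash algorithm and hardware).
GUESSES_PER_SECOND = 2.8e9


def generate_password(length: int = 8, alphabet: str = ALPHABET) -> str:
    """Draw every character independently from the OS CSPRNG.

    secrets.choice is the right tool for secrets; random.choice is seeded
    predictably and must not be used for passwords.
    """
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def keyspace(length: int, alphabet_size: int = len(ALPHABET)) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random password of this shape, in bits."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(length: int, alphabet_size: int = len(ALPHABET),
                       rate: float = GUESSES_PER_SECOND) -> float:
    """Worst case: time to try the whole keyspace at `rate` guesses/second."""
    return keyspace(length, alphabet_size) / rate


def seconds_on_average(length: int, alphabet_size: int = len(ALPHABET),
                       rate: float = GUESSES_PER_SECOND) -> float:
    """Expected time: the right guess turns up halfway through on average."""
    return seconds_to_exhaust(length, alphabet_size, rate) / 2


def human_time(seconds: float) -> str:
    """Render a duration in the largest unit that gives a value of at least 1."""
    units = (("years", 365.25 * 86400), ("days", 86400.0), ("hours", 3600.0),
             ("minutes", 60.0), ("seconds", 1.0))
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.3f} seconds"


if __name__ == "__main__":
    print("candidate:", generate_password(8))
    for n in (8, 9, 10, 12):
        print(f"{n} chars: {keyspace(n):.3e} combinations, "
              f"{entropy_bits(n):.1f} bits, exhaustive search "
              f"{human_time(seconds_to_exhaust(n))}, expected "
              f"{human_time(seconds_on_average(n))}")
```

Run it to see that 8 characters exhaust in about 22 hours, 9 in about 56 days and 10 in about 9.5 years at that rate; the expected time is half of each. The same generator is what to reach for when the article later suggests answering secret questions with something unrelated: a random token kept in a password manager is exactly an answer that no dictionary of pet names contains.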

A random password is not invulnerable, because it can be stolen. There are plenty of ways, from capturing keyboard input to a camera looking over your shoulder.

An attacker can also hit the service itself and take the data straight from its servers. Here almost nothing depends on the user, with one exception: if the service stored only password hashes, a long random password will still resist offline cracking of the leaked dump, whereas a dictionary password will fall in seconds.

One reliable foundation

So we have reached the main point. What random-password tactics should you use in real life? In terms of the balance between strength and convenience, the "one strong password philosophy" works well.

The principle is that you use the same basis, one super-strong password (and variations of it), on the services and sites that matter most to you.

Remember one long and difficult combination for all of them.

Nick Berry, an information security consultant, accepts this principle, provided the password is very well protected.

There must be no malware on the computer from which you enter the password, and the same password must not be used on less important, entertainment sites: simpler passwords are quite sufficient there, since a compromised account will have no fatal consequences.

Clearly the reliable base has to be varied somehow for each site. As a simple option, you can prepend the last letter of the site's or service's name. Going back to the random RPM8t4ka, it becomes kRPM8t4ka for logging in to Facebook.

An attacker who sees one such password cannot tell how the password for your bank account is formed. Problems begin if someone obtains two or more of your passwords generated this way: the shared base then stands out immediately and the rule is easy to reconstruct. A password manager holding a separate random password for every site avoids this weakness entirely.

Secret Question

Some hijackers ignore passwords altogether. They pose as the account owner and act out the situation where you have forgotten your password and want to recover it through the secret question. In this scenario the attacker can set a new password at will, and the real owner loses access to the account.

In 2008 someone got into the email of Sarah Palin, then governor of Alaska and a vice-presidential candidate. The intruder answered the secret question, which read "Where did you meet your husband?"

Four years later Mitt Romney, at that time a presidential candidate, lost several accounts on various services. Someone answered the secret question about the name of his pet.

You have already guessed the point.

You cannot use public or easily guessed data as a secret question and answer.

The problem is not even that this information can be carefully dug up on the Internet or from people close to you. Answers to questions like "pet's name" or "favourite hockey team" are picked straight out of dictionaries of the most popular options.

As a stopgap, you can use the tactic of the absurd answer. Simply put, the answer should have nothing to do with the question. Mother's maiden name? Diphenhydramine. Pet's name? 1991.

However, if this technique becomes widespread, the corresponding programs will take it into account. Absurd answers are often stereotyped, that is, some phrases occur much more often than others.

In fact, there is nothing wrong with true answers; you just need to choose the question wisely. If the question is non-standard and the answer is known only to you and cannot be guessed in three attempts, all is well. The advantage of being truthful is that you will not forget the answer over time.

PIN

A Personal Identification Number (PIN) is the cheap lock our money is entrusted to, and hardly anyone bothers to pick a stronger combination even of these four digits.

Now stop. Right now, without reading the next paragraph, try to guess the most popular PIN. Ready?

Nick Berry estimates that 11% of the US population uses 1234 as their PIN (where they can choose it themselves).

Attackers pay little attention to PIN codes because the code is useless without physical possession of the card (which partly justifies its short length).

Berry analysed lists of four-digit passwords that appeared online after leaks. Someone using 1967 probably chose it for a reason. The second most popular PIN is 1111, preferred by 6% of people, and third is 0000 (2%).

Suppose someone who knows this gets hold of a bank card. Three wrong attempts block the card. Simple arithmetic shows that by entering 1234, 1111 and 0000 in turn they have a 19% chance of hitting the PIN.

Probably for this reason, the vast majority of banks assign the PIN to the issued card themselves.

Many people, however, protect their smartphones with a PIN, and there the popularity ranking looks like this: 1234, 1111, 0000, 1212, 7777, 1004, 2000, 4444, 2222, 6969, 9999, 3333, 5555, 6666, 1313, 8888, 4321, 2001, 1010.

The PIN is often a year (a year of birth or a historical date).

Many people like PINs made of a repeated pair of digits (pairs whose two digits differ by one are especially popular).

On the numeric keypads of mobile devices, combinations like 2580 rank near the top: to type it you just run straight down the middle column.

In Korea, 1004 sounds like the word for "angel", which makes the combination quite popular there.
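As an added example (not part of the original article), a check that flags the weak-PIN patterns described above: the popularity list, digit runs such as 1234 and 1111, repeated pairs such as 1212, year-like values, and straight lines across the phone keypad such as 2580. The year range, the reason strings and the four-digit restriction are assumptions of this example.

```python
from __future__ import annotations

# Popularity ranking of smartphone PINs as listed in the article.
TOP_PINS = ("1234", "1111", "0000", "1212", "7777", "1004", "2000", "4444",
            "2222", "6969", "9999", "3333", "5555", "6666", "1313", "8888",
            "4321", "2001", "1010")

# Assumption: treat 1900-2029 as "looks like a year"; tune to your user base.
YEAR_RANGE = range(1900, 2030)

# Standard phone keypad: digits 1-9 in three rows of three, 0 centred below.
KEYPAD_POS = {str(d): divmod(d - 1, 3) for d in range(1, 10)}
KEYPAD_POS["0"] = (3, 1)

# Reason labels (assumed wording) returned by weak_pin_reasons.
IN_TOP_LIST = "in the leaked-PIN popularity list"
DIGIT_RUN = "digit run (1234, 4321, 1111)"
REPEATED_PAIR = "repeated pair (1212, 1010)"
LOOKS_LIKE_YEAR = "looks like a year"
KEYPAD_LINE = "straight line on the phone keypad (2580)"


def _validate(pin: str) -> str:
    """Accept exactly four ASCII digits; str.isdigit alone admits Unicode digits."""
    if len(pin) != 4 or any(c not in "0123456789" for c in pin):
        raise ValueError("PIN must be exactly four digits")
    return pin


def is_digit_run(pin: str) -> bool:
    """All steps between neighbouring digits are equal and in {-1, 0, +1}."""
    digits = [int(c) for c in pin]
    steps = {b - a for a, b in zip(digits, digits[1:])}
    return len(steps) == 1 and steps <= {-1, 0, 1}


def is_repeated_pair(pin: str) -> bool:
    """ABAB shapes such as 1212 and 1010."""
    return pin[:2] == pin[2:]


def is_keypad_line(pin: str) -> bool:
    """Every move between neighbouring keys is the same non-zero (row, col) step."""
    pos = [KEYPAD_POS[c] for c in pin]
    steps = {(b[0] - a[0], b[1] - a[1]) for a, b in zip(pos, pos[1:])}
    return len(steps) == 1 and steps != {(0, 0)}


def weak_pin_reasons(pin: str) -> list[str]:
    """Return every pattern from the article that the PIN matches (empty = none)."""
    pin = _validate(pin)
    checks = (
        (IN_TOP_LIST, pin in TOP_PINS),
        (DIGIT_RUN, is_digit_run(pin)),
        (REPEATED_PAIR, is_repeated_pair(pin)),
        (LOOKS_LIKE_YEAR, int(pin) in YEAR_RANGE),
        (KEYPAD_LINE, is_keypad_line(pin)),
    )
    return [reason for reason, hit in checks if hit]


def is_weak_pin(pin: str) -> bool:
    return bool(weak_pin_reasons(pin))


if __name__ == "__main__":
    # Constructed candidates covering each pattern plus one that passes.
    for candidate in ("1234", "2580", "1967", "1212", "8492"):
        print(candidate, weak_pin_reasons(candidate) or "no known pattern")
```

Such a check belongs at PIN-setting time, where rejecting a weak choice is cheap; it does not replace the lockout after a few wrong attempts that a card or phone still needs.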

Conclusion

  1. Go to random.org and generate 5-10 candidate passwords.
  2. Choose the one you can turn into a memorable phrase.
  3. Use that phrase to remember the password.
