Tech blog post: strong passwords in practice

Themes:
Security of personal data
Data breaches

A few weeks ago, Dutch DPA technologist Jonathan Ellen took you on a trip through the world of strong passwords. We hope, of course, that you have started thinking about the strength of your passwords and have replaced some of them. Chances are that you ran into a number of practical problems along the way. How do you strike a balance between strength and usability? In this second blog post, we look at the approach in practice. The third and last part will deal in more detail with alternatives to passwords and with multifactor authentication.

A password is strong when cracking it takes more time (and therefore costs more money) than the result is worth. This is the case when a computer criminal has to make too many attempts to find the password. The number of attempts required depends on the total number of possible passwords. In the previous blog post, we called this total number the 'password space'.

The password space depends on the number of different characters a password can consist of and on the length of the password. Length has a greater influence on the space than adding, for example, special characters. Randomness is also important. Criminals exploit the fact that people behave predictably, so that in practice they only have to search a small part of the password space. A randomly chosen password prevents this predictability.

The only risk of a long, random password is that you easily forget it. After all, the human brain is built to work with patterns and structures, not to remember strings of letters and symbols. In this blog post, you will get a number of practical tips to avoid this and nevertheless use strong passwords.

Diceware

The first tip is not to build your passwords from letters and symbols, but from whole words. Numbered word lists are available online. Words of around 6 letters are ideal for this purpose. This approach is also called the 'diceware' method.

You roll a die a number of times and write the numbers of all the rolls in a row, so that you get one number. You look up this number in the word list and read off the associated word. You can also have a computer generate a random number, so you do not need a die at all. In this way, you randomly select a number of words from the list, for example 6, and put them in sequence. Taken together, these 6 words in sequence are your password.

In the previous blog post, we explained that the strength of a password depends on its length and on the number of possible characters. The alphabet, for example, gives you 26 characters to choose from, or 52 if you also use capital letters. With the diceware method, you use whole words instead of characters. Every complete word plays the role of a single character. But the number of possibilities is not 26, as with the alphabet, but the number of words in the word list. That can easily be thousands of words.

Randomness is also important when creating a strong password. Using whole words sounds less random. But because a word list is so much bigger than the alphabet, the password space – and therefore the total number of possible passwords a criminal has to sift through – is nevertheless large.

Passwords created with the diceware method generally consist of fewer elements than conventional passwords. This is also what makes them easier to remember. Instead of 10 or more characters, you only have to remember a few words. The total length is fine too: a password of 6 words of 6 letters each has a total length of 36 characters.

The biggest challenge is remembering the order. A good way to do this is to think up a story in which the words appear in the right order.
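To make the arithmetic behind the 'password space' and the diceware procedure described above concrete, here is an added Python example. It is not part of the original blog post and not the code of any diceware tool. The six-word list is constructed for demonstration only, and the list size of 7776 words (six to the power of five, so five dice select one word) is an assumption based on the classic diceware list. The functions compute the password space for character-based and word-based passwords, turn a row of dice rolls into a list index, and draw words with the operating system's secure random source instead of a physical die.

```python
import math
import secrets

DICE_SIDES = 6

# Constructed six-word list for the demonstration. A real diceware list has
# thousands of entries; the classic one has 7776 = 6^5 words (assumption).
DEMO_WORDLIST = ["alpha", "bravo", "charlie", "delta", "echo", "foxtrot"]
STANDARD_LIST_SIZE = 6 ** 5


def password_space(alphabet_size, length):
    """Total number of possible passwords: every position can hold any of
    alphabet_size symbols, so the space is alphabet_size ** length."""
    return alphabet_size ** length


def entropy_bits(alphabet_size, length):
    """The same quantity in bits: log2 of the password space. Each extra symbol
    adds log2(alphabet_size) bits, which is why length matters most."""
    return length * math.log2(alphabet_size)


def dice_per_word(wordlist_size):
    """Smallest number of dice whose combined rolls can reach every word."""
    n = 0
    while DICE_SIDES ** n < wordlist_size:
        n += 1
    return n


def rolls_to_index(rolls):
    """Read a row of dice rolls (each 1..6) as one base-6 number, most
    significant roll first, and return it as a 0-based list index."""
    index = 0
    for r in rolls:
        if not 1 <= r <= DICE_SIDES:
            raise ValueError(f"die roll out of range: {r}")
        index = index * DICE_SIDES + (r - 1)
    return index


def secret_roll():
    """One die roll from the operating system's CSPRNG (secrets, not random)."""
    return secrets.randbelow(DICE_SIDES) + 1


def pick_word(wordlist, roll=secret_roll):
    """Roll enough dice for one word and look it up. If the list size is not an
    exact power of six, indices past the end are rejected and rolled again, so
    every word stays equally likely (no bias toward the first entries)."""
    n = dice_per_word(len(wordlist))
    while True:
        index = rolls_to_index([roll() for _ in range(n)])
        if index < len(wordlist):
            return wordlist[index]


def diceware_passphrase(wordlist, n_words=6, roll=secret_roll, sep=" "):
    """Select n_words independent words and join them in the order rolled."""
    return sep.join(pick_word(wordlist, roll) for _ in range(n_words))


if __name__ == "__main__":
    print("example passphrase:", diceware_passphrase(DEMO_WORDLIST, 6))
    for label, size, length in [
        ("10 lowercase letters", 26, 10),
        ("10 mixed-case letters", 52, 10),
        ("6 diceware words", STANDARD_LIST_SIZE, 6),
        ("8 diceware words (main password)", STANDARD_LIST_SIZE, 8),
    ]:
        print(f"{label:34s} space = 2^{entropy_bits(size, length):.1f}")
```

Running the block prints a passphrase drawn from the demo list and the size of a few password spaces in bits, which makes the comparison between ten mixed-case letters and six words from a list of thousands visible. The rejection loop in pick_word is the detail most home-made generators get wrong: taking the roll modulo the list size would make the first words more likely than the rest.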

Password sentences

If remembering a series of random words is too difficult for you, you can also turn the process around: you start with a story or a sentence. The advantage of this method is that a running sentence is easy to remember. The sentence may be an existing one, for example from a book, or you can think one up yourself.

The disadvantage of this method is that you sacrifice some randomness. Especially if the sentence is logical, a criminal has an opportunity to predict it or to include it in a list of 'passwords to try'. Well-known proverbs, sayings and song lyrics are unsuitable for this reason.

Do you choose to use a running sentence as a password? Then compensate for this risk by making the password sentence extra long.

Password managers

One point the methods above do not take into account is that you use many passwords in everyday life. Even keeping easy-to-remember password sentences apart becomes difficult if there are too many of them. It goes without saying that reusing a password, or sticking it on a post-it note on your screen, is not an option.

Fortunately, your own computer and smartphone are perfectly capable of storing passwords safely. Programmes that do this are called password managers. Depending on the version, you can use a password manager online or offline.

In addition to convenience, a password manager offers other advantages. For example, password managers can quickly generate fully random – and therefore strong – passwords. You will never have to think up a new strong password again.

The most important disadvantage is, of course, that if every account has a fully random password, you cannot access your accounts without access to the manager. Make sure, therefore, that you have an up-to-date (offline) backup. That way, you can still get into your accounts if something breaks down.

You protect the password manager itself with – guess what – a password. Needless to say, this 'main password' has to meet the strictest requirements. Use, for example, the diceware method with at least 8 words for this purpose. But sometimes a password alone is not enough. That is why you should also enable multifactor authentication. You can read more about this in the next blog post.

Conclusion

Sometimes it seems that strong passwords are not practical. Fortunately, there are several ways to create strong passwords that are easy to remember. Password sentences and methods such as diceware take a burden off your shoulders.

A solution to the problem of remembering many passwords has also been found. By storing all your passwords in a password manager, all you have to remember is the main password.

But passwords, no matter how strong, always remain vulnerable to many types of attack. Even a password manager won't protect you against phishing, and even a strong password can be guessed. By combining passwords with other means of authentication, you ensure even better protection.

You can read more about this in the third and last blog post about passwords.
