Jan 15, 2020
4:54:45pm
ThetaSigma All-American
On the subject of internet security: passwords
tl;dr skip to the end for the conclusion

Passwords are an interesting study. I've thought about this a bit, and here are (IMO) the factors that people consider when choosing a password:

1. How memorable the password is
2. How easy the password is to type (especially if it has to be typed on a phone or a TV)
3. How secure the password is

People tend to prioritize the first option the most, which makes sense. Most people give little thought to how secure their passwords are; they think "I added a number and a symbol to it, so it's secure." Unfortunately, adding a number and/or a symbol does little to make the password harder for a computer to guess.

Here are the most basic factors that impact how secure a password is:

1. How difficult the password is for a human to guess
2. How difficult the password is for a computer to guess
3. How many logins the password is used for (more logins with the same password => less secure)
4. How long it has been since the password has been changed

The last two items are simpler, so I'll address them first: if you use the same password for multiple logins, you run the (very real) risk of having your password compromised when one site with poor security gets hacked. It gets worse if you use the same username (or email address) for the logins: if a hacker gets your credentials from somewebsiteyouonlyusedonce.com, they can try those credentials on a host of common sites with a high probability of gaining unauthorized access to multiple accounts that belong to you. This happened to my friend last month. Takeaway: never use a password for more than one site.

If you go for years without changing your password, the probability that it is discovered goes up dramatically. Even if the website never gets hacked, there are any number of ways that an attacker could get your credentials, many of which are very difficult to detect or defend against, so the only safe option is to change your password often. If it's been 6+ months since your password changed, it's time to get a new one.

Now for the first two items: how difficult the password is to guess. A human might guess your password if it's something that has meaning in your life; even so, if you add a few numbers or symbols, the probability of discovery by a human drops quickly. But virtually every attacker who ever tries to discover a password of yours will not be guessing manually; they'll have a computer guess for them. To defend against this, the most basic thing to do is never use a password that's on a list of commonly-used passwords, and never use a variation of a password on one of those lists. Here's one guy with a shocking quote:
While many people have improved the security and strength of their passwords, there are still a huge number of people who pick from a very small list of common passwords. In fact, 91% of all user passwords sampled all appear on the list of just the top 1,000 passwords.

https://www.passwordrandom.com/most-popular-passwords (Note that this author did a case-insensitive comparison, but that doesn't change the significance of the result because a good computer will still discover your password quickly if its only variation from a common one is case. Note further that this guy's work has little credibility, but his numbers don't have to be exactly right to communicate the correct idea: common passwords are extremely weak.)

But simply avoiding common passwords is not good enough; you must consider how theoretically difficult it is to guess your password. We measure this property using what's called bits of entropy. A simple explanation is thus: if a password has 20 bits of entropy, then even if an attacker knows the process you used to generate the password, he will still have about 2^20 = 1,048,576 possible passwords to check. On average he will discover your password after trying only 2^20 / 2 = 524,288 passwords. If we assume he can try only 1,000 passwords per second (which is a naïvely low estimate), then it will take on average only 524 seconds, or less than 10 minutes, to guess your password.

Humans are very bad at doing anything randomly, and generating passwords is no different. So this is a significant point: any password that you come up with yourself will not have very much entropy. Instead, you should have a computer randomly generate your passwords. The main problem with this of course is that if you have just a random sequence of 12 characters, it may have very high entropy (78 bits, by my count, which is enough to withstand millennia of cracking efforts by a supercomputer), but it will also be very difficult to remember and type. Fortunately, there is a way to generate highly random, memorable, and easy-to-type passwords, as illustrated in this comic:

[image: password_strength.png]

If you have a list of only 2,048 common words and choose 4 of them randomly, you get 44 bits of entropy. If you have a list of 8,196 common words and choose 4 of them randomly, you get 52 bits of entropy. It's easy to memorize and type a sequence of 4 words, and even if your attacker can make 1,000,000 attempts per second, 52 bits of entropy gives an average of 74 years to guess the password. Even if they can guess 100,000,000 times per second, it will take on average 9 months to guess the password, but since you're changing your passwords more often than once every 9 months, you're safe.
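A worked version of the entropy arithmetic from the last few paragraphs, as an added example and not code from the original post: it reproduces the 20-bit, 12-character and 4-word figures, estimates crack time at a given guess rate, and draws a passphrase with a CSPRNG. The word list is a constructed stand-in for a real 2,048-word list, and the 91-character alphabet used for the 12-character password is an assumption.

```python
import math
import secrets

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Constructed stand-in word list; a real list would have 2,048+ words.
SAMPLE_WORDS = ["apple", "river", "stone", "cloud", "maple", "tiger",
                "piano", "lemon", "candle", "forest", "silver", "wagon",
                "meadow", "copper", "harbor", "violet"]


def entropy_bits(pool_size: int, length: int) -> float:
    """Bits of entropy when `length` items are drawn uniformly (with
    replacement) from a pool of `pool_size` choices: length * log2(pool)."""
    return length * math.log2(pool_size)


def average_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time to hit the password: on average half of the 2^bits
    keyspace must be tried, even if the attacker knows the scheme."""
    return 2.0 ** bits / 2 / guesses_per_second


def average_crack_years(bits: float, guesses_per_second: float) -> float:
    return average_crack_seconds(bits, guesses_per_second) / SECONDS_PER_YEAR


def random_passphrase(words, count: int = 4) -> str:
    """Choose `count` words with the OS CSPRNG (secrets), not random.random,
    so the password's strength rests only on the size of the word list."""
    return " ".join(secrets.choice(words) for _ in range(count))


def meet_complexity_rules(phrase: str) -> str:
    """The post's trick for 'must contain a capital, digit and symbol':
    capitalize the first letter and append '1!'. This is deterministic, so
    it adds no entropy; the randomness comes entirely from the word choice."""
    return phrase[:1].upper() + phrase[1:] + "1!"


if __name__ == "__main__":
    for pool, length, label in [(2 ** 20, 1, "20-bit example"),
                                (91, 12, "12 random characters (91-char alphabet)"),
                                (2048, 4, "4 words from 2,048"),
                                (8192, 4, "4 words from 8,192")]:
        bits = entropy_bits(pool, length)
        print(f"{label}: {bits:.1f} bits, "
              f"{average_crack_years(bits, 1e6):.1f} years at 1e6 guesses/s")
    print(meet_complexity_rules(random_passphrase(SAMPLE_WORDS)))
```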

Conclusion
To make your passwords secure, you cannot come up with them yourself and you cannot use any of them more than once. Furthermore, you should change them frequently. Since most of us have dozens of logins, we need a way to safely store passwords or else we have no chance of remembering them. A good password manager will do the trick; I use Norton Password Manager, which syncs between my computer and my phone to give me instant access to any password of mine while requiring me to remember only my master password; it even autofills my credentials for me when I visit websites. The only things stored in the cloud are my encrypted passwords, and cracking the encryption is more difficult than guessing a password with 52 bits of entropy. One downside: my master password is not stored anywhere, and if I forget it, my other passwords become irrecoverable.

Most of my online passwords are random sequences of 15 characters, autogenerated by Norton Password Manager. For those passwords that I might need to type myself (e.g. the password to unlock my computer, the master password, the BYUtv password that I have to enter on my TV every time I need to stream something from BYUtv, etc), I generate random sequences of common words using a program I wrote in Python. If the login service requires that I include a capital letter, a number, and a symbol, I capitalize the first letter and add '1!' to the end of the sequence of words (remember, adding capitalization or random symbols yourself doesn't do much to make the password more secure anyways; random word sequences are already secure enough, so there's no need to make them harder to remember).