On Passwords

I suspect I’m preaching to the choir here, since most readers/co-bloggers are quite tech-savvy. But here goes…

Edit: I’ve revised this post a little, after realizing that the first version was epically long and lacked ‘sections.’

Understanding the Risk: And Why You Are at Risk

(Short version: everyone is likely to have someone try to crack their password, and it’s going to be done by a fast computer over the Internet.)

When it comes to passwords, a lot of people think, “Who would try to crack my password?” And indeed, I used to think that, too. Using “c” as a password might work great, because no one is going to sit down at your computer and guess that.

But this way of thinking is a serious blunder. You probably wouldn’t think, “Why would terrorists single me out?,” or, “Why would a mugger take my purse?” Others might wonder, “Who would send me a virus?” or, “Why would lightning strike my house?”

The “threat” that passwords protect against, though, isn’t a guy in a Hamburglar mask that’s going to sit down at your computer and type in various possible passwords. The threat is automated attacks over the Internet. They don’t ‘single anyone out,’ but instead, they go after every account they can find. No one sits down and types out possible combos, but they let a computer guess thousands of passwords a second.

If you’re like most people, you don’t have a fortune in your bank account, don’t have any big enemies, and don’t have access to anything all that special on the computer. But you’re at risk. While “hackers” is a nice scary term to be afraid of, the reality is that a lot of what goes on now is carried out by viruses and worms. Someone’s computer gets infected with a virus that will seek out accounts and try to guess the password.

It’s almost a classic human move to try to protect against threats without understanding them. A while back I read a neat piece on burglars, that involved interviewing a few burglars and a few people who had their homes broken into. And it really turned my thinking on its head. You know those ingenious “book safes,” where a book is hollowed out and used to store jewelry and cash, disguised as just another book on your bookshelf? To you and I, it seems like a great idea. It’s surrounded by lots of other books, so we might never notice. The problem is that we never stop to think like a burglar. People who had their homes broken into routinely mentioned that their bookcases were knocked over. That ultra-hidden “book safe” will spill your gems all over the floor. And you know those hollowed-out cans of Campbell soup that are sold to hide your valuables in? They’re actually not a bad idea, but most people don’t think it through enough, and end up leaving a fake can of soup on their dresser, where it looks ridiculously out of place and practically screams, “Look, the valuables are here!” One of the burglars who was interviewed mentioned that he robbed a house where the owners had apparently thought to stash a bunch of their cash in their DVD player. The problem is that he was looking for electronics to pawn, so the cash that the owner had meant to ‘hide’ became an unintentional bonus for the crook.

So no one is going to ‘single you out’ to break your password. You’re going to be one of thousands, and in most cases, they really don’t know or care who you are.

How Passwords are Cracked

Let’s start with a seemingly-irrelevant story. Bear with me, because it’s entirely relevant. Every now and then scientists, many of whom seem to devote their lives to writing boring theses about boring topics, do something that makes me chuckle. Such is the case with the Infinite Monkey Theorem. You’ve probably heard of it, in fact: “An infinite number of monkeys, on an infinite number of keyboards, will almost surely eventually reproduce the complete works of Shakespeare.”

The theorem really has nothing to do with monkeys, keyboards, or Shakespeare, though. It’s about probability, especially when huge numbers (especially infinity) are involved. For example, consider a no-hitter game in baseball. For the sake of argument, let’s (completely arbitrarily, but believably) say that the odds of a MLB pitcher having a no-hitter game are 1 in 10 million. Most pitchers, then, will probably go their whole career without having one. But now suppose that a given pitcher, by some strange chance, pitches in 17 billion games. This, of course, is a pretty unreasonable assumption: assuming one game a day, year-round (365 days a year), this would take about 46.5 million years. But that’s really the point of the theorem: as the number of ‘iterations’ of something grows, approaching infinity, the probability of it happening approaches 100%. If the odds are 1 in 10 million, and he throws in 17 billion games, it’s practically guaranteed that he’ll throw several no-hitters.

Passwords, and encryption in general, are often compared to locks. The big difference (besides one being tangible and the other being a complex mathematical science) is that locks can be pretty trivially picked. Most methods of encryption in use have been thoroughly analyzed by teams of people with advanced degrees in fields you and I haven’t even heard of, so most people agree that you can’t really ‘pick’ encryption: hundreds of the brightest minds couldn’t find any vulnerabilities. If passwords were like keys, then, the only option is to try lots and lots of keys until you find the one that opens the lock.

And here’s where the Infinite Monkey Theorem comes in. Computers are excellent at performing mathematical tasks like generating every possible password. A modern computer can guess thousands of passwords a second. To use the key analogy, you get a key cutting machine and lots of blank keys, and try every one. There are a lot of possibilities, but computers make short work of it. A one-in-a-million probability of guessing your password is actually dangerously low. It’s probably under an hour’s worth of work for a computer. Increasingly-powerful computers, in a way, are the infinite monkeys: they make it extremely easy to simply try every single possibility.

But It’s Easier Than It Seems

(Short version: a lot of common mistakes can make your seemingly-good password easier to crack than you’d like to think.)

The problem is that most people make it easier than it should be. Falling back on our key analogy, the typical key has five or six ‘teeth’ that stick up to move the pins in the lock to just the right height. If all the pins are at the right height, the lock cylinder can be turned, and the door will open. There are nine or ten possible ‘heights’ for each ‘tooth.’ (Note that I’m not a locksmith, and I’m simplifying things a bit anyway. If you’re seeking to know everything there is to know about how tumbler locks work, I’m not the one to listen to.) Assuming five ‘teeth’ and nine possibilities for each, we get 9 x 9 x 9 x 9 x 9 (9^5) possibilities, which gives 59,049 possible combinations. It seems that we’d need to make 59,049 different keys to open the lock, then.

But we probably don’t need that many. For one, 59,049 is the total number of possibilities. Cutting 59,049 keys guarantees you’ll have the right one. But what if the third key you try happens to be the right one? That’s incredible luck, but any of the possibilities are (theoretically) equally probable. And you can figure that there’s a 50% chance that you’ll get it in 30,000 tries or less.

But there’s another thing that makes guessing passwords even easier. (Time for another analogy.) If you’re anything like me, you find yourself, on a daily basis, looking around trying to figure out where you left your car keys. If I was really, really bored, I could probably make a list of 10,000 different places in my house where my keys could be. However, you probably wouldn’t sequentially run through that list of every possible place. It’s possible that I left my keys behind the refrigerator again, or that I decided to store them at the bottom of the gallon of milk in the fridge this time. But, unless you’re absolutely insane, you’re going to start your search by looking on the kitchen counter, and then move to my desk. And the odds are pretty good that you’ll find them in one of those places, without ever having to take apart my printer or disassemble the lamps. This whole comment sounds incredibly ridiculous, I’m sure. Of course you’re going to start your search by looking in the most common places. And so do password cracking tools.

How many people do you think have “password” set as their password? “asdf” and “qwerty” top the lists, too, as does a blank password. And “monkey” seems to make a lot of lists for reasons no one’s ever really figured out. So password crackers start with a list of common passwords. Most lists have a couple hundred to a couple thousand of the most common passwords on them. It’ll take maybe 2 seconds for the computer to run through all of them, and it seems like they get an insane number of results right there.

If that fails, they’ll then fall back to a list of every word in the dictionary. “doorjam” might not be the most common password, but it’ll probably get cracked in about 30 seconds as the script runs through the dictionary.

If that fails, it then has to methodically search everything. Your goal is to make sure that any password cracker ends up here. It’s kind of like the locks on your house: a would-be robber might try jiggling the handle to see if it’s open. And if it’s locked, he might give the door a quick kick to see if it breaks open. If it does, you’ve made it super-easy for him to get in. But if it doesn’t, he’s got to do something really hard (maybe take a torch to cut the lock off, or work on picking the lock). So most people might just move on to find an easier target. But read on to see why you shouldn’t stop at making a “slightly” hard password.

What Are the Odds?

So you know that using a dictionary word is a really bad idea, as is using any of the super-common passwords. (“qwerty” technically isn’t in the dictionary, nor is “abc123.” But both will be tried even before running through the dictionary.) The other bit of advice that’s common to hear is that you want a long password. And this is incredibly good advice.

Let’s incorrectly assume that there are only 75 possible characters for a password (a-z, A-Z, 0-9, and a handful of things like +, &, and whatnot). A one-character password, obviously, would have 75 possibilities. Two characters brings it to 75 x 75 (75^2), or 5,625 possibilities. Each character added, then, means the field of things a brute-force cracker would have to try is seventy-five times bigger. This grows unbelievably quickly. Six characters would leave 178 billion possibilities. That’s an awful lot, but remember that thousands a second can be tried. Go for 8, and you’re in numbers that no one can make sense of without exponents (1 x 10^15, or a quadrillion). Spring for 10 and you’re at 5 x 10^18, which is 5 quintillion, a number so ludicrously large that I had to look it up to see what it meant.

But do remember that the length of your password alone doesn’t matter. “password” is eight characters long, after all, and that’s a pretty good length, but will probably take less than a second to crack. The real point here is that each character you add can make your password massively more difficult to crack.
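To make the three stages described above concrete (common list, then dictionary with the usual tricks, then brute force), here is a small estimator written for this post; it is not the author’s code. The word lists are tiny constructed stand-ins for the real multi-thousand-entry lists, the 5,000 guesses per second is an assumed rate, and the brute-force alphabet is whichever character classes the password actually uses rather than the post’s simplified 75.

```python
"""Estimate which stage of a password cracker would find a given password,
and roughly how many guesses that takes, following the stages described in
the post: common-password list, dictionary plus common tricks, brute force."""
import re
import string

# Constructed stand-ins for the cracker's lists (real ones are far larger).
COMMON_PASSWORDS = ["password", "123456", "qwerty", "asdf", "monkey", "abc123", ""]
DICTIONARY = ["doorjam", "cat", "big", "blog", "radio", "house"]

# Character classes a brute-forcer must cover once a password uses them.
CHARSETS = [string.ascii_lowercase, string.ascii_uppercase,
            string.digits, string.punctuation]

GUESSES_PER_SECOND = 5_000  # assumed: "thousands of passwords a second"

# Undo the usual l33t substitutions so "p4ssw0rd" is treated as "password".
LEET = str.maketrans("4301$", "aeols")


def normalize(candidate: str) -> str:
    """Strip the tricks crackers already expect: capitalisation, a trailing
    run of digits ("cat1" -> "cat"), and l33t digit-for-letter swaps."""
    lowered = candidate.lower()
    stripped = re.sub(r"\d+$", "", lowered)
    base = stripped if stripped else lowered  # keep all-digit passwords intact
    return base.translate(LEET)


def brute_force_space(candidate: str) -> int:
    """Keyspace a brute-forcer must cover: (alphabet size) ** (length), where
    the alphabet is every character class the password uses at least once."""
    alphabet = sum(len(chars) for chars in CHARSETS
                   if any(c in chars for c in candidate))
    return alphabet ** len(candidate)


def estimate_guesses(candidate: str) -> tuple:
    """Return (stage, expected number of guesses).  Brute force is charged
    half the keyspace, since on average the right key turns up halfway."""
    if candidate in COMMON_PASSWORDS:
        return "common list", COMMON_PASSWORDS.index(candidate) + 1
    wordlist = COMMON_PASSWORDS + DICTIONARY
    base = normalize(candidate)
    if base in wordlist:
        # Every word is retried in its mutated forms after the common list.
        return "dictionary + common tricks", len(COMMON_PASSWORDS) + wordlist.index(base) + 1
    return "brute force", brute_force_space(candidate) // 2


def crack_seconds(candidate: str) -> float:
    """Expected time at the assumed guess rate."""
    return estimate_guesses(candidate)[1] / GUESSES_PER_SECOND


if __name__ == "__main__":
    for pw in ["password", "p4ssw0rd", "doorjam", "zqxjkv", "N2zyy&&xst29))"]:
        stage, guesses = estimate_guesses(pw)
        print(f"{pw!r:18} {stage:28} {guesses:>12,} guesses, {crack_seconds(pw):,.0f} s")
```

Note that “password” and “p4ssw0rd” are both eight characters yet never reach the brute-force stage, which is the post’s point that length alone does not matter.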

Generating a Good Password

So you’ve read this far. (Or just jumped to the headline that looked like it was worth reading.) You know to avoid dictionary words, and that you want a long password. But what does that leave? Will you be able to remember a “good” password? The answer is yes, and it’s easy.

Start with a “word” you’ll remember, but that isn’t a word in the dictionary. E-mail addresses, screen names, license numbers, model numbers, serial numbers and the like are pretty good. Avoid anything that’s all numbers or just really common. And even though “the enemy” your password guards against probably doesn’t know you, it’s still bad practice to pick something easily linked to you: don’t use your screenname, for example. But how about your neighbor’s license plate, or your boss’s e-mail address? Remember that this is just the starting point, not your final password.

If it’s something short, add something else to it. “n1zyy” isn’t good because it’s short, and “xts3000” (a radio model number) isn’t that good, either. Really, they’re not even good starting points: they’re both short, they’re both simple, they’re both things someone might guess about me, and the numbers are quite simplistic. (“n1zyy” is an especially bad choice for me, given that it’s also my username. That’s right up there with using “password”.)

But since I don’t want to use any “excellent” choices as an example to post on the Internet (which would transform it into a really bad choice), let’s use them for this example. We’ll start by just combining them: “n1zyy+xts3000”. Thirteen characters long, neither of them in the dictionary. We’re doing alright. But stopping here is no good.

You then want to apply various “changes” to this, such as:

  • Deliberate “typos” (“xts3000” might become “xst3000”)
  • Using l33t (“password” would become “p4ssw0rd”… “n1zyy+xts3000”, incidentally, doesn’t really lend itself to any l33t at all, but this is atypical.)
  • Inserting random characters (oddball ones, like & or _ or :, are excellent)
  • Changing capitalization (“password” is bad; “pAsswoRD” is better, though still bad)
  • Incrementing/decrementing numbers (or letters): “xts3000” might become “xts2999,” though it’s better to not just shift by one, and it’s better to treat each character individually (“xts4111” adds ‘1’ to each digit individually). Or, even better, be entirely inconsistent.
  • Hold down shift on some of the numbers (“1234” becomes “!@#$”) as an easy way to mix in ‘harder’ characters.
  • Avoid the things everyone does, like adding “1” to the end of your password and using “+” to merge two words, in particular. You might also want to know that l33t, in and of itself, is a common trick for passwords. If you catch yourself doing any of these things, run through the list again to change those things a little more. (“p4ssw0rd” might become “p5ssw1rd”, which is suddenly looking a lot less likely to get cracked. And “big+cat” might become “big%cat”. Both of those, of course, are still bad passwords.)

The goal is to mix-and-match from those sorts of things, in whatever order you see fit. You shouldn’t see this as a list of the steps to take, but as sources of inspiration for various ways to “mess up” the base ‘phrase’ of your password, making it astronomically more difficult to guess.

The end product might be something like “N2zyy&&xst29))” which isn’t a bad password: it’s long, and, best of all, it looks like total gibberish, mixing in a fair amount of unlikely characters.

And although it doesn’t look it, it’s easy to remember. That’s because you’re not remembering that weird string of characters itself. You’re remembering “n1zyy” and “xts3000” (which, if you were the one making the password, were things you already remembered), but with some simple changes made: they’re combined with a && (anything but a “+”), and then with a few changes: Upper-case the “N,” change the 1 to a 2, “xts” becomes “xst,” 3000 becomes 2900, and you hold down Shift for the last two characters, making 2900 “29))”.

You might have to “think it through” the first few times, but if you’re like me, after a couple times, muscle memory takes over, and you’re typing the password without even thinking about it. It’s actually possible to get to a point where you don’t “know” your password: it’s something your fingers can type, but if someone asked you, you really couldn’t answer without typing it out. You might never consciously remember, character-for-character, that your password is “N2zyy&&xst29))” but you’d use it many times a day without even having to think.

One quick note: make sure you don’t incorporate things you type every day into your password. Putting aside all the other reasons that “bl0gs” would be an awful password, it’s especially bad for me, because whenever I try to write something about the blogs, I’m liable to type “bl0gs” instead, inadvertently showing my password to everyone. I made a mistake of this sort with a previous password, loosely based on a common word. The “o” and “0” are next to each other, so maybe “bl0gs” is a conceivable typo. But if you make a strange error in typing a common word more than a couple times, it doesn’t take much to deduce that it’s probably a password to something.

Writing Your Password Down

It seems like anyone who knows anything about security will tell you that writing your password down is the worst thing you can do. Here, I tend to swim against the current: the odds of someone finding and using my password that I write down are very slim, but the odds of me forgetting the deliberately-complicated password I just came up with are very high. Obvious exceptions apply if you’re in a position where you need a really strong password: I’d really hope that top military leaders don’t take my advice to write their password down, and if you work right next to other people who you don’t trust, writing down your password is bad, too. But for most people, it’s really not a bad idea.

Of course, don’t do anything foolish. Security experts go crazy at the number of people who have their password on a Post-it note on their monitor. (Putting it on the bottom of your keyboard is more clever, but it’s kind of like using the fake book as a safe: it might make you feel good, but it’s not going to fool anyone with the least bit of experience.) When I’d just come up with a strong password I worried I’d forget, I wrote it down and stuck it in my wallet. I’m quite protective of my wallet, and if someone got my wallet, I had enough problems anyway.

The other important bit with writing your password down is to be vague. If you snatched my wallet and saw “N2zyy&&xst29))” written inside, you might assume it’s a password. But to what? Make sure they’re left wondering: giving in and writing “www.bank.com – Account 1234567” is just begging to have your account compromised. But the password on its own is relatively meaningless. (Unless, of course, it goes to a bank account listed on another card in your wallet, or something of that sort.)

So if you’re worried you’ll forget it, write your password down. Just make sure you’re not dumb about it, and that you don’t forget about it: once you no longer need it, rip it up and throw it out.

Use a Really Good Password for E-mail

A lot of us assume that no one wants to read our e-mail. But protecting your e-mail is actually super-important. There are lots of ‘little’ reasons: they could “harvest” lots of e-mail addresses to spam (or to try to break into); you probably have some financial data in there; you might have login information sitting in there; they could send spam from your account…

But there’s one really big reason. Practically everything these days uses your e-mail address to validate your identity. Forgot your password and need it reset? They’ll send you an e-mail to confirm that it’s really you. Need a new PIN at your bank? Probably done via e-mail. If someone can get into your e-mail, then, they can “take over” almost any of your accounts. They can go to a site where you have an account, plug in your e-mail address, and request that the password be reset. It’ll be sent to you, but they’ll be in your mailbox, act on the e-mail, and promptly delete it. You’ll probably be none the wiser until you can’t log in anywhere, and the password reset e-mails don’t come. (Because, after hijacking the accounts, they changed the e-mail. You were sent a confirmation e-mail about that, too, but they confirmed it and then deleted that e-mail.)

Don’t Trust Websites

(Short version: Speaking as a webmaster, it’s disconcertingly easy for people running websites where you have to log in to see your password. For important accounts, have a password that’s used only for that account.)

Simply put, whenever you log into a website, you’re sending them your password “in the clear.” (If you use a “Secure” website, all it means is that the communications between your browser and their webserver are encrypted. It doesn’t mean that the people running the webserver can be trusted, nor that they’re going to store your password in a safe manner.)

Most good sites don’t store your password, but instead a one-way hash of it. The passwords used on the blogs, for example, aren’t capable of being decrypted.

But you should take absolutely no comfort in that. (For one thing, lots of websites don’t do this, and store your password in the clear.) When you go to log in, even at a site that does things the right way, you send your password to the webserver. The code will run it through the MD5 function and see if the resulting hash matches the one in the database. But nothing stops an unscrupulous webmaster from changing the code to first log the password you send. (Or an unscrupulous “man in the middle” from snooping the password off the network, unless you’re using HTTPS/SSL.) Or, anyone with access to the website’s users database could just try a brute-force attack on the hash, just like I wrote so much about earlier here. But they might not even have to do that: there are huge databases online of MD5 hashes and the corresponding passwords. (Warning: don’t submit your password to “see” if it’s there, as you’ll most likely add it to the database!)
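As an added illustration (not code from the blog), here is the unsalted MD5 storage the post describes, beside a salted and deliberately slowed hash; the user table and passwords are constructed samples. Whatever the storage scheme, the server still receives the plaintext at login, so this protects only the stored copy, not against a webmaster who logs what you send.

```python
"""Two ways a site might store the password it receives at login: the
unsalted MD5 scheme described in the post, and a salted PBKDF2 alternative.
The user table is constructed sample data."""
import hashlib
import hmac
import os
from typing import Optional

PBKDF2_ITERATIONS = 200_000  # each guess against the stored hash costs this much work


def md5_store(password: str) -> str:
    """Unsalted MD5.  Every user who picks the same password gets the same
    hash, which is exactly what makes precomputed hash-lookup databases work."""
    return hashlib.md5(password.encode()).hexdigest()


def md5_check(password: str, stored: str) -> bool:
    """What the login code in the post does: hash the submitted password and
    compare it with the database value."""
    return hmac.compare_digest(md5_store(password), stored)


def salted_store(password: str, salt: Optional[bytes] = None) -> str:
    """Per-user random salt plus PBKDF2-HMAC-SHA256, stored as
    'pbkdf2$iterations$salt$hash' so the parameters travel with the record.
    Two users with the same password now get different records."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def salted_check(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2":
        return False
    _, iterations, salt_hex, digest_hex = parts
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


# Constructed user table: two users who happened to choose the same password.
USERS = {"alice": "password", "bob": "password"}


def shared_md5_hashes(users: dict) -> dict:
    """Group users by their unsalted MD5.  Any group with more than one member
    tells whoever reads the table that those users share a password, before
    a single guess has been made; a lookup database then names it."""
    groups: dict = {}
    for name, pw in users.items():
        groups.setdefault(md5_store(pw), []).append(name)
    return groups


if __name__ == "__main__":
    print("unsalted MD5 groups:", shared_md5_hashes(USERS))
    for name, pw in USERS.items():
        print(name, salted_store(pw))  # different record per user despite equal passwords
```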

Those of you with accounts here, your passwords are safe, and you can trust me. But you shouldn’t. Especially on other websites, you should essentially assume that the webmaster is able to see your password, and that the webmaster doesn’t know the first thing about keeping hackers from viewing the database, either. Because if you have lots of accounts online, it’s probably true of at least one of them.

This needn’t be a big deal, though. You can make the problem meaningless by using a different password everywhere. If you have a password that you only use on the blogs, and I ‘crack’ it, all I can do is log into the blogs as you. (And since I’m the administrator, that wouldn’t let me do anything I can’t already do.) Many people, though, use the same e-mail address, password, and username everywhere. Those people are setting themselves up for big trouble.

What I do isn’t perfect, but it’s an improvement. I have a set of nice, strong passwords I use at important places. My passwords for PayPal and my bank are things no one would ever guess, and that would take a good computer years to guess. But I also have one ‘garbage’ password that I use at multiple places. I’m at risk in a way: if any of those site admins figure out my password, it wouldn’t be too hard for them to log into other sites using the same credentials. But for sites that are important (here, my bank, school, etc.), I generate a unique password. My password on some forums will get you into my Digg account and my YouTube account, but it most certainly won’t get you root on my server, or let you into my bank account.

3 thoughts on “On Passwords”

  1. I use “12345” for all my passwords. 🙂 OK maybe not.

    I talked to a group of 1st graders once. You would not believe the passwords they use. They are long and include numbers. Some of the best passwords ever. Of course they were way too willing to tell me what they use for their own good but I tried to teach them not to.

  2. Of course they were way too willing to tell me what they use for their own good but I tried to teach them not to.

    …right after you installed a backdoor in their accounts. 😉

    That’s an interesting observation, though. I wonder why they’re good with passwords. Is it just creativity? Little kids are notoriously bad at keeping secrets and lying. (If they’re keeping a secret, they’ll tell everyone that they’ve got a secret, and tell a lot of people what it is that they can’t tell anyone. And lies often take the form of spontaneous, “I didn’t…” long before anyone ever accuses them of it, or telling nonsensical / impossible stories. “A martian ate my homework! No, I’m serious! I’m not lying!”)

    So I wonder if it’s more creativity?
