Picking a "good enough" password

This quick article came from some things I realized I just assume everyone knows, during a talk I had with my family about picking good passwords.  (Ok, I talked, they pretended to listen.) I didn't want to tell them what a good password was; instead I wanted them to understand what makes a password good enough, and how to manage the multiple passwords they have to keep track of.

Bigger is better

The bigger a password is, the harder it is to guess.   Looking at the math: an 8 character password using just lower case letters and numbers (36 unique symbols) gives 8^36 =~ 3.25e23 possible combinations.  Pretty good if everything were totally random.  However, computers are fast... so let's expand the number of symbols.

Multiple character classes are better (letters, numbers, symbols)

On a standard US keyboard, there are 52 letters (upper and lower case), 10 numbers, and 28 symbols.  Adding symbols and upper and lower case letters, the number of combinations is now 8^90 =~ 1.89e81.  Well, that's good enough?  Not exactly. While that significantly increases the number of possibilities, there are two problems.  First, selecting a password is not a truly random process.  We tend to start with a letter and try to make it something memorable that is associated with us: dates, pets, etc.  All of that narrows down the possibilities significantly.  Even if we get a totally randomly generated password, we still have problem number two... remembering it.

Making it memorable is the best

As humans we are not good at memorizing lots of random letters, numbers and symbols.  (This is a study I did with a sample size of one... me.)  We can remember a very select few pieces of data.  With practice some people can memorize some truly amazing things, for example pi out to a silly number of digits.  However, when we don't use the information, we forget it.  Some information we retain forever, but most of it we will forget.

So when we are creating a password it should incorporate all the character classes and it should be memorable (and not limited to just 8 characters). The comic below from XKCD summarizes my point perfectly.

Methods for choosing a good password

I've read and tried many different methods for creating good, yet memorable, passwords. Below are some methods for finding the inspiration for creating good enough passwords.

Lyrics

Take the lyrics or a phrase of a song as a start.  Then create the password from the first letter of each word.  Use upper case at the start of each sentence.  Throw in the inflections, exclamations, questions, etc.  While it will take you a little while to build the muscle memory to type the password quickly, you will not easily forget it.

Simple words or phrases

Just picking some simple words or phrases and then altering their spelling can also be helpful.  (NOTE: The example passwords are not ones that I have ever used and they are not ones that anyone should ever use, since they will likely be added to a password list, assuming they are not there already.)

In for a penny in for a pound  ->  N4apN4a#
Not on my watch -> !onmyW@tch

A few random words

Picking a few random words is another way.  This might seem counterintuitive, but as humans, we deal with words all the time.  They are easy for us to remember, even if they are "random".  If for some reason the words do not seem random enough, you can use a tool like XKCD Password Generator or Bitwarden Password Generator, which will do the same thing.

Additional Considerations

Just as important as being able to select a password that is easy to remember and hard to guess, it is also important to do the following.

Recycling 'passwords' is good for the environment?

Do not reuse passwords.  Ever.  Not across sites and not across time.  Once a password has been changed, for whatever reason, let it go (even if "it was a good one!").  Also do not use the same password on multiple sites.  When one site is breached, whether or not you ever find out about it, that password will then not give the attacker access to any other accounts of yours.

Password Manager

Using a password manager is a good habit to get into early.  Regardless of how good your passwords are, if you properly use hard to guess passwords on every site, you will gather quite a collection.  While it is tempting to use the "Post-It (r)" method of password organization, that will ultimately become too cumbersome, and when you change your password on a site, will you remember to update your Post-It?  Really!?!?

Instead, using a password manager will help you in several ways.  First, it will store all your passwords securely.  Second, depending on the password manager you choose, it will have clients for browsers and phones.  This makes it easy to take the passwords, securely, wherever you are.  Third, a full-featured password manager will allow you to store other sensitive information securely as well.

I've used several password managers over the years.  I've used KeePass style managers.  They do a good job at keeping passwords and have features such as password generation and OTP generation, but syncing password DBs across devices was not the easiest.  Eventually I settled on Bitwarden. (Full disclosure: I currently pay for the Family tier out of pocket and do not receive any consideration from Bitwarden.)  But there are other password managers out there.  Too many to name.  Pick one that is right for you.

Conclusion

Did I miss anything that is critical to creating a "good enough" password?  Send me an email, let me know.