Tips For Passwords And Security

The choice and management of passwords has been a recurring and controversial issue for many years. Ordinary users of networks and online services are mostly annoyed, and just as often overwhelmed, by the topic of password protection, while system administrators try to close the security gaps in user behavior and are still confronted again and again with the consequences of careless password handling. But what exactly is a secure password? To answer this question, one should first look at the methods attackers usually use to obtain someone else’s password.

Brute Force and Dictionaries: Password Attacks

The obvious method of guessing a password is also the less likely one: repeatedly entering passwords directly, even when automated, is inefficient and time-consuming. Since the server that is the target of the attack always needs a certain amount of time to check the password and send its answer, only a very limited number of attempts can be made within a given period. The attack would also be noticed and stopped by administrators after a short time. Such an approach makes most sense if a password was previously obtained in a different way (e.g. through social engineering) or if it can be easily guessed from other sources.

Attacks on entire password files are much more common. Most server systems store the identities of their users together with the passwords in password files. Each password is converted by a hash function into a seemingly random sequence of characters from which the password can no longer be derived. If attackers get hold of such a password file, they can hash millions of possible passwords at their leisure using the same hash function and compare the results with the entries in the password file. Each match then corresponds to a “cracked” password.

There are essentially two methods for guessing passwords. One is to try every character string below a certain length. This method, known as brute force, checks all character combinations exhaustively and is therefore comparatively costly. A more elegant approach is the dictionary attack: the attacker goes through lists of possible passwords one after the other. Such lists can be found on the Internet and have grown to many millions of entries over the years.

The secure password?

So what makes a high-quality password? Everyone knows the instructions websites give to newcomers when choosing a password: it should have at least 8 characters and contain upper and lower case letters as well as numbers and special characters. Creating a password is always a trade-off between security and memorability, between password protection and convenience. As important as password security is, a password that is repeatedly forgotten is useless. This is one of the reasons why the objection is repeatedly raised that it makes more sense to allow (or require) longer passwords: passwords consisting of several easy-to-remember words, connected by special characters, for example, instead of a jumble of characters that its owner forgets far too quickly. Another problem is the growing number of passwords each person needs.

So there is no silver bullet for a secure password. But there are a number of criteria and rules of conduct that increase the quality of passwords, make them more secure and thus protect sensitive information.

Passwords: dos and don’ts

  • Choose different passwords for all purposes.
  • Do not use passwords that can easily be derived from your life and environment. No names of people or pets, no dates of birth or anything like that.
  • Choose a long password, but not one that consists of only one word that can be found in the dictionary or encyclopedia. Rule of thumb: If a search engine finds matches for your password, you should choose a different one.
  • If you want to remember the password more easily, choose a chain of several simple words connected by numbers or special characters. The resulting password should then be very long.
  • The more different types of characters (upper and lower case letters, numbers and special characters) the password contains, the better.
  • If you want or have to write down the password, only do so by hand and keep it away from the computer if possible. No sticky notes at the edge of the screen!
  • If the browser offers to save a password, think carefully about who has access to the computer. If in doubt, it is better not to save it.
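
As an added illustration (not part of the original article), the following Python check applies several of the rules above to a candidate password and estimates how large a brute-force search would have to be. The names `COMMON_WORDS`, `brute_force_bits` and `check_password` and the tiny wordlist are assumptions made for this example; the minimum length of 8 is the figure quoted in the article.

```python
import math
import string

# Constructed sample wordlist; a real check would load a large dictionary
# and the user's actual profile data (names, dates of birth, ...).
COMMON_WORDS = {"password", "sunshine", "dragon", "football", "letmein"}
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)


def brute_force_bits(pw):
    """log2 of the number of candidates an exhaustive search must cover for
    this length and the character types actually used. This is an upper
    bound: a dictionary attack does not need to search the whole space."""
    alphabet = sum(len(cls) for cls in CLASSES if set(pw) & set(cls))
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


def check_password(pw, personal=(), min_length=8):
    """Return the rules from the list above that the password violates."""
    problems = []
    lowered = pw.lower()
    if len(pw) < min_length:
        problems.append("too short")
    # Strip digits and symbols from both ends so that "Dragon2024!" is still
    # recognised as one dictionary word with decoration.
    core = lowered.strip(string.digits + string.punctuation)
    if core in COMMON_WORDS:
        problems.append("single dictionary word")
    # Names, pets, birth years and similar must not appear inside the password.
    if any(p and p.lower() in lowered for p in personal):
        problems.append("derived from personal data")
    return problems
```

A chain of simple words such as `maple7river!copper` passes all checks and yields a far larger brute-force space than an 8-character password that uses every character type, which is the article's argument for length.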
