World Password Day brings attention to some simple steps everyone can take to secure their digital life: 1. Create Strong Passwords, 2. Use a different password for each account, and 3. Get a password manager, no, not a post-it note in your desk drawer!
The best password is one that is difficult to guess. But difficult to guess takes on a new meaning when hackers use computers to do the guessing. Hence, the best password becomes one that would take a computer so long to guess that it is not practical to do so. That means a long series of random characters, and the longer and more random, the better, plus a different password for every site you use.
Make Your Passwords Strong and Long
If every password you created was a different set of 100 randomly-selected characters, breaking into an account by guessing would be close to impossible for a hacker. The ASCII character set (the most commonly used characters) is 128 characters, of which 95 are printable. The number of possible passwords for a 100 character password made from randomly-selected ASCII characters would be 128 to the 100th power, roughly 2 to the 700th power. That number is so large that no PC, and no collection of PCs, could work through it in the lifetime of the universe. But again, the problem is that users can’t even remember a handful of meaningful passwords just 10 characters long. If the average person has 50 things in their life that each need a password, how do we get them to remember 50 unique, random 100 character passwords? We don’t.
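To make that arithmetic concrete, here is a short added example (written for this edit, not code from the original post or from Xojo). It expresses the size of a password keyspace in bits of entropy and converts it into worst-case cracking time at an assumed guess rate. The 10^12 guesses per second used below is an assumption standing in for a GPU rig attacking a fast, unsalted hash; the numbers scale linearly with whatever rate you plug in.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Entropy, in bits, of a password of `length` characters each drawn
    uniformly from an alphabet of `alphabet_size` symbols.

    The keyspace is alphabet_size ** length, so its log2 is
    length * log2(alphabet_size). 128 ** 100 is exactly 700 bits.
    """
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case years to try every one of 2**bits passwords at a constant
    guess rate (the expected time to a hit is half this)."""
    seconds = 2.0 ** bits / guesses_per_second
    return seconds / SECONDS_PER_YEAR


def compare(guesses_per_second: float = 1e12) -> dict:
    """Contrast the post's two cases: a 10-character password a person
    might remember versus a 100-character generated one, both from the
    95 printable ASCII characters (128 if control characters counted)."""
    return {
        "10 printable chars, bits": keyspace_bits(95, 10),
        "10 printable chars, years": years_to_exhaust(keyspace_bits(95, 10), guesses_per_second),
        "100 ASCII chars, bits": keyspace_bits(128, 100),
        "100 ASCII chars, years": years_to_exhaust(keyspace_bits(128, 100), guesses_per_second),
    }


if __name__ == "__main__":
    for label, value in compare().items():
        print(f"{label}: {value:.3g}")
```

The comparison is the point: a 10-character printable-ASCII password is about 66 bits, which a 10^12 guess/second attacker exhausts in under two years, while the 100-character password is about 700 bits and its cracking time is a number with nearly 200 digits. Note that this is only true for passwords that are actually uniform random; a 100-character sentence typed by a human has far fewer bits than its length suggests.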
Password manager software such as the Keychain on OS X, 1Password, or Roboform can generate these types of passwords and store them securely on the user’s device. The long, unique and random passwords can then be entered automatically so the user doesn’t have to remember them or deal with them. How do we get people to use a password database? Easy –
We don’t allow people to choose their passwords.
Stick with me here. Imagine if websites and applications that required passwords generated them for you rather than allowing you to choose one? Hello Mr. Perlman, your password is:
Ks-&Dbu^F|U]q95IkKXjo;O6uRUd!AUx(Iw~YlF #:8?LD$5tfK%P.VbT9HQi%Y[7a
You would have no choice but to use a password database to keep track of them. Now this might seem a bit extreme. However, requiring a password at all seemed extreme when we first started on the web. If websites and software applications generated the passwords at random, people would have no choice but to use a password database. It’s the login equivalent of a seatbelt law.
In this scenario, the password-guessing programs hackers run against login forms and stolen hash databases become impractical: there is no dictionary word, keyboard pattern or reused credential to try. Now you might say that the hackers will just turn their attention to hacking your password database. That’s true, which is why the master password protecting that database, and the device it lives on, deserve the same care, but it is a much bigger problem for the hacker. They don’t want your credit card number. They want thousands of credit card numbers. Getting them one at a time, person by person, is totally impractical.
We’ve blogged about web security and passwords before. Well-designed websites don’t store your password, they store a hash of your password, ideally a salted hash computed with a deliberately slow function such as bcrypt, scrypt or PBKDF2 so that a stolen database cannot be brute-forced quickly. When you attempt to log in, they hash the password you type with the same salt and compare it to the hash in their database. If the two match, the site knows only that they matched. The website still does not know your password, even if that website generated your password, because it shouldn’t be storing it. That’s what we do with user accounts at Xojo.
What would be required to implement such a thing?
First, websites and applications need to allow longer passwords. Since a properly written site stores only a hash, which is the same length no matter how long the password is, this is mostly a matter of raising the maximum length enforced by the login form and the validation code, a few minutes’ work. Next, you need to write the code to generate the random passwords, drawing them from a cryptographically secure random number generator rather than an ordinary one. In Xojo, that code is a trivial 5 lines. Ideally, the code creating the password could pass the password back to the user’s device securely so that it could be automatically stored in their password database without the user having to be involved.
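The post mentions the generator as five lines of Xojo; what follows is an added Python sketch of the whole server-side flow described in the last two sections, written for this edit and not the author’s Xojo code or Xojo’s account system. It generates a 100-character password from a cryptographically secure source, stores only a salted PBKDF2-HMAC-SHA256 hash, and verifies a login with a constant-time comparison. It assumes a 94-character alphabet (printable ASCII without the space, so the password survives copy and paste), 600,000 PBKDF2 iterations, and the `register`, `hash_password` and `verify_password` names, all of which are mine. The stored record has the same length whether the password is 1 character or 100, which is the reason the database change is small.

```python
import base64
import hashlib
import hmac
import secrets
import string
from typing import Dict, Optional

# Assumption: printable ASCII minus whitespace, 94 symbols. The space is left
# out so generated passwords are not mangled by form trimming or copy/paste.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Assumption: iteration count chosen to make each guess deliberately slow.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def generate_password(length: int = 100) -> str:
    """Server-side password generation using the `secrets` CSPRNG.
    `random.choice` would be predictable and must not be used here."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record 'pbkdf2_sha256$iters$salt$hash'.
    Only this record is stored; the password itself is never written down.
    A fresh random salt per account means two users with the same password
    get different records and an attacker cannot crack them in bulk."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([
        "pbkdf2_sha256",
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and iteration count and compare
    in constant time, so a mismatch leaks nothing about which byte differed."""
    scheme, iters, salt_b64, digest_b64 = record.split("$")
    if scheme != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iters))
    return hmac.compare_digest(candidate, expected)


def register(users: Dict[str, str], username: str) -> str:
    """Create an account the way the post proposes: the site picks the
    password, stores only its hash, and returns the password exactly once so
    it can be handed to the user's password manager."""
    password = generate_password()
    users[username] = hash_password(password)
    return password


if __name__ == "__main__":
    db: Dict[str, str] = {}
    issued = register(db, "perlman")
    print("Issued to user:", issued)
    print("Stored record:", db["perlman"])
    print("Login with issued password:", verify_password(issued, db["perlman"]))
    print("Login with a typo:", verify_password(issued[:-1], db["perlman"]))
```

Two details matter in practice. The iteration count is stored alongside the hash so it can be raised later and old records re-hashed on the user’s next successful login. And the generated password should only ever travel to the user over the same TLS connection that already carries their login; the post’s idea of handing it straight to the password manager is the piece browsers and managers would have to standardize.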
Removing the user’s ability to choose their own password may seem draconian, but it would be the ultimate password solution. Existing password databases can be made to interact seamlessly with websites to store new passwords and pass them back when needed. Of course, websites need to be properly written to be secure and hosted in secure facilities. But the great thing about this solution is that instead of hackers having to target 100,000 servers with valuable data on them, they would have to attack potentially hundreds of millions of individual devices, which is totally impractical.
And exactly how long would it take for a PC to crack that 100 character password I suggested above?
According to HowSecureIsMyPassword.net, it would take 69,003 NONAGINTILLION years to crack your password. (Estimators like that assume a fixed guess rate, so the exact figure is illustrative; the order of magnitude is the point.) I’m quite certain it’s long enough.