Passwords:  You hate them.  We hate them.  We make you choose strong ones, and then we make you change them.  You get frustrated.  We get frustrated.  We all agree that passwords, and managing them, suck.

There’s an XKCD that we often quote:

It talks about the importance of entropy in passwords, and how what we think of as ‘best practice’ for passwords, isn’t.

In the past year or so, we’ve done some experimenting around passwords, and as a result of our experimentation, we’ve adapted the approach in the XKCD comic slightly.

We love passphrases, but the problem with dictionary-word-only passwords is that rainbow tables and other modern password cracking tools are getting better and better.  It’s a constant cat-and-mouse game.

Here’s our current best-practice for passwords that are strong and easy to remember.  Use a phrase you’ll remember, and do some simple letter substitutions.  Sprinkle in some special characters (see footnote about those!). Length trumps complexity, and by extension, complexity is just a tool to stop crackers from compiling lists of common phrases, like “The quick brown fox jumps over the lazy dog”.  Here’s an example:

“this is my super secret email account”

According to Keepass, that has 96 bits of entropy.  Pretty good! But let’s make it more secure.

“This is my super secret email account.”

OK, we’re up to 105 bits now, and we didn’t make it appreciably harder to remember at all.
Now, if you use *consistent* substitutions, it makes it slightly harder to remember, but significantly more secure.

“!Th1s 1s my sup3r s3cr3t 3mail 4cc0unt.”

We’re now up to 138 entropy bits according to Keepass, which by the XKCD formula would take… well, 2^138/31,536,000 seconds in a year = 1.104924986450535852950582185471e+34, which equates to, roughly, a very long time.  Effectively uncrackable, by today’s standards.

Here’s what makes the above so hard for crackers: Computers are very good at matching strings.  But entropy is a function of exponents, meaning that the number of possibilities goes up exponentially (squares, to be precise) with each additional character.  There are tools that crackers can use to cut that by a bit, but the simple fact is that unless you use a very common phrase, a long password is exponentially harder to guess than a shorter one.  Add in some special characters to cut down on substitution success, and you’re golden.

Unless your password is stored in clear text or with reversible encryption somewhere (LinkedIn, I’m looking at you), and that brings us to our last words of advice for password management and security:

1. NEVER use the same password in multiple places.
2. Use a password manager. Keepass is free, Open Source, and cross platform.  It rocks.
3. Change your password, at least occasionally, particularly on websites where you don’t have any way to know how they’re being stored.
4. Did we say NEVER use the same password in multiple places?

A footnote about the entropy measures in Keepass: They’re imperfect, much like anything that humans are responsible for.  By Keepass’ measure, “correct horse battery staple” has 99 bits of entropy, where Randall (the author and artist behind XKCD) only gave it 44 bits of entropy.  I have no opinion on which is right or wrong – in my opinion they’re really only useful as comparative scores.  So don’t compare Randall’s 44 bits to Keepass’ 99 bits, they’re the same.  But it is useful to compare 99 bits to 138 – there’s a significant increase in entropy there.  And if you’re really nerdy, we can argue about the effectiveness of case changes and other nuances of randomness somewhere else 🙂

A word about special characters:  We’ve decided that referring to the @sign as the ‘commercial at’ is boooooring.  And no one can agree whether the # is a pound, number sign, or hash.  So we came up with a new nomenclature for them:  @ is a capital 2.  # is a capital 3. etc..  We may or may not have actually invented this convention, but since we’ve never heard anyone else use it we’re going to take credit for it anyway!