
How to build complex passwords and avoid easy breaches

In the wake of the iCloud celebrity photo hack, expert Keith Palmgren offers advice on how to build more effective passwords and avoid easy data breaches.

For more than 40 years, the IT industry has been fighting the password battle and losing. The recent celebrity iCloud hack is just one of many high-profile examples of our failure. So how can something so seemingly simple, like a password, be so difficult?

The problem with password security is that it is so simple that it becomes, paradoxically, hard. In security, the most dangerous thing in the world is what you think you know, because then you don't question your knowledge. If you ask a typical IT security professional whether they understand passwords, the vast majority will respond with a confident and emphatic "Yes." But if that were really true, why are password-related breaches so prevalent?

We are not discussing technical issues of protecting passwords in storage. Rather, we are discussing the human part of the equation. People continue to choose bad passwords. Case in point, the most common password of 2013 was "123456", second place went to the word "password", and in third place, "12345678". And yes, the venerable favorites of "iloveyou", "letmein", "abc123", and "princess" make the list of common passwords every year, as well. (The list of common passwords can be found here).

So why are users putting so little thought into their passwords? It happens, in part, because people (celebrities included) don't think anyone will go after their account. It is the old "it won't happen to me" mentality. But it also happens because our message to users on passwords is often flawed.

One of the biggest mistakes the IT security industry continues to make is pushing users to implement extremely complex passwords without providing realistic guidance on what that truly means. If we make it too difficult for users to remember a password, "123456" is the end result. In the rare event the user does create a complex password, it will often be too short and used on all of their sites -- at home and at work -- including electronic purchases and online banking. That means a compromise at any one site can lead to potentially devastating consequences.

Debunking complex passwords

The term "complex password" is perhaps the most misunderstood term in the IT industry and the cause of many of today's password problems. Too often, "complex password" is used interchangeably with "impossible to remember." We must come to the understanding that complexity is only a small part of the equation. It is not simply a question of complexity, but of unpredictability (password entropy is a useful measure of how unpredictable a password is). That is the key to a good password.

An unpredictable password can be easy for a user to remember. Using a combination of uppercase, lowercase, numbers and special characters (classic complexity rules) is fine -- so long as we don't focus solely on those rules. For example, take the string, "Iwentfishing4timeslastmonth?". This password (or, more accurately, passphrase) is easy to remember and easy to type. It is not predictable, yet it is a "complex password" in that it contains the upper/lower/number/special characters that we always recommend.


Any short sentence or saying that is easy for the user to remember will work. Take that saying and add just a touch of the complexity rules and suddenly you have an extremely strong password that will not be found in a hacker's dictionary and can only be broken via brute force. The "Iwentfishing4timeslastmonth?" example above would take about 76.43 million trillion trillion centuries to brute force, even at a rate of one hundred trillion guesses per second, according to Gibson Research Corporation's brute-force password calculator. That's a strong passphrase.
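To make the search-space reasoning behind that figure concrete, here is an added example (written for this page; it is not the article's code and not Gibson Research's calculator). It assumes a simplified exhaustive-search model: the attacker must try every string up to the password's length over the union of character classes present (a 95-character alphabet when all four classes appear) at one hundred trillion guesses per second, and knows nothing about the password's structure. "P@ssw0rd!" is a constructed contrast case; the "FB89" variant is the per-site formula the article describes.

```python
# Added example, not from the article: a search-space estimate in the style of
# the Gibson Research calculator, applied to the passwords discussed above.
# Model assumptions: try every string of length 1..len(password) over the
# union of character classes used, at 1e14 guesses/second; the attacker has
# no dictionary or phrase knowledge, so this is a worst-case upper bound.

# Class test -> alphabet contribution (26 lower, 26 upper, 10 digits,
# 33 printable ASCII symbols including space).
CHARACTER_CLASSES = (
    (str.islower, 26),
    (str.isupper, 26),
    (str.isdigit, 10),
    (lambda c: not c.isalnum(), 33),
)
GUESSES_PER_SECOND = 1e14                      # "massive cracking array" rate
SECONDS_PER_CENTURY = 100 * 365.25 * 86400


def alphabet_size(password: str) -> int:
    """Alphabet an attacker must enumerate: the sum of the classes present."""
    return sum(size for belongs, size in CHARACTER_CLASSES
               if any(belongs(c) for c in password))


def search_space(password: str) -> int:
    """Candidates in an exhaustive search over lengths 1..len(password).
    Exact integer arithmetic, so a 28-character passphrase does not overflow."""
    a = alphabet_size(password)
    return sum(a ** n for n in range(1, len(password) + 1))


def centuries_to_exhaust(password: str) -> float:
    """Worst-case time to try the whole space at GUESSES_PER_SECOND."""
    return search_space(password) / GUESSES_PER_SECOND / SECONDS_PER_CENTURY


def report(passwords):
    """Map each candidate to its exhaustion time so callers can compare them."""
    return {p: centuries_to_exhaust(p) for p in passwords}


if __name__ == "__main__":
    # "P@ssw0rd!" is constructed: short but satisfying every complexity rule.
    for pw, centuries in report(["123456", "P@ssw0rd!",
                                 "Iwentfishing4timeslastmonth?",
                                 "FB89Iwentfishing4timeslastmonth?"]).items():
        print(f"{pw:34} alphabet={alphabet_size(pw):3d} "
              f"centuries={centuries:.3g}")
```

Under these assumptions the passphrase lands in the same range as the figure quoted above (on the order of 10^31 centuries), while the short "complex" password is exhausted in hours and "123456" effectively instantly; length and unpredictability, not the character-class rules alone, drive the result.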

Users can take a few strings of this nature and develop a formula that makes sense to them for modifying the string on different sites. For example, a Facebook password might add "FB" and the user's graduation year to become "FB89Iwentfishing4timeslastmonth?" and so on. I would suggest a more complex formula than the one in this simple example, but the concept is there. Using this method, the user can now have a very strong, easy-to-remember, easy-to-type, and different password on every site they visit. Is this perfect security? Of course it isn't. But does it beat the password "123456" being used on 30 different sites? Yes it does.

Another trick is to create a unique username when possible. While many sites require a user's email address as the username, some financial institutions will allow for the creation of distinctive usernames. If the user has his or her email address as the username at every site (especially with the same password), and that information is compromised at any one site, then tracking down the user's other sites becomes simple. Putting a unique username on any site dealing with money is a good idea, as is using a different passphrase string on these critical sites.

As a security community, we must do a good job of getting our message across to the users about how to create good passwords. We must get users to understand "123456" is not a viable password and that impossible-to-remember passwords are not necessary either. Being successful with this message means we must come to a better understanding of unpredictable passwords ourselves. Only then can we hope to explain the message to our users.

About the author:
Keith Palmgren is a Certified SANS instructor and runs his own consulting company, NetIP Inc. in San Antonio. Keith has 30 years of experience in the IT security field and holds the CISSP, GSEC, GSLC, GCIH, GCED, GISF, CEH, Security+, Network+, A+, and CTT+ certifications.


This was last published in September 2014


Does your organization's security personnel offer password best practices?

If your IT team isn't functioning as the educational and strategy resource to train your staff in how to secure their devices and data, then they're missing the train. One of the primary roles of your IT staff is to keep facilities and data safe. They should ensure that all personnel know how to do this. They should work in conjunction with HR and anyone who provisions employees. Don't make me pull my soapbox out!

At the root of the password problem is the cognitive phenomenon called "interference of memory", by which we cannot firmly remember more than 5 text passwords on average. What worries us is not the password, but the textual password. Textual memory is only a small part of what we remember. We could think of making use of the larger part of our memory that is less subject to interference of memory. More attention could be paid to the effort of expanding the password system to include images, particularly KNOWN images, as well as conventional text. Most humans are thousands of times better at dealing with image memories than text memories. The former dates back hundreds of millions of years, while the latter's history is less than a fraction of that. I wonder what merit there is in confining ourselves to the narrow corridor of text memories when CPUs are fast enough, bandwidth broad enough, memory storage cheap enough, and cameras are built into mobile devices.

It is common that too many people tend to use easy passwords, which normally take less time to crack; even though you educate the staff about this type of preventive measure, they keep on doing such unforgiving acts and later pay the price when there is a breach. By the way, a nice article.

I'm curious what security folks think of services like LastPass/Keychain which store all your passwords and allow you just to remember one (for that service). It feels like putting too many eggs in one basket to me.