Creating the "perfect" password

Crafting a truly competent password is a balance between creativity and protocol.


Creating reliable passwords has always been a challenging and unnecessarily confusing task. Is this password long enough? Can I remember this? Is it "random" enough? Should I reuse this "perfect" password everywhere? Crafting a truly competent password is a balance between creativity and protocol. Ideally, security, privacy, and convenience should all be attained with an optimal password, but there are compromises to be made when creating passwords that are both unique and memorable. In this guide, I will explain what it takes to make potentially impregnable passwords, and how to store them.

Top 10 most common passwords:

(1)123456 (2)123456789 (3)Qwerty (4)Password (5)12345 (6)12345678 (7)111111 (8)1234567 (9)123123 (10)Qwerty123

source: https://www.rd.com/article/passwords-hackers-guess-first/

The strength of a password is essentially the probability of that password being guessed within a reasonable amount of time. The metric for measuring the complexity and efficiency of a password is its bit-entropy. In the context of computer security, entropy refers to the randomness or unpredictability of a password. The more random and unpredictable a password is, the higher its entropy. One way to measure the entropy of a password is in bits. A password with 1 bit of entropy has only two possible combinations (for example, "password" and "password1"). A password with 2 bits of entropy has four possible combinations (such as "password", "password1", "password2", and "password3"). Each additional bit of entropy doubles the number of possible combinations. In general, longer passwords tend to have higher entropy than shorter passwords.

For example, a password with 8 bits of entropy has 256 possible combinations (2 to the power of 8), while a password with 16 bits of entropy has 65,536 possible combinations. This means that it would be significantly harder for an attacker to guess a password with 16 bits of entropy than one with 8 bits of entropy. The higher the number of bits of entropy, the stronger and more secure the password is considered to be. In general, it is recommended to use passwords with at least 12 bits of entropy to provide a reasonable level of security. This can be achieved by using a combination of upper and lower case letters, numbers, and special characters, and making the password long enough to increase the number of possible combinations.

A password that has never been used before will generally have higher entropy than a password that has been used by many people or that is based on a common phrase or pattern. A relatively long but common string of characters (e.g. 'longLiveDaQueen') will have roughly the same bit-entropy as a shorter string with a more random assembly of characters. Avoid using common dictionary terms and personally identifying information, because attackers may socially engineer their target, or collect as much information as they can from the target's online presence.
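An added example (not from the original article) that puts the entropy discussion above into numbers: it estimates bit-entropy as length × log2(alphabet size), treats anything on the page's top-10 list as worth only log2(list size) bits because an attacker tries that list first, and converts bits into worst-case brute-force time at an assumed guess rate. The common-password list is constructed from the page's top 10; the 10^9 guesses/second rate and the 100-symbol allowance for non-ASCII characters are assumptions.

```python
import math
from string import ascii_lowercase, ascii_uppercase, digits, punctuation

# Constructed sample: the page's top-10 list stands in for a breach wordlist.
COMMON_PASSWORDS = ["123456", "123456789", "qwerty", "password", "12345",
                    "12345678", "111111", "1234567", "123123", "qwerty123"]

CLASSES = [ascii_lowercase, ascii_uppercase, digits, punctuation]


def pool_size(password: str) -> int:
    """Size of the alphabet an attacker must search, from the classes present."""
    size = sum(len(cls) for cls in CLASSES if any(c in cls for c in password))
    # Characters outside the four ASCII classes (printable non-ASCII, as the
    # article suggests) count as one extra class; 100 symbols is an assumption.
    if any(all(c not in cls for cls in CLASSES) for c in password):
        size += 100
    return size


def entropy_bits(password: str) -> float:
    """Upper-bound entropy in bits: log2(pool ** length) = length * log2(pool).

    This is an upper bound: it cannot see dictionary words such as
    'longLiveDaQueen', only the character classes used.  A password on the
    common list gets log2(list size) bits, since that list is tried first.
    """
    if not password:
        return 0.0
    if password.lower() in COMMON_PASSWORDS:
        return math.log2(len(COMMON_PASSWORDS))
    return len(password) * math.log2(pool_size(password))


def years_to_exhaust(bits: float, guesses_per_second: float = 1e9) -> float:
    """Worst-case time to try all 2**bits combinations at the assumed rate."""
    seconds = 2.0 ** bits / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    for pw in ["123456", "longLiveDaQueen", "$dDiLcTnO,wBuItW@Te"]:
        bits = entropy_bits(pw)
        print(f"{pw!r}: {bits:.1f} bits, ~{years_to_exhaust(bits):.2e} years")
```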

"Treat your password like your toothbrush. Don't let anybody else use it, and get a new one every six months" -Clifford Stoll

  • Creating a password: A helpful trick is to create an acronym from a sentence: “Deep down in Louisiana close to New Orleans, Way back up in the woods among the evergreens” becomes "$dDiLcTnO,wBuItW@Te", fulfilling the length and character criteria for a stronger password. Passwords of this complexity and length would take quintillions of years to crack!

  • Maintenance: It is commonly recommended that users update their passwords frequently as well, usually every 6 months to a year. It is important to set up 2FA whenever possible to add an extra layer of security. It takes barely any time to set up and ensures that the entity attempting to log in already has access to device(s) and/or services (e-mail, biometrics, hardware tokens, etc.) that would only be available to a credible source.

  • Remembering passwords: A password manager can help you store a personal encrypted database of unique passwords. Some can also generate custom pseudo-random passwords, analyze the entropy of your passwords, monitor for data breaches, and so on. I recommend using KeePassXC for its advanced, feature-rich tools, cross-platform compatibility, ease of use, and non-cloud-based nature. Besides, it's free! I recommend making a master password, a string combination of symbols, numbers, and mixed-case letters which is at least 12 characters long and is easy to memorize. This will serve as the key used for accessing all your other passwords stored in your exclusively local repository.

  • Peace of mind: Some (good) companies will put in the effort of encrypting their clients' login credentials. Robust measures are employed for securely utilizing and handling passwords. Hashing algorithms take in a user's password of arbitrary length and return a string of seemingly unintelligible information of a fixed length. This value is intended to be unique to a specific input string. Some common hashing algorithms include MD5, SHA-1, SHA-2, NTLM, and LANMAN. The most popular hash algorithm as of the writing of this article is SHA-256, which returns a hash value of 256 bits, or 64 hexadecimal digits. These hashes are almost impossible to crack, provided the practices discussed in this article have been followed.

Now go create your password and remember to never share it with anyone, not even your dog. Feel free to use uncommon Unicode characters (printable non-ASCII) in your passwords, and keep a personal copy of your database on a flash drive if possible. You can now soundly go to sleep with some more peace of mind.


Terminology:

  • Phishing n.: A type of social engineering where an attacker sends a fraudulent message designed to trick a person into revealing sensitive information to the attacker or to deploy malicious software on the victim's infrastructure, like ransomware.

  • Salting n.: the technique of appending a randomly generated numeric string before 'encrypting' the input contents with a hashing function/algorithm

  • Two-factor authentication (2FA) n.: Security measure that helps to protect against unauthorized access to accounts and devices. It adds an extra layer of security by requiring users to provide two forms of authentication, rather than just a single password.

  • Cryptographic hash function (CHF) n.: a one-way deterministic mathematical process that "garbles" data and makes it unreadable. It is collision-resistant, which means it is difficult to find two different inputs that produce the same hash value (known as a collision).

  • SHA-256 n.: Advanced encryption standard which has a digest/hash length of 256 bits (32-byte) and is practically unbreakable via brute force and our current computing capabilities. It is the most secure and robust encryption standard that is commercially available today.

  • Pseudo-random number generator (PRNG) n.: Deterministic algorithm for generating a sequence of numbers (given a seed) whose properties approximate the properties of sequences of random numbers. PRNGs are particularly useful in practice because of their speed and reproducibility. We use them to simulate random events, but it is possible to correctly reconstruct the encryption process if the seed and algorithm are known. Truly random numbers can be generated using physical processes, such as radioactive decay or atmospheric noise, but these methods are expensive and time-consuming.

Note* Encryption is not the same thing as hashing. Plaintext (readable data) is modified with a key for encryption/decryption. This implies that the process is reversible, and the original data can be recovered. Hashing is a one-way process, which makes it great at ensuring the integrity of data and storing passwords.
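An added example (not from the original article) showing how the "Peace of mind" bullet, the Salting entry and the note above fit together when a service stores passwords: a random salt is prepended before hashing, so two users with the same password get different hashes, and the stored record is verified by recomputing rather than decrypting. The salted single-round SHA-256 matches the page's terminology; the second function is a hardening step I add here (PBKDF2-HMAC-SHA256 from Python's hashlib, a deliberately slow hash that keeps each guess expensive) and the record format is my own.

```python
import hashlib
import hmac
import os


def salted_sha256(password: str, salt: bytes) -> bytes:
    """Salting as the page defines it: a random string is prepended to the
    input, then the whole thing goes through one round of SHA-256 (32 bytes)."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def store_password(password: str, iterations: int = 600_000) -> str:
    """Hardened form (an addition, not the page's method): a fresh 16-byte
    random salt plus PBKDF2-HMAC-SHA256, which repeats the hash `iterations`
    times so that a single SHA-256-per-guess attack no longer applies.
    Record layout (my own): algo$iterations$salt_hex$digest_hex."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Verification never reverses the hash (it cannot): recompute it from the
    stored salt and compare in constant time to avoid timing leaks."""
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    # Constructed sample: two accounts that happen to share a password.
    rec_alice = store_password("correct horse battery")
    rec_bob = store_password("correct horse battery")
    print("different records for the same password:", rec_alice != rec_bob)
    print("alice logs in:", verify_password("correct horse battery", rec_alice))
    print("wrong guess:", verify_password("Qwerty123", rec_alice))
```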
