Understanding Password Vulnerability
Recent studies of password selection indicate that an alarming proportion of chosen passwords are common ones. A 2011 case study sampling 6 million passwords found that 99.8% occurred in the list of the 10,000 most used passwords, and 91% of those were in the top 1,000. Against that sample, a computer with access to only the 10,000 most commonly used passwords would be able to open nearly 5,988,000 of the 6 million accounts without breaking a sweat.
Common techniques to disguise passwords such as the use of numbers like 0 and 4 to represent letters (known as "leet" speak), random capitalization, or uncommon spellings are only marginally helpful in making a password stronger while having a negative effect on memorability. Furthermore, several such techniques are sufficiently well known and understood that popular password cracking software has been updated to address them.
Clearly, common beliefs and practices regarding password selection are flawed: they instil a false sense of security while leaving the user vulnerable to attack.
What makes a password strong?
Ideally, a good password is one that is easy for the owner to remember but difficult for another party to guess. Going a bit further, a strong password is one that is easy to remember but difficult for a computer to guess via a dictionary attack[1] or a brute force attack[2].
So what does make a strong password? A good choice is something that isn't susceptible to a dictionary or pattern attack. It shouldn't contain any personal information (e.g. name, birthday, anniversary, etc.) that can easily be tied to the owner, and it should be long enough to make brute force attacks time-consuming. We strongly suggest a 20-character random string of upper and lower case letters, numbers and punctuation, or a passphrase (a short sentence that includes capitalization and punctuation) of up to 72 characters.
Password Examples
First, a naive password:
A password of "Law" is far too short. It is susceptible to a dictionary attack and would be cracked almost immediately.
While slightly better, a password of "Law Elite" is weak. It’s too short and would soon fall to an attack.
Success! Here the user has used a variety of upper and lower case letters, numbers and punctuation. Similarly, longer passwords or passphrases are also considered strong.
Using a short sentence or a phrase like the one used in this example, "The profession of Law is noble", is also very difficult for a brute force attack to crack.
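The criteria above (not in a common-password list, no keyboard patterns, and a brute-force search space too large to exhaust) can be checked mechanically. The following is an added example, not part of the original article or any tool it recommends: a small Python checker that undoes common "leet" substitutions before consulting a constructed stand-in for the top-10,000 list, looks for keyboard walks such as qwerty or 123456, and estimates the brute-force search space in bits from the password's length and character classes. The word list, the 80-bit threshold and the 10 billion guesses-per-second rate are assumptions chosen for illustration, not figures from the article.

```python
import math
import string

# Constructed stand-in for a "most common passwords" list. A real checker would
# load a full top-10,000 list like the one in the 2011 study cited above.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "law", "letmein",
                    "iloveyou", "abc123", "monkey"}

# Keyboard rows, used to spot keyboard walks: qwerty, zxcvbn, 123456.
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")

# Common "leet" substitutions. Cracking rule sets undo these, so the checker does too.
LEET_TABLE = str.maketrans("43105$@!", "aelossai")

# Assumed policy threshold (not from the article): below this many bits of
# brute-force search space the password is reported as weak.
MIN_BITS = 80.0


def normalize(password: str) -> str:
    """Lower-case the password and undo leet substitutions, as a cracker would."""
    return password.lower().translate(LEET_TABLE)


def in_common_list(password: str) -> bool:
    """True if the normalised password (spaces removed) is a known common password."""
    return normalize(password).replace(" ", "") in COMMON_PASSWORDS


def has_keyboard_walk(password: str, min_run: int = 4) -> bool:
    """True if any run of min_run or more characters walks along a keyboard row."""
    text = password.lower()
    rows = KEYBOARD_ROWS + tuple(row[::-1] for row in KEYBOARD_ROWS)
    for start in range(len(text) - min_run + 1):
        chunk = text[start:start + min_run]
        if any(chunk in row for row in rows):
            return True
    return False


def charset_size(password: str) -> int:
    """Size of the smallest printable-ASCII alphabet a brute-forcer must assume."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation or c == " " for c in password):
        size += len(string.punctuation) + 1  # 32 symbols plus the space = 33
    return size


def brute_force_bits(password: str) -> float:
    """log2 of the full search space: length * log2(alphabet size)."""
    size = charset_size(password)
    return len(password) * math.log2(size) if size else 0.0


def seconds_to_exhaust(bits: float, guesses_per_second: float = 1e10) -> float:
    """Worst-case time to try every candidate at an assumed guessing rate."""
    return 2 ** bits / guesses_per_second


def assess(password: str) -> dict:
    """Apply the three checks and report why (if at all) the password is weak."""
    reasons = []
    if in_common_list(password):
        reasons.append("appears in the common-password list (dictionary attack)")
    if has_keyboard_walk(password):
        reasons.append("contains a keyboard walk such as qwerty or 123456")
    bits = brute_force_bits(password)
    if bits < MIN_BITS:
        reasons.append(f"brute-force space only {bits:.1f} bits (< {MIN_BITS:.0f})")
    return {"password": password, "bits": bits, "reasons": reasons, "strong": not reasons}


if __name__ == "__main__":
    # The article's own examples plus a leet variant, a keyboard walk and a
    # constructed 20-character random string.
    for candidate in ("Law", "L4w", "Law Elite", "qwerty123",
                      "R7#kq!Pz2%vM9&xT4@bW", "The profession of Law is noble"):
        result = assess(candidate)
        verdict = "strong" if result["strong"] else "weak: " + "; ".join(result["reasons"])
        print(f"{candidate!r}: {result['bits']:.1f} bits, "
              f"{seconds_to_exhaust(result['bits']):.3g} s to exhaust, {verdict}")
```

Running it shows "Law" and "L4w" both caught by the word list (the leet spelling buys nothing once the substitutions are undone), "Law Elite" escaping the list but failing on search space, and both the 20-character random string and the passphrase passing. The bit estimate is the size of the raw brute-force space; it says nothing about how guessable a passphrase is against a word-list attack, which is why the dictionary check is kept separate.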
Helpful Password Generation/Management Tools
[1] A dictionary attack is a technique for defeating an authentication system by trying hundreds or thousands of possible passwords.
[2] A brute force attack is the slowest possible technique for defeating an authentication system. It involves systematically checking all possible password values until the correct solution is found.
[3] A string of characters that fall one after another on the keyboard. For example: qwerty, zxcvbn, 123456.