Information Security

Choosing strong passwords

Reasons for choosing strong passwords and tips for how to choose these

Reasons for strong passwords

  • It takes automated software under 90 minutes to crack most people's passwords. Specially created computers, can be designed to do this in just a few minutes. Password cracking software tries all combinations of letters and numbers ("brute force" or "incremental" attack) and also any word you might find in a dictionary ("dictionary attack") - including foreign languages.
  • The websites you use try to harden themsleves against attack - your password is a weak pont.
  • What's at stake: all your files and your mail; and "identity theft" which can cause you serious and upsetting problems.

Tips for safe (strong) passwords

Hackers are very good at finding out passwords. They don’t simply try to guess them, they get very fast computer programs to try out millions, very quickly. Hackers also know the kind of “tricks” that people use to try to strengthen their passwords.

We advise you memorise a few strong passwords for the systems you use regularly. For services you use less often, find a way to manage those passwords that works for you so that you can look them up, or work them out when you need them.

  • University systems require a password length of seven. We recommend you choose more. See "Long passwords" below.
  • Use a mix of upper- and lower-case letters, numbers and punctuation marks
  • A strong password looks like a random sequence of symbols - use some non-alphabetic characters such as @#$!%+-/:?_
  • Use non-dictionary words - like XKCD or one of the other approaches, described below

Long passwords (for some, use 15 characters or more)

The most important thing is not your password length, but that you mange different passwords for all the services you use. However, long passwords are usually stronger as they can make brute-force attacks take much longer.

  • Choose long passwords for the few services you think need most protection
  • If you are using a long password, it's a good idea to use 15 characters or more

A long password, is only any good if it is also strong, so choose these carefully in such a way that you can remember them, but it is very difficult for others to guess.

It is actually more important to choose unique passwords for the services you use, than it is to choose very long ones. Do not make it too hard for yourself to remember very many long ones.

XKCD Passwords

A very useful way to choose very strong passwords, is to use the XKCD approach. This is a password made up of four randomly chosen words. It is as easy to remember as four randomly chosen letters, but it results in very strong passwords.  For example an XKCD password could be:

  • correct horse battery staple  

or to make it compatible with service that insists on punctuation marks and Capitals:

  • C.rr3ctHorseBatteryStaple

More advice and details about XKCD can be found here.

XKCD

Other approaches to choosing strong passwords

Weak password Strong password Comment
sunshine %5un555h1n3_SuperMan Replaced letters with numbers, added special characters, but with a lot of randomness added in
sherlock SHlmsVSPrf.M Derived from the phrase "Sherlock Holmes VS Prof. Moriarty"
billiejean 440D&fn,tlwohs If you know the lyrics of a song, don't use the chorus "She's just the girl who claims that I am the one". Use instead for example: "For forty days and forty nights, the law was on her side"
janet (my sister) ono!Wswlmmshcohh Oh no! When she was little my mum spilled hot custard on her head.

Mistakes leading to weak passwords

Do not make these mistakes when choosing a password:

  • your username as a password (even backwards or mixed up).
  • using any name, or any word in any language.
  • obvious personal information (your year of birth, phone number, national insurance number, address, etc.).
  • all digits, or just one letter.
  • real words with only one or two obvious digit substitutions, like 'p4ssword' or '5ecret'.
  • fewer than eight characters ("brute force" attack cracks 7 letters in a few minutes).
  • any word you might find in a dictionary (including foreign language dictionaries).
  • characters from books, films, etc. (Gandalf, Sherlock), band names, song titles etc. (no matter how obscure).
  • passwords that are too easy or too difficult to type: an easy password can be guessed by anyone who sees you type it, and you will only be able to type a difficult password slowly - with the same result.

Ways that hackers steal your passwords

Password theft is one of the favourite pastimes of hackers. The easiest way to steal your password, is to watch (or film) you while you type it. Other methods are:

  • shoulder surfing: looking over your shoulder while you type your PIN or password
  • taking a seat behind you, and filming your reflection in the train window
  • confidence tricks, (also known as social engineering)
  • finding copies which have been stored insecurely, on a bit of paper or in a file that they get access to
  • establishing fake WiFi networks and using these to capture your password
  • stealing password databases from poorly managed on-line services
  • guessing, based on your pet’s or your children’s names, or by learning about your hobbies, previous aspect of your life, etc …
  • doing a brute-force attack: trying all words from all on-line dictionaries (including trying millions of passwords already stolen).
  • enticing you to click on a "phishing" link.