Wednesday, November 11, 2009

Make Your Password Unbreakable

This is the first post of a new
blog.

As a website developer, I'm often
asked to fix problems caused by
passwords that have been cracked or guessed.

A frequent problem, in this regard,
is websites that have been broken
into and compromised for the purpose
of spreading malware to other people's
computers.

But I'm not here to talk about that.

I'm here to talk about making your password
unbreakable so that no one can compromise it.

Here are the steps:

  1. Pick a saying that means something special to you.
  2. Take the first letter from each word in the saying
  3. String those first letters together to make a password

OK. I've reduced it to 3 simple steps. Now let's
expand on these 3 steps with a little bit of explanation.

Let's say your saying is Mary had a little Lamb.

By the way, that's probably not a very good choice as
it is too well known.

Perhaps you have a saying you like that no one else
knows, for example, something your mother used to say
to you.

In any case, I'm going to stick with Mary had a
little lamb for my saying.

OK. Here are the 3 steps above adapted to Mary
had a little lamb:


  1. Choose Mary had a little lamb as your saying.
  2. Take the first letter from each word in the saying
  3. String those first letters together to form a password, mhall.

As you can see, Mary had a little lamb
has been transformed into a password, mhall.

Let's ignore the fact that mhall could be read as
Mary Hall. Since the word hall can
be found in the dictionary, that is another reason
this is not a good password.

But, hey! I'm using it as my example anyway.

We're not done yet. We now have a good password,
in theory, but it is not good enough.

We need to improve our password a bit.

Here's the two-step process for a slightly improved
version:

  1. Take a favorite saying and
    turn the first letters of that saying
    into a password.
  2. Capitalize one of the letters.

OK. So now we are going to capitalize
one of the letters. Which one?

We'll capitalize the first letter of the
word we deem to be most important.

In the saying, Mary had a little lamb,
perhaps the thing that is most important
to us is the fact that the lamb is little,
just like Mary is.

Let's assume that the word, little,
is the most important one. In this case,
our password becomes mhaLl.

Notice the mixed case in the password.
One of the l-letters is capitalized but
the other is not.

Let's think about this some more. Perhaps
the words Mary and little are
equally important. If so, you might choose
to capitalize them both.

If you capitalize both Mary and little,
then the password becomes MhaLl.

OK. Now our password is much much better.

Let's do some mathematical analysis of this
password.

Basically, a mixed-case password is a password
that has 52 possibilities for every digit in
the password.

I say digit because I'm thinking mathematically.
Each character position in the password is a digit,
and the set of characters allowed in that position
is the set of values the digit can take.

If we used lowercase letters alone, as we did
starting out, each digit of our password can take
26 values.

There are 26 letters in the alphabet.

Having mixed case doubles those 26 values to 52.

Why am I emphasizing the number of digits available
to us? Because it will tell us just how unbreakable
our password really is.

By using 52 digits on a five letter password, we end
up with 52 to the 5 power.

What is 52 to the 5 power?

It is 52 X 52 X 52 X 52 X 52 equals something.

Whatever we get when we multiply 52 times itself
5 times is the number of possibilities someone will
have to consider should they try to break our
password using brute-force techniques.

OK. Let's do the math:

52 X 52 X 52 X 52 X 52 = 380,204,032 combinations.

That is to say, someone trying to break our
password has to consider approximately 380
million different combinations in order to
break it.

I'm speaking loosely here. I mean there are
380 million possibilities, only one of which
is right.

The only right possibility is MhaLl
which stands for Mary had a Little lamb,
capitalized as shown.

OK. We are now ready to raise the ante a
bit. We're now going to add one more layer
of complexity to the password.

We're going to add numbers.

Let's say you met a girl named Mary when you
were both 19 and her mama and papa raised
lambs on a farm.

You now have a basis for adding a number to
the password.

Since Mary was 19 at the time we met her, we'll
place a 19 after her name.

The saying now goes like this:

Mary, 19, had a Little lamb

The new password is:

M19haLl

This password is getting harder
to break. How hard?

Let's see:

62 * 62 * 62 * 62 * 62 * 62 * 62

OK. That's 62 to the 7th power, or
3,521,614,606,208.

That's roughly three and a half trillion
possibilities. Plenty for a person guessing
by hand, but a machine trying a billion
guesses per second would get through all of
them in under an hour. Each character you add
multiplies the count by 62 again, which is why
length matters at least as much as mixing in
digits and capitals.

Let's take one more step that I
sort of consider unnecessary but
cannot hurt.

Let's add to the complexity by adding
punctuation:

Here's the saying with punctuation:

Mary, 19, had a Little lamb

Here's the new password with new punctuation:

M,19,haLl

The math is the same as before. With punctuation
in play, an attacker has to allow for all 94
printable ASCII characters other than space
(26 lowercase, 26 uppercase, 10 digits and 32
punctuation marks) in each of 9 positions, which
is 94 to the 9th power, roughly 5.7 x 10^17.
Since we've already gone well beyond the one
trillion mark, this is more than good enough for me.

The only reason I mention punctuation is
that some password policies, enforced by
websites and by corporate systems, require it.
Rather than fight this, I suggest you go along
with it by putting punctuation in your password
somewhere.

After all, punctuation enlarges the set of
characters an attacker has to try, so it can
only make your password harder to break.
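Here is the whole recipe, from saying to password to brute-force count, as a small program. It is an added example written for this page, not code from the original post. The saying, the words chosen for capitalization and the 19 are the post's own example values; the guess rate of one billion guesses per second is an assumed figure for offline cracking, not something the post states.

```python
import string
from math import log2

# The post's own example saying. The capitalization and inserts used below
# are the choices the text makes: Mary and little capitalized, 19 after Mary.
SAYING = "Mary had a little lamb"


def mnemonic(saying, capitalize=(), insert_after=None):
    """Build a password from the first letter of each word of `saying`.

    Words listed in `capitalize` contribute an uppercase initial; the rest
    contribute lowercase.  `insert_after` maps a word to extra text placed
    right after that word's initial, e.g. {"Mary": "19"} or {"Mary": ",19,"}.
    """
    insert_after = insert_after or {}
    parts = []
    for word in saying.split():
        initial = word[0].upper() if word in capitalize else word[0].lower()
        parts.append(initial + insert_after.get(word, ""))
    return "".join(parts)


def alphabet_size(password):
    """Values per digit an attacker must try, given the character classes
    actually present: 26 lowercase, 26 uppercase, 10 digits and the 32 ASCII
    punctuation characters (26 + 26 + 10 + 32 = 94)."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 characters
    return size


def keyspace(password):
    """Number of candidates a brute-force attacker must consider; the post's
    52^5 and 62^7 figures fall out of this."""
    return alphabet_size(password) ** len(password)


def bits(password):
    """The same count expressed as bits of entropy (log2 of the keyspace)."""
    return log2(keyspace(password))


def seconds_to_exhaust(password, guesses_per_second=1_000_000_000):
    """Worst-case time to try every candidate. One billion guesses per second
    is an assumed rate for offline cracking of a fast hash, not a figure
    from the post."""
    return keyspace(password) / guesses_per_second


if __name__ == "__main__":
    steps = [
        mnemonic(SAYING),                                        # mhall
        mnemonic(SAYING, capitalize=("little",)),                # mhaLl
        mnemonic(SAYING, capitalize=("Mary", "little")),         # MhaLl
        mnemonic(SAYING, ("Mary", "little"), {"Mary": "19"}),    # M19haLl
        mnemonic(SAYING, ("Mary", "little"), {"Mary": ",19,"}),  # M,19,haLl
    ]
    print(f"{'password':<12}{'alphabet':>9}{'keyspace':>22}{'bits':>7}{'hours @1e9/s':>14}")
    for pw in steps:
        print(f"{pw:<12}{alphabet_size(pw):>9}{keyspace(pw):>22,}"
              f"{bits(pw):>7.1f}{seconds_to_exhaust(pw) / 3600:>14.3g}")
```

Running it prints one row per step of the post. The row for M19haLl reproduces the 3,521,614,606,208 figure and shows it is under 42 bits, about an hour of work at the assumed rate; the punctuated 9-character version is around 59 bits. Adding two characters did more than adding punctuation did, which is the thing to take away: a longer saying buys more than a fancier character mix.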

OK. Let's go over the advantages of this
system:

  1. Your password cannot be found in any
    dictionary. This is critical!
  2. You can easily remember it. This is
    also very important!
  3. Even though the password is sophisticated,
    it can be typed very very quickly because it
    is based on a mnemonic, a memory aid.

It's critical that your password not contain
dictionary words, because that is how dictionary
attack tools work. They try every word in a word
list, plus common variations, against the login
or against a stolen list of password hashes.

It's critical that you be able to easily
remember your password so that you can go
away for 2 weeks and come back and your
password is still in your memory without you
having written it down.

You want a password that you can type as
fast as you can say, Mary, 19, had a
Little lamb. This is what you get
when using this system.

All in all, this is a very hard system to
break.

Apart from stealing the password outright,
an attacker is reduced to guessing, and the
counts above are what that guessing costs.
Pick a longer saying and the cost grows with
every word.

One more thought.

As said before, Mary had a little lamb,
may be too common a saying. However, there
must be some saying out there that you like
that is a bit more obscure.

Find some saying that brings up pleasant memories
for you. Maybe something your niece said when she
was 3 years old that struck you as both unique and
profound.

You already recall the saying, so why not use it?

Recall that saying and use that.

Also, don't forget to do a better job than I did
in making sure that your password does not have
dictionary words in it.

As you recall, we started out with Mary had
a little lamb. This saying has two problems:

  1. It's too common
  2. It spells something

What does Mary had a little lamb
spell? It spells mhall or
Mary Hall.

mhall or Mary Hall is just
as bad as rjohnson or Robert
Johnson.

So for at least two reasons, don't pick
Mary had a little lamb. Instead,
use it as a basic model that you can use
to pick your own password that does not
inadvertently spell something.
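A quick check for the second problem, added here as an example and not part of the original post: scan the candidate for dictionary words hiding inside it, the way hall hides inside mhall. The small word list below is constructed for the example; a real check should load a full dictionary, and the /usr/share/dict/words path is an assumption about the reader's machine.

```python
import os

# Constructed stand-in word list for the example. A real check should use a
# full dictionary; see load_words() below.
SAMPLE_WORDS = {"hall", "mall", "all", "had", "hat", "john", "son", "johnson",
                "lamb", "mary", "rob", "robert"}


def load_words(path="/usr/share/dict/words", fallback=SAMPLE_WORDS, min_len=3):
    """Load a word list from `path` if it exists (assumed location on many
    Unix systems), else fall back to the constructed sample. Words shorter
    than `min_len` are dropped so that 'a' and 'to' do not flag everything."""
    if os.path.exists(path):
        with open(path, encoding="utf-8", errors="ignore") as fh:
            return {w.strip().lower() for w in fh if len(w.strip()) >= min_len}
    return {w for w in fallback if len(w) >= min_len}


def dictionary_hits(candidate, words, min_len=3):
    """Every word of at least `min_len` letters that appears as a contiguous
    substring of `candidate`, compared case-insensitively, with its offset.
    This is the check that flags mhall (contains 'hall') and rjohnson."""
    lower = candidate.lower()
    hits = []
    for i in range(len(lower)):
        for j in range(i + min_len, len(lower) + 1):
            if lower[i:j] in words:
                hits.append((i, lower[i:j]))
    return hits


def spells_something(candidate, words):
    """True if the candidate inadvertently spells a dictionary word."""
    return bool(dictionary_hits(candidate, words))


if __name__ == "__main__":
    words = load_words()
    for pw in ("MhaLl", "M,19,haLl", "rjohnson", "xqzvkwjp"):
        print(pw, dictionary_hits(pw, words) or "clean")
```

Note that M,19,haLl is still flagged: the capitalization, the number and the punctuation all sit around the hall, not inside it, so the dictionary fragment survives every later step. Raise min_len to 4 if three-letter words like all produce too much noise for your taste.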

The great thing about this password-picking
system is that not only does it keep your
computer data secure, it also provides you
with a saying that can give pleasure for
years.

Ed Abbott