Update - April 21, 2011: This article was "featured" on Security Now, here is my reply!

Back in 2007, I wrote an article about how to make usable and secure passwords. It is one of the most popular articles I have ever written, with more than 340,000 unique readers (and counting).

The article has been linked to by a large number of sites, including several of the big security companies, and last week it was picked up by ReadWriteEnterprise.

Over the years, people have been asking the same questions time and again. So in this article, I am going to answer those questions once and for all.

Why did I write that article?

The article came to life after yet another discussion with IT, who believed that everyone should be forced to use passwords with a minimum of eight characters, including two uppercase characters, numbers and at least one special character.

I was absolutely furious for several reasons. First, I knew it was like kicking every employee in the groin every morning they showed up for work, that it would do squat for actual security (it is likely to make it worse), and that it would completely destroy the plans I had for the password-free web application I was working on at the time.

So I wrote this article about how to create passwords that were really easy to use and remember. I wanted to demonstrate that complexity is a sickness of IT, and has nothing to do with actual security.

I illustrated how the simple password "this is fun" is 10 times more secure than "J4fS<2".

With this, the problem was solved. Gone was the ridiculous IT security crap, and we could all go on with our lives. But then people started asking these questions.

Q: What about the problem that many sites store people's passwords in clear text?

A: What about it? It has nothing to do with this. How a password is stored in a database is a server problem, something that must be solved at the server level. No level of complexity by the user can solve this problem.

Every server admin has the responsibility to store people's passwords in a secure and encrypted way.

Q: Most passwords can be cracked using rainbow tables (or similar). Will higher complexity not solve that?

A: Yes and no.

Let me briefly explain what this is. The way hackers hack passwords today is to look them up in password tables. This was how people's passwords were hacked in the Gawker incident.

Basically, the hacker will take an encrypted password like this one: 4d5257e5acc7fcac2f5dcd66c4e78f9a and simply go to this site (among many) and paste it in. The site will then return the actual password (which in this case is "mickey"). They are simply looking it up in a database.

The way to solve this is to make the password so complex that it is unlikely to be in any database. More complexity = better encryption security.

However, this is not a user problem!!!

You do not ask the user to create a more complex password. You make the password more complex on the server.

Here is a simple example. Let's say that the user decides to use the password "mickey", which is completely insecure.

You then add a one-way complexity algorithm to it, effectively turning it into:

Uc([u+e>q#iZ|Xrhl@@HkCfnd=R~5"@and8T:[Z6<A|16n<nwmkwV)H4k'[@f|CRyWK;-1

Which you then encrypt, and run through another one-way complexity algorithm - ending up with this:

Q802AlII0xEKCgjwyXL8lsteSOEftjYgyQc0FW6Dit8F0onuv0gNvv4Xm0cYwCe

This is then what you store in your database on the server. The user can choose whatever password they like. It is your job as a server admin to make sure that it is encrypted correctly.
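Here is a worked version of that server-side idea, as an added example (not code from the original article). It renders "add complexity on the server" the way a practitioner would today: a random per-user salt mixed into the password, then a deliberately slow one-way function (PBKDF2-HMAC-SHA256), with verification that recomputes the digest and compares the whole thing in constant time. The iteration count, salt length and record format are assumptions chosen for the example. The unsalted MD5 function is included only to show why a bare hash is a lookup key: every user who picked "mickey" ends up with the same stored value.

```python
import hashlib
import hmac
import os
from typing import Optional

# Parameters chosen for this example; they are assumptions, not values from the article.
ITERATIONS = 100_000   # work factor of the slow one-way function
SALT_BYTES = 16        # length of the random per-user salt


def unsalted_md5(password: str) -> str:
    """The lookup-table-friendly scheme: one bare hash, identical for every
    user who picked the same password, so a precomputed table maps it back."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Server-side 'added complexity': a random per-user salt is mixed in, then
    the result goes through a deliberately slow one-way function.
    Returns a self-describing record: algorithm$iterations$salt_hex$digest_hex."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count, then compare the
    whole digest in constant time. Nothing is ever decrypted."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def stored_values_for(password: str, users: int = 2) -> dict:
    """What ends up in the database for `users` people who all chose `password`."""
    return {
        "unsalted": [unsalted_md5(password) for _ in range(users)],
        "salted": [hash_password(password) for _ in range(users)],
    }


if __name__ == "__main__":
    rows = stored_values_for("mickey")
    print("unsalted:", *rows["unsalted"], sep="\n  ")   # identical rows: a shared table works
    print("salted:", *rows["salted"], sep="\n  ")       # different per user: no shared table
    print("verify 'mickey':", verify_password("mickey", rows["salted"][0]))
    print("verify 'Mickey':", verify_password("Mickey", rows["salted"][0]))
```

The record carries its own salt and work factor, so the iteration count can be raised later for new passwords while old records still verify. Two users with the same password get two unrelated records, which is exactly what defeats the lookup-table attack described above.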

Q: Many websites do not allow spaces in passwords, what then?

A: True, but again that is a server problem, not a user problem. Fix the damn server!

Q: If I cannot write "this is fun" because of the spaces, can I not just write "thisisfun"?

A: Absolutely not! The reason why "this is fun" is 10 times more secure is simply that it is much longer (11 characters). By removing the spaces, you reduce the length and the complexity substantially. The spaces are effectively special characters, which in itself makes the password much more secure.

Use "this-is-fun" instead.

Q: If "this is fun" is 10 times more secure, wouldn't it increase security to write it as "Thi3-Is-5un"? ... That would be just as easy to remember.

A: You are kidding, right?

Yes, it would be much more secure, but the whole point of this is to reduce complexity. People do not like being kicked in the groin every morning.

There is absolutely no reason for adding that complexity in the first place. It takes 2,537 years to hack "this is fun".
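To make the "10 times more secure" and "2,537 years" figures checkable, here is an added estimate (not the author's calculation; the original article's parameters are not stated on this page). It assumes 100 guesses per second against a remote login, a 20,000-word common-words list for a word-by-word attacker, 95 printable characters for a blind brute-force attacker, a 365-day year, and that the attacker must exhaust the whole space. Under those assumptions the estimate lands on the page's own figures: about 2,537 years for "this is fun" against roughly 233 years for "J4fS<2", a ratio near 11.

```python
# Attack-model assumptions for this example (the article's exact parameters are
# not stated on this page; these are chosen so the estimate can be checked by hand).
GUESSES_PER_SECOND = 100      # online guessing rate against a remote login form
DICTIONARY_WORDS = 20_000     # size of the common-words list a word-by-word attacker uses
PRINTABLE_CHARS = 95          # printable ASCII alphabet for a blind brute-force attacker
SECONDS_PER_YEAR = 365 * 24 * 60 * 60


def dictionary_guesses(password: str):
    """Guesses to exhaust the space if every space-separated lowercase token is
    assumed to be one of DICTIONARY_WORDS. Returns None when the password is
    not made of such tokens, because then the model does not apply."""
    tokens = password.split(" ")
    if not all(t.isalpha() and t.islower() for t in tokens):
        return None
    return DICTIONARY_WORDS ** len(tokens)


def brute_force_guesses(password: str) -> int:
    """Guesses to exhaust all printable strings of the same length."""
    return PRINTABLE_CHARS ** len(password)


def worst_case_guesses(password: str) -> int:
    """The attacker picks the cheapest model that fits the password."""
    candidates = [brute_force_guesses(password)]
    dictionary = dictionary_guesses(password)
    if dictionary is not None:
        candidates.append(dictionary)
    return min(candidates)


def years_to_exhaust(password: str, rate: float = GUESSES_PER_SECOND) -> float:
    """Time to try the whole space at `rate` guesses per second."""
    return worst_case_guesses(password) / rate / SECONDS_PER_YEAR


def relative_strength(a: str, b: str) -> float:
    """How many times longer exhausting `a` takes than exhausting `b`.
    Independent of the guessing rate, since both estimates scale with it."""
    return years_to_exhaust(a) / years_to_exhaust(b)


if __name__ == "__main__":
    for pw in ("this is fun", "J4fS<2"):
        print(f"{pw!r:15} {worst_case_guesses(pw):>20,d} guesses  {years_to_exhaust(pw):>10,.0f} years")
    print(f"ratio: {relative_strength('this is fun', 'J4fS<2'):.1f}x")
```

Changing the rate (say to the 25 requests per second measured against Google later on this page) shrinks or grows both numbers by the same factor, so the ratio between the two passwords does not move. The word-by-word model is the weak point of the phrase: three tokens from a 20,000-word list is a far smaller space than 11 printable characters, which is why a longer phrase or a less common word buys so much.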

Q: But modern computers can hack passwords much faster than they used to...

A: Yes and no. You need direct access to the database file or the server to hack something faster. If you have that level of access, you do not actually need the password. You can just look up the data directly.

What I am talking about in the article is hacking into remote systems (like web apps). I tested this with Google and I was not able to send more than 25 password requests per second to their servers.

And even if you could hack it faster, "this is fun" is still more secure. Just because something is faster doesn't mean the math behind it changes.

Q: Even so, a botnet could do it, right?

A: Read that part about adding delays in the article.

Q: "Well, I still prefer long and complex passwords. My previous one, for example, had mixed case letters, numbers, symbols, and spaces, and was 32 characters long. But I still could remember it easily, by using the name and ID number of an obscure science-fiction character from an uncommon book combined with a made up language."

A: Please, go away...

Ohh... and read: A template for every awful Facebook discussion you've ever witnessed.

Q: When I test "this is fun" it shows up as weak in most password testers.

A: Yes, this is simply because most password testing tools are completely useless. They measure complexity, not security.

One example. If you head over to The Password Meter, they will tell you that "this is fun" only scores 19% = very weak, while "J4fS<2" scores 60% = strong.

But, this has nothing to do with security. They specifically look for the presence of uppercase letters, numbers and symbols, which they then give a rank using a completely insane algorithm.

These guys are only measuring complexity. It is an utterly useless tool.

Mathematically, "this is fun" is 10 times more secure.

This is one of the big reasons why I hate when IT people talk about password security. They favor complexity over actual security.

-

Updated: April 18, 2011

Q: A 3-word password could be hacked a lot faster with a smaller dictionary.

A: Yes, it could. But how would the hacker know what words to put in the smaller dictionary? How would they know what words people use? Take "this is fun" and instead use a dictionary with only the top 500 English words. It wouldn't work. "this" and "is" are in it, but not "fun".

It wouldn't match.

But then people go on to suggest this...

Q: But a hacker could hack the first two words using a 500 word dictionary, and the last word using the common word dictionary.

A: You are kidding, right?

I think you have been watching too many Hollywood movies. In Hollywood, passwords are hacked one digit at a time, meaning the system would return true or false based on partial matches.

This is not how the real world works. You cannot match a password based on partial matches. "This * *" is not the same as "this is fun". It would return FALSE. You have to match all three words, all at once.
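An added example (not the author's code) that ties the last two answers together: the "all at once" point here, and the "adding delays" point from the botnet question above. The login check below computes a salted one-way digest of the complete password and compares it against the stored digest in constant time, so "this is *" is simply another wrong answer and nothing signals that two of the three words were right. On top of that, every failure past a small free allowance doubles a per-account delay, capped so a flood of wrong guesses cannot lock the real owner out indefinitely. The iteration count, fixed salt, allowance, base delay and cap are assumptions for the example; the clock is passed in as `now` so the delay logic can be exercised without sleeping.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Assumptions for this example (not parameters from the article).
ITERATIONS = 20_000                                        # kept low so the demo runs quickly
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed, fixed for reproducibility
FREE_ATTEMPTS = 3                                          # failures allowed before delays start
BASE_DELAY = 1.0                                           # seconds; doubles with each further failure
MAX_DELAY = 3600.0                                         # cap: a flood of failures must not lock the owner out forever


def digest(password: str) -> bytes:
    """Salted one-way digest of the WHOLE password string."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), SALT, ITERATIONS)


@dataclass
class Account:
    stored: bytes
    failures: int = 0
    locked_until: float = 0.0


class LoginService:
    def __init__(self) -> None:
        self.accounts = {}

    def register(self, user: str, password: str) -> None:
        self.accounts[user] = Account(stored=digest(password))

    def login(self, user: str, password: str, now: float) -> bool:
        """One yes/no for the complete credential. A guess with two of three
        words right is just another failure; the comparison covers the whole
        digest, so no partial match can leak out."""
        acct = self.accounts.get(user)
        if acct is None:
            digest(password)          # same cost for unknown users, so timing does not reveal valid names
            return False
        if now < acct.locked_until:
            return False              # still inside the delay window: not even checked
        if hmac.compare_digest(digest(password), acct.stored):
            acct.failures = 0
            return True
        acct.failures += 1
        excess = acct.failures - FREE_ATTEMPTS
        if excess >= 0:
            acct.locked_until = now + min(MAX_DELAY, BASE_DELAY * 2 ** excess)
        return False


def guesses_possible(window_seconds: float) -> int:
    """How many wrong guesses at ONE account the delay policy permits in a window,
    assuming the guesser fires again the instant each delay expires."""
    svc = LoginService()
    svc.register("alice", "this is fun")
    acct = svc.accounts["alice"]
    t, count = 0.0, 0
    while True:
        t = max(t, acct.locked_until)
        if t > window_seconds:
            return count
        svc.login("alice", "not it", now=t)
        count += 1


if __name__ == "__main__":
    svc = LoginService()
    svc.register("alice", "this is fun")
    for i, guess in enumerate(("this", "this is", "this is *", "this is fun")):
        print(f"{guess!r:14} -> {svc.login('alice', guess, now=float(i))}")
    print("wrong guesses possible at one account per day:", guesses_possible(86400))
```

With these settings a single account accepts 37 wrong guesses in a day, however many machines are sending them; the number of hosts an attacker controls changes nothing about a per-account budget. Lowering the cap or the allowance trades a stricter budget for more friction on a legitimate user who mistypes, which is the knob an operator actually tunes.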

-

Q: So, are you saying we should use "this is fun" as our password?

A: No, I'm saying that you should use a 3+ word passphrase as your password. Something that isn't linked directly to you or your immediate interests. So don't choose the names of your three kids.

Choose something like "green is wicked", "summer hammocks are fun" or "floppily floors flop".

You get the idea :)