General: Secure Password Generation

When creating a new password, most people reuse one they already use on several websites, or pick one that's easy to remember. This is a bad idea: if one site is breached and your password is exposed, every account that shares that password is exposed with it. The obvious fix is to use a different password for each site. However, that's hard to do in practice, partly because you have to invent more of them and partly because you have to remember them all. So this post is going to explore how to stay safer online with little to no effort. But before looking at how to create a better password, I first want to talk about what makes a password safe.

When you sign up for a new account, your details are saved in a database that stores information about your account such as your email address, your password and any other relevant data. Passwords generally aren't saved as plaintext (the actual text you typed), because that would mean anyone within the company with access to the database could log into someone's account. So instead, passwords are hashed. A hash function is a one-way function: it takes input of any size, such as a password or a file, runs it through a fixed mathematical procedure, and produces an output of a fixed length that depends on the algorithm. Computing the hash from the input is easy; recovering the input from the hash is not practical.

For example:

MD5: InJenius >>> 197CBD7B5F463CD9434CAAC8D4A28A79

SHA-256: InJenius >>> 1AC30B6ED87F7DA3DB405EA3539122E80B87440C6D619B69DB77E1AA162A5337

SHA-512: InJenius >>> B5CB186D047510916034F055239AED05947D64070754289F8F00FC1B2B420037CF148A631E391C0AA8CDED0170D18D451362D4D1B155C2D55EB6165510F35A3E

The useful property of hashing is that similar inputs give completely different outputs. If we look at MD5 again and hash InJenius with and without the capital letters, we get:

InJenius >>> 197CBD7B5F463CD9434CAAC8D4A28A79

injenius >>> 01E005F7004C97942E95920F9626D118

Even though we barely changed anything, the two results have nothing in common. This means that someone with direct access to the database still doesn't get someone's password just by reading it. We can do more to these hashes to make them harder to attack, such as salting (storing a random value alongside each hash and mixing it into the input) or using deliberately slow hashing functions like bcrypt, but what's important here is that a hash is used to check whether one value is equal to another without storing the value itself.

So when you first create an account, the service saves a hashed version of your password. Every time you try to log in, it hashes the password you typed and compares it with the stored hash. If they match, you're logged in; if not, you aren't. Now that we know how passwords are stored, we can look at how to compare passwords and generate safer ones.
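The store-and-compare flow described above, as an added example (not code from the original post): the first two helpers show the "similar input, unrelated output" property on the page's own MD5 inputs, and register/verify show how a service should store a password, using a random per-user salt and PBKDF2-HMAC-SHA256 from the standard library as the deliberately slow function (the iteration count is an assumed, illustrative value; bcrypt would serve the same purpose).

```python
import hashlib
import hmac
import os


def digest_hex(algorithm: str, text: str) -> str:
    """Hex digest (upper case, as on the page) of a UTF-8 string under the named algorithm."""
    return hashlib.new(algorithm, text.encode("utf-8")).hexdigest().upper()


def differing_bits(hex_a: str, hex_b: str) -> int:
    """Number of bits that differ between two hex digests of the same length."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


# Work factor for PBKDF2-HMAC-SHA256: the deliberate slowdown. Assumed value for illustration.
ITERATIONS = 600_000


def register(password: str) -> dict:
    """What a service should store: a fresh random salt plus the salted, slow hash.
    Two users with the same password get different records because the salts differ."""
    salt = os.urandom(16)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": derived.hex(), "iterations": ITERATIONS}


def verify(record: dict, attempt: str) -> bool:
    """Login check: re-derive with the stored salt and compare in constant time,
    so the comparison itself leaks nothing about how many bytes matched."""
    derived = hashlib.pbkdf2_hmac(
        "sha256", attempt.encode("utf-8"), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(derived.hex(), record["hash"])


if __name__ == "__main__":
    a, b = digest_hex("md5", "InJenius"), digest_hex("md5", "injenius")
    print("MD5 InJenius >>>", a)
    print("MD5 injenius >>>", b)
    print("bits that differ:", differing_bits(a, b), "of 128")
    record = register("InJenius")
    print("stored record:", record)
    print("correct password accepted:", verify(record, "InJenius"))
    print("wrong password rejected:", not verify(record, "injenius"))
```

Note that the stored record never contains the password itself, and that registering the same password twice produces two different records, which is what stops an attacker from hashing a guess once and matching it against every account at the same time.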

You may remember from creating an account on any service that they set a minimum length for your password, and most of the time they also require numbers, capital letters, punctuation and more. This all leads into a classic argument of complexity vs length: if you want a stronger password, which matters more? To measure the strength of a password we look at how many possible combinations there are. We get this by raising the number of possible characters to the power of the password's length (26^8 for an eight-character password of lowercase letters, as worked through below). We'll first look at complexity.


Complexity

For these calculations we're always going to use the same password length of 8. First we'll look at the case where you're only allowed to use letters of the alphabet. There are 26 of these, so there are 26 options for each character of the password. We know the password has length 8, so we simply do 26^8 = approximately 20 billion combinations. And that's just for lowercase letters. If we include the ability to capitalise, that's 52 options, giving more than 53 trillion combinations.

However, this isn't the whole story. Most services have requirements for passwords such as a minimum length as well as the inclusion of specific characters: at least one capital letter, one number and one piece of punctuation. Adding these rules lowers the number of combinations, because a password that is, say, all lowercase no longer counts; every element of the criteria has to be met. So while passwords of lowercase and uppercase letters technically have around 53 trillion combinations, the requirement to include at least one capital letter reduces that number. To test these differences, I built a tool that gives the number of combinations depending on whether these rules are set, the difference they make, and how long it would take a computer to guess your password. Check it out here.

Below is a table summarising the number of combinations, where if a character set is included, at least one character from it has to be used, as this is more realistic for most websites.

Character set                 Number of options   Number of combinations
0-9                           10                  100,000,000
a-z                           26                  208,827,064,576
a-z, A-Z                      52                  53,042,074,402,304
a-z, A-Z, 0-9                 62                  158,820,403,109,376
a-z, A-Z, 0-9, punctuation    72                  309,780,614,707,200

Length

Now we're going to look at how length affects the number of combinations for a password. For the complexity of the password I am using both lowercase and capital letters, giving 52 options, with the criterion that the password contains at least one uppercase and one lowercase character. Below is a table summarising some of these results.

Length   Number of combinations
8        53,042,074,402,304
9        2,769,046,876,277,760
10       144,272,771,757,750,270
11       7,509,524,820,376,990,000
12       390,686,148,572,926,840,000
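The counting behind both tables, as an added example (not the author's tool): count_passwords computes the number of passwords of a given length over a set of character classes where each required class must appear at least once, using inclusion-exclusion (all strings over the full alphabet, minus those missing a required class, plus those missing two, and so on). It reproduces the digit-only, lowercase-only and upper-plus-lower rows of both tables exactly and applies the full correction for three or more required classes. The class sizes follow the page (10 punctuation characters make up its 72-character set); the guess rate in the demo is an assumption.

```python
from itertools import combinations
from math import log2


def count_passwords(class_sizes: dict, length: int, required: list) -> int:
    """Number of passwords of `length` drawn from the union of the character classes
    (class_sizes maps class name -> number of characters) that contain at least one
    character from every class named in `required`.
    Inclusion-exclusion: for every subset of required classes of size k, count the strings
    that avoid all of them and add that count with sign (-1)^k."""
    alphabet = sum(class_sizes.values())
    total = 0
    for k in range(len(required) + 1):
        for missing in combinations(required, k):
            reduced = alphabet - sum(class_sizes[name] for name in missing)
            total += (-1) ** k * reduced ** length
    return total


def bits_of_strength(count: int) -> float:
    """Bits of search space: log2 of the number of combinations."""
    return log2(count)


def seconds_to_exhaust(count: int, guesses_per_second: float) -> float:
    """Worst-case time to try every combination at an assumed guess rate."""
    return count / guesses_per_second


# Class sizes as on the page; 10 punctuation characters complete the 72-character set.
CLASSES = {"a-z": 26, "A-Z": 26, "0-9": 10, "punctuation": 10}

if __name__ == "__main__":
    rate = 1e10  # assumed: ten billion guesses per second against a fast, unsalted hash
    print("Complexity at length 8 (each included set used at least once):")
    for names in (["0-9"], ["a-z"], ["a-z", "A-Z"], ["a-z", "A-Z", "0-9"], list(CLASSES)):
        subset = {n: CLASSES[n] for n in names}
        c = count_passwords(subset, 8, names)
        hours = seconds_to_exhaust(c, rate) / 3600
        print(f"  {', '.join(names):28} {c:>26,}  {bits_of_strength(c):5.1f} bits  {hours:10.2f} h")
    print("Length with a-z and A-Z, at least one of each:")
    for length in range(8, 13):
        c = count_passwords({"a-z": 26, "A-Z": 26}, length, ["a-z", "A-Z"])
        years = seconds_to_exhaust(c, rate) / (3600 * 24 * 365)
        print(f"  {length:2}  {c:>30,}  {bits_of_strength(c):5.1f} bits  {years:12.2f} years")
```

Each extra character multiplies the count by the alphabet size (52 here), whereas adding a class to a fixed-length password only grows the base, which is why the length table climbs far faster than the complexity table.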

Summary

Looking at these tables, we can clearly see that length has a much larger effect on the number of combinations than how complex the password is. That doesn't mean you shouldn't have a complex password; the two complement one another. The difference is that a longer password made only of letters is easier to remember than a short password with numbers and punctuation. This post doesn't go into dictionary attacks, which use lists of common words to guess passwords, but a mix of both complexity and length works well.


Generating secure passwords

To actually generate these passwords, there are a number of methods. The first is a password manager. These generate secure passwords for you and then store them for use on any website. Popular examples include LastPass and Dashlane, both of which support end-to-end encryption, meaning the companies can't see your passwords at all, and both make remembering your passwords very easy.

If you decide not to use a password manager, a popular method of generating passwords is to use phrases that you will remember, such as movie quotes or song lyrics. This is a little tricky, because it's best not to use your favourite quotes, as they are associated with you; a phrase you can remember easily that isn't from your favourite media works better. You can also substitute certain letters, like i for 1, to meet the site's requirements. If the password has an upper length limit, or you want to save time typing it, you can take the first letter of each word in the phrase instead, again substituting specific characters to meet the criteria. For some examples of this, check out this document, which contains a variety of phrases in both full-word and initials form.

An alternative method is to take random words that have no association with one another, substitute some characters, and make that your password. For example, find three objects around you right now and combine their names. Substitute '5' for 's' and '.' for 'o', say, and that is your brand-new password. It's likely over 15 characters long and meets nearly all website criteria. This allows for extremely long passwords that are still very memorable if chosen carefully.
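The random-words method above, as an added example (not the author's tool): passphrase picks unrelated words with the cryptographically secure `secrets` module, capitalises each, applies substitutions in the style the text suggests (s for 5, i for 1), joins them with a separator, and retries until the result satisfies a typical site policy. The word list and the policy thresholds are constructed assumptions; entropy_bits shows why the strength comes from how many words you pick and how large a list they come from, not from the substitutions.

```python
import math
import secrets
import string

# Constructed word list standing in for "objects around you". A real generator should draw
# from a large published word list so that the number of choices, and the entropy, is far higher.
WORDS = [
    "lamp", "kettle", "stapler", "window", "bicycle", "notebook", "cactus", "umbrella",
    "pencil", "mirror", "basket", "scissors", "radio", "clock", "candle", "teapot",
    "bottle", "jacket", "plant", "cushion",
]

# Character substitutions in the style the text suggests (assumed set).
SUBSTITUTIONS = {"s": "5", "i": "1"}


def meets_policy(password: str, min_length: int = 12) -> bool:
    """An assumed typical site policy: minimum length plus at least one lowercase letter,
    uppercase letter, digit and punctuation character."""
    return (
        len(password) >= min_length
        and any(c.islower() for c in password)
        and any(c.isupper() for c in password)
        and any(c.isdigit() for c in password)
        and any(c in string.punctuation for c in password)
    )


def passphrase(n_words: int = 3, rng=secrets, words=WORDS, separator: str = "-") -> str:
    """Pick n words with a secure RNG, capitalise each (so every word contributes an uppercase
    letter), apply the substitutions, and join with the separator (which supplies punctuation).
    Retries because a draw whose words contain no 's' or 'i' after the first letter has no digit."""
    for _ in range(100):
        picked = [rng.choice(words) for _ in range(n_words)]
        candidate = separator.join(
            "".join(SUBSTITUTIONS.get(ch, ch) for ch in word.capitalize()) for word in picked
        )
        if meets_policy(candidate):
            return candidate
    raise RuntimeError("could not satisfy the policy with this word list")


def entropy_bits(n_words: int, list_size: int) -> float:
    """Search space in bits for n independent picks from a list of the given size."""
    return n_words * math.log2(list_size)


if __name__ == "__main__":
    pw = passphrase()
    print("generated:", pw, "| meets policy:", meets_policy(pw))
    print(f"entropy with {len(WORDS)} words, 3 picked: {entropy_bits(3, len(WORDS)):.1f} bits")
    print(f"entropy with a 7776-word list, 3 picked: {entropy_bits(3, 7776):.1f} bits")
```

Three picks from the 20-word list here give under 13 bits, which is why a real generator uses a list of thousands of words; substitutions like s to 5 satisfy a site's rules but add almost nothing an attacker cannot try just as cheaply.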

Finally, if a website or service offers it, use two-factor authentication. With it enabled, someone who tries to get into your account by trying several passwords will either be locked out or be unable to log in even if they guess your password. It's an extra layer of security that makes it much harder for anyone to get into your account by guessing.

If you want to see some more numbers and passwords check out my password combination tool for more details.

If you have any suggestions or improvements for the blog then please send them to [email protected].

18th September 2020
