All About a Good Password

Many articles on the web try to explain how to create a good password. Unfortunately, they often contain many misconceptions.


We’ll try here to gather the correct information for properly managing passwords.

Note: This post was translated from French with the help of AI. The original post was written with the knowledge of a younger me.

The password to rule them all

First of all, how can you create a good password you can remember?

Replacing characters is not good

Often, a bad but seemingly good idea pops up: replacing characters with others.

For example, using “p@ssw0rd” instead of “password”.

This idea comes from the English-speaking world and is based on the fact that most passwords were composed of ASCII characters, meaning the 26 letters of the Latin alphabet plus some punctuation symbols.

This article was originally written in French and was therefore aimed at French speakers, who are less affected by this issue because French uses characters that are not in the basic ASCII table. Accented letters, for example “à, é, è, ù…”, only appear in the extended ASCII tables or in UTF-8 (an encoding that covers alphabets from all over the world: Arabic, Cyrillic, Chinese…).

This technique makes passwords much harder to remember. Because they’re hard to memorize, we tend to make them shorter, which is also very bad.

Passphrases are good

This technique is known thanks to the xkcd comic strip, often referred to as “correct horse battery staple”.

To be effective, the combination of words must be as rare as possible. In the xkcd comic, this rarity is conveyed by randomness.

But let’s not forget that this is a password we need to remember. Our brains don’t handle randomness well. That’s why, at the end of the comic, the author emphasizes creating a mental image of the passphrase.

Note: In French, word frequency and word combinations are lower than in English because French speakers are fewer and the language contains articles, determiners, and possessives that further reduce combination probability. Thus, randomness is less critical than in English.

We can therefore use grammatically correct phrases as passwords.

An example to illustrate:

Which do you think is the better password:

“!He_r@spberr1es”

or

“The Queen of the Night’s Aria, The Magic Flute by Wolfgang Amadeus Mozart”

If you like Mozart, it’s definitely the second one. It’s easy to remember, longer than the first, and the chance that two people have the same password is low.

The password manager to bring them all

Having a password you can remember is good. But even better is being able to use passwords you cannot remember yourself. This reduces the risk of accidentally revealing them in conversation.

Jimmy Kimmel has a segment on his show available on YouTube.

To avoid this risk and create passwords you can’t remember, you need a password manager.

This is software or a web service that stores your passwords and displays them when requested. You just copy-paste them or use plugins that auto-fill login forms. They’re usually encrypted, and you access them with a master password, the only one you really need to remember.

With this system, since you don’t have to remember passwords, go big. Use 50-character randomly generated passwords with lots of weird symbols. Take advantage of UTF-8, checking compatibility with your software and services (not all support it, and some don’t display Cyrillic correctly, for example).

Software or web service

The advantage of using software instead of a web service is a reduced risk of attacks and leaks.

A web-based password manager attracts attackers because a breach could expose thousands of accounts instead of just one.

There are also legal conflicts between the service’s jurisdiction and users’ rights, for example, European GDPR vs. the U.S. Cloud Act. We’ll discuss these legal aspects in future articles.

The advantage of a web service is a lower risk of password loss and a dedicated team monitoring and patching vulnerabilities.

Me

I use KeepassXC.

It’s open-source, meaning the code can be easily audited.

It runs locally on your devices instead of online, reducing centralized attack surfaces.

It encrypts passwords with the master password.

Legal conflicts between European GDPR and the U.S. Cloud Act are avoided since passwords aren’t stored on U.S. servers.

However, it’s harder to share the password database across devices. You also need to manage backups of your encrypted password database yourself.

KeepassXC is a variant of KeepassX (whose development appears to have stopped), itself a variant of Keepass, which is Windows-only. Incidentally, Keepass will undergo a security audit by the European Commission.

And in the darkness bind them (attacks)

Mass attacks

Mass attacks aim to collect as many passwords as possible, without caring whose accounts they belong to.

Dictionary attacks

The most common are dictionary attacks. They require little computing power but lots of storage (time-memory tradeoff). They test the most common known passwords (from previous breaches) and move on if they fail.

A yearly list of the 25 most popular passwords is published (here’s the 2018 list, with 2017 comparison):

  • 123456 (unchanged)
  • password (unchanged)
  • 123456789 (+3 spots)
  • 12345678 (-1)
  • 12345 (unchanged)
  • 111111 (new)
  • 1234567 (+1)
  • sunshine (new)
  • qwerty (-5)
  • iloveyou (unchanged)
  • princess (new)
  • admin (-1)
  • welcome (-1)
  • 666666 (new)
  • abc123 (unchanged)
  • football (-7)
  • 123123 (unchanged)
  • monkey (-5)
  • 654321 (new)
  • !@#$%^&* (new)
  • charlie (new)
  • aa123456 (new)
  • donald (new)
  • password1 (new)
  • qwerty123 (new)

The issue with this list, present in all “how to make a good password” articles, is that it comes from the English-speaking world and doesn’t reflect the most common passwords in other languages (such as French). If you have sources for passwords in other languages, I’d love to see them.

Of course, there are also lists with 100, 1,000, 10,000, 1 million, or more passwords circulating online.

Rainbow tables

The second type is the rainbow table attack. It’s more computationally expensive but requires less storage. It only works if the attacker has obtained a database of password hashes (we’ll explain “hash” in a future article).

A rainbow table compares its stored hashes with those in the hacked database. If they match, the password is the same.

Example:

The attacker has a rainbow table with these md5 hashes:

  • password: 5f4dcc3b5aa765d61d8327deb882cf99
  • sdhfksdkfh: e2a1dbf388e7a7e87dc02943e3521036
  • raspberry: 54a9fc48a5b664772e2ca06d1e0772d9

They hack a site’s hash table and get:

  • Bob: 098f6bcd4621d373cade4e832627b4f6
  • Alice: 54a9fc48a5b664772e2ca06d1e0772d9
  • Lee: 190a16e29799b184d9900690ee04438a

The second hash matches the third entry in their rainbow table, so Alice’s password is “raspberry”.

Passphrases counter both these attacks. If the passphrase isn’t in the dictionary or rainbow table, the attack fails.
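The lookup described above, as an added example that is not part of the original post: the attacker's three candidates are hashed once into a table and compared against a leaked database of unsalted MD5 hashes. The leaked database is constructed here from the users' plaintexts so the script runs offline; the lookup recovers Alice but not Lee, whose passphrase is absent from the table. The second function goes one step beyond the post and shows the standard countermeasure it defers to a later article: a per-user random salt, which makes every stored hash unique and the precomputed table useless.

```python
import hashlib
import os


def md5_hex(password: str) -> str:
    """Unsalted MD5 as in the post's example (md5('password') is 5f4dcc3b5aa765d61d8327deb882cf99)."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def build_lookup_table(candidates):
    """Precompute hash -> password once; the table is then reused against every leaked database."""
    return {md5_hex(p): p for p in candidates}


def match_leaked_hashes(table, leaked):
    """Return user -> password for every leaked hash that appears in the precomputed table."""
    return {user: table[h] for user, h in leaked.items() if h in table}


def salted_hash(password: str, salt: bytes) -> str:
    """Per-user random salt: identical passwords produce different hashes, so no table can be precomputed."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


# Constructed data for the demonstration: the attacker's candidates from the post and a
# leaked site database stored as unsalted MD5, built here from known plaintexts.
CANDIDATES = ["password", "sdhfksdkfh", "raspberry"]
TABLE = build_lookup_table(CANDIDATES)
LEAKED_UNSALTED = {
    "Bob": md5_hex("test"),
    "Alice": md5_hex("raspberry"),
    "Lee": md5_hex("The Queen of the Night's Aria, The Magic Flute"),  # passphrase, not in the table
}


def demo_unsalted():
    """Only Alice is recovered; Lee's passphrase is not in the table, so the lookup fails for him."""
    return match_leaked_hashes(TABLE, LEAKED_UNSALTED)


def demo_salted():
    """Same plaintexts stored with a fresh 16-byte salt each: nothing matches, and two users
    sharing 'raspberry' no longer share a hash. Returns (matches, alice_and_carol_differ)."""
    users = [("Bob", "test"), ("Alice", "raspberry"), ("Carol", "raspberry")]
    hashes = {user: salted_hash(pw, os.urandom(16)) for user, pw in users}
    return match_leaked_hashes(TABLE, hashes), hashes["Alice"] != hashes["Carol"]


if __name__ == "__main__":
    print(demo_unsalted())
    print(demo_salted())
```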

In a future article, we’ll discuss strengthening hash tables for website developers.

In the hash article, we’ll also see how to reduce rainbow table storage needs.

Brute force (grrrr)

The last technique is brute force: trying every possible combination. It’s the most computationally expensive but requires the least storage.

It’s the oldest method, and the reason we started adding special characters to passwords.

But attackers have long used extended ASCII (with uppercase and accents) or UTF-8 (all alphabets worldwide: Arabic, Cyrillic, Chinese…) to test everything.

To counter it, use longer passphrases and the full alphabet (not “aaaaaaaaaaaaaaaaaaaaaa”).

This increases entropy (we’ll explain entropy in another article). French, with its accented letters, provides even higher entropy than English.

Example:

“!Es_fr@mbo1ses” has 72.1 bits of entropy, which is strong (good for most cases).

“The Queen of the Night’s Aria, The Magic Flute by Wolfgang Amadeus Mozart” has 475.8 bits of entropy, making it ultra-strong (obviously good).

The higher the entropy, the longer brute-force takes. The goal is to make attacks take years or centuries, not seconds. And with a password manager, take full advantage of UTF-8 (checking compatibility).
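To make the entropy figures concrete, here is an added example (not from the original post) of the simplest brute-force model: the attacker must enumerate every character class present, so entropy is length times log2 of the alphabet size, and exhausting that space at a fixed guess rate gives a time estimate. The class pool sizes, the 60-letter size assumed for accented letters and the 1e10 guesses per second rate are assumptions of this example; the post's 72.1 and 475.8 bits come from a different estimator, so the numbers differ, but the effect of length and alphabet is the same. A second function uses the characters actually present instead of the pools, which is why “aaaaaaaaaaaaaaaaaaaaaa” collapses to 0 bits despite its length.

```python
import math
import string

# Assumed pool sizes: the characters an attacker must enumerate once one member of the class appears.
POOL_SIZE = {
    "lower": 26,
    "upper": 26,
    "digit": 10,
    "symbol": len(string.punctuation) + 1,  # printable ASCII punctuation plus space: 33
    "non_ascii": 60,  # assumption: rough count of the accented letters used in French
}


def char_class(ch: str) -> str:
    """Map one character to the pool the attacker has to include."""
    if ch in string.ascii_lowercase:
        return "lower"
    if ch in string.ascii_uppercase:
        return "upper"
    if ch in string.digits:
        return "digit"
    if ord(ch) > 127:
        return "non_ascii"  # accents, Cyrillic, typographic quotes, etc.
    return "symbol"  # punctuation, space and any other ASCII


def alphabet_size(password: str) -> int:
    """Alphabet the attacker must brute-force: the sum of the classes actually used."""
    return sum(POOL_SIZE[c] for c in {char_class(ch) for ch in password})


def entropy_bits(password: str) -> float:
    """Uniform-choice model: length * log2(alphabet). An upper bound, not a strength score."""
    return len(password) * math.log2(alphabet_size(password))


def observed_entropy_bits(password: str) -> float:
    """Same formula over the distinct characters really present: 'aaaa...' gives 0 bits."""
    return len(password) * math.log2(len(set(password)))


def years_to_exhaust(bits: float, guesses_per_second: float = 1e10) -> float:
    """Time to try every combination of the space at the assumed guess rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    for pw in ["!He_r@spberr1es", "a" * 22, "Arrête, il fait nuit à Montréal"]:
        bits = entropy_bits(pw)
        print(f"{pw!r}: pool={alphabet_size(pw)} bits={bits:.1f} "
              f"observed={observed_entropy_bits(pw):.1f} years={years_to_exhaust(bits):.3g}")
```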

Targeted attack

A targeted attack aims to hack a specific user.

Keylogger

This involves infecting the user’s device with a tool that records every keystroke. When the user types their password, it’s captured.

This is outside this article’s scope and will be covered in future articles.

Social engineering

Through social engineering, a hacker may obtain your password from friends, family, or even you. Remember Jimmy Kimmel.

First, never share your password with anyone. Many services (including email) allow account sharing without sharing passwords.

Second, a password manager helps here too. If you don’t know your own password, a hacker can’t extract it this way.

For your master password, try a unique word combination or phrase no one knows.

Tools to find them

Yes, for those catching the title reference, I had to swap titles for coherence.

Once you have passwords for online services or devices, you must monitor them and track their lifecycle.

Make sure deleted passwords are truly deleted.

Expiration

You can set an expiration date for passwords. I don’t recommend this unless you’re sure you need it, because it often clashes with human behavior.

People quickly create slightly modified versions of old passwords or stop changing them altogether. Since password expiration handling isn’t standardized, this can create security flaws.

Breach monitoring

You should also ensure your password hasn’t been breached. Use monitoring tools for this.

A great service is haveibeenpwned by Troy Hunt. You can monitor your emails, and if they appear in a breach, the service notifies you.

It even provides tools to integrate into your website or app. However, I have serious GDPR concerns about it (to be discussed later).

Lastly, here’s a Twitter account showing how hard it is for services to handle passwords correctly:

https://twitter.com/PWTooStrong

Well, I’ve promised a lot of future articles. Great, more work for me. Pfff…

For developers, here are some tips on implementing passwords.