BlueTie Blog

The Password Formula

Posted on Aug. 28, 2019

Ah, passwords, that one thing we love to hate. Today, it is often still the primary defense between your account and a malicious hacker. So why do we hate something that is meant to protect us? The answer lies in the way in which we are told to create passwords or the ‘password formula.’

For those of you who would like tips on creating easier to remember, but still strong, passwords, skip ahead to the section ‘Tips for Creating Strong & Memorable Passwords.’ If you’re interested in a more detailed look at passwords, continue reading.


The Password Formula

Length: As the length of a string increases, so does the number of possible character combinations. Because of this, many services enforce a length of 8-16 characters for a password.

Complexity: Sometimes one of the hardest criteria to meet. We introduce complexity by mixing upper- and lower-case letters, numbers, and special characters, and most services require at least one of each of these character types.

Reusability: Reusing a password, whether on the same account after a change or on another account, is discouraged. It is impossible to enforce across services, but if one of your accounts is compromised, every other account with the same password is at risk.

Update: A less common but still used policy is forcing you, the user, to change your password every ‘x’ days. The thinking is that the more frequently it changes, the less likely a password, if discovered, is still the one that grants access to the account.

When it comes down to it, the password formula is frequently this:

This formula leads to passwords like sDxFF87k&%d#13GH or Password123!

The Problem

The general idea, as may be evident from the above practices, is to increase complexity to make the password harder to crack. After all, more characters and more character types mean more possible combinations, and that makes sense. However, it also makes the password difficult for a human to remember. Human memory has its limits; unlike a computer, we can’t add more storage or computing power.

The question eventually becomes this: how can we increase complexity, still remember the password, and not lose password strength?

The Solutions

Up to now, the password formula has had one thing in mind: making it difficult for machines to guess. As we’ve already discussed, this ignores the fact that humans have memory limitations, and therefore it creates security holes. Recognizing this means re-evaluating the formula to include memorability and perhaps removing the forced ‘update.’

A study from 2011 looked at several of the password rules listed above. One result was that forcing a password change every so many days didn’t give users better security. Instead, users often responded by appending another number to the end of the old password (e.g., Password1, Password12) or by writing passwords down.
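The failure mode the study describes, a ‘new’ password that is just the old one with a bumped number, is something a service can check for at change time, when it still has both the old and the new password in hand. The following Python helper is an added example, not code from the original post or from BlueTie; the function names and the HISTORY sample are constructed for illustration.

```python
import re
from typing import List, Optional


def strip_trailing_digits(pw: str) -> str:
    """Drop any run of digits at the end of the password ("Password12" -> "Password")."""
    return re.sub(r"\d+$", "", pw)


def is_trivial_variant(old: str, new: str) -> bool:
    """True when the new password is the old one with its trailing digits
    appended, incremented or removed, ignoring letter case.
    Two all-digit passwords both reduce to an empty core and also count as variants."""
    return strip_trailing_digits(old).casefold() == strip_trailing_digits(new).casefold()


def validate_change(new: str, previous: List[str]) -> Optional[str]:
    """Return a rejection reason, or None if the new password is acceptable
    against the user's previous passwords (hypothetical policy helper)."""
    for i, old in enumerate(previous):
        if new == old:
            return f"new password is identical to previous password #{i + 1}"
        if is_trivial_variant(old, new):
            return f"new password only changes the digits at the end of previous password #{i + 1}"
    return None


# Constructed history for one user (not real data): the rotation pattern the
# 2011 study describes, where each "new" password just bumps a number.
HISTORY = ["Password1", "Password12"]

if __name__ == "__main__":
    for candidate in ["Password123", "PASSWORD2", "Tr0ub4dor&3"]:
        reason = validate_change(candidate, HISTORY)
        print(f"{candidate!r}: {'rejected - ' + reason if reason else 'accepted'}")
```

Running the block rejects Password123 and PASSWORD2 as variants of the stored history and accepts the unrelated candidate. A real system would keep only hashes of old passwords, so this comparison can only run at the moment the user supplies both values; it is a complement to, not a replacement for, dropping the forced-update rule.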

Tips for Creating Strong & Memorable Passwords

The biggest challenges in remembering passwords are complexity and not being able to reuse them. It’s hard to remember a bunch of passwords, and the task is even harder when what we have to remember has no meaning. So how can we create a password with meaning? How can we give it ‘meaning’ without using personal information? Moreover, how can we obfuscate that meaning enough to make it difficult to guess?

Words

Using dictionary words is generally discouraged, but they have the benefit of carrying meaning on their own, since they’re familiar. They can be useful when combined with some of the suggestions below. If you’re a vocabulary buff, consider longer words that are less common.

Phrases

One thing we can do is borrow something you probably learned in school. Many of us learned phrases to remember an order, for, say, the planets or the order of operations. The phrases were silly but helped us recall something with meaning. In fact, making the sentence ridiculous can make it easier to remember (e.g., AvacadosLoveLizards).

Create Personal Patterns

Using the above two suggestions alone is not enough to create a strong password; we’re still missing some complexity. To add it, we need numbers and special characters, and this is where personal patterns come in.

Some suggestions could be:

  • Capitalize the last letter of every word
  • Place a number between each word
  • Place a number after the first letter of a word
  • Replace every ‘L’ with ‘_’
  • And many more

Applying such patterns to our previous phrase, we could get something like this: A1vacadosL2ove<3L3izards$$

Notice that this password satisfies all of our enforceable password rules (length and complexity), yet it is much easier to remember than something like ‘sDxFF87k&%d#13GH.’ The words are familiar; it has meaning, even if ridiculous, and the personal patterns supply both numbers and special characters.

The key here is to create a pattern that you feel you could remember and that is unique to you. It will be different for everyone. Avoid a pattern like adding incremental numbers (123…) at the end of the password.

Avoid Common Substitutions

Certain letters and words are commonly substituted with numbers or symbols, such as replacing the word “for” with 4, or “L” and “i” with 1, among others. Password-guessing tools know these substitutions, so they add very little strength.
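To make the last three sections concrete from the defender’s side, here is an added Python example (not code from the original post or from BlueTie) of a password-policy check. It applies the enforceable rules from the formula (length, character classes), estimates the keyspace those rules imply, undoes the common substitutions just listed before looking for dictionary words, and flags the incremental-number pattern warned against under ‘Create Personal Patterns.’ COMMON_WORDS is a constructed stand-in for a real dictionary or breached-password list, and every function name is an assumption made for this illustration.

```python
import math
import re

# Constructed stand-in for a real dictionary / breached-password list.
COMMON_WORDS = {"password", "welcome", "dragon", "letmein", "football",
                "for", "love", "avocados", "lizards"}

# The substitutions the post lists (4 for "for"/"a", 1 for "l"/"i", 0 for "o", ...),
# folded so that the letters and the characters imitating them compare equal.
FOLD = {"4": "a", "@": "a", "3": "e", "1": "i", "l": "i", "!": "i", "|": "i",
        "0": "o", "$": "s", "5": "s", "7": "t", "+": "t"}

# Printable ASCII: 26 lower, 26 upper, 10 digits, 33 symbols (space included).
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}


def fold(text: str) -> str:
    """Lower-case the text and map every common substitute to the letter it imitates."""
    return "".join(FOLD.get(ch, ch) for ch in text.casefold())


def dictionary_words_found(pw: str) -> list:
    """Dictionary words still present once substitutions are undone.
    '4' is tried both as the letter 'a' and as the word 'for'."""
    candidates = {fold(pw), fold(pw.replace("4", "for"))}
    hits = {word for word in COMMON_WORDS
            if any(fold(word) in cand for cand in candidates)}
    return sorted(hits)


def character_classes(pw: str) -> set:
    """Which of the four character classes the password uses."""
    present = set()
    for ch in pw:
        if ch.islower():
            present.add("lower")
        elif ch.isupper():
            present.add("upper")
        elif ch.isdigit():
            present.add("digit")
        else:
            present.add("symbol")
    return present


def naive_entropy_bits(pw: str) -> float:
    """Bits of keyspace a composition rule implies: log2(alphabet ** length).
    This is what the formula measures; it is blind to dictionary structure."""
    alphabet = sum(CLASS_SIZES[c] for c in character_classes(pw))
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


def contains_incremental_digits(pw: str) -> bool:
    """True if any run of 3+ digits counts up by one (123, 2345, ...)."""
    for run in re.findall(r"\d{3,}", pw):
        if all(int(b) - int(a) == 1 for a, b in zip(run, run[1:])):
            return True
    return False


def check_password(pw: str, min_length: int = 8, min_classes: int = 3) -> dict:
    """Apply the enforceable rules plus the two checks the post recommends."""
    findings = []
    classes = character_classes(pw)
    if len(pw) < min_length:
        findings.append(f"shorter than {min_length} characters")
    if len(classes) < min_classes:
        findings.append(f"only {len(classes)} of {min_classes} required character classes")
    words = dictionary_words_found(pw)
    if words:
        findings.append("dictionary word(s) after undoing substitutions: " + ", ".join(words))
    if contains_incremental_digits(pw):
        findings.append("contains an incremental digit sequence")
    return {"password": pw, "naive_bits": round(naive_entropy_bits(pw), 1),
            "findings": findings, "acceptable": not findings}


if __name__ == "__main__":
    # Constructed samples, including the two passwords quoted in the post.
    for sample in ["sDxFF87k&%d#13GH", "Password123!", "P@ssw0rd", "Love4Ever",
                   "A1vacadosL2ove<3L3izards$$"]:
        print(check_password(sample))
```

The output makes the post’s point visible: Password123! and P@ssw0rd satisfy every composition rule and score well on the naive keyspace estimate, yet both collapse to ‘password’ once substitutions are undone, while the personal-pattern password A1vacadosL2ove<3L3izards$$ passes all checks because its numbers sit inside the words rather than replacing letters.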

Passwords aren’t Perfect

The fact is that today, a password alone is probably not enough to be your only defense. Computing power keeps increasing, and hackers seem to be always one step ahead. When creating a password, your goal should be to make an attacker’s job difficult, not impossible; impossible for them usually means impossible for you, too.

Implementing another line of defense is the next step, so that even if someone manages to guess your password, it alone won’t give them access to your account. This requirement of a password plus ‘something else’ is called Multi-Factor Authentication.

Multi-Factor Authentication

As stated above, Multi-Factor Authentication is a way to prove you are who you say you are with more than just a password. It can be a code sent to your phone or email, an additional PIN, your fingerprint, or even facial recognition. All of these methods add an extra layer of protection, so if you have the option of adding any of them, or another way to verify your identity, we recommend setting it up.

Password Management Tools

We could argue that length, complexity, and not reusing passwords are crucial to making passwords hard to crack. Software has therefore been developed to help users generate and manage passwords, which removes the need to create or remember them yourself.

We will take a closer look at password management tools in our next blog post.

Conclusion

Today, passwords aren’t meant to be the sole defender of your account and information. Because of the limits of the human mind, it’s difficult to maintain security without a secondary way of keeping track. Hopefully, with some password-creation tricks and by adding more than one way to authenticate, we can mitigate some of their weaknesses and frustrations.


Sources:
https://ws680.nist.gov/publication/get_pdf.cfm?pub_id=907615
https://www.us-cert.gov/ncas/current-activity/2018/03/27/Creating-and-Managing-Strong-Passwords
https://www.us-cert.gov/ncas/tips/ST04-002
https://www.us-cert.gov/ncas/tips/ST05-012
https://www.it.ucsb.edu/password-best-practices
https://www.ftc.gov/news-events/blogs/techftc/2016/03/time-rethink-mandatory-password-changes
https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html
https://techspective.net/2018/05/23/10-best-practices-to-secure-and-protect-passwords/
https://smallbiztrends.com/2019/01/password-best-practices.html
https://www.pandasecurity.com/mediacenter/security/10-memory-tricks-for-creating-safe-and-easy-to-remember-passwords/