Passwords: make them complicated

The question I'm asked more than any other by clients is: 'I've forgotten my password to the content management system, please could you remind me.'

The login screens of the systems I use do have password reminder links, but they are not necessarily easy to spot, so I understand how the reminder option might have been overlooked.

I'm rather more vexed by the fact that so many people are trying to remember their passwords, rather than keeping a written record. Perhaps it's because I've been self employed for a while and cocooned from the advice of IT departments, who still, it seems, are advising against keeping written records of passwords.

So I really appreciated the fine article that appeared on The Guardian website the other day, Online passwords: keep it complicated, by Oliver Burkeman, which pours cold water on the notion of trying to remember complicated things like passwords, and suggests that we make a note of them instead (with the help of some useful software which I discuss below). I really recommend that any user of online services (nearly all of us) with an interest in security (everyone) read Burkeman's piece.

To initiate armageddon, type '00000000'

It starts with some alarming stats about the dreadfully insecure passwords chosen by most of us, and, until relatively recently, by rather important organisations that should really know better:

Last month, an analysis of leaked pin numbers revealed that about one in 10 of us uses '1234'; a recent security breach at Yahoo showed that thousands of users' passwords were either 'password', 'welcome', "123456" or 'ninja'. People choose terrible passwords even when more is at stake than their savings: among military security specialists, it's well-known that at the height of the cold war, the 'secret unlocking code' for America's nuclear missiles was 00000000. Five years ago, Newsnight revealed that, until 1997, some British nuclear missiles were armed by turning a key in what was essentially a bike lock.

Online security systems wisely encourage us to choose much less obvious passwords, incorporating combinations of upper and lowercase letters, numerals and special characters, but injunctions against writing them down force us into choosing rather predictable amalgamations of proper words and dates, typically a name followed by a significant date (in many cases the user's first name or surname followed by date of birth). Burkeman writes:

Nobody thinks up passwords by combining truly random sequences of letters and numbers; instead they follow rules, like using real words and replacing the letter O with a zero, or using first names followed by a year. Hackers know this, so their software can incorporate these rules when generating guesses, vastly reducing the time it takes to hit on a correct one. And every time there's a new leak of millions of passwords – as happened to Gawker in 2010 and to LinkedIn and Yahoo this year – it effectively adds to a massive body of knowledge about how people create passwords, which makes things even easier. If you think you've got a clever system for coming up with passwords, the chances are that hackers are already familiar with it.

We can make things much more secure by making our passwords as long as possible:

For a hacker with the computing power to make 1,000 guesses per second, a five-letter, purely random, all-lower-case password, such as "fpqzy", would take three and three-quarter hours to crack. Increase the number of letters to 20, though, and the cracking time increases, just a little bit: it's 6.5 thousand trillion centuries.

But the longer the code is, of course, the harder it is to remember, so few users take the trouble to concoct long, recallable strings of characters.
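The arithmetic behind the quoted comparison, as an added example that is not from Burkeman's article or this post: a 1,000-guesses-per-second attacker against uniformly random lower-case passwords of length 5 and 20, set against the much smaller search space of the "real word followed by a year" habit described above (the dictionary and year-range sizes are assumptions), plus a generator of the kind of random password a wallet would produce.

```python
import math
import secrets
import string

SECONDS_PER_HOUR = 3600
SECONDS_PER_CENTURY = 100 * 365.25 * 24 * SECONDS_PER_HOUR


def search_space(alphabet_size: int, length: int) -> int:
    """Candidates an attacker must enumerate to be certain of hitting
    a password drawn uniformly from `alphabet_size` symbols."""
    return alphabet_size ** length


def worst_case_seconds(candidates: int, guesses_per_second: float) -> float:
    """Time to exhaust `candidates` at a fixed guessing rate."""
    return candidates / guesses_per_second


def rule_based_space(dictionary_words: int, years: int) -> int:
    """Keyspace of the 'real word + year' habit: a guesser that knows the
    rule only has to try every word-year combination, not every string."""
    return dictionary_words * years


def bits_of_entropy(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random password (log2 of its search space)."""
    return length * math.log2(alphabet_size)


def random_password(length: int, alphabet: str = string.ascii_lowercase) -> str:
    """Uniformly random password from `alphabet`, drawn from the OS CSPRNG
    (the same idea a password wallet uses when it generates one for you)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    rate = 1_000  # guesses per second, as in the quoted comparison
    five = worst_case_seconds(search_space(26, 5), rate)
    twenty = worst_case_seconds(search_space(26, 20), rate)
    # Assumed sizes: a 5,000-word dictionary and a 100-year span of dates.
    habit = worst_case_seconds(rule_based_space(5_000, 100), rate)
    print(f"5 random lower-case letters : {five / SECONDS_PER_HOUR:.1f} hours")
    print(f"20 random lower-case letters: {twenty / SECONDS_PER_CENTURY:.2e} centuries")
    print(f"word + year habit           : {habit / 60:.0f} minutes")
    print(f"entropy of 20 random letters: {bits_of_entropy(26, 20):.0f} bits")
    print("a wallet-style password     :", random_password(20))
```

The word-plus-year habit falls in minutes at the same guessing rate, which is the point of the quoted passage: length only helps when the characters are actually random.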

Promising alternatives on the (somewhat distant) horizon

Burkeman discusses the hope of many security experts that before too long we'll be able to ditch text passwords altogether:

One day, we may not have to worry about any of this: there are innovations in development that might replace passwords entirely. Touchscreens could be configured to detect subtle aspects of your interactions with your computer – the distances between your fingers, the speeds at which you tap and scroll. Technologists at Rutgers University in New Jersey have built a prototype of a ring, worn on the finger, that would send tiny bursts of electricity through the user's skin to the screen, vouching for his or her identity. Fingerprint readers, built into some laptops already but with too many flaws to be taken seriously, could be improved.

Indeed one major operating system, Windows 8, includes a picture password option, which allows the user to select an image and then log in by gesture. To set it up the user simply records a 'gestural' password - a series of swipes, lines and circular movements performed on any areas of the image they wish - then repeats it each time they wish to log in.

Windows 8 picture password gestures

Text passwords will be with us for some time before these alternatives become mainstream, however, so in the meantime Burkeman, on the advice of a couple of world-weary security pros well aware that there's no silver bullet, recommends that we devise complex passwords and simply write them down on well concealed scraps of paper, or, better, use 'password wallet' services such as LastPass or 1Password:

These generate fiendishly random passwords for each of the sites you visit, storing them all behind a single master password. I installed LastPass and chose a fairly long sequence of English words with digits. I am now in the disorienting position of not knowing, and never having known, the password to my email, for example, but it doesn't matter: LastPass provides it whenever it's needed.

I can vouch for these as I'm using one myself: provided you're using a device with access to your password wallet you just need to remember a single password, which gives you access to all of your accounts: like a master key to a medieval fortress. LastPass and 1Password are available for both Windows and Macintosh: I recommend you check them out if you're not using them already.

If you would prefer to create your own passwords and write them down there are some handy online password generation tools: have a look at Strong Password Generator and genPassword.