Password Security

Choosing a good password: the rules to know, the pitfalls to avoid. As we all know, our world is filled with passwords and it is important that we lessen the opportunities for hackers to attack our personal information. Choosing a good password is not always easy, but it is always an important security issue. Should it be long or contain special characters? Are there techniques to generate one that is easy to remember? What are the instructions to follow? In this article, we'll help you choose the right password and avoid common mistakes.

Announcements of personal data leaks are more are happening more often than ever. Leaks are exposing millions of usernames and passwords each and every single time one happens. This makes it vitally important that you use different passwords for different services and sites. The discovery of a single password can quickly snowball and have huge consequences, especially if you use the same password for multiple services and many users have reported that they do exactly that.

There are many who seek to kill the password, replacing it or supplementing it with generated links or biometrics such as fingerprints or face recognition. However, passwords are still here and are a big part of our lives and for the foreseeable future.


What exactly is a “good password”?

Before studying the different ways of choosing a password, it is important to define what is commonly called a “good password”. The most important word when it comes to passwords is unique. A different password should be used for each different site or service that you use. Do not use personal information (such as names or important dates) to create a password.

Password strength is the ability to resist an attack. Hackers use lists of all possible combinations to attempt to find your password. The longer the password and the more special characters used, the more the number of combinations that a hacker has to attempt increases considerably.

For a four-digit PIN code, for example, there are only 10,000 combinations. For a word of four letters, there are over 450,000 and more than 7,300,000 if we add capital letters. We recommend using a password of at least 16 characters in an alphabet of 90 symbols (letters, numbers and special characters).


How to calculate the strength of the password

Now that the theoretical foundations are in place, let's move on to practice. As we have already explained, there is no one-size-fits-all method, just a little common sense and a few tips that can come in handy.

Resisting a brute force attack is one thing, but the password must also be insensitive to a dictionary attack. For this, it should not be a common word in your language (or any language for that matter). For example, the word “password" should be avoided, just like “catapult”. You should also avoid logical sequences such as "123456789", "azertyuiop", "azeqsd123456", etc. To better understand the problem, you can consult the list of the worst passwords of the year 2019 (some are actually quite scary). The most hacked passwords of 2019 are "123456789" and "qwerty". This list is based on the occurrences that most often come back to the databases that have been leaked on the Internet. If your password is in it, CHANGE IT!


Some recommendations to take into account

In addition to the elements we have just mentioned, there is a whole set of rules that can be taken into account in the quest for good digital hygiene:

  1. Use different passwords to authenticate to different systems and sites

  2. Choose a password that is not linked to your identity (company name, date of birth, first names, etc.)

  3. Never give your password to anyone, under any circumstances (even your wife or husband)

  4. Don't type your passwords on a machine you don't completely trust

  5. Do not store your passwords in clear text on your computer or on a sticky note

  6. Do not send each other your passwords by email, SMS, carrier pigeon, etc.

  7. Immediately change your passwords at the slightest suspicion of a leak

  8. Delete the service emails that send the password and / or login during registration

  9. Change default passwords for all systems / accounts as soon as possible

  10. Do not use simple expressions such as "password" and / or sequences of numbers and letters

  11. For sensitive data (banks, private correspondence, medical, etc.) we recommend configuring your software and browsers, so that they do not remember your passwords.

  12. Never tell a browser to remember your password (that annoying pop-up that asks to remember your password every time you enter one)


The Diceware Method: Five Dice and a Word List

In a slightly different register, a sheet of XKCD often comes up when discussing password. She recalls that if the first "Tr0ub4dor & 3" seems complicated and difficult to remember at first glance, it is not necessarily more robust than "correcthorsebatterystaple" which is surely easier to memorize (it is built by pasting several words together):


XKCD

This technique, derived from the Diceware method, is put forward by several organizations such as the Federation of Computer and Network Equipment of the Brest University Institute (Feiri) and the Electronic Frontier Foundation (EFF).

The principle is simple: you roll a six-sided die five times in a row, to obtain a five-digit number (from 11 111 to 66 666). You then retrieve the corresponding word from the list of words in the Diceware dictionary and repeat the operation five times in a row to retrieve five words which, put together, constitute your password. EFF recently offered its own updated version of this list (in English) to include slightly longer words on average. For its part, the Feiri de Brest offers a French version for those who prefer the language of Molière (French playwright). If you know of any other lists like this, please post them in the comments so the rest of the community will benefit. But this method is not unanimous either. For specialist Bruce Schneier, XKCD's famous “correcthorsebatterystaple” example is “no longer good advice” because password cracking software has already been used on this system (and has been for a few years now).


An interesting indicator to take into account: entropy

It is therefore not always easy to find your way around, but techniques allow nevertheless to get a more precise idea of the robustness of a password: entropy (expressed in bits). Behind this name, hides an indicator which makes it possible to more precisely measure the strength and the resistance of a password by not being based only on its length, but on the number of possible combinations.

On Dotnico's blog we can find more details on the definition of the entropy of a password, as well as on the mathematical formulas behind this notion. We find this method more and more, without necessarily always realizing it. For example, when a service displays color codes based on the password you type (red, orange, and green), it might be based on its length only, but also on its entropy. Thus, a password of 12 characters can be indicated as bad, while another of 8 will be validated.

In 2012, Dropbox distributed on GitHub the code of a small password test tool which was based in particular on this notion of entropy (but not only): "zxcvbn". This gives valuable information on the estimated time to find it, its robustness and, if necessary, offers ideas to improve it.


Testing the strength of a password with "zxcvbn"

Enter "123456789" and he will answer that it will generally take less than a second to find it and that it is part of the top 10 of the most common passwords ... in short, to be avoided as you can imagine. The same goes for the “aqwzsxedcrfvtgbyhn” suite which takes between a few seconds and months to be broken.

With the example "correcthorsebatterystaple" proposed by XKCD, the tool detects that it is four words stuck together and indicates that it would take 8 hours for a computer capable of processing 10 billion operations per second, while it would only take 10 seconds for "Tr0ub4dor & 3".

If we take the example of the formula "sin ^ 2 (x) + cos ^ 2 (x) = 1" proposed by CERN, the processing time increases to 31 years whereas it would take centuries to break a password such as “InXanaduDidKublaKahnAStatelyPleasureDomeDecree!".


Enable two-factor authentication ... when possible

It is possible to go further and strengthen the security of a password with double authentication. For this, the service can send a code by SMS or use a mobile application. Thus, the password alone will not be of much use to a hacker. Several large services have already taken the plunge such as Amazon, Dropbox, Google, etc.

The use of a U2F USB key begins to spread

In addition to the methods we have just mentioned, other solutions are developing rapidly in recent times. This is for example the case of the U2F (Universal 2nd Factor). In practice, all you have to do is connect a U2F USB key (you can find it for less than 10 euros) to your computer and press a button to generate a code that can be verified by a third-party service. Several services such as Dropbox, GitHub or Google support them, as do many more.


Choose services that have a good password management policy

Whenever possible, use services offering a secure connection (HTTPS) from the password entry form to prevent it from being broadcast. Especially if you are on an open public Wi-Fi network (which you should avoid if possible).

Watch out for online tools to test and generate your password. NEVER enter a password that you use on an online site which intends to verify its strength, even if the site seems trustworthy. The site owner may very well save it in a database and add it to his dictionary for later use. It is the same for the generation of a password. Many sites will offer to do this for you, taking care to apply strict rules and provide a password that indeed seems strong. However, nothing prevents it from being added to a homemade dictionary to keep it warm for later.


Do I need to change my password regularly?

Now that you have found a good password, repeat the operation as many times as necessary for each service. Everyone agrees that a password should only be used for a single service in order to avoid a cascade of hacks in the event of a leak.

The explanation is in fact simple: yes, changing your password regularly is a good idea, but on condition of doing it well. You should not go back to your old one by simply applying a small modification (capital letter on one of the letters, repetition of a character at the end, etc.). Everyone agrees on certain points. In the event of a data leak (even just suspected without confirmation), it is imperative to change your password.

We recommend use of password managers to avoid having to memorize dozens

In short, security is a point that should not be taken lightly. It is better to spend some time finding a password, rather hours of playing firefighter in the event of a hack. It is not always easy to remember dozens of different passwords, each with at least 16 symbols and unrelated to each other. Yet, as we have just explained, it is a healthy lifestyle that everyone should adopt to enhance their safety.