Jason Landry
Senior Solutions Marketing Manager, Ixia

How to create a good password

July 11, 2016 by Jason Landry

To manage passwords today, you have to have an amazing memory. We are taught that passwords must be hard for someone to guess. Then we can’t remember them. So, we write them down, use a password manager, or click the forgot password link when all else fails. All of these create password friction, security risks, and limits access to our accounts.

Entrepreneur magazine published an article that highlights how careless we are with our passwords. 21% of people use passwords that are over 10 years old and 47% use passwords that are at least 5 years old. The five most popular passwords in 2014 were:

  1. 123456
  2. password
  3. 12345
  4. 12345678
  5. qwerty

Until the password is history, we need a different approach to passwords to keep our “stuff” secure and access to our accounts out of someone else’s hands.

But what if what we’ve have been taught about creating strong passwords is misleading or maybe even untrue? Believe it or not, creating strong passwords that are easy to remember does not require you to be a genius or have a photographic memory. It is something everyone can do.

How we are taught to create strong passwords

When we began creating accounts with passwords, we probably all start with good intentions. We follow the advice outlined in password rules and develop an 8-character password that contains a collection of random symbols, characters, numbers, and letters (for example: T^2a*qsV). Some sites have rules that are so cumbersome they border on ridiculous.

Ridiculous password rules

In the end, memorizing this type of password is hard. It is not your fault. It’s just not how human memory works. So, we quickly dismiss password rules as a suggestion and resort to something more intuitive, even if we have to give up a little security.

How we actually create passwords

To make life a little easier, we take a couple things we already remember – like our first dog’s name – and add the last four digits of grandma’s phone number (Sparky2845). This becomes our go-to password. Then we are told that we should not reuse passwords across websites or applications. Ok, that makes sense. I wouldn’t want someone to get ahold of my Facebook password and use it to login to my bank account. Should be an easy fix – just add a 01, 02, 03, etc. to the end (Sparky284501). Or, just create another password using our cat’s name and our last address (Milo1827). But this eventually becomes too cumbersome and we resort to using a few passwords across all of our accounts. According to a Telesign infographic, 73% of online accounts are guarded by duplicated passwords. And 54% of people use 5 or fewer passwords across their entire life. We are told it is dangerous to use the same password across multiple accounts because once a hacker gets your password to one account; they can target other accounts in a reuse attack. 

Which password goes where?

The problem then becomes keeping it all straight. Is my Facebook password Sparky284501? Maybe it’s Milo1827? Or, is that my bank account’s password? I can’t remember. Let me just try to guess. No luck. Time to reset my password. Hopefully I’m not locked out! The sheer number of accounts we have creates another memory problem – association. We remember our passwords, but we struggle to associate them with a particular account. This is especially true of accounts we rarely use – like frequent flyer programs or a homeowners website.

How secure are my passwords?

They might be secure. They might not. It all depends on something called password entropy. There are a lot of ways to calculate password entropy and a lot of debate online about it. But simply put, it’s a measure of how hard a password is to guess. I like this website to estimate my password’s strength.

How long would it take to guess my passwords?

We can calculate how long it would take to guess a password if we take the number 2 and raise it to the power of our password’s entropy. Take the result and divide it by the number of guesses per second. Here’s the formula:

Seconds to guaranteed crack = [(2^password_entropy)/guesses_per_second)]

Let’s take a look at the passwords I created earlier around my first dog and cat. Let’s assume that a basic brute force online attack can make 1,000 guesses per second. The following is how long it would take for a guaranteed password crack on each of the passwords.

  • Sparky2845 (40.1 bits of entropy) – 37 years
  • Sparky284501 (47.1 bits of entropy) – 4,783 years
  • Milo1827 (29.9 bits of entropy) – 12 days

In general, the longer your password and the more different characters you use, the more secure it is.

How to make a more secure password that is easy to remember

Let’s start by creating random phrases using my first dog and cat. I like using proper nouns because they will give me a capital letter, which is required by some password rules. I will add random words that I remember about their look, habits, or personality. At 1,000 guesses per second, you can see that it would take a very long time to crack these passwords.

  • Sparky food sleep (78.7 bits of Entropy) – 15.6 trillion years
  • Milo scratch furry (82.8 bits of entropy) – 266.8 trillion years

Then there are all those cumbersome password rules to deal with. So I make a quick modification to add one dollar to the end. This satisfies the number and special character requirements on most sites. I add it to the end because some accounts have password rules that require starting with a letter.

  • Sparky food sleep $1 (97.1 bits of Entropy) – 5,381.6 quadrillion years
  • Milo scratch furry $1 (100.1 bits of entropy) – 43,052.5 quadrillion years

How to associate your new password to an account

I could not find any online advice about this. So, let me tell you how I do it. I start with a password that is easy for me to remember, but hard for someone else to guess, and add the name of the site/account to it. You can create a bunch of variations but something like this is what I might come up with:

  • Sparky food sleep $1 facebook (145.5 bits of Entropy) – 1.99 decillion years
  • Milo facebook scratch furry $1 (149.8 bits of Entropy) – 39.37 decillion years

I know what you are probably thinking. This much entropy is overkill. Plus, it’s about 30 characters long and nobody wants to type that many characters on a mobile phone keyboard. So let’s shorten it by removing one of the random words.

  • Sparky sleep $1 facebook (118.9 bits of Entropy) – 19.65 septillion years
  • Milo facebook furry $1 (109 bits of Entropy) – 20.57 sextillion years

Combine an easy to remember password with an easy to remember rule

What we end up with is an easy to remember password – Sparky sleep – and our own easy to remember password rule that includes a special character and a number – $ site/account – that we combine to create a unique password for every site: Sparky sleep $1 facebook, Sparky sleep $1 google, etc. This system should help you create a very strong password that is unique across many of your accounts.

At Ixia, we think a lot about security. We are always looking for ways we can help our customers protect the devices they manufacture and the networks they manage. And while our BreakingPoint product can test how well an application or network can hold-up to a cyberattack, it cannot protect against weak or reused passwords. That is the job of all of us and we can do better.