The (simple) math of a great password
How to never be hacked again using simple math

Have you ever been hacked?
Well, I have been, and to my shame I unknowingly made it quite easy for the hacker(s). Because I never want this to happen again, I wanted to figure out how to protect myself.
After writing an article on my blog about the experience of being hacked, many people have written me that it also happened to them. Some even have phoned me from other countries to get help.
So yes, it's a real problem if you're unable to protect yourself. Also, most of us prefer to be in control rather than hoping others will always play nice. And with a great password, you can be.
Before we start, a disclaimer: No, this will not protect you from a resourceful hacker who has chosen to ruin your life specifically. But it should protect you well enough to NOT become a target of a hacker looking for low-hanging fruit.
So that's our goal here: We might not be able to stop bad people from doing bad things. But we can make it hard enough for them so they leave us alone and try to find easier targets elsewhere.
The simple math of a great password
Alright, so let's start with the simple math that will put us on the way to a great password. Don't worry: All we need is a little middle-school math.
So imagine you have a password with 1 character consisting only of uppercase letters, let's say your amazing password is "Q".
Now since you only employ uppercase letters, you get exactly 26 possibilities. Well, a disabled monkey can crack that, so we better improve it fast.
Since one letter is not enough, you might want to add another letter for additional security, say your password now becomes "QZ".
If we want to calculate the possible combinations, we now take the number of possibilities per character and raise it to the power of the number of characters. So in this case: 26², which gives us 676.
A password with 4 uppercase characters would then give us 26⁴, namely 456.976 possibilities. Sounds better, right?
How you might be attacked
This might sound like a lot, if you are a human and imagine hacking to be the case of a human being trying out all those possibilities by hand. You can definitely keep someone occupied a long time if you have him try out 456.976 possibilities by hand. But a computer can try those much faster. It will be finished in much less than a second. Ouch!
And not to scare you, but a programming novice in my programming courses can usually create a program like this after 2–3 weeks of learning from scratch. Even AI can easily do it for you. Here's a password-cracking program in Java that works for any character set and any password length - just so you see how short it is (this program just enumerates all the possible combinations; it doesn't actually try them on Facebook or wherever):
public class PasswordCracker {
    public static void main(String[] args) {
        char[] choices = "ABCDEFGHIJKLMNOPQRSTUVWXYZ".toCharArray();
        // the password we are looking for (a constructed sample; the original
        // left this array empty, so no guess could ever match it)
        char[] pw = "QZAB".toCharArray();
        int pwSize = pw.length;
        int[] guess = new int[pwSize]; // one index into choices per position, all start at 0
        boolean foundIt = false;
        long guessCounter = 0;
        while (!foundIt && guess[pwSize - 1] < choices.length) {
            // create a candidate string from the guess array
            String guessStr = "";
            for (int i = 0; i < guess.length; i++) {
                guessStr += choices[guess[i]];
            }
            guessCounter++;
            // check if guessStr equals pw
            if (String.valueOf(pw).equals(guessStr)) {
                System.out.println("pw: " + guessStr + " found after " + guessCounter + " guesses");
                foundIt = true;
            }
            // increase by 1
            guess[0]++;
            // carry over: reset any column that ran past choices.length and bump the next one
            for (int col = 0; col < guess.length - 1; col++) {
                if (guess[col] >= choices.length) {
                    guess[col] = 0;
                    guess[col + 1]++;
                }
            }
        }
    }
}
So how to defend against such an attack?
How to increase your defense using simple math
Now, mathematically, we have 2 options to increase that number of possibilities and thus the difficulty for any algorithm:
- Increase the base
- Increase the power
We increase the base if we use more than just capital letters. If for example we add lowercase letters, we increase the base per character from 26 to 52. If we also add numbers, we increase it by another 10 to 62. Not bad!
62⁴ gives us 14.776.336 possibilities, which should take an average computer roughly 30 times longer than our original password. But my old laptop here could probably still crack it in less than a second.
The real beauty lies in the power part of our calculation. If we kept our base at 26 and simply increased the exponent from 4 to 8, we would already get the huge number of 208.827.064.576.
If we combine the increase in the base and the power part, we get 62⁸, which gives us this huge number:
218.340.105.584.896
So, mathematically speaking, adding additional characters is a great way to strengthen your password.
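As an added example (not code from the original post), this Python block carries the base-to-the-power-of-length arithmetic above through for the numbers in this section and adds a worst-case time estimate; the guessing rate of one billion per second is an assumption, not a figure from the post:

```python
# Added example (not from the original post): keyspace = base ** length,
# plus a worst-case time estimate at an assumed guessing rate.
from math import log2

UPPER, LOWER, DIGITS = 26, 26, 10   # sizes of the character classes used in the post


def keyspace(base: int, length: int) -> int:
    """Number of distinct passwords of `length` characters drawn from `base` symbols."""
    return base ** length


def bits(base: int, length: int) -> float:
    """The same quantity expressed as bits, which is what strength meters report."""
    return length * log2(base)


def worst_case_seconds(base: int, length: int, guesses_per_second: float) -> float:
    """Time to try every combination once; the expected time is half of this."""
    return keyspace(base, length) / guesses_per_second


def growth_factor(base1: int, length1: int, base2: int, length2: int) -> float:
    """How many times larger the second keyspace is than the first."""
    return keyspace(base2, length2) / keyspace(base1, length1)


# Assumed rate: 1e9 guesses/s, a modest figure for an offline attack on a fast
# hash. A rate-limited online login form is many orders of magnitude slower.
ASSUMED_RATE = 1e9

if __name__ == "__main__":
    table = [("A-Z", UPPER, 1), ("A-Z", UPPER, 2), ("A-Z", UPPER, 4),
             ("A-Z a-z 0-9", UPPER + LOWER + DIGITS, 4),
             ("A-Z", UPPER, 8), ("A-Z a-z 0-9", UPPER + LOWER + DIGITS, 8)]
    for name, base, length in table:
        print(f"{name:>12} ^{length:<2} {keyspace(base, length):>20,d} "
              f"{bits(base, length):6.1f} bits "
              f"{worst_case_seconds(base, length, ASSUMED_RATE):12.3g} s worst case")
```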
Sadly, though, the longer the password, the harder it is for most of us to remember it.
How to make your password memorable
This is where the following nice hack comes in handy. You can use sentences as passwords. Instead of having to remember a quite random password like "AtN4$2a2_3", you can use a password with much greater character length in the form of a sentence, like "DontYouLikeMyGarage".
The problem with this approach is that it doesn't protect you from other hacking algorithms that do not simply test every possible character, but work with words. Since "You" is a pretty common word, as are "Dont", "Like", "My" and "Garage", a resourceful hacker could easily figure out your password if he just takes every word the English language has to offer and tries out all the combinations.
It will still take much longer than with the simple passwords above, and such sentences are still easy to remember, but they are rather hackable as well.
Now if we want to step up our password skills a bit more without sacrificing memorability, we can add numbers, other characters, language-specific characters or (my greatest idea yet) dialect.
Unhackable password sentences
Let's start with numbers. Say you have a number combination that is easy to remember for you, like a birthday or your zipcode. Say your birthday is the 22.1.1987, then you could easily add it to your former sentence password either at the end or, even better, in between the words:
Dont22You1Like19My87Garage
Now try to hack that, hacker!
If you want to go even another step further, you can also add special characters like _, ?, ) and so on:
!Dont22You1Like19My87_Garage?
A very effective trick, though it doesn't work for every system, is to use language-specific characters. Since I live in Austria and my native language is German, I do have access to a few special German characters like Ä, Ü, Ö and ß that are not used and thus pretty much unknown in the English-speaking world.
Now if you were an English-speaking hacker and wanted to try out all possible characters for passwords, would you think of those German-specific special characters in your algorithms? Probably not. Same of course would be true for any other non-English language.
Sometimes it's not allowed to use those characters in password fields. But if it is, they can be a great addition!
One last idea I want to share with you is to use region-specific dialect as passwords. Even if a hacker would use a German dictionary to figure out my German sentence password and try out all the combinations, he wouldn't be able to figure out that sentence password if I am using the way certain words are spoken in my Austrian dialect. There's not even a comprehensive list of words or how to write them correctly anywhere, because people just make those up, including how to spell them (that's why even Germans - who speak German as well - sometimes do not understand us when we speak in too heavy a dialect).
Just to give you an example, the phrase "to put it there" could be translated to "hier hinstellen" in official German. In my dialect you could write that as "umidoa". Nobody trying to hack this could guess that. Well, they might be able to guess one short word written like this just by trying out all the characters available, but not a whole sentence. For example, "Can you put this here?" would become "KaunstDesDuatUmidoa?".
Can you still hack that, hacker?
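The two ideas above, that a sentence of common words is only as strong as the number of words an attacker has to combine, while dialect words not in any list force him back to character-by-character guessing, can be put into one strength estimate. This added example is not code from the original post; the word-list size, its tiny stand-in contents, the two spellings per word and the symbol alphabet of 42 are all constructed assumptions:

```python
# Added example (not from the original post): estimate a sentence password under
# two attacker models. All constants below are constructed assumptions.
import re
from math import log2

DICT_SIZE = 20_000          # assumed size of the attacker's English word list
WORD_LIST = {"dont", "you", "like", "my", "garage", "can", "put", "this", "here"}  # stand-in
CASE_VARIANTS = 2           # assumed: each word tried as "you" and "You"
LETTER_BASE = 52            # upper + lower case letters, as in the post
OTHER_BASE = 42             # 10 digits + 32 ASCII punctuation characters

# A sentence password splits into capitalised words, lowercase runs, and
# runs of digits/symbols, e.g. "Dont22You" -> ["Dont", "22", "You"].
SEGMENT = re.compile(r"[A-Z][a-z]*|[a-z]+|[^A-Za-z]+")


def segments(sentence: str) -> list[str]:
    return SEGMENT.findall(sentence)


def brute_force_cost(segment: str) -> int:
    """Character-by-character search space of one segment."""
    base = LETTER_BASE if segment.isalpha() else OTHER_BASE
    return base ** len(segment)


def char_model_keyspace(sentence: str) -> int:
    """Attacker who only knows the alphabet: every position is independent."""
    total = 1
    for seg in segments(sentence):
        total *= brute_force_cost(seg)
    return total


def word_model_keyspace(sentence: str) -> int:
    """Attacker combining dictionary words: a listed word costs one list lookup
    (times its spellings); a segment not in the list falls back to brute force."""
    total = 1
    for seg in segments(sentence):
        if seg.lower() in WORD_LIST:
            total *= DICT_SIZE * CASE_VARIANTS
        else:
            total *= brute_force_cost(seg)
    return total


def strength_bits(sentence: str) -> float:
    """Bits of search space under the weaker of the two models, i.e. what counts."""
    return log2(min(char_model_keyspace(sentence), word_model_keyspace(sentence)))
```

For "DontYouLikeMyGarage" the word model gives about 76 bits against roughly 108 for the naive character count, whereas "KaunstDesDuatUmidoa?" scores the same under both models because none of its words are in the list.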
Create and maintain your own password ecosystem
Now using all the above, I'm sure you can think of several nice ways to create multiple passwords for different tasks for yourself. Once you find one particular system that works for you, you can then use it for all your passwords. Obviously I won't share mine here (as you shouldn't share yours), but this makes it very easy to come up with new passwords on the fly that are both a) secure and b) easy to remember.
Even with the best passwords ever, you will still have to remember 2 things, though:
- Do not use the same password for multiple places
- Change them every now and then, especially if you erred on point 1
By far the easiest way for a hacker to learn your password is to just look it up. If you wonder how a hacker might do that, head over to haveibeenpwned.com and enter your email address. It will show you whether your email address has been part of any of the latest known data breaches. If it has, you should definitely change all your passwords as soon as possible.

Here's the problem, in case you didn't know:
A while back, most websites where you could have an account saved your username, password and email address as plain text in their database. So if any hacker got access to that database, he would be able to download a huge list of plain text passwords next to the username and email-address.
In the above case (I entered one of my email addresses), that's roughly 15 billion user data sets. Probably not plain text in this case, but even if you only have the encrypted ones, you can still break them if you invest enough time.
Now if you're a hacker and you're not stupid, you next want to try out this huge list of userdata on big sites like Facebook or Gmail and such (that's what happened to me). If anyone has used a username-email-password-combination on the hacked site and has used the same combination on any of the other sites as well, then they are easily hacked because then the hacker already knows your username-password-combination.
All the big sites should have switched to encrypted password storage by now, so if for example Facebook were hacked, that shouldn't happen anymore. But there are millions of old sites still online, and many times the owners have simply forgotten about them, so they are still unprotected. And if you used a password back then on one of those sites, and use the same one somewhere else, you might be in danger.
So better create a nice, working password ecosystem, and keep it up to date and easy to remember.
Your future password ecosystem
So, to sum it up, here's what you can do to create a great password:
- Use as many character types as you can to increase the base
- Use as many characters as you can remember to increase the power
- Use sentences to increase the power while still being able to remember them
- If allowed, use special local characters or dialects for extra security
To make it work not just for one, but for all your passwords, invest 5-10 minutes to come up with a system that works for you and also:
- makes it easy to create a great new password should you need one
- never repeats a password
- makes you change passwords every now and then
If you can do that, you should be golden for the near future.
Keep safe,
Niklas
P.S.: If you want to check how long it would take a hacker to crack any of your passwords, you can input it here on this site and get an estimate. But NEVER EVER INPUT ACTUAL PASSWORDS! Otherwise it could be added to a list of known passwords and shared, making your password obsolete again ;)
(This post has originally been posted on Medium)
About the Creator
Niklas Baumgärtler
I'm a speaker, musician, writer and teacher. Although interested in many things, I am most fascinated by the human condition and how humans and their social systems are born, change and fall apart.