This is an article of mine that was published in 2600 magazine - The Hacker Quarterly, Spring 2022

The Problem of Effective and Usable Strong Passwords
Author: William Ben Bellamy Jr

Note that in this paper the word 'password' is used for both singular words (strings) 
and phrases that are used as a password.

This paper will focus on the following points;

    • How are passwords attacked
    • What makes a password strong
    • Suggestions for building effectively strong passwords

Problem Statement:

Typically, we each have dozens of passwords that we use regularly. Passwords help to 
protect the confidentiality, integrity, and availability of the systems and services 
we rely on.

For the past few decades we have been indoctrinated to think that each system requires 
a password that is;

    • unique
    • at least 8 characters long
    • composed from several character sets
    • and changed regularly

Compounding the problem is that each system/service that requires password 
authentication can enforce different requirements.

This is not sustainable. It forces the typical person to cut corners, and look for 
'easy' passwords which leads to writing passwords onto paper near their systems, 
and use easily guessable words and phrases.

I propose that a practical and sustainable solution involves taking into account 
the techniques that password attacks (cracking) employ, and avoid those techniques 
in order to produce passwords that are unlikely to be guessed.

How Passwords Work:

When you type in your password, which is simply a string of characters, your system 
immediately calculates the hash value of that string. A hash value is produced by an 
algorithm that accepts any type or amount of material an outputs a fixed length 
value that uniquely represents the input material, but that cannot be reversed to 
find the original input material. It then sends the hash value to another system 
as proof that you are who you say you are - someone with permissions to access 
that system or service. That system, and network, only ever sees the hash value 
of your password, never the actual password.

The backend system compares the hash value you provided with its own stored copy 
of your password’s hash value. If the two match, it can be assumed that you typed 
the correct password and have some degree of authorization on that system. If they 
do not match then the correct password was not provided and no access is granted.

How Passwords are cracked:

An attacker who has access to the password hash for an account/service will 
attempt to 'crack' the hash value in order to learn the original password that 
was used to create that hash value and consequently have access to that protected 
resource or system.

There are two main approaches to cracking passwords; online and offline.

    • Off-line cracking generates the hash value of each password candidate and 
compares it to the hash value being cracked. Tools include John the Ripper, 
Hashcat, and Rainbow tables

    • On-line cracking submits generated hash values of password candidates to 
an online system in real-time until access is granted. Tools include Hydra

Passwords usually are represented by their 'hash value'. A hash is a mathematical 
function that accepts any amount or type of material and produces a fixed length 
value that identifies the input material both the content and the order, and 
which is computationally infeasible to reverse the process to determine a password 
given its hash value. If any portion of that material is changed, the fresh hash 
will be dramatically different from the previous. Also, it is mathematically 
infeasible to reverse a hash back to its original input. So a hash is like an 
absolutely precise fingerprint of the original material.

'Password cracking' is the process of working through a word list, taking each 
word and hashing it in the same way that an unknown password was hashed. The two 
hashes are then compared and if they match, you now know the original password. 
If they do not match, you try the next word in your list.

In addition, 'rules' are applied to each word from your list. These rules describe 
how the initial word should be modified, manipulated, or in some way changed. 
These changes are intended to test variations on a word in ways that a person 
is likely to modify a common word in order to harden their password. The language 
used for rules is rather obscure and difficult to master. So most crackers will 
rely on existing rule sets rather than fine-tune them for a specific target. The 
actual word list, however, is often created with a specific target in mind.

These manipulations include, along with many, many more:
    • changing letter case
    • appending numerals or spaces
    • prepending numerals
    • inserting special characters

In this way a single word from a word list can be morphed into hundreds of 
variations, most of which the attacker might never think of.

What Makes a Password 'Strong'?

There are at least 3 factors that we can easily control that determine how strong 
a password is.

1. The number of characters making up the password. The more the better. Each 
additional character astronomically multiples the number of guesses required. 
Eventually the attacker will reach a point of diminishing returns and terminate 
the attack.

2. The size of character sets. A character set is a collection of related 
characters. For example; uppercase English letters, lowercase English letters, 
Arabic numerals, Roman numerals, special characters, and so on.

The more character sets we use in a password, the stronger it will be.

It takes 10 symbols to represent the Arabic numerals 0-9. It takes 26 symbols 
to represent the lowercase English alphabet. So, in general, it is better to use 
larger character sets, and several of them.

    • Alpha (upper and lower) = 52 (a-z and A_Z)
    • Numerals = 10 (0-9)
    • Roman Numerals = 3 characters in 4 combinations and 1-4 symbols (I-X) 
        (there is no zero)
    • Typable special characters = ~32
    • Alt-characters (extended ASCII) (~129-255) 126 
        (http://symbolcodes.tlt.psu.edu/accents/codealt.html, 
        http://www.alt-codes.net/)
    • Unicode - astronomical count, but often impractical to type. (Unicode charts - 
        http://www.unicode.org/charts/) 
        (Typing Unicode http://en.wikipedia.org/wiki/Unicode_input)

So the size of a character space composed of upper and lower alpha, numerals, 
and special characters combined is ~94 potential characters.

2. Length of the password. It is that simple, yet extremely powerful. The longer 
the better. Every additional character dramatically increases the number of 
possible character combinations (complexity) making it increasingly computationally 
infeasible to successfully crack/guess.

3. Frequency of Change. A password is effective only for as long as it takes to 
crack/guess it. The previous steps will increase the time necessary to crack/guess 
your password to the point it is no longer feasible for an attacker to continue.

A Suggested Solution:

The following suggestions will help create effectively strong passwords. You can 
use some or all of these to build a password. Remember that the key to an 
effectively strong password is the length of the string, and the size of the 
character space.

Assuming your password is effectively attack resistant to the point is is 
unlikely to be cracked, you can consider using a single password on many systems, 
and for a long time. And in any case, if it is cracked the information about 
you on one system usually does point to the other systems you use.

General Suggestions:

    • Use all the character sets you can. This increases the over all character 
        space size
    • Build a password that is at least 16 characters in length. Preferably > 24. 
        More on how to make that usable and practical towards the end

The detailed steps:

    • Decide on > 2 core words/strings that will makeup your password. Select 
        words/strings that together give you at least 16-24 or more characters. 
        When choosing these words, try to have the first word begin with a 
        lower case letter greater than 'm'. That way, if the word list is 
        sorted, about the first half of the word list will be processed needlessly. 
        Consider the following:
            • an obscure word you would like to learn to spell
            • the name of a plant, insect, location, star, element...
            • a favorite song title or phrase, a short portion from a 
                poem, scripture...

    • Include a random string at some point. Consider:
        • a car license plate number, or portion, you happen to see (ie; YEO-862)
        • random keystrokes
        • keyboard geometry
        • product serial number
        • a MAC network address
        • the year of your favorite movie

    • Include spaces as delimiters between the words. For extra strength, use 2 or 
        more characters (space, underscore, hyphen...) as mixed delimiters.

    • Include an alt character. This is very powerful since it is seldom in a 
        password cracker’s rules set, and it expands the character space 
        astronomically. You will need to research how to enter ALT characters 
        on your particular system. *

    • Even better, include an obscure Unicode character. Again, you will need to 
        research how to enter Unicode characters on your particular system. *

    • Use geeking. Geeking is the practice of exchanging regular characters for 
        others of similar shape or sound. When using geeking, do not use the 
        first opportunity, or all opportunities. For example, if you could geek 
        5 characters, then actually only geek 2. Below are just a few examples.

        • 0 <--> O        • 7 <--> T
        • @ <--> a        • Vv <--> w
        • Nn <--> m       • $ <--> S
        • / <--> l        • ( <--> c

In addition, you can use the core portion of a password over and over and simply 
increment one character, the salt:

    • Increment a special for each new password. For example, left to right across 
        the shifted top row of numerals (~...+). This is much more powerful than 
        simply incriminating a numeral.
    • Increment through the alphabet (a, b, c…) rather than numerically.

Things not to include in building a password:

    • unaltered dictionary words, even in combination
    • regional terms ('go cats', 'go cards')
    • simple misspelled words (hackorz)
    • nomenclature (leet, script kitty)

An Example:

In this example, note that I am not using all of the possible suggestions. Use 
those that will help create a long and complex string that frustrates the 
techniques attackers use to crack/guess passwords.

Choose 3 Core words: Let's use 'mood hack coffee'. In this case, 'mood hack' 
is a phrase with meaning, and coffee is (sort of) unrelated. This also starts 
with an 'm' or beyond.

Add a random string (keyboard geometry): '[poi' This give me 'mood hack [poi coffee'

Mixed letter case: 'mood Hack [poi Coffee' Here I change only 2 letters to uppercase.

Geeking: 'nnood Ha(k [poi Coffee' Now I change 'm' to 'nn' giving me an extra 
character along with geeking, and is also later than 'm' in the alphabet. I 
also change 'c' to '('.

Include numerals: 'nnood Ha(k [poi C0ffee' Simply a 'o' to an '0'. Again geeking, 
but for the purpose of including at least 1 numeral.

Large string length (> 16): is now 22.

Use > 1 character sets: Here I have uppercase, lowercase, special characters, 
numerals. That is a character space of ~94 characters.

Then for good measure, I append 2 spaces: 'nnood Ha(k [poi C0ffee  ' This 
gives me 24 characters. That means that this password is 1 out of ~94 to 
the power of 24 (divided by 2 if you want to account for the average number 
of guesses) possible combinations. That is a really big number of guesses 
on average to discover this password.

How to Remember a Strong Password:

So far, great. We have the information for developing a functionally strong 
password, one that is crack/guess resistant. But, now we have to remember 
that long string of characters. Regardless of how effective a password is, 
if it is not easy to remember and use, it won't be.

Fortunately there is no real difference between the words and phrases we 
have already learned as language and those that are contrived for use as 
passwords. So to 'learn' these stronger passwords, simply use the 
techniques we used to memorize all of the words and phrases we already know.

1. Keep the length relatively short, 24-32 characters. Balance the number 
or words with their aggregate length. For example, 2 short words and 1 
long word, or 2 long words and 1 short word. I find that < 33 characters 
is comfortable as long as their is a meaning underneath that makes sense to me.

2. Make the component words memorable. The password needs to be thought 
of as a single idea rather than a bunch of keystrokes.

In the example 'nnood Ha(k [poi C0ffee  ' the core idea is 'Mood hack with 
coffee'. 'Mood' uses 'nn'. 'Hack' uses '('. '[poi' is just easy to type 
filler. 'Coffee' simply uses a zero. Then end with 2 spaces. And spaces 
used as delimiters. Just a few tweaks on 3 words that constitute a 
meaningful phrase.

3. Muscle memory. Open an editor and type your new password over and over 
until your fingers are comfortable with the movements that are used. Start 
slow and deliberate, and increase the speed as you are comfortable. The key 
is that after a short while you will stop thinking about the individual 
characters you are typing and begin to understand them as a few words, and 
finally as one movement.

For example, type the following;

    the dir path xcopy format python list computer host

Notice how your mind and fingers know commonly typed material as a single 
movement (each word is a single movement) - you do not think about each letter 
or the order of letters, you simply think about the word. It is the same as 
playing a musical instrument. Your hands know how to play an F chord rather 
than getting each finger to a particular place on your instrument. A G major 
scale is one long movement rather than a bunch of delicate movements.

So practice typing your new password until it is more automatic than deliberate.

Conclusion:

This approach, or some variation on it, should allow you to consider using a 
single password on several systems, and for a longer time. That is because 
if your password hash is stolen, the attacker is unlikely to crack/guess such 
a long complex password.

This approach should also help make longer more complex passwords memorable 
and usable.

*One way to make entering ALT and Unicode characters easier is to, in some 
very secure way, save your full password and simply copy and paste it when needed.

---[End of Paper]---