What makes a good password?

Jul 22, 2016 01.00PM

by Glenn Ong

“DADADA”. That was reportedly the password of Facebook’s co-founder and CEO, Mark Zuckerberg, whose Twitter and Pinterest accounts were hacked last month. The hackers claimed that they retrieved his passwords – often reused – from a massive LinkedIn password dump that took place in the same month. This was not the first time that data was leaked from LinkedIn – more than six million passwords were stolen back in 2012.

Frankly, with a password like that, “password dump” is a really flattering, generous, and face-saving reason for the success of the hacking. It implies that if not for the information leak, Mr Zuckerberg’s personal accounts would have been impenetrable. For more on data protection and end-to-end encryption, read our report here.

If even the man behind the world’s most popular social network couldn’t be bothered to devise different sophisticated passwords to secure his own accounts, it really sends a message about how seriously the rest of us should be (and aren’t) treating cyber threats – you can read more about them here.


Why bother?

Why and how do we fall prey to cyber attacks? Gullibility, greed, and ignorance, it seems, are as big a danger to cybersecurity as crime and malice. According to a press release by the Singapore Police Force published this February:

…online commercial crimes comprising cheating involving e-commerce, credit-for-sex and internet love scam saw the largest increase of 95 per cent from 1,929 cases in 2014 to 3,759 cases in 2015

Determined hackers will study your routines and those of your friends, figure out your schedule, and tailor their approach to make it look so innocuous that you won’t notice anything amiss even after being hacked.

Others will make requests from you on social media while impersonating your friends, hoping that you will let your guard down when you see a familiar name or picture. Or, they will try time-tested methods of either promising you large sums of money (or sex) or threatening you with fake allegations and prompting you to click a link to a “government” website, where your personal and bank account details will be stolen. Why bother attacking from the front when your back is left unguarded?


What makes a good password?

“Password must include upper and lowercase letters, and at least one numeric character.”

Creating strong passwords is key to reducing your susceptibility to such crimes. A good password meets four criteria: complicated (vary its components, don’t use dictionary words), memorable (easy to recall), exclusive (don’t reuse), and regularly revised (at least twice a year).

A common piece of advice is that complicated passwords should draw evenly on a variety of character types – meaning that they should have:

  1. Upper case letters (e.g. ABCD)
  2. Lower case letters (e.g. abcd)
  3. Numbers (e.g. 1234)
  4. Symbols (e.g. !@#$)

The above, however, is a necessary but insufficient criterion to meet. Clearly, something like “paSsw0rd!” would pass the checklist, but nobody in their right mind would use it (and yet, some do). A good variety of these letters, numbers, and symbols should be arranged in a seemingly random manner – or at the very least, in a way that wouldn’t be obvious or intuitive to anyone but you.

Image: Linux password file by Flickr user Christiaan Colen (CC BY-SA 2.0).

But how do we create passwords that seem random but can be easily recalled? The key to this is meaning. Professor Simon Chesterman, the dean of the National University of Singapore’s Faculty of Law, wrote on Tuesday (July 19) in The Straits Times that a sufficiently complex yet memorable password can be crafted from a phrase rather than a word.

For example, think of an interesting (or eccentric) phrase like, “Wow! These 8 muffins are not enough for the 12 of us #Hungry” and take the first letter of each word to form your password (i.e. W!T8maneft12ou#H).

Prof Chesterman is not the first to suggest such a method, though – many others have been urging people to create stronger passwords in the same way.

“You’ve Been Misled About What Makes a Good Password.”

However, there are experts who say that the above is still insufficient. A study published last October by Symantec Research, a global online security research organisation, found that numbers and upper case letters do little to deter successful hacking. Said Symantec researcher Mr Matteo Dell’Amico: “Attacks are more sophisticated now, and those best practice countermeasures are a little bit out of sync.”

He said that the idea that complicated passwords are the best rests upon the assumption that the strongest passwords are those that are unlikely to be guessed by “software that systematically tries every combination of characters”.

Image: Checking Footprints by Flickr user Adam Greig (CC BY-SA 2.0).

However, researchers have found that password-guessing software has grown more complex. Instead of blindly trying every conceivable permutation, it now plows through lists of leaked passwords to determine common patterns, or simply tries the most common passwords first.

Their conclusion? The length of the password and the usage of symbols make a password stronger than upper case letters and numbers do. In other words, not all complications are equal – some matter more than others.
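
The gap between the four-item checklist and a guesser that tries common passwords first can be shown in a few lines. This is an added example, not part of the original article; the tiny common-password list and the look-alike substitution table are constructed for illustration, and the function names are hypothetical.

```python
import re

# Constructed sample; a real check would load a large list of leaked passwords.
COMMON = {"password", "dadada", "123456", "qwerty", "letmein"}
# Assumed look-alike substitutions of the kind guessing tools undo.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})

def passes_checklist(pw):
    """The four-item checklist: upper case, lower case, number, symbol."""
    classes = (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")
    return all(re.search(c, pw) for c in classes)

def is_common_variant(pw):
    """True if pw is a listed password once case, padding and look-alikes are undone."""
    core = pw.lower().strip("0123456789!#%^&*?._-")
    return pw.lower() in COMMON or core.translate(LEET) in COMMON

def from_phrase(phrase):
    """First letter of each word; numbers and punctuation kept as written."""
    out = []
    for word in phrase.split():
        if word.isdigit():
            out.append(word)
            continue
        seen_letter = False
        for ch in word:
            if not ch.isalnum():
                out.append(ch)
            elif not seen_letter:
                out.append(ch)
                seen_letter = True
    return "".join(out)

def assess(pw):
    return {"checklist": passes_checklist(pw),
            "common": is_common_variant(pw), "length": len(pw)}

if __name__ == "__main__":
    phrase = "Wow! These 8 muffins are not enough for the 12 of us #Hungry"
    for pw in ("DADADA", "paSsw0rd!", from_phrase(phrase)):
        print(pw, assess(pw))
```

“paSsw0rd!” satisfies the checklist yet reduces to a listed password, while the phrase-derived password passes both checks and is nearly twice as long.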


Reduce, reuse, recycle (not)

While most of us are tempted to choose the easy way out and repeat passwords across multiple accounts, we shouldn’t. Doing so makes us vulnerable to a hacker seeking to wreak havoc on every possible aspect of our lives.

Some websites have completely given up on the hope of their users having discipline, and have enforced mandatory password resets and disallowed users from reusing old passwords. The National University of Singapore, for instance, has a password policy including but not limited to:

  1. Your password cannot contain your userID or any part of your name. 
  2. You cannot re-use any of your 6 old passwords. 
  3. You cannot change your password more than once in a day.
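
One way the three rules above could be enforced without keeping old passwords in readable form is sketched below. This is an added example, not NUS’s actual implementation; the salted PBKDF2 storage, the work factor, the reading of “any part of your name” as any name word of three or more letters, and the sample userID and name are all assumptions.

```python
import hashlib
import hmac
import os
from datetime import datetime, timedelta

ITERATIONS = 100_000  # assumed work factor for this sketch

def hash_pw(pw, salt=None):
    """Return (salt, digest); old passwords are stored only in this form."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, ITERATIONS)

def violations(new_pw, user_id, full_name, history, last_change, now):
    """history: list of (salt, digest), newest last. Returns the rules broken."""
    found = []
    lowered = new_pw.lower()
    # Rule 1: no userID, no name word of 3+ letters (assumed interpretation).
    parts = [user_id] + [p for p in full_name.split() if len(p) >= 3]
    if any(p.lower() in lowered for p in parts):
        found.append("contains userID or name")
    # Rule 2: re-hash the candidate with each stored salt and compare.
    for salt, digest in history[-6:]:
        if hmac.compare_digest(hash_pw(new_pw, salt)[1], digest):
            found.append("reuses one of the last 6 passwords")
            break
    # Rule 3: at most one change per day.
    if last_change is not None and now - last_change < timedelta(days=1):
        found.append("changed less than a day ago")
    return found

if __name__ == "__main__":
    # Constructed account data for the demonstration.
    history = [hash_pw("Old-pass-%d!" % i) for i in range(7)]
    changed = datetime(2016, 7, 22, 13, 0)
    for candidate in ("Old-pass-3!", "MeiLing#2016x", "W!T8maneft12ou#H"):
        print(candidate, violations(candidate, "e0123456", "Tan Mei Ling",
                                    history, changed, changed + timedelta(days=2)))
```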


Two-factor authentication (2FA)

Oftentimes, a good password is one that is reinforced by another password. By now, you would probably have grown weary of nagging reminders from SingPass asking you to set up and verify the 2FA process. No idea what that is?

According to IT security company SecurEnvoy, two-factor authentication is:

… an extra layer of security that is known as “multi factor authentication” that requires not only a password and username but also something that only, and only, that user has on them, i.e. a piece of information only they should know or have immediately to hand – such as a physical token

2FA can come in various forms, from having to key in a second, self-generated password, to using a random password-generating device for a unique one-time password (OTP) at every log-in, as banks such as DBS do.

There are drawbacks that come with 2FA, though. Physical tokens must be reissued or have their batteries replaced when they run out, and they can be easily misplaced as they are usually no larger than a credit card. The costs associated with the production and distribution of such tokens can also be prohibitive for companies to adopt. 2FA is no miracle pill either. A determined hacker may still be able to steal or gain access to your 2FA token, rendering all your efforts null.

Though if you are really such an interesting target for hackers, it’d be best if you hire armed guards to protect your information instead.


Want to find out more about protecting yourself on the Internet? Read the following:

  1. Malware, phishing & other cyber attacks – explained
  2. What is end-to-end encryption, and can the G circumvent it?


Featured image locked by Flickr user debaird (CC BY-SA 2.0)
