## Wednesday, July 20, 2016

### Guessing Games

I have three simple rules for constructing passwords. They must be easy to remember, hard to guess and quick to type. Inspecting this a bit closer, the “easy” and “quick” are about me, and I can decide what is and isn’t. But the most important, “guess”, is not about me, it’s about the person trying to hack my account. So I can’t decide if my chosen password is “hard” until I get into the thoughts of the hacker. Since that is literally quite impossible, we’ll have to substitute a little research, and a little deduction, to come up with some ways they might approach their guessing. Then we can match a chosen password against these methods to see if they stand a good chance of succeeding. If they might, find another password. If they can’t, sleep easy.

For this analysis, we’ll assume the password needs to be 8 characters in length and contain at least one letter and one number. That results in 2.8 trillion possible combinations, the result of each position having 36 potential (a-z, 0-9) characters.

The most obvious method, but also the most useless, is to programmatically generate guesses. We’ll call this one “random”. Each attempt to guess has a probability of 1 divided by 2.8 trillion, or roughly ten times less likely than winning the Powerball Jackpot (1 in 292 billion) with one ticket. If your thief can try one million guesses every second, it will take about two years to try all the possibilities. So while it’s highly improbable this method could work, it’s also the only method that nobody can protect against, no matter what obscure 8 characters you pick. But this is also the method the “experts” want to make harder by making the password longer, include a capital letter or some special character. Ludacris, in my opinion. 2.8 trillion choices is tough enough.

Since most people think in similar ways, it’s not surprising that they tend to pick similar, simple passwords. We’ll call this one “popular”. Trying only a few thousand of these passwords will likely let a hacker into someone’s account. If your password looks anything even close to “password”, “12345678”, “baseball”, “football”, “superman”, “trustno1”, “sunshine”, “whatever” or “startrek”, stop reading this and change your password now. Anything you use that looks simple is a bad choice. And that rule, “not simple”, is really the only thing you really need to remember.

If a hacker is specifically targeting you, they have the time and motivation to research your life to formulate likely guesses. We’ll call this “targeted”. If you’re a big Bob Seger fan, they might try “bobseger”. If you’re Donald Trump, they might try “melania1” (his wife’s name). If you’re password is built around your personal information or interests, change it now.

The final method is based upon my observations of passwords I’ve encountered, which are very often based on a dictionary words or people’s names, followed by a number, normally “1” unless they are forced to change periodically, then between “1” and “9” (only geeks use “0”) . This final method we’ll call “dictionary”. While the English dictionary contains a little over a million words (who knew?), only 3,000 or so are commonly used. And a fraction of them are seven characters long. And while fewer in number, that’s still true for baby names. If your password starts with a 7-character name or word, again, change it now.

Based the above, and while I don’t claim it’s perfect and will always be a work in progress, it’s a good place to start, and we now have six objective tests to compare our password against. Given the way I construct my passwords, here is my score.

Easy to remember - pass
Quick to type - pass
Popular Attack - pass
Targeted Attack - pass
Dictionary Attack - pass
Random Attack - fail (but everybody fails)

So yeah, I sleep well. I hope you do too.