
Passwords

The starting point of security is passwords! A lot of services are only granted to users who provide a valid password. Everybody uses passwords, every day. From time to time we even have to define new passwords in order to use a service. How can we choose passwords? What are secure passwords?
Let's have a look at information theory:
For ordinary English text of, let's say, 8 letters, the information content is about 2.3 bits per letter, perhaps less. We thus have an effective key length of about 19 bits. To attack such a password, we would have to try 2^19 combinations instead of the 2^56 we might have thought (a single, isolated letter carries 7 bits of information, and 8*7 is 56!). So our first conclusion:
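The arithmetic above, carried through as an added example (this code is not part of the original page): effective key length is characters times bits per character, and the attacker's search space is 2 to that power. The 2.3 and 7 bits-per-character figures are the page's; the 131072-word dictionary size and the 95-character printable-ASCII alphabet are this example's own assumptions, added to show the general rule (log2 of the alphabet size gives the bits per character) beyond the page's single case.

```python
import math

# Per-character information content as stated on the page (assumed figures):
# ordinary English text carries roughly 2.3 bits per letter, while an isolated
# 7-bit ASCII character carries the full 7 bits.
ENGLISH_TEXT_BITS_PER_LETTER = 2.3
ISOLATED_ASCII_BITS_PER_CHAR = 7.0


def effective_key_bits(length: int, bits_per_char: float) -> float:
    """Effective key length of a password: characters times bits per character."""
    return length * bits_per_char


def search_space(length: int, bits_per_char: float) -> float:
    """Number of candidates an exhaustive attacker must cover: 2 ** key bits."""
    return 2.0 ** effective_key_bits(length, bits_per_char)


def uniform_bits_per_char(alphabet_size: int) -> float:
    """Bits per character when each character is drawn uniformly from an
    alphabet of the given size (log2 of the size). This is the general case
    of the page's isolated-letter figure: a 128-symbol alphabet gives 7 bits."""
    return math.log2(alphabet_size)


def dictionary_attack_bits(dictionary_size: int) -> float:
    """Work factor in bits when the password is known to be one of
    `dictionary_size` words: the whole password is then a single symbol."""
    return math.log2(dictionary_size)


def weakness_factor(length: int, bits_per_char: float) -> float:
    """How many times smaller the real search space is than the naive
    'every character carries 7 bits' estimate for the same length."""
    naive = search_space(length, ISOLATED_ASCII_BITS_PER_CHAR)
    return naive / search_space(length, bits_per_char)


if __name__ == "__main__":
    n = 8
    print(f"naive estimate, {n} isolated 7-bit letters: "
          f"{effective_key_bits(n, ISOLATED_ASCII_BITS_PER_CHAR):.1f} bits, "
          f"{search_space(n, ISOLATED_ASCII_BITS_PER_CHAR):.3g} candidates")
    print(f"{n}-letter English word at 2.3 bits/letter: "
          f"{effective_key_bits(n, ENGLISH_TEXT_BITS_PER_LETTER):.1f} bits, "
          f"{search_space(n, ENGLISH_TEXT_BITS_PER_LETTER):.3g} candidates")
    print(f"-> the English word is {weakness_factor(n, ENGLISH_TEXT_BITS_PER_LETTER):.3g} "
          f"times easier to search exhaustively")
    # Constructed assumption: the attacker's dictionary holds 2**17 = 131072 words.
    print(f"dictionary attack over 131072 words: {dictionary_attack_bits(131072):.1f} bits")
    # Generalisation: characters chosen uniformly from the 95 printable ASCII characters.
    bpc = uniform_bits_per_char(95)
    print(f"{n} random printable ASCII characters: {effective_key_bits(n, bpc):.1f} bits")
```

Running it shows why the two conclusions below follow: an 8-letter English word is worth roughly 18 bits, a word known to be in a 131072-entry dictionary is worth 17 bits whatever its length, while 8 characters drawn at random from the printable ASCII set are worth about 52 bits.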

  • Don't use ordinary words as passwords!

There are a couple of other things to consider. Let's have a look at an attacker. If he assumes that a password is a word listed in a dictionary (e.g. Webster's English dictionary), he could take all those words and execute a so-called dictionary attack, thus reducing the number of possible letter combinations by orders of magnitude. So our next lesson:

  • Don't use words listed in any dictionary!

Now, how DO we choose our passwords and how long SHOULD they be? Here is my suggestion:

  • A password should be at least 8 letters!
  • Choose a password that is easy enough for you to remember without having to write it down!
  • Don't use anything that an attacker could guess easily (birthdate, names, licence number, ...)
  • It should contain at least 2 digits and possibly special characters such as #*%/()=?

A sample password creation scheme could be the following (adapt a variant of this for your own purpose!):

  • Choose a sentence (e.g. The cryptojail is a jail where you do crypto.)
  • Choose the first or the last letter of every single word (this would be, for example, Tliajwydo).
  • Change some of the letters to special characters (e.g. T#1i4j\/\/ydo).
  • Try to remember your password, and DON'T write it down!
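The scheme just described, together with the rules in the list above it, as an added example (not code from the original page). The sentence and the result Tliajwydo are the page's; the per-word first/last choice string, the substitution table, the small stand-in word list and the function names are this example's own assumptions. The substitution step keeps the page's l->1, a->4 and w->\/\/ replacements but does not reproduce the inserted "#", so the result differs slightly from the page's T#1i4j\/\/ydo.

```python
import string

# The special characters the page lists as acceptable.
SPECIALS = frozenset("#*%/()=?")

# Per-letter replacements for the "change some letters" step. These are this
# example's own choices (the page only shows one transformed password), picked
# so that the result gains digits and a special character.
SUBSTITUTIONS = {"l": "1", "a": "4", "w": "\\/\\/", "s": "%", "e": "3", "o": "0"}

# Constructed mini word list standing in for a real dictionary.
DICTIONARY = frozenset({"password", "secret", "jail", "crypto", "welcome", "letmein"})


def pick_letters(sentence: str, choices: str) -> str:
    """Take one letter per word: 'f' picks the first letter of that word,
    'l' the last. `choices` has exactly one character per word."""
    words = [w.strip(string.punctuation) for w in sentence.split()]
    words = [w for w in words if w]
    if len(choices) != len(words):
        raise ValueError(f"need {len(words)} choices, got {len(choices)}")
    out = []
    for word, choice in zip(words, choices):
        if choice == "f":
            out.append(word[0])
        elif choice == "l":
            out.append(word[-1])
        else:
            raise ValueError("choices must consist of 'f' and 'l' only")
    return "".join(out)


def substitute(letters: str, table=SUBSTITUTIONS, max_changes: int = 3) -> str:
    """Replace up to `max_changes` letters using `table`; unmapped letters
    and anything beyond the limit are kept as they are."""
    out, changed = [], 0
    for ch in letters:
        repl = table.get(ch.lower())
        if repl is not None and changed < max_changes:
            out.append(repl)
            changed += 1
        else:
            out.append(ch)
    return "".join(out)


def policy_violations(password: str) -> list:
    """Check the page's rules; an empty list means the password passes."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if sum(c.isdigit() for c in password) < 2:
        problems.append("fewer than 2 digits")
    if not any(c in SPECIALS for c in password):
        problems.append("no special character from #*%/()=?")
    if password.lower() in DICTIONARY:
        problems.append("is a dictionary word")
    return problems


def make_password(sentence: str, choices: str) -> str:
    """Run the whole scheme: pick one letter per word, then substitute some."""
    return substitute(pick_letters(sentence, choices))


if __name__ == "__main__":
    sentence = "The cryptojail is a jail where you do crypto."
    letters = pick_letters(sentence, "flffffffl")   # -> Tliajwydo, as on the page
    pw = substitute(letters)
    for candidate in (letters, pw, "password"):
        print(f"{candidate!r}: {policy_violations(candidate) or 'OK'}")
```

The intermediate string Tliajwydo fails two of the rules (no digits, no special character), and a plain dictionary word fails three; only the substituted form passes, which is the point of the third step in the scheme.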

One last thing to remember is that passwords must be CHANGED frequently. If an attacker were able to get our password, he would only have access as long as we did not change it! A good period that I would suggest is 2 months.

A very good paper about passwords can be found on this web page.


CopyLeft (l) 2003 by Raffael Marty