Technology

A new ‘best’ method for creating passwords?

Chris Bowers discusses how padding can make your passwords more secure and easier to remember

“Your password will expire in 10 days. Would you like to change it now?” This is the message that greets me when I log on to Outlook Web Access. I was first told my password was going to expire at the end of January, so why have I not yet done so? The act itself of changing the password is by no means a complex task – but instead it’s the creation of its replacement that takes time and effort.

The problem is, of course, security. While I don’t think my accounts are going to be the targets of everyday hacking, I still wouldn’t feel comfortable leaving my emails open to anyone who tried “123456” in the password field. We have all been encouraged to conjure up complex combinations of upper and lower-case letters, numbers and symbols, but these are rarely easy to remember. As a result, many people either don’t bother with anything complicated, or write the password on a note and leave it lying around.

New discussion in the area, however, hopes to alleviate these issues greatly. Many of you will be familiar with the xkcd comic about password entropy (the four random words, “correct horse battery staple”), I’m sure, but it seems this also isn’t the whole answer: a four-word phrase is long to type, and plenty of systems still demand symbols and digits or cap the length. The problem lies in finding a good balance between memorability and security. Unfortunately, many hackers aren’t stupid, so “Pa55w0rd” isn’t going to fit the bill – that and its letter-for-digit variations are exactly what the rules bundled with most dictionary attacks generate. “P@s5w()r1}” is considered much stronger, but is far less memorable.

Instead, the solution relies on ‘padded passwords’. The concept is simple – take a fairly memorable password (let’s use Lond0n as an example), and add a small ‘pad’ to it, increasing both the length and complexity of the finished product. In our example, we could pad with “.**” on both sides and end up with “.**Lond0n.**”. Of course, the padding doesn’t need to be the same everywhere, nor does it need to be at either end – it could sit in the middle, or a different pad could go at each end. This is the key to the system – you could give away the base password to anyone, but as long as they don’t know your pad(s) and where the padding sits in the password, they are back to guessing. The one thing to avoid is a pad that a cracking tool would try anyway: a trailing “!”, “1” or “123” is so common that the rule sets bundled with password crackers append it automatically.

In technical terms, there are a few factors at play here. It is still highly recommended to use a combination of alphanumeric characters and symbols, as each extra character class enlarges the alphabet a hacker has to assume, and the number of combinations to test grows as that alphabet size raised to the power of the length. However, a hacker would only resort to this exhaustive brute forcing when simpler measures – such as dictionary attacks, and dictionary attacks with common prefix and suffix rules applied – have been exhausted. Provided the pad is not something those rules would generate, the padding forces any attack into that huge domain. Once this technique is being used, the biggest factor in the security of your password is its length, which of course the padding only helps: because the search space is exponential in length, adding six characters to a twelve-character alphabet of 94 symbols multiplies the work far more than swapping a couple of letters for symbols ever could.
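To put numbers on the search-space argument above, and on the caveat that a pad drawn from a common rule list gives nothing away for free, here is an added illustration in Python (it is not code from the article or from any particular cracking tool). The guessing rate, the word list and the list of “common” pads are constructed assumptions for the example; the alphabet sizes are the usual 26/26/10/32 split for lower, upper, digits and printable symbols.

```python
"""Search-space arithmetic for padded passwords, plus a toy hybrid
(word list + pad rules) attack showing what padding does and does not buy.
Added illustration for the article; not the author's code."""
import string

# Assumed offline guessing rate against a fast hash. A constructed figure
# for the example, not a measurement of any real hardware.
GUESSES_PER_SECOND = 10 ** 11

# Character classes a brute-forcer would infer from a password, with the
# alphabet size each class contributes.
_CLASSES = (
    (set(string.ascii_lowercase), 26),
    (set(string.ascii_uppercase), 26),
    (set(string.digits), 10),
    (set(string.punctuation), 32),
)


def alphabet_size(password: str) -> int:
    """Alphabet an attacker must assume, inferred from the classes present."""
    return sum(n for chars, n in _CLASSES if any(c in chars for c in password))


def search_space(password: str) -> int:
    """Candidates an exhaustive search must cover to reach this password:
    every string of length 1..len(password) over the inferred alphabet."""
    n = alphabet_size(password)
    return sum(n ** k for k in range(1, len(password) + 1))


def brute_force_seconds(password: str, rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case time to exhaust search_space(password) at the given rate."""
    return search_space(password) / rate


def pad_password(base: str, pad: str, where: str = "both") -> str:
    """Apply the padding scheme: pad before, after, or around the base word."""
    if where == "prefix":
        return pad + base
    if where == "suffix":
        return base + pad
    if where == "both":
        return pad + base + pad
    raise ValueError(f"unknown position {where!r}")


def hybrid_attack(wordlist, pads, target):
    """Toy dictionary attack with prefix/suffix rules, the kind of thing
    cracking tools call a hybrid or rule-based attack. Tries every
    prefix + word + suffix combination and returns the number of guesses
    needed to hit target, or None if the pad list never produces it."""
    guesses = 0
    for word in wordlist:
        for prefix in pads:
            for suffix in pads:
                guesses += 1
                if prefix + word + suffix == target:
                    return guesses
    return None


if __name__ == "__main__":
    base = "Lond0n"
    padded = pad_password(base, ".**")
    for pw in (base, padded):
        print(f"{pw!r}: alphabet {alphabet_size(pw)}, "
              f"search space {search_space(pw):.3e}, "
              f"worst case {brute_force_seconds(pw):.3e} s")

    # Constructed word list and a constructed list of pads an attacker
    # might reasonably include in a rule set.
    words = ["london", "Lond0n", "password"]
    common_pads = ["", "!", ".", ".**", "123"]
    print("pad in rule list:", hybrid_attack(words, common_pads, padded))
    print("pad not in rule list:",
          hybrid_attack(words, common_pads, pad_password(base, "&*(")))
```

Running it shows the two halves of the argument: “Lond0n” falls to a brute-force search in under a second at the assumed rate, while “.**Lond0n.**” takes the same search into the hundreds of thousands of years, yet the hybrid attack still finds “.**Lond0n.**” in a few dozen guesses once “.**” is in the attacker’s pad list. The pad only helps against the cheap attack if it is one the attacker’s rules do not generate.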

The memorability of the password is also not too bad – “Lond0n” by itself isn’t too taxing, for example, and it’s easy to pick a pad that suits you – “&*(” are neighbours on the keyboard, but still an effective pad. Additionally, those without a great memory for passwords could write down either the pad or the base password (but never both, and not on the same note) without much fear, as discussed before.

In essence, to an attacker who does not know the pad, these passwords behave much like a random, strong password with all the right elements. Being easier to think up and remember, however, brings them to more people. Given their security, this can only be a good thing.