windows-password-feature-image

Ultimate Guide To Create A Master Password – Part 1

This is Part 1 of a 2-Part article. In Part 1, I’ll explain why most passwords are not very strong and the methodology hackers use to crack passwords. In Part 2, I’ll explain how you can create passwords that are much harder to crack, how to measure a password’s real strength, and how strong a password should be.

Overview

Using a password manager is an essential part of internet security. Password managers give users the ability to have strong and unique passwords for each site they visit on the internet. Two good cloud-based password managers are Bitwarden and 1Password. I personally have a premium subscription to Bitwarden, while Jim Hillier recommends Bitwarden’s free version if you do not need the premium features. If you prefer a password manager with local credential storage, the DCT recommended KeePass is an excellent choice – I used it for years before switching to Bitwarden.

However, the key to the secure use of any password manager is a strong master password. The master password is not just any password, it is the key to your kingdom. It is the one password you need to memorize. With the recent breaches of LastPass, Norton Lifelock, as well as other password managers, a strong master password is more important than ever. But how do you create a strong password? How do you measure password strength? How strong is strong enough?

Password Entropy

Password Entropy

To measure a password’s strength, we need to know its entropy. Password entropy is a measure of how unpredictable a password is. Password entropy predicts how difficult a given password would be to crack. Password entropy is usually expressed in bits. A password that is already known has zero bits of entropy. A password that can be guessed half the time on the first try would have one bit of entropy. Increasing the entropy of the password by one bit doubles the number of guesses required, making an attacker’s task twice as difficult. Increasing the entropy by ten bits makes it 1,000 times more demanding to crack. A 20-bit increase in entropy is 1 million times harder to break. The formula for this is:

E = L * log2(R) 

Where:

      • R – Size of the pool (the unique character set used)
      • L – Password length

    A pool using lower case (26), upper case (26), numbers (10), and special characters (13) is a 75-character set pool.

    n5A*&VqW?XZj is a uniquely and randomly generated 12-character-long password that uses the entire pool. Its entropy is 12 * log2(75) = 74.745.

        • UK^aR2$b = 49.830
        • P@ssw0rd = 49.830

      As we can see, both of these have the same entropy but the first is clearly better than the second.

      How A Hacker Cracks A Password

      Password Hacker

      There are many theories on how to make a password strong and memorable. Here are a few:

          • Make the password look complex by using l33t substitutions – @ for a, and 0 (zero) for 0. (eg,  P@ssw0rd for Password)
          • Use song lyrics, quotes from books, and common phrases. (eg, Call_Me_Ishmael  tobeornottobe)
          • Use the first letter of each word from a phrase

        The reason these do not work well is because of the way a hacker will try to crack a password. For example:

            1. The hacker checks the lists of the top passwords. There are lists of real passwords that have been breached.
            2. The hackers check wordlists. Lists of English words, foreign words, names, dates, sports teams, celebrities, pet names, TV/film characters, places, countries, cities, landmarks, hobbies, animal names, etc.
            3. Next, they may try all the words again with common substitutions: capitalizing the first letter (sesame → Sesame), making common letter-for-number swaps (sesame→ s3s@me), etc.
            4. Next, they may use various number, date, and pattern combinations.
            5. If all else fails, they will be forced into a brute-force search.

          If your password is based on any kind of pattern, using some combination of the above steps will eventually crack it. Some password hash cracking rigs can perform over 100 trillion password hash guesses per second. Attackers can even purchase the ability to perform many trillions of guesses per second at low dollar rates using popular cloud providers. Many nation-states are believed to be capable of many hundreds of trillions of guesses per second. Even a single modern home computer can make hundreds of thousands (or more) of guesses per second.

          Passwords & Human Weaknesses

          So why are most passwords that people create not strong? Because they are not unique or random. Many think the most important factor when it comes to passwords is length, but this is not true. It is the uniqueness or randomness of your password that is most important. After this comes length. Let’s take song names as an example, according to Google there are 80 million songs in the world. Using a random lyric name should give an entropy of 26.2 but no one knows all 80 million songs. A human is likely to pick from the top 2000 songs, giving an entropy of 10.9. Most human-created passwords, no matter how clever the individual thinks they are, do not have a lot of real entropy. They are simply not unique, and hackers know all the methods that humans use.

          So, how do you create a strong password? How do you measure password strength? How strong is strong enough? I’ll explain these concepts in Part 2 of this article. Stay tuned!


          1. Ultimate Guide To Create A Master Password – Part 1  ⬅ You are here
          2. Ultimate Guide To Create A Master Password – Part 2 

           

          6 thoughts on “Ultimate Guide To Create A Master Password – Part 1”

          1. Good essay. But, the ultimate master password would not be a password and would not require a password vault app. It would be a password pattern based on a formula that would apply to virtually every account you have. The pattern itself would depend on the domain, app or business name and all that would be required is to apply the formula to each login. So, the only thing that needs to be memorized is the formula, not the pattern. The formula determines the patter. For example: https://hdf.net/password-formulas/

            1. Hi Been There, thanks for the comment. This strategy is exactly the strategy I used for years 20 years ago or so (and I’m pretty sure I wasn’t the first to come up with it). It has pros and cons.

              Pros:

              A different password (PW) is used on each site.

              Cons:

              It could be hard to come up with a formula that would work on all your current accounts and all future accounts since each account requires different specifications.

              It requires a lower-quality PW at each site than one that is created by a password manager (PM). For example, your formula may create a 12-char PW, but I can create a 128-char PW with a PM.

              A PM can remember extra features that I would be forced to remember using the formula-based system i.e. For the username, I can use a unique email alias at each site or treat it like a pw (ex. beenthere4278394db983248tygehgr4i instead of beenthere), there may be extra security keys that need to be entered, answers to login questions, etc.) I don’t want to remember all that.

              The site may require changing PW every X months. Then the formula will not work.

              PW is breached on one site. A hacker can use that to figure out PW at other sites (they know the formula system too!).

              A formula-based system is, by definition, programmatic. Therefore it lacks randomness and entropy.

              PM can auto-login for me, formula-based system, I have to type it in myself.

              Finally, I think it is easier to just remember 1 PW instead of a PW and a formula.

          2. I would hope that many sites give password attempts of just 3 and then locked out so that password hackers cannot try trillions of attempts or even 4. Isn’t this a better way of protection

            1. Hi Otto, thanks for the comment.
              We are not talking about protection from an individual sitting at a computer and typing keys into a website login screen. We are talking about a data breach where a hacker gets a data vault (like what happened to LastPass last year) or files with password hashes on them. The hacker would have the file on their system. There would be no login screen lockout etc. to slow them down. They would be able to process attempts at the speed of their equipment.

          3. Thanks for responding. I don’t understand the ‘hash’ bit. Aren’t they a long string of characters? What does a hacker do with that? What is the relationship between the PW and its hash in terms of complexity? What really happens at the hash stage for a hacker.
            When advice about a strong PW is mentioned I assumed the hacker tries to crack the PW itself (don’t use simple PWs etc.) but it seems a data breach to the hash stage is the problem, yes?

            1. Hi Otto, what the hacker hackes depends on what they were able to get in the breach. If they have files with hashes, they will hack that. If they breached a vault, they may try to hack the password itself. etc. A strong, random password with a lot of entropy will protect against both. And yes, you are correct, usually (assuming the breached company is not completely incompetent), when hackers breach a company, what they find and steal isn’t stored in a form that’s readable by humans. Passwords are converted into a group of cryptographic hashes. There are different types of hashing schemes. When you enter a password it is essentially checked against the hash. That way, your pw is not stored. In theory, a hacker should not be able to take those hashes and convert them back into passwords. But, there are weak hashes and strong hashes. Also, if a hash scheme is known and has been broken, there are sites on the darkweb selling rainbow tables where a hacker can buy millions or trillions of hacked hashes and essentially look up a password. Hackers also pool and share their findings. Once hackers have weak password’s hashes cracked, they can use that info to analyze and crack stronger password’s hashes. It’s kind of a loop, they start off with a small amount of data that enables them to crack a small number of weak passwords. Those passwords then give them insight into how passwords are created, which enables them to crack more sophisticated passwords. The more randomness and entropy in the password, the harder it is to crack that password’s hash. It is very sophisticated.

          Leave a Comment

          Your email address will not be published. Required fields are marked *

          Scroll to Top