Encryption programs can do alot to secure your data. A lot of time, effort, and finances are spent researching and designing secure algorithms and protocols, and even more effort is put into implementing these ideas securely.

However, all good security systems follow Kerchoff’s principle, meaning that they have one central focal point: the password. Kerchoff’s principle is simple, it merely states that no aspect of a security system should ever be designed any weaker than the user’s password could be, meaning that the password should always be the weakest link in the security chain. Thus, the user should be able to choose the level of security they have by creating a password of appropriate strength.

The password is what lets the legitimate user in, and it’s what keeps the impostor out. The confidentiality of the password is life or death, as it is usually the only manner of authentication that is implemented. Once the password has been broken, there is rarely anything left to hinder an attacker from accessing or changing everything the password protected.

From the attacker’s perspective, it’s always preferable launch a “whitebox” attack. A whitebox attack requires some knowledge of an exploit or security vulnerability and uses it to shortcut the attack process and make it as quick and clean as possible. Whitebox attacks against a password would include things like keyloggers, intercepting non-encrypted communications, etc.

But not all security systems have known vulnerabilities, or at least vulnerabilities that the attacker has the ability to exploit. In such situations, the attacker must resort to the oldest, dirtiest trick in the book: brute-forcing.

Brute-forcing is the act of trying to guess the password non-intelligently. (By “non-intellegently”, I mean that the guesses do not have any personal significance to the user under attack. Basically, the guesses would be made no matter who was being attacked, and are not personalized for that specific user. Brute-force attacks that uses guess specifically crafted for the user is probably closer to a whitebox attack, depending on how how educated the guesses are.) The attacker will pick some range of characters and start combining them in every possible combination hoping to blindly stumble across the correct combination.

Sometimes the attacker will have a large dictionary of certain character combinations that have a greater likelihood of being used. For non-creative passwords that wind up being included in these dictionaries, this can significantly speed up the attack.

However, when their dictionary attack(s) fail, the attacker must resort to linear brute-forcing, that is, literally trying every possible combination of characters.

There are only two factors that influence the strength of a password: Included character sets and length.

There are four basic characters sets on the standard keyboard:

• Lower case (26): a - z
• Upper case (26): A - Z
• Numbers (10): 0 - 9
• Symbols (~32): !@#$%^&*()-_=+`~[]{}\/|;:’”,<>.?

Simply put, your job is to use characters from as many of these different character sets (abbreviated “charsets”) as possible. For every character set that is represented in your password, your password becomes exponentially harder to brute-force.

First, let’s deal with the character range factor, as it will effect the length factor. What I mean by “character range” is the variety of keyboard characters that are used. For example, you could use the password “abc”, but that is nothing but lowercase letters, meaning that if the cracker knows this, he only has 26 possible values for each character of your password. So instead you could use “aBc” as your password, and now there are 52 possible values per character because you’ve introduced the uppercase character set. Now start throwing in numbers, punctuation, and other oddball characters (like #, %, $) and you have roughly 100 possible values per character! This may not seem significant, but it can literally take what was just an arduous task for the brute-forcer, and make it humanly impossible. I recommend doing things like simply replacing normal letters with look-a-like symbols and such, like the following: “1 @m tHe ‘8eS7′ @t Th1s!”. Or use AOL speak, “1 @/\/\ 73h 8357 @7 7h15!” That kind of password has a very high character range and is the brute-forcer’s nightmare, believe me, I would know.

A simple way to introduce abnormal characters and extra length to your password is to simply enclose what would by your normal password in the standard HTML end tag format, ie: </password>. So if your password was just “irock”, you could make it “</irock>”. By using this method, you add a bit of length to your password and introduce abnormal characters, and the idea is easy to remember if you are familiar with HTML.

Another simple advantage to using odd symbols is that few people do it, so brute-forcers, in an effort to shorten the brute-forcing process, often gamble that the password they’re trying to break won’t have them and will use a limited character set of lower/uppercase characters and numbers. Thus, simply by inserting a period or something similar in your password, you can instantly throw your password outside the range of characters that most brute-force attacks will include.

Now let’s deal with the password length factor. Being as how there are a certain number of potential values per character, the total number of guesses that will have to be made to guess every possibility increases exponentially (literally) with every character that we add to the password length. Assume that we’re using a 62 character value range for our brute-forcing (we’re assuming that the user didn’t use anything outside the upper and lower case alphabet, plus numbers). For a one character password, we will have to simply guess 62 times, but for a two character password, we will have to guess 62 values for the first character, but since there is a second one with an equal number of possible values, we will have to make 62 guesses at the first character for ALL of the 62 values of the second one! That means that when the second character is 1, the first one will have to cycle through all 62 different values, when the second character is 2, the first one will have to cycle through all 62 values again, and so on. This means that we have 62 * 62 (62 ^ 2) possibilities, which equals 3,844. This doesn’t look too shabby, until you realize that my computer alone can make over 8,000,000 tries a second. So let’s introduce a third character, now the number of possible combinations is at 62 * 62 * 62 (62^3) which equals 238,328. Ok, but still nothing really secure. Let’s jump ahead and try 5, which results in 916,132,832 combinations. Not bad, but it could take me as little as 7.5 minutes to break that. Let’s skip to 7 characters, which has 3,521,614,606,208 (over 3 thousand million, yes, that is correct, “thousand million”) combinations. Not bad, eh? This could take days to break, which few brute-forcers are willing to do. But just for fun, let’s bump the character range up to about 100 and our password length up to 24, so that we can see the number of combinations for the example I used earlier: “1 @m tHe ‘8eS7′ @t Th1s!” This would generate a range of about 1,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000 (one thousand billion billion billion billion billion) combinations. No computer now or anything along the lines of what we could soon have could ever come close to possibly breaking that! And not only do you have that total many combinations for that length of characters, but, assuming that the brute-forcer does not know the length of the password (they rarely do), they will have start with the least number of characters and work their way up, so they will have to generate all the combinations for a length of 1, and 2, and 3, etc, which adds up really big, really fast. Hopefully now you realize why longer passwords are so much more secure. Even one character on the end, like a period, helps tremendously, as it can throw millions of more possibility’s onto the brute-forcer’s shoulders. On a side note, I actually personally recommend adding periods on the end because periods are easy to remember, they add one character in length to your password, and very few people include punctuation when brute-forcing.

Keep this basic fact in mind: If you use a full ASCII character range for your password, for every character you add to your password’s length, you make the password about 60 times more complex! This means that a password that would take one minute to brute-force, with the addition of another character, would take about an hour. (If you’re using non-ASCII data (pure binary values with a full 256-value range) for the password, the result is even more dramatic. Every extra character makes the password 128 times more complex!)

Also, notice that the password I just used as an example is actually a short sentence, not really a word. This is commonly referred to as a “passphrase” rather than a “password”, because you’re using a phrase instead of a word. Passphrases are much better then plain passwords, because they are MUCH longer and make it easier to include punctuation and other odd characters. Plus, they can also be easier to remember. Try remembering “Brad” versus “I visited Brad’s site” for a week and see which one phrase you remember best. You will likely be able to remember both, but which one is more secure by a very, very large factor? Use passphrases, they make getting length into your passwords a farily easy task. Plus most words out there are only 7 or 8 characters long, and all in the same case, do you know how easy that would be to brute-force? Passphrases aren’t just a nice idea, with the speed of the computers that crackers have access to, they’re starting to become a necessity.

Crackers who are brute-forcing your password know that they are oftentimes up against a potentially endless problem. So they, like everyone else in the world, try to find shortcuts. The most common shortcut is simple, they generate “wordlists” of commonly used words and/or combinations of letters that they manipulate and use to provide their brute-force guesses. They figure, and rightly so, that not many people, realistically, use passwords such as “Aab89$skl”, so instead of trying every possible combination of letters they will try only somewhat sensible combinations of letters and words. This can cut their work down by thousands of times, while still keeping a very good chance of finding the password. Your job, then, when creating a password, is to thwart this process. Make the attacker sweat for his money, don’t give him anything easy. Make it a long passphrase and use characters instead of letters, inject numbers and punctuation, and avoid common words like “the” and common letter sequences like “tion”. Use characters that make no sense in the order they appear in.

• Use lots of different characters in your password, like ending it with a period and switching normal letters for numbers and/or symbols.
• Use long passwords.
• Don’t use common words or phrases.

Follow these basic tips and you should have a password that you can engrave in stone (not literally, of course). Just don’t make the mistake of using it too often in different places, so that if someone gets a hold of it, which usually by accident or chance, they don’t have access to everything you have.

Oh, and just in case it needs to be pointed, out, make sure that your password is something you can actually remember. Many services use a form of hashing/encryption that cannot be reversed easily, and they are not willing to try and break it for you, which, since you did chose a good password, should be virtually impossible anyway. So if you lose your password, you’re screwed. Just don’t forget it.

Hopefully you can see that designing a secure password is not a daunting task, but neither is it a trivial one. You should spend a minute or two thinking about them before creating them. In fact, do that right now, so that next time you’re in a hurry and need to create one you already have an idea started. If you have any insecure passwords now, change them. It’s usually far easier to change a password than to have it compromised.