Ah, the elusive “golden password” – the one password to rule them all. It’s the password that stands between you and potential data breaches, identity theft, and all sorts of online mayhem. Choosing the right master password is a daunting task that should not be done lightly.
Password managers have made our lives easier by giving us an easy way to avoid using the same password for multiple online accounts and helping us generate unique complex random passwords for each account we use.
These benefits are great, they help increase our password security and protect us against various forms of brute-force attacks. But at the same time, password managers put all our eggs in one basket, and that basket – our “master password” – needs to be strong enough to protect all of our other passwords, secure notes, and sensitive information.
So, let’s take a look at the critical issue of selecting a master password and also take a look at some other tips and tricks for hardening the security of our password managers.
Considering what is at risk, it’s worth taking the time to do things right and understand the whole issue. As they say, an ounce of prevention is worth a pound of cure.
Important Considerations When Selecting A Password
All passwords, not only our master password, need to be strong. So, it’s worth noting that the facts discussed in this article should also be considered when selecting any password.
So, how do you choose the right password? Let’s cover some technical details to keep in mind.
The longer your password, the harder it is to crack. Aim for at least 12 characters, but the more, the merrier. The length of the password that would be considered secure depends on the particular situation, and as technology advances, we need to make our passwords and encryption keys longer to stay ahead of the bad guys.
This is because, as technology advances, the computer CPU gets faster and can process more information per second. This means the methods used by hackers to brute-force online accounts and applications, and crack passwords and encryption keys are also getting faster.
As a result, the recommended length for secure passwords and encryption keys is constantly increasing. What was considered strong enough just a few years ago may now be vulnerable to attacks, making it important to stay up-to-date with the latest recommendations for password and encryption key length.
For example, a password of 8 characters could take anywhere from a few seconds to a few minutes to crack, while a password of 12 characters could take anywhere from a few hours to a few days. As the length increases to 16 characters, the time it takes to crack could range from several months to several years.
For a 20-character password, it could take several decades or more. A 256-bit AES encryption key (32 UTF-8 characters) commonly used to secure sensitive data is estimated to take billions of years to crack using a supercomputer.
So the key thing to remember here is; length matters. The longer your master password, the harder it will be to brute-force. OK, on to the next key element of creating a secure master password!
Keyspace Is Key
OK, now that we understand why length is important, let’s introduce the topic of “keyspace”. Keyspace is the total number of possible combinations of characters in a password or encryption key.
In fact, length is one thing that contributes to strong keyspace, but it’s not the only thing. The factor of keyspace is the number of possible characters. If you only use numbers for your password, you only have 10 possible characters, 0 to 9. This is also known as the “base”. So, a number-based password has a base 10.
If we add uppercase and lowercase letters, the number of possible characters per position increases to base 62 (10 numbers, plus 26 uppercase and 26 lowercase letters), resulting in a much larger keyspace size.
Now we have already made it much more difficult for attackers to guess or crack the password through brute-force methods. What about adding special characters? The more special characters that are used, the larger the keyspace size becomes, making the password even more secure.
The number of special characters that are commonly used in passwords is typically around 30 to 40, depending on the system being used, giving us a total base of between 92 and 102.
So, a strong master password should be long and also a mix of upper and lowercase letters, numbers, and special characters to make it harder to guess.
Consider Using A Passphrase
A passphrase is a sentence or phrase with normal spaces and punctuation that can add security by making the password longer. Using a passphrase can provide a good balance between convenience and security because it can greatly increase the password length while being easier to remember, but it might be a pain to type the whole passphrase each time you authenticate.
But, as we already covered, even with only letters and numbers, if you can get the keyspace high enough, it will be virtually impossible for even a supercomputer to crack.
The biggest vulnerability of a passphrase is its use of common dictionary words or phrases. This makes it susceptible to dictionary attacks; a type of brute-force attack where an attacker uses a list of known words and phrases to guess the password.
One way to reduce the potential for a successful dictionary attack is to create a passphrase that uses special character replacements to increase entropy. The practice of replacing letters with numbers or special characters in a password is called “leetspeak” or “1337 speak”.
Leetspeak is a system of modified spellings commonly used on the Internet and can be used to increase keyspace by introducing special characters. But be careful, because leetspeak is also a well-known method of adding keyspace, it reduces a passphrase’s total entropy because the pattern is predictable.
Overall, using a passphrase can be a strong password option if done correctly, but it’s important to avoid using common dictionary words or phrases to ensure maximum security.
The Strongest Passwords Have Randomness
In addition to high keyspace, randomness is another important factor in evaluating a potential master password. In computer science and math, randomness is a measure of unpredictability. Your password might have high entropy, but it could be very predictable.
For example, using your name, the year of your birth, and a ransom character such as “WilliamRobertson2000!” might seem like a great password if we just consider the total keyspace (length and allowed characters), and seems like a strong password, but it would also be very easy for an attacker to guess or crack because it doesn’t have randomness.
To measure the randomness of a particular password, we use statistical tests that analyze the distribution of characters and patterns. These statistical tests can evaluate a specific password to determine how random it is.
The Chi-squared test is a common statistical method for calculating true entropy. The Chi-squared test assesses the characters in a given password and compares them to the expected character distribution based on the frequency of each character and character group.
Software tools can also use artificial intelligence (AI) machine learning (ML) algorithms to analyze the patterns and structure of a string and predict its level of randomness or predictability.
Randomness analysis can be useful to evaluate the strength of a user’s password as they enter it and give them feedback and provide feedback on how to improve its randomness and security.
Also, when password generators such as the PasswordHero password generator are developed, they are designed to randomly select each character of a password to provide the highest possible entropy. So, your best bet to ensure strong entropy is to use a random password generator.
What’s The Difference Between Keyspace, Randomness, And Entropy?
Keyspace, entropy, and randomness are all important factors in determining password strength. They are related concepts but measure different aspects of password strength. Let’s briefly summarize the differences between them.
Password keyspace refers to the total number of possible combinations of characters in a password. Keyspace uses the number of possible characters and the length of the password to calculate the total possible combinations. The keyspace represents the total number of unique keys that could be generated using a given set of characters and password length.
Password randomness, on the other hand, refers to the degree to which a password is generated using random or unpredictable methods. A truly random password is one that is generated using a source of entropy, such as a random number generator and has no pattern or structure. Dictionary words or 4 digits representing a year reduce the randomness of a password.
Password entropy, on the other hand, measures the total amount of uncertainty or unpredictability in a password. Entropy takes into account the randomness or distribution of characters in the password, as well as the keyspace size (the length and number of possible characters). So, entropy is like calculating a combination of both keyspace and randomness.
A password with high entropy is long, has a large number of possible characters, which are organized in a highly random way, and therefore less predictable, and therefore harder to guess or crack.
When selecting a master password, the keyspace is somewhat controlled by the app developer who designed the authentication system. They select the allowed and/or required password lengths and special characters.
The user can control keyspace in one way by deciding how long to make their password. Randomness is mostly controlled by the user who chooses a password according to the app’s password rules.
However, in some cases, system administrators can also force randomness. The most strict password systems have rules that even prevent users from creating passwords with too many numbers or letters in a row. When assessing a particular password and calculating those two things, the keyspace and the randomness, the result is the password’s entropy.
Calculating The “Crackability” Of Your Master Password
Now let’s apply some basic math to the situation. This will help us get a better grasp on how we can evaluate a great master password. The estimated average time it takes to crack a password that uses truly random characters can be estimated using the following equation:
In this equation, the keyspace size is the total number of possible combinations of characters in the password, and the guesses per second are the rate at which an attacker can guess passwords. Calculating the keyspace is like this:
In this equation, the number of possible characters is the total number of unique characters that can be used in the password (including uppercase and lowercase letters, numbers, and special characters), and the password length is the number of characters in the password.
For example, if a password has a keyspace size of 10^12 (1 trillion) and an attacker can make 10^6 (1 million) guesses per second, it would take approximately 10^6 seconds (11.6 days) to crack the password on average. However, this is just an estimate, and the actual time it takes to crack a password can vary based on the complexity of the password and the strength of the attacker’s hardware and algorithms.
What If Your Password Still Gets Stolen
Let’s say you have listened attentively and worked it all out. You generate a great master password for yourself. Your password’s keyspace size is big, and it’s really random. Well, this means it’s probably complex and hard to remember. So, you might be tempted to write it down – or store it in a file on your computer or mobile device.
Remember, you can’t store THIS password in your password manager because it’s your master password. But it’s important to note here that you should not write this password down or store it in a file on your computer.
In another scenario, a cyber attacker gets access to your computer and installs a keylogger to track every key you type and snags it as you type it into your password manager. These are all realistic scenarios where an attacker could gain access to your master password. So, what can you do?
- Use Multi-Factor Authentication (MFA): Any good password manager has the option to enable multi factor authentication. This can help protect your account against a stolen password. Considering how valuable all your secrets and online accounts are – it’s worth it! Biometric MFA is perhaps the easiest form of MFA. On many devices, you can just scan your fingerprint, and presto you are done. Other options for MFA include a One-Time-Passcode (OTP) or a hardware security key such as the Yubico.
- Harden your password manager settings: Each password manager comes with its own settings that can be hardened to increase security. In addition to adding MFA to protect your login, you can also ensure your password manager will log out after a specified amount of time, or when the browser is closed. It’s a bad idea to allow your password manager to auto-login every time you log into your computer account.
To sum it all up – it’s all about keyspace and randomness. These two things combined can define a password’s entropy. The higher the entropy, the harder it is to guess or brute-force your password. Keyspace refers to the total number of possible combinations of characters in a password or encryption key. It represents the total number of unique keys that could be generated using a given set of characters and key length. Randomness refers to whether the characters have any patterns or predictability. Strive for high entropy!