A Master Password is a password that is both secure and easy to remember. But how do you combine the two aspects? A common misconception is that, to be secure, a password must also be complicated. However, remembering complicated passwords is difficult. This leads us to set a password with the bare minimum complexity. As a result, we tend to create passwords that are easy for hacker tools to guess.
Pattern Recognition
The tools hackers use to guess someone’s password take human patterns into account. For example, one of the most used symbols in passwords is the hash (#): it is easy to remember and easy to type. What happens is that we tend to follow the hash with numbers. Hacker tools know this usual pattern, and when they test a password containing a hash, they also append one or two digits after it. Another popular symbol is the at sign (@), and you can be sure most people use it to replace the letter ‘a’ in their password. The same happens with the dollar sign ($) replacing the letter ‘s’, and so on.
We need patterns to help us remember a complex password, and, as a result, this behavior ultimately makes our hard-to-remember passwords weaker. A really secure and complex password does not follow human patterns and has high entropy. Our Secure Password Generator tool, for example, will generate secure passwords with a high level of entropy. However, those passwords are really hard to remember and are not practical for everyday use.
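To show how a checker can detect the human patterns described above (symbol-for-letter substitutions and a hash followed by one or two digits), here is an added example in Python. It is not the post’s Secure Password Generator or any other tool from the original; the substitution table and the four-word wordlist are constructed for the demonstration, and a real checker would use a large dictionary and many more rules.

```python
import re

# Symbol-for-letter substitutions the post describes (constructed table, not exhaustive).
LEET_MAP = {"@": "a", "$": "s", "0": "o", "3": "e", "!": "i"}

# Constructed wordlist for the demonstration; a real checker loads a large dictionary.
SAMPLE_WORDLIST = {"password", "summer", "dragon", "welcome"}


def normalize(password: str) -> str:
    """Reduce a password to the dictionary word an attacker's rules would start from.

    1. Drop a trailing '#' followed by one or two digits (the pattern the post describes).
    2. Drop any remaining trailing digits (e.g. 'Summer2023' -> 'Summer').
    3. Undo symbol-for-letter substitutions and lowercase the result.
    """
    core = re.sub(r"#\d{1,2}$", "", password)
    core = re.sub(r"\d{1,4}$", "", core)
    return "".join(LEET_MAP.get(ch, ch) for ch in core).lower()


def follows_human_pattern(password: str, wordlist=SAMPLE_WORDLIST) -> bool:
    """True when the password collapses to a dictionary word once the patterns are undone."""
    return normalize(password) in wordlist


if __name__ == "__main__":
    for candidate in ("P@$$w0rd#12", "Dr@g0n1", "Thursday, December 17, 1903 - Kitty Hawk"):
        verdict = "follows a human pattern" if follows_human_pattern(candidate) else "no pattern found"
        print(f"{candidate!r}: normalizes to {normalize(candidate)!r}, {verdict}")
```

The point of the example is that a password like `P@$$w0rd#12` looks strong if you only count characters and symbol classes, yet a few cheap rules reduce it to `password`; the date-based sentence from later in the post survives the same rules untouched.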
Length over complexity
Ultimately, passwords are the result of combinations: sets of characters to choose from. We have 52 letters (counting lowercase and capitals as different), 10 digits and about 22 symbols. Each character in our password can therefore be one of 84 different possibilities, which means an attacker has a 1 in 84 chance of guessing any one character. The good news is that an attacker does not know which sets we are using for each character in our password.
Many websites necessarily limit the length of our passwords, and some allow only very short passwords. However, high-end services often allow us to set long passwords. A 16-character password (84^16 combinations) is fairly secure, and it would take over 194 billion years to brute force it. But we can do a lot better than this: we can easily have a 32-character password which is both secure and easy to remember. Once we use every set of characters, length is what improves the security.
A trivial trick to learn
There is a really popular comic that explains this concept in a simple way. It sums up what we have seen so far. While the password used in the comic is mathematically secure, it would make a poor choice against a dictionary attack. The solution is to find a good balance between complexity and ease of remembering.

A character that is rarely used in passwords is the space. We often see passwords made of letters, digits and symbols, but it is rare to see a password which includes spaces. Using spaces allows us to write sentences; a sentence can have punctuation (symbols) and both lowercase and uppercase letters, and weaving in a number is a simple task.
A Master Password that works
There are many possible options; I will name just two to give you an idea: dates and addresses. Everyone has a date they will never forget. Of course, do not pick your birthday, since it would be weak against social hacking. Think of an event in your life you will never forget, and use this date. Example: Thursday, December 17, 1903 – Kitty Hawk. This is the day when the Wright brothers, Orville and Wilbur Wright, achieved the first successful powered flight. Possible combinations? It would take 84^34 combinations to guess this password, about 2.14 × 10^37 years. This number is vastly beyond any practical time frame.
We can do the same using an address, a song or a famous quote. We can use the first two lines of a book we love, or the title of our capstone project from our Bachelor’s Degree. You can really make it very complicated while keeping it easy to remember. A password of this type would be a perfect candidate for our Master Password, or for the password that we use to log in to our system. The good thing about these passwords is that we can easily remember many of them and don’t have to worry about forgetting them. A Master Password is usually used in combination with a Password Manager. For this purpose, please refer to my article “Securing your workstation: The Browser” for a detailed guide and explanation on this point.