Create a Secure Password
Image by Rainer Stropek on Flickr
Knowing how passwords are cracked can help you create better passwords.
Picture two Formula Ones speeding down a track. They weave around each other, locked in an intense race. The drivers must be clever. The tiniest move could lead one car to victory and another to defeat.
Password security is like this Formula One race. Hackers are constantly creating new techniques to break passwords. We, the internet users, must be clever in order to stay in the lead.
We want passwords that are easy to remember, but hard to crack. So what makes a password good? To understand this, let’s look at common hacking attacks.
Brute Force Attack
If you’re trying to rob a house, an elegant solution is to pick the lock. A brute force solution is to break down the door.
For guessing passwords, the brute force solution is to try every single combination. This is an enormous, slow job. But computers are getting faster every day. Passwords that were safe five years ago can now be brute forced in a couple days.
The best way to defeat brute force attacks is to use long passwords. That way, it takes longer for hackers to try every single combination and find the right one.
A simple trick is to use compound words, like ‘snowflake’, ‘rollercoaster’, or ‘moonlight’. String these words together for stronger passwords. For example, ‘afternoon_pineapple_sundae’ is easy to remember. And it’s 26 characters long! What about 23_afternoon_pineapple_sundae? Even more delicious!
DO
- Use long passwords — at least 8 characters!
- Use compound words
- Use uppercase letters, numbers, and symbols
Dictionary Attack
‘Pineapple’ is easier to remember than ‘usbjwlfdi’, even though both words have the same number of characters. This is because ‘pineapple’ is a real word. Our brains can picture pineapples. We can see, smell, and taste them.
Enter ‘dictionary attacks’. Instead of trying ‘usbjwlfdi’, which is an unlikely password, hackers only make guesses using words from the dictionary.
However, afternoon_pineapple_sundae is still a decent password. Why? Because ‘pineapple’ is an unusual word. It’s not something you talk about every day. ‘Afternoon’, on the other hand, is easy to guess. Moral of the story: use weird words. The weirder the better.
At first, people prevented dictionary attacks by switching letters with numbers. ‘O’ became ‘0’, ‘E’ became ‘3’, ‘L’ became ‘!’. Hackers figured this out pretty quickly. Now, their dictionary attacks check obvious number-letter substitutions. Instead, why not use a bizarre substitution? Switch a ‘T’ for an 8! A ‘G’ for a 2!
You can also transform a real word into a non-word by placing a random symbol in the middle. For example, pineapple could become pin&eapple, or pineapp$le.
DO
- Use uncommon words, or words that aren’t in the dictionary (sphinx instead of cat, cerberus instead of dog)
- Use words that don’t make sense together. ‘Red house’ is a logical combination, but not ‘sprinkle typhoon’.
- Insert random symbols in the middle of words
DON’T
- Use common substitutions (0 for o, 3 for e)
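As an added example (not part of the original article), this Python checker scores a password the way the brute force and dictionary attack sections describe: search space from length and character types, then a word lookup after undoing the 0/3/! swaps. The short word list, the function names and the sample passwords are constructed for illustration.

```python
import math
import re

# Constructed stand-in for the most common entries of a cracking wordlist.
COMMON_WORDS = {"afternoon", "red", "house", "cat", "dog", "password"}

# The substitutions the article names as already checked by dictionary attacks.
COMMON_SUBS = str.maketrans({"0": "o", "3": "e", "!": "l"})


def search_space_bits(password):
    """Brute-force cost in bits: length * log2(size of the character set used)."""
    alphabet = 0
    if re.search(r"[a-z]", password):
        alphabet += 26
    if re.search(r"[A-Z]", password):
        alphabet += 26
    if re.search(r"[0-9]", password):
        alphabet += 10
    if re.search(r"[^a-zA-Z0-9]", password):
        alphabet += 33  # printable ASCII symbols, space included
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def dictionary_hits(password):
    """Common words found after undoing the obvious letter-number swaps."""
    normalized = password.lower().translate(COMMON_SUBS)
    return [w for w in re.split(r"[^a-z]+", normalized) if w in COMMON_WORDS]


def assess(password):
    """Apply the article's DO/DON'T rules and report what fails."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    hits = dictionary_hits(password)
    if hits:
        problems.append("common words: " + ", ".join(hits))
    return {"bits": round(search_space_bits(password), 1), "problems": problems}


if __name__ == "__main__":
    # Constructed samples built from the article's own words.
    for pw in ["cat", "r3d_h0us3", "afternoon_pineapple_sundae", "pin&eapple"]:
        print(pw, assess(pw))
```

The bit count is an upper bound that assumes every character is random; the dictionary hits show why a long password built from common words is weaker than its length suggests.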
Social Engineering
To help remember their passwords, people think of things that are important to them. This includes friends, family, pets. Even favourite bands or memorable vacations!
There’s a catch. If you use social media, what kind of things do you post? Perhaps you show off group photos of friends and family. Or you post selfies with pets, maybe pictures from concerts. All this information is now available for anyone on the internet to see — including hackers. So if your pet’s name is part of your password, that information isn’t secret anymore.
Even if you don’t use social media, it’s a good idea not to use personal information in your passwords. You never know how or when information can leak.
DON’T
- Use names or birthdays of friends and family
- Reuse passwords
- Tell other people your password
DO
- Change your password at least once a year
A Couple More Tricks
Use words from different languages in your password. If you aren’t multi-lingual, then Google Translate can help you out.
Use motor patterns when creating your password. For example, ‘vfrtyhnbv’ looks random, right? It’s actually a box pattern. Start at ‘V’, go upwards on your keyboard to ‘R’, then right to ‘Y’, then down to ‘N’, then left back to ‘V’. Easy to remember; hard to guess.
Think of a sentence, then take the first letter of every word. For example, ‘I went to school riding on a dinosaur’ is fun and memorable. ‘iwtsroad’ is a confused jumble.
Putting It All Together
Which passwords are the best? How could each one be better?
- dancing_r0b0t_tutus
- caterpillar45
- pika#chu_thunderbolt!
- swanlake17
- Choco!ate_banaNa
- transformer5
Learn More
XKCD Comic about good passwords
Articles about creating good passwords
https://www.howtogeek.com/195430/how-to-create-a-strong-password-and-remember-it/
http://www.makeuseof.com/tag/7-ways-to-make-up-passwords-that-are-both-secure-memorable/
How to Choose a Password (Computerphile)