Passwords: The how and why of choosing them and when not to

Why is it important?

Since the Snowden leaks it has become clear that various governments have been routinely collecting your data along with credit cards and other personal information.

“the vast majority of human communications are automatically ingested without targeting. If I wanted to see your emails or your wife's phone, all I have to do is use intercepts. I can get your emails, passwords, phone records, credit cards,” Edward Snowden 6 June 2013 1)

This in itself may not worry you. You should know, though, that the techniques used can just as easily be used by a criminal organization. Even then, only when that data is used, as when Israel used passport details belonging to citizens of other countries to get Israeli assassins into Dubai 2), is there a problem. Unfortunately it is a problem the people affected will have to deal with every time they travel.

Unfortunately the people collecting the information are not the people who are going to use it, and that is the issue. The people collecting may be working for a good cause, but once it is collected anyone with access can use the data for whatever reason they see fit. The recent leak of client data 3) from Barclays Bank is an example of this. Even if your government is competent and honest and has everyone's differing interests at heart, governments have not proved themselves good with data 4) 5). So it is up to us to ensure that our information cannot be abused to further the political agenda of extreme 6) or rogue organizations 7).

Your government may tell you that “if you have nothing to hide then you have nothing to fear” 8) 9) 10) as is blazoned on the home page of the USA's Homeland Security Directorate web site 11).

I include a screenshot 12) in the hope that the slogan will be removed out of embarrassment if nothing else…

This argument does not hold even for the most basic of acts. You do not see politicians walking around in the nude, do you? In fact it is probably illegal to walk around nude in public where you live. So the statement "if you have nothing to hide you have nothing to fear" is complete rubbish. Our laws say: no matter if you have nothing to hide, fear the law. Apart from my very basic example of why the 'if you have nothing to hide you have nothing to fear' statement is wrong, you can find a reasonably well reasoned talk, 'Why Privacy Matters' by Glenn Greenwald, published by TED 13).

Unfortunately every time you hear someone hide behind the phrase “If you have nothing to hide, you have nothing to fear” you can be sure you do have something to fear. For example your credit card details may seem benign. You would not mind your government taking a look would you? But if I (a part of the government) need to create a new identity, or just need some cash and I have your details, then I will use them. I may try to be picky about who I use, choose a minority group perhaps or avoid citizens of my country as Israel did 14). But you are in a minority group and you are only affiliated to one country. So why shouldn't I choose you?

Ultimately it is your responsibility to protect yourself from abuse by people and organizations that do not care who you are, but do care what they can use you for.

How do you reduce the risks?

Your first step is one that you may think is remarkably dull given the above. The first step is to make sure the door is locked, or in computer terms make sure your passwords are good enough for the job.

Not all Passwords Protect you

The first thing to know about passwords is that not all passwords are created equal. There are 4 categories a password can fall into. These categories are defined by 2 properties:

  1. The password is hashed (Yes or No).
  2. The password is transmitted in readable form (Yes or No).

Hashed means the password is recoded into a new sequence which (in theory) cannot be converted back to the original. 15)

This hashed version is stored in the database of the service you are logging into and compared to the hashed version of the password you type in when you log on. If the original password were stored in the database then anyone who can gain access to the database can get your password. This includes hackers, but more likely dishonest employees of the company running the website or of the company hosting the website, which may be different. Just imagine a big database of user passwords and details that someone can use to make money with, sitting on a computer, available to anyone who is dishonest enough to take it. Do you want your password on that server?

If a password is transmitted in readable form then everyone else on the path the password travels over can read it and use it to log into your account. This can be done with a hashed version of the password as easily as with the original password. Imagine you log in at an airport, and imagine there is a hacker there watching the network traffic. He can read your password and the website details and, when you are finished, he can log in and do whatever he wants with your account.

Rule 1 Make sure your password is treated securely when logging in.

How to detect Poor Password security

You can perform a few easy tests to see if your password is treated securely or can be accessed easily by someone else. To detect if the Password is not hashed, go to the login page of your account and pretend you have forgotten your password. Follow any instructions given to recover your password. If after going through the lost password process you get your original password back then your password is not hashed and you are at risk.

If you get a different password to use then there is a good chance that the original was hashed, but you cannot be sure. To be more certain, check if there is a length restriction on the password. If there is a length restriction then, more than likely, the password is not hashed and is not secure. The hashing process turns a password of any length into one of fixed length, so there is no need to restrict the password length. If there is no mention of a length restriction, try making a 20 character password and then log in. If you cannot log in then the password was truncated, and again it was not hashed, because there is no need to truncate a hashed password. Note, however, that there will be a limit on the password length set by the web page, but this is arbitrary and should be large. Unfortunately there is no definitive test for whether the password is actually hashed, but the tests described above will detect most cases.

On finding a password system that is not hashed, email the company and complain, tweet to your friends, put it on Facebook, say how disappointed you are. By doing so, eventually businesses will work out that they have to take your security seriously.

Detecting whether your password is sent in a readable form over the network is even easier to do. Just look for https in the address of the login page. If it's https then the communication between the website and your computer is encrypted; if it's only http then it is not. Look for the s for secure. If you are using a web browser that hides the s or displays a graphic instead (which can be faked well enough to fool some people) then uninstall it and install a different browser; there are plenty to choose from, Firefox is a good example but there are plenty of others. Again, tweet and Facebook your friends to tell them how disappointed you are that browser X is not showing you the s.

If the website fails these tests then reconsider using it, as it offers you the opposite of security.

The Web Site passed the test am I safe?

Quick answer is no. You have avoided the easiest ways for an organization to get your password but there is still one left: brute force. As computers have got faster, the time it takes to test every possible password with a given number of characters in it has decreased. This is what a brute force attack does, but even then you can make it hard to access your account.

How to think about passwords

The ease with which a password can be recovered by brute force is defined by how long it is. But hackers are clever; they know we tend to use words and so they look for them before they look for random sequences. As a consequence the number of discrete parts in your password is more important than the length. For example:

123456 has 6 discrete parts
HumptyDumptySatOnTheWall also has 6 discrete parts
Now there are 10 digits and so 10^6 combinations of those digits that are 6 digits long. There are considerably more than 10 words, so you may think that there are many more combinations. Most sentences, however, use a very small subset of common words. In the above example the only uncommon words are Humpty and Dumpty. The rest are very common short words, and the difficulty in finding the correct password is not as high as it first seems.

Rule 2 Use a large number of distinct parts

It is your job to create a password that has a large number of distinct parts. The parts you use should not be commonly used. Following this rule we find passwords such as:

4jf=ewfm)7fbn/w.eq2-=oeUihxSJdpaidu09*89vt6pom yt. 
But this is not exactly easy to remember, is it? As a result a copy tends to get stored on the computer that the password is used on. This is not at all desirable. So you need a way of creating a password that is easy to remember and also has the maximum number of discrete parts in it.

Rule 3 You should be able to remember the password

To do this you have to think like a hashing algorithm. A hashing algorithm performs random transformations on the characters of a password. If, say, you started with the password 1234567890 and randomly added a number between 0 and 35 (representing 0–9 and a–z) to each character, you could end up with the password 3fj8xqiom4; all you need to be able to do is reproduce the hashing process. However this sequence is too short. Since the hacker is busily creating a table of all possible sequences of size 10, he will eventually be able to crack your password.

Worse still he will be trying to create the most likely sequences first. This means you should not use 1234567890 because that will be one of the first sequences he tries.
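The transformation described above, written out as an added example (this is not code from the original page; the offset values are constructed so that the page's own 1234567890 becomes 3fj8xqiom4, and the alphabet is the 36 symbols 0–9 and a–z the text names). It also shows the inverse step, since the whole point of rule 3 is that the owner can reproduce the process, and a helper that generates fresh offsets with the `secrets` module rather than a guessable pattern.

```python
import secrets

# The 36-symbol alphabet from the text: digits 0-9 then letters a-z.
ALPHABET = "0123456789abcdefghijklmnopqrstuvwxyz"


def shift_password(base: str, offsets) -> str:
    """Add offsets[i] (each 0..35) to character i of base, wrapping around the alphabet.

    This is the per-character 'add a number between 0 and 35' step the text describes.
    """
    if len(offsets) != len(base):
        raise ValueError("need exactly one offset per character")
    out = []
    for ch, off in zip(base.lower(), offsets):
        if not 0 <= off <= 35:
            raise ValueError("offsets must be in 0..35")
        idx = ALPHABET.index(ch)  # ValueError for characters outside the alphabet
        out.append(ALPHABET[(idx + off) % len(ALPHABET)])
    return "".join(out)


def unshift_password(shifted: str, offsets) -> str:
    """Inverse of shift_password: the owner, knowing the offsets, gets the base string back."""
    if len(offsets) != len(shifted):
        raise ValueError("need exactly one offset per character")
    out = []
    for ch, off in zip(shifted.lower(), offsets):
        idx = ALPHABET.index(ch)
        out.append(ALPHABET[(idx - off) % len(ALPHABET)])
    return "".join(out)


def random_offsets(n: int):
    """n offsets drawn from a cryptographic RNG, so the shifts are not a predictable pattern."""
    return [secrets.randbelow(len(ALPHABET)) for _ in range(n)]


def search_space(length: int) -> int:
    """Number of sequences of this length over the 36-symbol alphabet: what a
    hacker tabulating 'all possible sequences of size 10' has to enumerate."""
    return len(ALPHABET) ** length


if __name__ == "__main__":
    # Constructed offsets chosen to reproduce the page's worked example.
    offsets = [2, 13, 16, 4, 28, 20, 11, 16, 13, 4]
    print(shift_password("1234567890", offsets))        # 3fj8xqiom4
    print(unshift_password("3fj8xqiom4", offsets))      # 1234567890
    print(search_space(10))                             # 36**10
```

As the text itself says, a 10-symbol result is too short to resist a full table of that size, and the starting string 1234567890 is among the first a hacker tries; the function works for any base string and length, so the reader can see how fast `search_space` grows per added symbol.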

Rule 4 be original

So you need:

  1. Check your password is treated securely once handed over.
  2. Use a password that contains as many distinct parts as possible.
  3. Use a password that is easy to remember, or a password that is easy to recreate if you forget.
  4. Be original.

is 25 characters long but only has 6 distinct parts
is 11 characters long and has 11 distinct parts but would be one of the first passwords used by a hacker.


has 23 distinct parts and is 36 characters long. Each 2 letter combination is not random however and a hacker knowing the method of creation could create a table of hashes that follows this rule and eventually find your password. Hence you should only use this if you are confident the password is treated securely.

So you have followed rules 1 to 4; are you safe yet?

No, the hacker can still access your account by luck. The next step is to see if the website does anything to prevent a brute force attack. The most common and easily implemented approaches to this delay or stop the login process after a number of failures. So if you can only log in once a minute, or you get blocked after your 4th try, then it is much harder for the hacker to use a brute force attack. Of course you have no control over this, but you can write to the site and explain your disappointment in the business's lack of regard for the security of your account on Facebook, Twitter etc.

Rule 5 Complain if your website does not prevent multiple failed logins.

Suggest they block the account for a minute after 3 failures. This is easy to do and stops brute force attacks instantly.
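The "block for a minute after 3 failures" suggestion, as an added example of how a site could implement it (this is not code from the original page; the class name, the `attempt` interface and the injectable clock are my own choices). The clock is injected so the behaviour can be checked without waiting a real minute.

```python
import time


class LoginThrottle:
    """Block an account for block_seconds after max_failures consecutive failed logins.

    A correct password is also refused while the account is blocked; that is what
    'block the account' means, and it is what slows an online guessing attack.
    """

    def __init__(self, max_failures: int = 3, block_seconds: int = 60, clock=time.monotonic):
        self.max_failures = max_failures
        self.block_seconds = block_seconds
        self.clock = clock                 # injectable for testing (assumption: monotonic seconds)
        self._failures = {}                # account -> consecutive failures
        self._blocked_until = {}           # account -> clock value when the block expires

    def is_blocked(self, account: str) -> bool:
        until = self._blocked_until.get(account)
        if until is None:
            return False
        if self.clock() >= until:          # block has expired: clear it
            del self._blocked_until[account]
            self._failures[account] = 0
            return False
        return True

    def attempt(self, account: str, password_ok: bool) -> str:
        """Record one login attempt; returns 'blocked', 'ok' or 'failed'."""
        if self.is_blocked(account):
            return "blocked"
        if password_ok:
            self._failures[account] = 0
            return "ok"
        n = self._failures.get(account, 0) + 1
        self._failures[account] = n
        if n >= self.max_failures:
            self._blocked_until[account] = self.clock() + self.block_seconds
        return "failed"


def guesses_per_day(max_failures: int = 3, block_seconds: int = 60) -> int:
    """Upper bound on online guesses per account per day under this policy:
    max_failures tries, then a block, repeated."""
    return max_failures * (86_400 // block_seconds)


if __name__ == "__main__":
    # Constructed walk-through: three wrong guesses, then even the right one waits.
    now = [0.0]
    throttle = LoginThrottle(clock=lambda: now[0])
    for guess_ok in (False, False, False, True):
        print(throttle.attempt("alice", guess_ok))   # failed, failed, failed, blocked
    now[0] = 60.0
    print(throttle.attempt("alice", True))           # ok
    print(guesses_per_day())                         # 4320
```

With this policy an attacker gets at most 4320 guesses per account per day instead of as many as the server can answer, which is what makes online brute force impractical. Two caveats a practitioner would keep in mind: a lockout keyed only on the account lets anyone who knows your username lock you out by deliberately failing three times, so sites often throttle by source address as well or use increasing delays; and it does nothing against an attacker who has already copied the database of hashed passwords, the case the next section covers.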

So you have an account that stops brute force attacks and you have followed rules 1 to 5; are you safe now? Simple answer is no. In some ways it is actually easier for the hacker to gain access to your account without knowing your password. If the hacker can access the database of login details then all he needs is a reverse hash function. In fact our industrious hacker has been creating a database of the most common passwords and their hashes for some time. With this he need only search the database of logins for a match with his database of hashes. This is why the companies you deal with should use more than one method to identify you.
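The two sides of password storage from the "Not all passwords protect you" section and this one, as an added example that is not part of the original page: a site storing plain hashes, the hacker's precomputed table of common passwords and their hashes, and the salted, iterated form (PBKDF2-HMAC-SHA256, my choice, not something the page specifies) that defeats the table because each account's hash depends on a random salt. The "common passwords" list and the user records are constructed.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the hacker's list of the most common passwords.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "abc123"]


def unsalted_hash(password: str) -> str:
    """Plain SHA-256: the same password always gives the same hash, so it can be tabulated."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup_table(candidates) -> dict:
    """The 'database of common passwords and their hashes' the text describes."""
    return {unsalted_hash(p): p for p in candidates}


def recover_from_table(stored_hash: str, table: dict):
    """One dictionary lookup per stolen row; returns the password or None."""
    return table.get(stored_hash)


def crack_unsalted_database(rows: dict, table: dict) -> dict:
    """rows maps username -> stored unsalted hash. Returns every user whose hash is in the table."""
    found = {}
    for user, h in rows.items():
        p = recover_from_table(h, table)
        if p is not None:
            found[user] = p
    return found


# --- the defence: per-user random salt plus a deliberately slow derivation ---

def salted_hash(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def store_salted(password: str) -> dict:
    """What the site keeps for one account: the salt (not secret) and the derived hash."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": salted_hash(password, salt)}


def verify_salted(record: dict, attempt: str) -> bool:
    """Login check: re-derive with the stored salt and compare in constant time."""
    return hmac.compare_digest(record["hash"], salted_hash(attempt, record["salt"]))


if __name__ == "__main__":
    table = build_lookup_table(COMMON_PASSWORDS)
    # Constructed stolen database of unsalted hashes.
    stolen = {"alice": unsalted_hash("qwerty"), "bob": unsalted_hash("rV7#k2pQwz")}
    print(crack_unsalted_database(stolen, table))   # {'alice': 'qwerty'}
    rec1, rec2 = store_salted("qwerty"), store_salted("qwerty")
    print(rec1["hash"] != rec2["hash"])             # True: same password, different stored hashes
    print(verify_salted(rec1, "qwerty"))            # True
```

The precomputed table finds every user whose unsalted hash it contains in one lookup each. With a salt the same password produces a different stored value for every account, so a table built in advance is useless and the hacker must redo the slow derivation per guess, per account. Salting does not rescue a weak password, which is why the page's rules about the password itself still apply.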

Rule 6 Use two factor identification

Two factor identification adds a new level of difficulty for the hacker because there are now 2 different forms of security to bypass. A well used but poor form of two factor authentication is to ask you a question at login, such as what your mother's maiden name is. This is poor because anyone who was targeting you would be able to find out this information. In fact you should assume that the person trying to access your accounts knows more about you than you do, at all times. When confronted by this question-based second factor, never answer the question correctly.


'What is your Mothers Maiden name?'
in this way the more information the person trying to access your account has the less able they are to access it. Make sure you can answer the question though…

Rule 7 Assume all your personal information is public knowledge do not use it.

Google Authenticator 16) is another example of a second factor. There is a shared secret between Google, the website and your smartphone. This secret is used to create a new code every minute, which you enter after you have entered your password in the website you are logging into. The website sends the code to Google, who recognizes the code and tells the website it is correct, and the website believes it is actually you logging in and not a hacker who has discovered your password. Since the code changes every minute it is quite hard for a hacker to find out what it is in advance. This means that anyone trawling for details will not be able to use them if they find them. Of course if someone were targeting you then it is just one more hoop to jump through to get what they want.

Another example of a second factor is SMS messages. In this scenario an SMS message is sent to your phone with a code for you to enter into the Web Site when you do something like transfer money for example. Again the hacker has another hoop to jump through which is not worth the effort unless he is targeting you.

The only time a hacker might target you is when they have a valid password. Then it may be worth them trying to steal your phone to get the second factor of authentication. Should you worry? It depends what the reward is for stealing your phone. I guess carrying that second factor around is not really a good idea…

Rule 8 Change your password occasionally

So you have followed the rules and you are logged in. Are you safe?

Simple answer is no. Just because you logged in does not mean you logged into the real site. Phishing scams rely on sites that look like the real thing but are not. So in an ideal world you would want the site you logged into to prove to you that it is the real one by greeting you in a unique way.

Rule 9 Get the website or service to respond to you in a unique way

Sadly this is not under your control; however, if enough people request it then you may be able to get the feature added. You know the drill: tweet, Facebook your disappointment….

Are you safe now?

Probably not but it will be a lot harder for anyone to empty your bank account. If they did you can be pretty confident it was an inside job.

Rule 10 Security is a process

If you want your accounts to be secure then you need to improve their security as time passes by. For example, take a bank account: transferring to a new bank makes all data about the old bank redundant. This can make the account more secure. Similarly for an email account, changing the password occasionally and adopting any new security technology will help improve the security of the account. Some technologies work against you. An email account that automatically logs you in, or a web browser that stores passwords, can undermine all your good work creating secure passwords.

When not to use passwords

Clearly, if you have determined that the site is not secure you should not use it, unless you have no choice, such as for government sites. Any password should be unique to the site.

There is another issue with signing up for accounts. At the time of writing it is common practice for companies to include advertising scripts 17) on all their pages. This is because they are being lazy and using the advertising companies' machines to track your use of their site. Apart from the huge environmental impact this waste has on the world's resources, which we can do nothing about, there is a downside to your privacy. If you are doing anything (good or bad) that could get you into trouble, were it revealed, then consider this: the advertising company knows who you are and that you were using a particular site, and will sell that information on to anyone for a profit. So let's say you were playing with the idea of an affair to make life more interesting. You sign up to an account and this is connected to your profile. I buy that information and post adverts which will appear in your web browser saying 'Dear dating site user. Not getting the results you want? Why not try our premium dating service'. I can make this appear on your tablet or laptop because advertising companies stalk the people that they have details on. Wherever you go they are pasting adverts that companies have paid them to deliver.

So before you use an online service for something you should not, remember Google and its competitors are watching and ready to make a buck out of you.

Types of company to avoid, or at least have a separate account set up for

All of these companies act as a portal which other organizations use to sell through. As a result some of your details are passed on to a third party and you have to rely on their integrity. Your password is not passed on; however, your contact details can be used in a phishing attack and you may give away your password by accident if you are not prepared.

From personal experience eBay is the worst offender. I just received a Phishing email from my eBay account address and this is why I am including the section about Portals. Since eBay is a problem it is wise to ensure your PayPal account uses one email address for processing eBay payments and a different one when emailing you.

All shopping portals suffer from this security flaw, not just the ones listed. In an ideal world you would not give your email address to any company; since this is not practical at the moment 18), you would be wise to use more than one email address. If you do not think you can recognize a phishing attack, do not open an account with shopping portals.


I do not recommend using any of the techniques discussed to produce your passwords. They are to help you find a way of making Passwords that is unique to you and not known to any hacker. I take no responsibility for the consequences if you do use these techniques. I do, however, encourage you to think up ways of mixing up your passwords to make them more unique and harder to guess.

Summary Choosing a good password

  1. Check your password is treated securely once handed over. Ask for It.
  2. Use a password that contains as many distinct parts as possible.
  3. Use a password that is easy to remember, or a password that is easy to recreate if you forget.
  4. Be original.
  5. Complain if your website does not prevent multiple failed logins.
  6. Use two factor identification. Ask for it.
  7. Assume all your personal information is public knowledge; do not use it.
  8. Change your password occasionally, especially if you have been using other people's computers.
  9. Get the website or service to respond to you in a unique way. Ask for it.


3) 2700 financial histories of Barclays Bank customers were either sold or stolen depending on who you believe. Either way the security of the people involved was compromised.
5) 2013 database losses. Note this does not include stolen passwords!
6) Extreme: this could be any type of extreme behavior, financial and political being the worst in that order
7) Rogue organization: meaning an organization that is not acting in your interests; this could be your government, your bank, or your corner shop as well as foreign organizations.
8) for more on the stupidity of this argument.
10) for a more reasoned legal point of view.
11) Unbelievably the USA's Domestic Surveillance Directorate used “If you have nothing to hide, you have nothing to fear” as its slogan, at the time of writing.
12) image taken 11 Feb 2014
16) Google and many other US tech giants have been implicated in the Snowden revelations and so it may be wise not to use Google Authenticator as governments and anyone else prepared to put the effort in may already have a way to bypass it.
17) Google may have a script from or GoogleAdSyndication on the sign up page or they may be part of the sign up process. I had to set up a Twitter account today and they follow this practice, which means Google knows who twitter's whole user base is, good thing we all trust Google? In all cases it is trivial for the advertising company to identify the page as an account sign up page and collect your new interests for later resale.
18) With the advent of crypto-currencies it is possible to hide your personal details, email and address from the retailer. At the time of writing, however, I do not know of an implementation of this.
