Use a mix of numerals, lower- and upper-case letters, and punctuation marks or symbols. And make it at least 12 characters long.

Article written for the Straits Times published on 15 August 2018.  Reproduced below for easier reading.

As a result of the recent data breach of the SingHealth computer system, the personal particulars of about 1.5 million patients have been stolen. There are signs of a determined attack to get at information on the Prime Minister, and it is unlikely that the hackers are interested in the medical conditions of the other people. Whatever the intention of the hackers, the fact is they are now in possession of the personal data of a big group of Singaporeans.

It is well known to hackers that many people use personal information such as NRIC numbers (in the case of Singaporeans and permanent residents), dates of birth, addresses and telephone numbers for their passwords. Also, the same password is used to access different online systems, portals and accounts. There is no doubt that there will be thousands among the 1.5 million SingHealth patients who do the same thing.

This means the SingPass accounts of these patients, their bank accounts and possibly their office computer systems have been rendered vulnerable to hacking attacks.

It is therefore important that immediate action be taken by these people to change all their passwords if they are based on personal information.

SINGPASS

For Singaporeans, the SingPass accounts are particularly sensitive.

They are used to access important accounts like those in the Central Provident Fund and the Inland Revenue Authority of Singapore, as well as for online services provided by government and quasi-government departments. For these accounts, NRIC numbers are the default identifier for the individuals. Although it is now possible for users to change their SingPass IDs into something of their own choosing, not many have taken advantage of it.

However, of greater assurance that SingPass accounts are well protected is the requirement for two-factor authentication (2FA) for a user to log into his account. Introduced in July 2015, the 2FA system involves the use of a time-sensitive one-time password generated by the system and sent to the user through SMS or the OneKey token issued to him.

A password with 12 characters containing all four character types will take 1.74 centuries for a massive cracking attack at 100 trillion guesses per second to break. For a password with 10 characters, the time taken will be one week.

As of now, the 2FA system is deemed to have raised the security level of online transactions substantially. However, no one can say it is 100 per cent foolproof.

So, it is back to the first line of defence – the log-in password.

COMPONENTS OF A STRONG PASSWORD

A password with 12 characters containing all four character types – numerical digits, lower-case letters, upper-case letters and punctuation marks – makes for a strong password.

It will be one out of a possible 5.46 x 1023 permutations. It will take 1.74 centuries for a massive cracking attack at 100 trillion guesses per second to break it. Offline fast attack at 100 billion guesses per second will take 1,740 centuries to run through the permutations.

For a password with 10 characters, the time taken will be one week and 19.24 years respectively. This means a strong password with more than 12 characters will be a strong defence against hacking.

HOW TO CONSTRUCT STRONG PASSWORDS

The reason people use their personal particulars for their passwords is that this information is well known to them. They do not need to remember something new, especially when they are always reminded not to write down their passwords. Unfortunately, this information is not difficult for hackers to get at these days. Your date of birth, for example, would be vulnerable from the SingHealth data breach.

The crux of the problem is how to create passwords that are strong, yet easy to remember.

Apart from what have been stated above, other common password rules include:

• They must not be numbers and names of persons, roads and places associated with your own personal particulars;
• They must not be a common name or a dictionary word;
• They must be different for different systems, portals and accounts;
• They must not be written down;
• They are changed periodically.

You will see that Rule 4 will make complying with Rule 3 difficult. Most of us will have more than 10 passwords to access the various systems that we have to work with. It will be an immense task to remember them all if they are different from one another.

To solve the problem, we will regard Rule 4 as not forbidding writing down something that can serve as a cue for the password. The cue may be part of the password and by itself will not compromise the password.

This is acceptable if the rest of the password – say, the name of a pet – is strictly secret and exists only in the memory. I will call the latter the constant and the part that can be written down the variable.

Hence this formula for the construction of a password: Password = Constant + Variable

The constant will appear in all the passwords. It is something unforgettable and does not need to be written down. Every one of us will have something of special significance that is strongly etched in our memories. It may be a word that represents the moral principle one upholds, like honesty. Or the name of a grandfather or grandmother or other favourite relative, a favourite flower, hero, pet, cartoon character, the first model of car owned, zodiac/animal sign, or a special date or number.

The variable can be written down and is different for a different password. When changing the password, only this part is changed.

To make sure that we have alphanumeric characters in the password, we make one component consisting of only letters and the other numerals. If special characters are allowed for the password, we can append them to any of the components.

Here is an example of how a password would look like using this method of construction.

For my constant, I use the word “datsun”, it being the first car I owned, something I will never forget. If my variable is 511925, my password will be

DATS%1192%unzz

I follow these rules of application:

• The constant is applied with “DATS “as prefix and “un” as suffix;
• The first and the last digits of the variable (the numeral 5) are substituted by the upper key characters corresponding to them on the standard keyboard (the punctuation mark %);
• Letter “z”, as many as necessary, is added to the end as a padding to make sure that the password has at least 12 characters. (This rule may not be necessary if you always use a number long enough to make the password exceed 12 characters.)

Alternatively, it can be

DTsn5!1925zzzz

if the first and second rules are changed to:

• The constant is placed at the front, all the vowels dropped and the first two letters in upper case;
• The second digit of the variable is substituted by the upper key character corresponding to it on the standard keyboard.

The two ways of applying the constant in the above examples show that there is more than one way to apply the constant.But once you decide on a certain way, you must use only that way at all times.

Sometimes, it is not easy to just simply think of a random number. The number 511925 is actually from the word “easy”. The digits are the positions of the letters in the alphabets.

Lastly, some words of caution.

Although by themselves the variables will not compromise the passwords, some effort must still be made to keep them in a safe place. Perhaps a rule above all rules is that we must not make it easy for the hackers.

There is no doubt that they will get to read this article. Hence, do not simply adopt wholesale the rules of application in the examples above. Devise your own set, think of a different way to insert special characters, set a higher minimum number of characters for your passwords, use a different character for padding or use a number for the constant instead.

Good luck and have fun constructing a strong password!