Password security with short passwords

Question

I know that a long password is a good password. However, some sites require short passwords e.g. exactly 8 characters long.

Under those limitations, what is a good method of creating and memorizing a (relatively) secure password?

Answer 1

With eight characters you're extremely limited.

My advice - forget the memorisation part.

Generate an eight character string using a cryptographically secure pseudo random number generator, using letters (both cases), numbers and symbols. This will give your password 52 bits of entropy, which is the maximum you can achieve using this scheme. The alternative would be to start using unicode characters if these are supported, as a much greater key-space can be achieved. However, entry of these passwords may be difficult depending on the devices used. This would enable you to achieve the 80 bits necessary for a secure password.

Use a password manager to remember the password for you - this can be a memorable password, however make sure that this has enough entropy to make it secure. This is the best way to achieve memorability and security of your passwords, because you only have to remember one password.

For example, the LastPass generator is here. However, make sure your browser supports the Web Cryptography API, otherwise unfortunately this one falls back on current time as seed and uses a standard PRNG. You should be OK with any modern, popular browser.

Answer 2

Honestly "password security with short passwords" is an oxymoron.

On balance, if this is a site/service that you simply must use, I would just make the password as random as you reasonably can, possibly rely on a password manager app to use a random password you can't remember easily, and most importantly make the password different from any other passwords that you use anywhere else.

As long as your sessions are protected with HTTPS, preventing a man-in-the-middle from intercepting your password when you use it, you're probably reasonably safe from a brute force attack against your password agaisnt the website over the Internet. Especially if the site detects multiple failed login attempts in a short time period and impedes (slows down) or blocks further attempts from the same IP address.

But if the credentials database at that site is ever stolen, no 8 character password will hold up for long against a brute force attack.

Answer 3

When a web application limits passwords to short lengths, the user has almost nothing left in his control. The main problem of short passwords is what you already know: password guessing and password cracking.

But you never know: may be the website is hashing your password (How to securely hash passwords?), salting it (How to store salt?), using a pepper (What is the purpose of a Pepper?) or even a combination of all this (Password Hashing add salt + pepper or is salt enough?).

What is left for you as a user is:

1. Check if the web application is running over HTTPS
2. Check if the web application does not store your password in plaintext (all web applications offer the Forgotten password option: execute it and check if you receive your former password in plain text, if that is the case you can almost be sure that they store your password in plaintext, unless the reverse decryption is used, but this scenario is rather rare in web applications)
3. If the above mentioned two points are satisfied and you still like the website in question, and you do not publish within it private information about yourself then combine special, alphanumeric as well as lower and upper case characters to your password