I see it all the time: users choosing absolutely insane passwords, thinking it will never affect them. Some good examples are listed in passwords that suck by Cyt.

"But.. the word password is a good password!" they scream. "Nobody would ever think to try the word password!" **bzzzzt** wroooooong. (You think I'm kidding. I'm not. There really are some people out there that try to insist on that password.) Or the everlasting favorites, "god" , "master" , "sex" , their first names, last names... the list goes on regarding absolutely insane passwords. Some people justify their pathetic choices by stating "but who wants MY account? Its just a dialup account." Sure, until they use your dialup for something 'not-quite-legal', and the cops come to YOUR door, 'cause its your account. heh.

I remember working a late-shift one time and the female tech working nights came to me with tears of laughter. She said a guy was having problems authenticating - so she asked him what his password was, to verify. He asked to speak to a male tech. She presumed he was trying to bypass her because she was a woman, and told him he would have to talk to her, not someone else. He finally broke down and whispered his password: pussy. hehe. She had to put him on hold she was laughing so hard at his embarassment. (so dont choose passwords you'll be embarassed about later, if you need to call tech support. *grin*). Anyway, back to the issue: Dont choose crazy passes. Besides reading your mail, (and/or SENDING mail in your name, perhaps to the White House? heh), it'll eventually cause all kinds of headaches when your ISP calls and asks why you insist on portscanning secure.fbi.gov over and over. Heheh. Granted, it will be resolved, but its still not worth any sort of hassle: choose a good pass.

Some people choose a pass based on some word they think nobody will guess. Just dont. Please. For your sake.. and your ISP's. heh. Let me suggest something to you before I end this, and I hope you do consider it.

Maybe, right now, your password looks like this:

Password: fluffy (what a Ninja. Name of family cat.) What if you used this instead:
Password: FitnomcSisc

"Oh my God! There is NO way I could remember that second one. The first one is much easier! Fluffy is something I can remember!" .... ah, but can you remember the sentence, "Fluffy is the name of my cat. She is so cute." And therein lies my personal trick in choosing good passwords:

a) Always have some upper and lowercase. b) NEVER use any word in the dictionary. Instead, think of a sentence consisting of at least 8 words, and take the first letters of each word:

Fluffy is the name of my cat. She is so cute ; FitnomcSisc. Quite an improvement over "Fluffy", no? .. and its easy to remember. So next time you're choosing a password, take that into consideration. Make up an easy to remember (for you) sentence, and use the first letters, including capitalization. Enjoy. =)
Do not use a password that consists of only numbers. You may be like, ha! ha! nobody would ever guess this random string of numbers *stupid grin*.

Well guess what, it doesn't take very long at brute force crack an all number password.

At my college for instance the default password for users accounts is your student number. To make a long story short I found a nice way to brute force crack passwords and a 9 digit all number password takes all of 4 seconds to crack on a pentium 2 celeron 500Mhz.

For that matter a password of less than 7 letters/numbers or a combination of both is just stupid. With the computers avaliable to the average computer user a 6 character password is probably the most they could hope to crack on their own in a reasonable period of time, under 2-4 months.

To make your password insanely hard to crack use punctuation, numbers and letters in combination. Do not put numbers on the end of an english word, not a good idea. Most brute force or dictionary attacks will try sticking the numbers 1-99 on the end of words to catch things like omega1 or dogfeet2.

Of the best suggestions above is hamster bong's. I was the one who introduced her to it and it is a fairly safe system. The longer the password and more possible characters that could be used in it, the longer it takes to crack your password.

The relationship between the length of your password and time it takes to crack is an exponential one. With numbers it's small like (number of digits in password)^10(possible digits 0-9), not to difficult for todays computers. Add the alphabet and punctuation and it gets huge, stick in and extended ascii character and it gets even more difficult to crack.

Well I hope this helps.

This little utility will give you an idea of how long your password would take to crack.

Note: My celeron 500mhz does about 96,000 pw/sec.
http://www.soft4you.com/vitas/pswcalc.htm
Also Note: this password calculator thing isn't entirely accurate but you can get a ball park figure from it.

The best way of creating and hiding a password I have thought of so far:

  1. Take a book. Not just any book, but a book you actually own and will own until the end of your days. Like Lord of the Rings.
  2. Install some PGP software like GnuPG on your home-computer.
  3. Now open the book on a totally random page. You will find many sentences there.
  4. Close your eyes and use your finger to select a word.
  5. There are some words surrounding the word you chose. Remember these words, or go back to step 3 if they are too hard to remember.
  6. Take the ISBN number from the book and write it down. Also write down the number of the line you picked, the start of the first word and how many words you used. Be careful not give any indication that you are talking about a book!
  7. Now generate a key-pair with your PGP software. Use the words you obtained before as a passphrase.
  8. Take out your wallet. Pick a few random credit-cards, bank-cards, or passports.
  9. These will have numbers and characters on them. Pick a few numbers and characters from each card and write them down. Open a text file on you computer and think of some cryptic way to tell yourself which numbers you picked. (e.g. MC: 3-5,8 to indicate the third, fourth, fifth and eigth number on your Mastercard.)
  10. Now encrypt this file to yourself, and destroy the original
  11. Use the sequence of numbers and characters you wrote down as your password. Now burn the paper.
  12. Strap the piece of paper you wrote down the ISBN number for the book and all somewhere no one would look (except you, of course).

You are done. Now what if you forget the password?
No problem. Find the paper you wrote the ISBN number, line number, and word number on. Find the corresponding book. Find the words. Decrypt the file on your harddrive. Take out your wallet. Reassemble your password.

Make sure you chmod the encrypted file and your secret key properly!

Choose one or more from each of the following:

  • Uppercase letters
  • Lowercase letters
  • Numbers
  • Special Characters ! " £ $ % ^ & ( ) _ + etc etc

Don't choose:

  • blank passwords. You'd be surprised how many people do this.
  • Substituting vowels with numbers: p4ssw0rd. This is in most password crackers
  • 1337 speak - password crackers have this as well
  • Passwords less than 7 characters long.
  • Birthdays, names or initials of loved ones.
chinoodle's guide to creating a surprisingly secure password:

Firstly, you need to find a scrap of paper which doesn't have anything important written on it. This is crucial, as you'll be burning it later on.

Now, book yourself into a Past Life Regression therapy clinic. Explore your past lives, and choose one (not the one you feel inexplicably drawn to). Focus on that life, and find the street name on which you (as them .. ) were born. Now reverse it. Write down the resultant string of letters on your scrap of paper. If you never had a home in any of your past lives, and were always born a homeless scrounger, your god is trying to tell you something and you should probably just hang yourself in shame.

Onto the next step. Ask the Past Life therapist to put you in touch with a strange old voodoo woman. Visit her, and ask her to put a curse on someone you don't like (choosing a member of your family might be self fulfilling - see later). The 'curse' will involve plenty of weird shit, but make sure you note the number of crow's beaks she uses.

Now you have two parts. For the third part of the password, win the lottery. It's very important that you win the jackpot for this. When you get your winners cheque, note down the tiny reference number in the bottom corner. It should have plenty of letters and numbers. Make sure you use the real cheque, and not the novelty giant one they use for the presentation.

You should by now have a reasonable length alphanumeric string written down on your scrap of paper.

The next stage is more tricky. You need a member of your family (you should have plenty to hand after winning the lottery), a stopwatch, and a very tall building (15 stories or more). Use the promise of free money to lure one family member onto the roof of your chosen building, and throw them off. Take out the stopwatch and start the counter from the exact moment they hit the ground. Keep counting the seconds until the first police officer arrives on the scene (if they land on a police officer, make yourself scarce and try again later). Note down this time, and also the time taken from the first police officer arriving on the scene, to the moment they find and arrest you (you are allowed to move through the building to lengthen this period).

And now the final step. The first time you meet your lawyer (he should be a very expensive one considering your lottery win) deck him. Then remember the name of the first police officer who jumps on you to restrain you.

Write all these text and number strings down on your scrap of paper, and lo! You have your new password. This password is guaranteed to be fully secure.

Your last act as a free man should of course be to burn the scrap of paper.
Are you afraid that your current use 5 passwords around various sites on the net and on your computer are not enough? Computer security analysts recommend using a minimum of 10 different passwords, with a maximum of 3 re-uses of each password! You're in luck because I've spent the last 5 years researching this and I've found your next 5 passwords (case sensitive, each is 8 characters long and created for maximum memorability!):

  • iLiKEIKe
  • tYson8bt
  • 3p141I59
  • kraq1337
  • KARLmarx
Now I've been to every single security convention ever organized, and I've gotten positive feedback on of each of these passwords! I asked over 100 savy Defcon specialists what they thought of these fabulous passwords and they all thought they were marvelously crafted for memorability and hard-to-crackness. Here is what some of them had to say:

  • "These beat the hell out of 'drowssap' and 'mypass' that I've seen used."
  • "And all this time I've been using variations of my dog's name! You are my god!"
  • "Wow! My old password was just my birthday plus "hot"! I'll start using yours though! Thanks "
  • "Genius. Pure genius."
As you can see, these passwords are obviously for those geared toward hard-core privacy and security. If you're interested in using one or all of my passwords, contact me with your name, e-mail addy, and the site(s) you will be using my password(s) on.

You're welcome.

An actually good technique for creating passwords that are easy to remember and hard to guess: think of a memorable phrase, like "have fun storming the castle". Now take the first letter from each word. Mix the case in a way that you can remember (alternate letters, e.g.). Now add your favorite number (2-3 digits) to the beginning or the end. That's it.

If you have multiple accounts, assign a different number to each one. Change out the letter stream once a month, but keep the number assignments the same. Then you'll never forget the password to a given account.

The best method I've found for choosing obscure passwords is to take the initial letters of a phrase that's easy to remember.

Password crackers like John The Ripper have a hard time cracking these by brute force.

For example:

InsamesmCW

is a stone bitch to remember, even if you saw me type it over my shoulder, but I know it stands for:

I've never seen a man eat so many Chicken Wings

Even if you could read the surface of my mind, all you'd get would be an indication my unhealthy South Park fixation.

Had a problem comming up with strong passwords for a long time -- it was nearly impossible for me to think of a password that conformed to the requirements of whatever system I was using ('must contain a number', 'must be mixed case', etc). The best way, in a pinch, I found is to use serial numbers and product codes.

They're usually very random, many are mixed case and have good lot of numericals in them. for example, I have a box of candies next to me, and the weight measurment is "NET WT 2OZ 60g", and my changing that a bit you get "WT2OZ60g", which is a mighty fine and mighty strong password. Just make sure you don't copy them verbatim -- change a character or two, just to be on the safe side.

Semprini's password generator is insecure and should not be used. The first thing a cracker will try is a dictionary attack to guess passwords. My /usr/dict/words file has 45402 words in it, but only 536 three-letter words. Semprini's password generator program is using less than 1.2% of the possible words, thus reducing the search space required of a cracker. The program adds one of thirty randomly chosen characters to the end of each three-letter word. This might seem to make the passwords unguessable, but let's analyse the size of the search space:

Random Printable ASCII characters between "!" and "~": There are 94 characters in this range. If a password is eight characters long, chosen randomly from this set of characters, there would be 94^8 combinations, or 6095689385410816 different passwords.

Using Semprini's algorithm, there are: 536^2 * 30^2 = 258566400 different passwords. The search space for a brute force crack is more than 20 million times smaller.

Suppose a brute force attack could try ten passwords per second. Using Semprini's scheme, it would take less than ten months to crack a password in the worst case. Using random printable ASCII characters, it would take almost 20 million years.

The first thing to realize in selecting a good password is how password cracking works. At the core of any password cracker is a dictionary and a set of rules.
Dictionary files
Dictionaries range from the small (the one that comes with Linux at 45407 words) to large (ok, so a a guy I worked with wore a gray hat (it used to be very dark gray) and liked to assemble large dictionary files - 111284 words). I am certain there are larger ones out there.

Macro rules
The macro rules for crack are probably the best known and most common. The operations available to crack include

The classic first rule for crack is '!?Al' which translates to 'not-contain non-alpha, lowercase', or in English 'force every pure alphabetic word lowercase'. Crack will then go on to try words of length greater than 2 that don't contain non-alpha characters and pluralize them. It also tries tacking on a single digit and punctation.

Very often, people change letters in passwords with well known substitutions. Within the crack rule-set these are written '>2/asa4l', which means 'Take a word longer than two letters that contains "a", substitute "a" for "4" and force lowercase. The list of standard substations:

  • a / 2
  • a / 4
  • e / 3
  • h / 4
  • i / 1
  • l / 1
  • o / 0
  • s / $
Realize that 'password' is a bad password, as is 'pa$$word' and 'p4$$w0rd'. Don't do this - you will be sorry.

Another simple rule would be '@?vl' - purge all vowels and lowercase the word. 'psswrd' is not a good password either.

Crack, for all its power is a rather old program and has a 'flaw' in that it only looks at single words. There are other password crackers that are probably more powerful than crack and have a more expressive rule-set language. Unfortunately the rule-sets of these are kept hidden from the browsing sysadmin - probably so that he or she can't adjust the anti-crack rules to account for it. Still, you can get a fairly good idea of what can be done in the password cracker by looking at its language.

One of the docs for a password cracking program that I have found will do multi-word cracks separated by some character. It also has the possibility of working from the language itself and attacking non-sense passwords made up of pronounceable syllables.

Often system administrators try to write rules about how a password is to be created. The unfortunate side effect of these rules that if they are known to the attacker, they reduce the search space that the program needs to attack dramatically.

True story: One of the labs I know of had a rules 'the password may not be a dictionary word or contain a dictionary word'. What does that mean to the cracker?

  • 'a' is a dictionary word - the password may not contain an 'a'.
  • 'i' is a dictionary word - the password may not contain an 'i'.
  • There are 49 two character words in the standard Linux dictionary (and 164 in that larger one I happen to have). The password may not contain the pattern 'in', 'to', 'pi', etc...
Taking this into account, we have now drastically reduced the search space necessary. Even rules such as "Your password must be at least this secure to ride the internet Your password must be at least 4 characters long" reduce the search space - '>4/asa4l' has to search fewer words than '>2/asa4l'.

Other times, programs create passwords that look like vaguely pronounceable line noise. VMS has this capability as part of the basic password system (note: one of the meanest things a VMS admin can do is to set a users password to: expires once used, password must system selected, min length 32 characters, max length 32 characters, require a second password with same restrictions). The difficulty with this is that once the rules are known of how to generate passwords, it becomes trivial to search that space.

We are given an example above of how to generate such a password.

  1. Select 2 unique random 3 character words from the dictionary
  2. Select 2 unique random characters from a character set
  3. password = word1 + char1 + word2 + char2
Using the larger dictionary: 1038 words (lets call it 1024) and a character set of 30 (lets call it 32), the size of the possible words is: 1024 * 32 * 1023 * 31. This is (only) 1,039,171,584. The smaller dictionary is a measly 284,465,920 possible passwords.

A quick benchmark of crypt in perl (slow by comparison to optimized C programs and crawling compared to hardware designed for encryption) shows that 2000 crypts of different passwords can be done and printed in 1 second on my system (a three year Pentium II). To attack a password known to be in the smaller search space would only take a day and a half. The larger search space would take about a week. Scale this up to a nice alpha or MIPS R10k and the password might as well be stored in clear text in the password file.

Another suggested piece of code (by comp.sci in choosing a password) to generate passwords selects four consonant vowel pairs and concatenates them. Frankly, this is worse than the above example having only 21^4 * 5^4 (121,550,625) possible combinations - the brute force search space for this is less than a day.

So how should I pick my password?
Take a sentence - for example "So how should I pick my password?" - and convert it into letters of mixed case and symbols. One possible transformation on this sentence would be "Shs1pmP?". Because this password is not based upon a dictionary word or combinations of a small number of dictionary words it is fairly much immune to an intelligent brute force attack that is based off of a dictionary. It is also easy to remember - it is a sentence that you came up with. Do not use this password - it has been printed somewhere as an example now and that would be a 'Bad Thing'.

Bruce Schneier has estimated that in two to five years time, computer hardware will be powerful enough to search through the keyspace of an 8-character password (such as that used by Linux) within an acceptable amount of time.

This is why programs such as GPG, PGP etc. now have a space for a passphrase. While this could be a sentence, this again may be vulnerable to dictionary attacks from determined attackers.

Of course, remembering a whole sentence of line-noise may be tricky for those of us who aren't uber-geeks. How does "WA1d!nT04"W<N^w15#h0v>1db@pdi4%b+-4d0tt?" strike you?

The decreasing levels of protection normal passwords provide is one of the driving factors in research such as biometrics.

The important thing to remember is that even if you keep your password in your head, anyone with read access to either /etc/passwd1 or the SAM files in which WinNT/2000 keeps the hashed/salted passwords will, if determined enough, eventually gain access to those passwords. Which is why our sysadmin measures his passwords in the time it takes for them to be broken. Eight hour passwords are considered generally acceptable for normal users.

1: Or /etc/shadow, depending.

A "good password" depends on what you want it to be good for. If you want it to be good in terms of "I will never forget this password, even when I've not logged into this system for four years" then a password you'll always remember is just the ticket.

I have a few standard passwords that I re-use from machine to machine. If I find myself in front of a system I've not used for a long time and wonder what my password was, I invariably try the two or three standard passwords I reserve for these occasions.

Of course, password aging defeats this approach. Which is another point entirely. Data is only as secure as the system on which it resides. The best password in the world won't protect your data if the system on which it is stored is a UNIX machine with no root password set, to use an extreme example.

Did you know that the most common password that people choose is "password"? The problem these days is that every website under the sun wants you to log in, and requires a password. I don't know about you, but remembering twenty password mnemonics is beyond my limit.

Ideally, a password should be easy to remember for you, impossible to guess for anyone else, and impossible to discover by trial and error by the fastest computer to be invented in the next fifty years.

For most of us, these three requirements are not consistant, and a compromise is necessary. A password that you need to write down is much less secure than a shorter and simpler one you can and do remember. For most purposes, a random sounding sentence which doesn't relate to your personal life, such as ohgeewhizasaladbar is secure enough. After that, you should concentrate on other precautions, such as never typing it when people are watching, never telling anyone you shouldn't, never writing it down, and not storing it on any medium not as secure as the computer it protects. As a general rule more passwords are compromised by the above methods than by any other.

How long of a password do you need to be safe?

Say you start with a typical password of six characters. When you enter this into your computer's authentication mechanism, it is hashed and stored in a database. The hash, a fixed-sized string derived from some arbitrarily long string of text, is generated by a formula in such a way that it is extremely unlikely that other texts will produce the same hash value--unlikely, but not impossible.

Because passwords are not arbitrarily long--they are generally 4 to 12 characters--this reduces the search space should someone else try to find a matching hash to that of your password's. In other words, an attacker's password-cracking program does not need to calculate every possible combination of six-character passwords. It only needs to find a hash of a six-character ASCII-printable password that matches the hash stored in the password file or sniffed off the network.

Because an attacker cannot try to guess passwords at a high rate through the standard user interface (the time to enter them is prohibitive, and most systems can be configured to lock out the user out after consecutive wrong attempts), one may assume that the attacker will get them either by capturing the system password file or by sniffing the network segment.

Each character in a password is a byte. Printable ASCII characters are in codes 32 through 126. ASCII codes 0-31 and 127 are unprintable characters, and 128–255 are special ALT-characters that are not generally used for passwords. This leaves 95 printable ASCII characters.

If there are 95 possible choices for each of the six password characters, this makes the password space 95^6 = 735,091,890,625 combinations.

Modern computers are capable of making more than 10 billion calculations per second. It has been conjectured that agencies such as the NSA have password-cracking machines (or several machines working in parallel) that could hash and check passwords at a rate of 1 billion per second.

How fast, then, could an attacker check every possible combination of six-character passwords? 735,091,890,625/1,000,000,000 = about 12 minutes (See table below).

Mind you, this is the time needed to brute force every possible combination of passwords. In reality, password crackers first use dictionary and hybrid attacks before resorting to brute force. Thus, if your password is weak (i.e., easily guessed and not sufficiently random), the time to crack it will be much shorter.

What if the system forces users to have a seven-character password? Then it would take an attacker 19 hours to brute force every possible password. Many Windows networks fall under this category due to backward compatibility issues. Passwords on these systems cannot be much stronger than seven characters. Thus, it can be assumed that every password sent on a Windows system using LAN Manager can be cracked within a day.

What if the system enforces eight-character passwords? Then it would take 77 days to brute force them all. If a system's standard policy is to require users to change passwords every 90 days, this may not be sufficient.

It looks like nowadays, you need at least a nine-character password (which is not easily guessed or social engineered) to be "safe." This is at the upper limit of normal human memory, according to Miller's magic rule of "seven, plus or minus two".

Help desk, better get ready for more password reset calls!

Table of password-cracking times*

#Chars       #Combinations                   Time to crack (hrs)

0                1                                        0.0

1                95                                      0.0

2                9025                                  0.0

3                857375                              0.0

4                81450625                          0.0

5                7737809375                      0.0

6                735091890625                  0.2

7                69833729609375              19.4

8                6634204312890620          1842.8

9                6.E+17                               2.E+05

10              6.E+19                               2.E+07

11              6.E+21                               2.E+09

12              5.E+23                               2.E+11

13              5.E+25                               1.E+13

14              5.E+27                               1.E+15

15              5.E+29                               1.E+17

16              4.E+31                               1.E+19

 

*Assuming 1 billion hash and check operations per second

Keyboard Vector Passwords

It's commonly accepted that the use of random strings including special characters makes for a pretty strong computer password. There is a nearly-infinite variety of algorithms you can use to generate these passwords, most involving a step of obfuscation like 1337 speak or remembering a mnemonic. One weakness inherent in these passwords is that the obfuscation technique or mnemonic can be difficult to remember, and so the resulting password is often written down (ironically, because it appears to be gibberish, it calls more attention to itself as a potential password). On systems requiring frequent password changes, even the best password creation techniques can come up dry after six or seven cycles. Below, I present a method for the easy creation of passwords that can be remembered as vectors. For those users of secure systems who have good spatial skills but poor language skills, this technique can be a lifesaver.

Take a look at your keyboard. Unless you've got a really bizarre one, the keys are in five or six major rows, and because of their slight horizontal offsets, the columns are slanted. For example, after those dark gray keys on the left, you could call the keys 1, Q, A, and Z a column. You could also call 7, Y, G, and V a column. On their own, these columns each look like gibberish, and when you combine them, you get 1qaz7ygv, a pretty nice password. Need it to be stronger? Hold down SHIFT while you type the first column. Now you've got !QAZ7ygv, which almost certainly doesn't appear in any dictionaries.

There are two strengths to this system that set it apart from other password generation methods. First, if the user is not in front of a keyboard, the user will be hard-pressed to write down the password. Because the user will never see it written in plaintext, the user may not even recognize his password if asked to choose it from a list! This is a minor strength, mostly for systems where a user might be placed under duress. The other benefit of this system is that it allows for a password to be "rotated" when it expires. After ninety days, the user simply holds down SHIFT for the other half of the password, and the above password becomes 1qaz&YGV. Ninety days later, switch the first and last columns, and get &YGV1qaz. Ninety days later, travel up the keyboard, and get ZAQ!vgy7. Ninety days later, shift every character to the right: @WSX8uhb. The user has only to remember which two characters are the basis of the password, whether by name ("one-shift-seven") or by visual position.

This method comes with one large weakness. If the limited version I propose above becomes widespread, it could conceivably be cracked by adding the 38 four-character "vectors" from a standard QWERTY keyboard to a dictionary file as "words". If one assumes that a user is using only this method to create passwords, and holding down SHIFT in only whole-vector increments, then the search space is trivially small (5776 possible passwords) and can be cracked easily.

Luckily, key vectors don't need to be straight lines of four characters. Variations that reduce the weakness of my four-character vectors include chess moves (particularly the knight's tour) or other non-random walks around the keyboard. A chess buff like gitm might decide to encode the first four moves of The Immortal Game, The Ruy Lopez, or The French Defense into this method, placing his rook (a1) at "Z" and his opponent's (a8) at "1". Further, to add special characters and mixed caps, he might hold down SHIFT to signify picking up a piece. An opening pawn move (e4 ... e6) would then be "F4" (white's fourth pawn moves forward two squares) followed by "Rv" (black's pawn in the same file moves forward one). To rotate such a password, the player could simply play the next sequence of moves every ninety days. Because good chess players have excellent spatial memories, it is not impossible that some of them already use a similar technique.

Using the vector method above creates memorable passwords that appear random and are unconnected to the language. By adding vectors other than the trivially simple ones, pseudo-random passwords can be created that defy dictionary attacks and forestall brute force attacks. Further, the ease with which vector passwords can be rotated can help increase user compliance for password policies requiring frequent changes.

While they are now universally employed, passwords are a fundamentally weak form of security. Supposedly, we are all meant to have different passwords for every site, so that one database being compromised by an external hacker or malicious insider won't lead to our email and other sites being at risk. Also, we are supposed to use long and complex passwords with case-changes, numbers, punctuation, etc. (Think 'e4!Xy59NoI2') Together, these two requirements far exceed the capability of most human beings.

The real solution is to back up passwords with something else, so that they don't need to be so strong. This is called two-factor authentication, and it could include something like a smart card that people carry and slot into computers along with a password so as to authenticate themselves. This is already used in cars. Inside the key or newer cars is a little chip with a radio antenna. When you try to use the key to start the car, a radio message is broadcast by the car. The chip detects it, does a bit of thinking to generate a response that authenticates the key, and re-broadcasts it. Using both the physical profile of the key and the radio challenge-response authentication system, attacks based on picking locks or freezing and cracking the cylinder inside them can be circumvented. The system obviously isn't impossible to foil, but it is substantially more difficult in relation to the additional cost.

In the computer context, such two-factor authentication could take other forms: for instance, a little card that listens to a series of tones from an external source (over the phone, or from a computer), passes them through an algorithm and emits a series of tones in response to authenticate. This is just doing with audio what a smart card does with electricity. Ideally, the second factor would be like a credit card, in that you could have it cancelled and re-issued in the event that it is lost or stolen, immediately disabling the missing unit.

Until such a system emerges, it seems sensible to have tiers of passwords. I have two really weak passwords for things that I sometimes share with close friends. Then, I have a password for low-risk sites where there is no real harm that can come from my account being compromised. Then, I have a cascade of ever-stronger passwords. Something like LiveJournal has a pretty strong password, because it would be a pain if somebody took it over. The general vulnerabilities of passwords are:

  1. Someone could guess it (either manually or with a brute force attack)
  2. Someone could watch you type it in
  3. Someone could install a hardware or software keystroke logger on a machine where you enter it
  4. Someone could break into a database that contains it, then try using it on other sites you use
  5. Someone could extract it from a program on your computer that stores them in an insecure way (like Windows screen-saver passwords, which can be learned using a simple program)

Most of these require physical access to a machine that you use. I would guess that the most common of these is number four. Given that most people use the same password for everything, some underhanded employee at your ISP or webmail provider could probably grab it pretty easily, as well as information on other sites you use. (Hashing algorithms are one way this risk can be mitigated, on the server side, but that's a node for another day).

At the top level, there are things that demand a really strong password: for instance, webmaster control accounts or anything connected to money. For these, I use random alphanumeric strings of the maximum permitted length, never re-using one and changing them every month or so.

Obviously, I cannot remember these for several banks and websites. As such, I write them down and guard them. I am much better at guarding little bits of paper than at remembering random strings of data. I regularly carry around little bits of paper worth tens of Pounds, and little bits of plastic worth thousands of Pounds, if only until disabled. Indeed, I have been guarding bits of paper for well over a decade.

When you pick a password, even using the fairly secure means above, you are unlikely to have an even character distribution. That is, some characters will be much less likely than others. To give some perspective, there are 26 lowercase alphas, the same uppercase, 10 numerical digits, 32 punctuation marks, and the space. How much punctuation do you generally put in your passwords? Especially the obscure punctuation like '{' or '\' or '~', or '"' will be used rarely. So, it seems reasonable that many of the brute-force attacks will avoid such characters because they are so uncommon even in non-dictionary passwords. If you use these less common characters, it will take longer for them to find your password.

If you use them in proper proportion, the search space crackers must cover widens up a great deal (it increases the base of the exponent by a substantial factor, and this is taken to the power of around 8... a noticeable improvement!). As pointed out above, if an administrator requires passwords to be very close to even, that would shrink the search space down again (though if done with a reasonable degree of leeway, it would be excluding a very small fraction of search space in doing so); but here I'm talking about actual passwords that you pick. There are several ways to do devise a suitably punctuation-laden password:

Remembering the punctuation

If you are using an abbreviated phrase, pick one which includes punctuation, or words that can be concisely represented as symbols. Try to use this to get reasonably close to proportional representation of characters:

  • Invention is ninety-nine percent perspiration, one percent inspiration
    I=n-n%P,o%I
    Note the non-usage of 99% literally, which would be too attractive to a dictionary, and the capitalization of nouns. Having capitals that are not the first character helps.
  • Sir, at long last: do you have no dignity?
    S,@ll:dyh0D?
    zero for 'no'. Including a trailing end-mark is debatable. This one is a little short on capital letters and numbers, but it's doing okay on punctuation. Do not be afraid of the double letter.

To aid in this, it may help to think of some word mappings to punctuation. If you play roguelike games (e.g. nethack, adom), punctuation already has lots of additional meaning for you, but these meanings are not optimized for constructing meaningful phrases. More useful would be a shorthand created for this purpose:

  • @ I, me (borrowed from said games)
  • ? question, ask, debate, thought...
  • ! aha! surprised, realized, resolved, fought
  • * star; words associated with 'Star' as a tarot card
  • ~ 'well' or any other ambivalence
  • # sharp, hash, textile, pound
  • ` grave (this is the grave accent)
  • etc.

If you have a hard time remembering your entries as a mapping from character to concept, don't worry; you'll mainly be doing the reverse, easier mapping. That is, though any character could have many ideas it stands for, there are not so many characters an idea could be represented by.

Key Shifting

If your pass phrase does not have many numbers or punctuation marks in it, you can shuffle the keyboard around somehow. This would be pathetic encryption on a message, but as a method to expand the search space of passwords, it works admirably. How could you shuffle the keyboard?

  • Push everything three keys to the right. 'a' becomes 'f', but more importantly 'p' becomes '\'.
  • Roll the keyboard up-left or up-right one.This is easiest for those who can touch-type; just use 'qwer' and 'uiop' as your home row. This gives a lot of numbers and the number-based punctuation.
  • Roll the keyboard one more every character. 'asdfgh' would become 'aw3vgy'. This is not so easy.
  • Reflect the keyboard. That is, look at the space between y, u, h, and j on a standard qwerty. Reflect your character across this point. 'z' becomes '=' and 'x' becomes '-'; 'm' becomes '6'. This may be a bit of a pain in the neck, but it does hit a lot of the more obscure characters. So, it is usable for passwords that are both important and do not need to be entered often.

Shifts

You should have about half your password typed with the shift key down. Doesn't matter whether it's a letter or not. Alternating isn't particularly strong, but it's better than nothing. You could instead follow the stress of the phrase, or capitalize the nouns as I suggested. This should come naturally to German speakers.

Really long passwords

If the maximum number of characters in the password is large, use your room! You can deal with a small character set and even sticking with proper english words if you use enough of them. If you use a complete sentence, it'll mean something, which will help keep it memorable. Just don't pick famous sentences for this.

I have a technique for making passwords.... I'll share it here in part because I actually kinda deviated from it in making my password for E2, but in general it works well -- least ways, I've never had a problem. It will sound complicated, but if you use the method regularly, it'll just get incorporated into your thinking and remembering your passwords with no difficulty.

Now here's the starter advice. You should never use the same password for two different websites. You don't know who from Microsoft can access your Hotmail password, or what Facebook employee can see your password there, or who has that privilege on any random forum to which you might post. That doesn't mean that you have to come up with something completely novel for every website either -- instead, you'll need a basename, an algorithm, and a formula to bind them.

The basename will be a set of 6 to 8 letters and numbers that is a constant. Do NOT just throw the numbers at the end, that's what people trying to hack your stuff will look for. Do NOT use a word that relates to something close to you -- your pets name, your mother's maiden name, the street you grew up on. Don't even pick the word consciously, because even your tendencies can be hacked by a clever enough social engineer.

Here's what you do. Pick a book off of your bookshelf, doesn't matter which. Flip it open to a random page and put your finger on that page in an equally random way. Whatever word you're pointing at, scoot over to the nearest 4-5 letter word. Doesn't matter what it is, you own that word now. That's part of your basename -- but words are easy even if they are random, so make it NOT a word. Spell it in reverse, then mix it up a bit more. I just did this and the word I picked was merit, so I'm flipping that to tirem and then, just to make it even less wordlike, I'm pretty much randomly moving the first letter to the next-to-last position: iretm. Nothing I have ever told anyone about myself, posted on the Internet, or discoverable through any public document, connects that string of letters to me.

Now we add numbers, and we scatter them inside the word. Any two numbers will do, so long as you do NOT use a sequence in your birthdate. I just picked 56 at random, and the thing to do is insert these numbers in random positions in your string of letters: i5re6tm. Now, you're not done yet, but getting close. Pick two more random positions and add blank spaces there, these will code the specific website the password is for. So now I have i5_re_6tm. The underscores are not part of the code, they just stand for something that will be stuck in there, namely an algorithm for the website to which this particular password applies.

Take Everything2, for example, if I want to use this as my password for E2 then I'll be substituting a shifted E and a shifted 2 in those spaces. Shifted how? One or two letters up or down is the easiest, and since the exact letters won't be in the blanks, an outsider looking at your password will have no starting point for figuring out that you are using a pattern at all, much less what the pattern is. I'll downshift by two (I think downshifting is less intuitive than upshifting), and E2 becomes C0, so my password for this site under this construction would be i5cre06tm.

Seems like it would be hard to remember, but once you start using variations of that for every website, all you need to remember is i5_re_6tm, and that you are downshifting your website identifiers by two. G-mail will be i5erek6tm (e and l substituted for g and m). If you still have fears of someone figuring it out, do the website identifiers backwards (i5kree6tm).... If the website is just one word, use the first two letters (so Google = go = em = i5erem6tm; IBM = ib = gz = i5grez6tm; Mac = ma = ky = i5krey6tm.

That's all there is to it; now go forth and get thine passwords hacked no more.

Log in or registerto write something here or to contact authors.