Thursday, June 4, 2009

Good Passwords

I have recently had reason to think about "good" passwords. To begin with, passwords are like keys. And weak passwords are like leaving your keys in the ignition of your car when you are out of it -- before long, it's going to be stolen.

But while there is a lot of talk about strong passwords, I have not heard a really usable way of creating them. And by usable, I mean one that typical computer users will actually use consistently. Of course, this is leading to an algorithm I thought of recently.

First, choose three words. How they are chosen doesn't really matter, as long as they are not ridiculously obvious. I think it would be OK to use a standard theme. As an example, while I have no interest in golf, my uncle loves it. So that will be the theme, and for my first password, I will pick:

  • plaid, birdie, sand

Next, pick three numbers. Once these are chosen they will almost never change. The numbers will be substituted for a letter in the words. This could be the third letter of each word or the second from the last. For this example, I will pick the numbers 4-7-4 and the third letter.

Next, choose another letter position that is not the same as the previous one. This gets capitalized (while all the others are lower case). For the example, it will be the last letter.

So now create the password:

  • plaidbirdiesand
  • pl4idbi7diesa4d
  • pl4iDbi7diEsa4D

If the site requires punctuation, simply choose a punctuation mark and insert it between two of the words:

  • pl4iDbi7diE:sa4D

Now all the user has to do is remember the three words, which are meaningful to only him or her, and should be reasonably easy to remember, even with four or five different passwords. The transformation is the same for every password. So another example is:

  • sliceironcart
  • sl4ceir7nca4t
  • sl4cEir7Nca4T

While this might not be acceptable to super top secret government facilities or financial institutions, it should be sufficient for the majority of people. And it would be a whole lot better than many passwords being used now. If you agree, teach it to everyone you know who uses passwords. Then we can start working on making sure passwords are always encrypted.

Later . . . Jim
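The three-word transformation from the post, implemented as an added example (this is not Jim's code) so each step can be checked against the two examples above. It uses the post's own parameters: digits 4-7-4 replace the third letter of each word, the last letter of each word is capitalized, and an optional punctuation mark goes after the second word.

```python
# Added example: the post's three-word password transformation.
# Defaults follow the post: digit at the third letter (index 2),
# capital at the last letter (index -1), punctuation after word 2.

def transform_word(word, digit, digit_pos=2, cap_pos=-1):
    """Apply the two per-word rules: substitute one digit, capitalise one letter."""
    chars = list(word.lower())
    if not (0 <= digit_pos < len(chars)):
        raise ValueError(f"'{word}' is too short for position {digit_pos}")
    cap_index = cap_pos if cap_pos >= 0 else len(chars) + cap_pos
    if digit_pos == cap_index:
        raise ValueError("digit and capital positions must differ")
    chars[digit_pos] = str(digit)
    chars[cap_index] = chars[cap_index].upper()
    return "".join(chars)


def build_password(words, digits, digit_pos=2, cap_pos=-1, punct="", punct_after=1):
    """Join the transformed words; `punct`, if given, follows word number `punct_after` (0-based)."""
    if len(words) != len(digits):
        raise ValueError("need exactly one digit per word")
    parts = [transform_word(w, d, digit_pos, cap_pos) for w, d in zip(words, digits)]
    if punct:
        parts[punct_after] += punct
    return "".join(parts)


def show_steps(words, digits, digit_pos=2, cap_pos=-1):
    """Return the three intermediate strings the post lists for each example."""
    plain = "".join(w.lower() for w in words)
    with_digits = "".join(
        transform_word(w, d, digit_pos, cap_pos).lower() for w, d in zip(words, digits)
    )
    return [plain, with_digits, build_password(words, digits, digit_pos, cap_pos)]


if __name__ == "__main__":
    # The post's two worked examples (golf theme), plus the punctuation variant.
    for step in show_steps(["plaid", "birdie", "sand"], [4, 7, 4]):
        print(step)
    print(build_password(["plaid", "birdie", "sand"], [4, 7, 4], punct=":"))
    for step in show_steps(["slice", "iron", "cart"], [4, 7, 4]):
        print(step)
```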


Justin said...

This is still too difficult for the common user. The end user is typically a simpleton who even writes down easy passwords like "admin" or "Password1" so they won't forget. I typically tell them to use kids and cars that they have had and capitalize a certain letter or letters - so a Ford driver may choose 2005FocuS, then next password change they might choose one of their children like BillyIs6.

On an amusing note, many end users have chosen something derogatory towards the computer or the IT department as a password, like DellSucks09.

These kinds of passwords are difficult for the brute-force crackers I've used (like THC Hydra), but I'd guess a savvy attacker with an intimate knowledge of his target user may eventually guess these types of passwords.

Mike said...

The way I usually compose a password is to think of a sentence. For example, "George W. Bush was the 43rd President of the United States."
Now, to compose the password, I just use up the letters and numbers, and add in some punctuation here and there. Ex. GWB!wt43PotUS.
Usually my variants are a little stronger than that, but it seems to work out alright, and the passwords are really easy to remember if you know the phrase.
It has one other side benefit of being really easy to change your password too, for those of us in a domain where you can't recycle your passwords, they must be a certain strength, and they change every 30 days.

Jamie said...

The real problem is not remembering, it is to get websites and other password protected programs to allow passwords longer than the standard 6-8 characters.

My 401k fund is protected by a password 6-8 characters in length, so there is no way to make a really secure password, like my normal 20+ character password. With database/disk space being so cheap today, why do websites still stick with a truncated character limit?

Ichabod369 said...

Knowing the proclivity of people to write their passwords down and leave them in conspicuous places for differing reasons, I would suggest something similar but a little easier for these people. Choose your passwords as normal but make them at least 10 characters long and write them down as usual. Your memory isn't that good, right? Now choose 2, 3 or more characters (or symbols if your software allows it) but don't write these down. These are the only ones you need to remember. Now when you need to set your password, use those that you have written down but intersperse your secret characters consistently in the same position with each password. For example place one in the 3rd and last position.
Making it simple like this should encourage people to change their passwords frequently and also their secret symbols. A Cracker must now attempt to break a password at least 12 digits long, a formidable task.


Mike said...

That's why I use arbitrary sentences. They could even be entire paragraphs if you'd like them to be.

Hell, you could even use a search to remember your password, like the first 4 sentences of the Constitution (for those of us in the US anyway).

I do agree with Jamie, however, that the typical application doesn't allow you to store arbitrarily long/complex passwords. One of the things I've found which frustrates me to no end is some applications' complete lack of ability to support punctuation in their passwords, or to only support a subset of punctuation. Hello, what is the purpose of this? I suppose the only way to get around this limitation is to call your application provider and holler at them about their poor support for superior passwords.

But yeah, a really good, arbitrarily long and complex password is easy to come by if you think about it long enough, and it doesn't have to be hard to remember either.

Matt said...

I use keepass, a cross platform password database that stores all of your passwords in an encrypted file.
Linux KeePassX is included in many distributions. Also a USB flash drive and blackberry version.
You need only make one very good password to keep that file protected. Keepass will produce "randomly" generated passwords, which is an easier and faster way to get a good password. You must back this file up...(e-mail it to yourself often) or you could lock yourself out (most places have a way to reset a don't panic).

Ante said...

I suggest you use keepassx or the Windows variant KeePass.
All my passwords are generated with these programs and are usually 16 characters or longer :).

Put the program on a USB stick and the only password you need to know is the one for accessing keepass.

Jim said...

Just get Keypass.
Simple to use.
Portable. Runs from a USB flash drive.

Reteo said...

When it comes to passwords, I generally keep a simple, memorable system. First, pick two words, one that is personal to you, and one that has something to do with the website in question.

pancake google

Then, you capitalize the first letter of each (or the last), and you remove the space between them.


Finally, instead of typing the words themselves, you type the key directly above the letter in question.


If symbols cannot be used, then you can simply use a first letter that does not have a number above the key.

Then, for each site you go to, you pick a different word for the transient part, and the same, or related, word for the personal part.

pancake slashy: )qhdqi3Woqwy6
waffle digger: @qrro3E8tt34
toast facenovel: %9qw5Rqd3h9f3o
flapjack farking: Roq0uqdiRq4i8ht

Because most of the vowels are on the top row of the keyboard, this ensures a good mix of letters and numbers, and using capitals can help with case-sensitive password prompts. Either way, this will counter most brute-force attempts that probably aren't designed with this method in mind.

And all you actually have to remember are the words themselves.
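The "key above the letter" substitution from Reteo's comment, as an added example (not Reteo's code), assuming a standard US QWERTY layout. A capital letter becomes the shifted key above it, which is a symbol for top-row letters and an upper-case letter otherwise, and the four word pairs given in the comment are used to check the mapping.

```python
# Added example: Reteo's "type the key above the letter" scheme on US QWERTY.
# Rows are listed top to bottom; each letter maps to the key in the same column
# of the row above it (assumption: a standard US layout, no keyboard quirks).

ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
SHIFTED_DIGITS = dict(zip("1234567890", "!@#$%^&*()"))

ABOVE = {}
for upper, lower in zip(ROWS, ROWS[1:]):
    for column, letter in enumerate(lower):
        ABOVE[letter] = upper[column]


def shift_up(ch):
    """Return the key directly above `ch`; a capital letter yields the shifted key."""
    key = ABOVE[ch.lower()]
    if ch.isupper():
        return SHIFTED_DIGITS.get(key, key.upper())
    return key


def shifted_word(word, capitalize="first"):
    """Capitalise the first (or last) letter, then move every letter up one row."""
    if capitalize == "first":
        word = word[:1].upper() + word[1:].lower()
    elif capitalize == "last":
        word = word[:-1].lower() + word[-1:].upper()
    else:
        raise ValueError("capitalize must be 'first' or 'last'")
    return "".join(shift_up(ch) for ch in word)


def reteo_password(personal, site, capitalize="first"):
    """Personal word + site word, both transformed, with the space removed."""
    return shifted_word(personal, capitalize) + shifted_word(site, capitalize)


def uses_symbols(personal, site, capitalize="first"):
    """True when a capital lands on a number key, which a symbol-free site would reject."""
    return any(c in SHIFTED_DIGITS.values() for c in reteo_password(personal, site, capitalize))


if __name__ == "__main__":
    # The four pairs from the comment; only "flapjack farking" avoids symbols.
    for personal, site in [("pancake", "slashy"), ("waffle", "digger"),
                           ("toast", "facenovel"), ("flapjack", "farking")]:
        print(personal, site, reteo_password(personal, site), uses_symbols(personal, site))
```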

Smith said...

Hey folks,
Thanks a lot for sharing such nice information on passwords,
How to Choose a Good Password
I know that coming up with a good password can be difficult, so here are some guidelines to use.

* Choose a password that is at least six characters long. This should be long enough to discourage a brute-force attack. Currently, the maximum password length on many Unix systems is eight characters, but if you want to add a few more characters to make it easier to remember, go ahead. Just bear in mind that anything after the eighth character will be ignored (so "abnormalbrain" is the same as "abnormal").
* In general, a good password will have a mix of lower- and upper-case characters, numbers, and punctuation marks, and should be at least 6 characters long. Unfortunately, passwords like this are often hard to remember and result in people writing them down. Do not write your passwords down!
