Thursday, January 12, 2012

Easy ways to make and remember secure passwords

OK, so you're one of those people who uses something like "dogdog", "qwerty", "password", or part of your name for your password, and you use it for absolutely every site you log into.  And nothing bad has ever happened (at least that you know of), right?  Well, you're playing with fire, folks, and it's just a matter of time.  Thanks to some new ideas about password security, it's not all that hard to make secure yet memorable passwords.

You may have heard advice like this:  "In order to be truly secure, your password should resemble random gibberish and be very long."  Well, that is true, but the problem is that we can't realistically remember a random gibberish password like "Jd5=-Wds1`XC[iu".  And then, to complicate things, we need to use a different password at every web site (also true).

As it turns out, the length of a password is much more important than its complexity.  If you want to truly understand this, there is an article at Gibson Research (grc.com) that explains why.  You have to skip about two thirds of the way down to get to the relevant portion (it's here: http://www.grc.com/sn/sn-303.htm), so to save you time, here's a quote from Steve Gibson:
"The problem has always been that we've assumed that user-friendly passwords, things we could remember, were probably also weak. And what I hit on is that's not necessarily true. What matters when, as soon as the attacker has exhausted all of his lists, common password lists, maybe site-specific likely passwords based on the site they're trying to hack, or the specific user. You don't want to use your own name as a password because that might be your username also, so it might be that the bad guy knows something about you. Then they'll fall back to dictionaries. Then maybe dictionaries with a digit tacked on the end because we know now that some password policies require at least one digit.

So users who don't really, I don't know what it is, they don't think it's ever going to happen to them, or they're just trying to create a throwaway login because they want to post a comment on a blog and this dumb site requires them to create an account in order to do so, whatever, they'll just tack a zero on the end, or a one, or whatever their favorite digit is. So the bad guys who want to get in will try those tricks, too. So you can imagine there are things that bad guys could do, attackers, to try to figure out something that the lazy user has done.
When all else fails, when all of that fails, they fall back to the traditional, often spoken of, brute-force attack. Because we understand how it's possible to create every possible password, first you start with A, then B, then C, then D and so forth, up through Z. Then AA, AB, AC, AD and so forth up to AZ. Then BA, BB, BC, BD and so on. So it's possible, given time, to run through every possible password. That's why, in the past, we have chosen passwords that are nonmemorable, these horrors like what you get from the Perfect Passwords page at GRC, because they are just absolutely off the map. They're ultra-high entropy, and there is no way to guess what they are.
So what this means is that the only vulnerability after your password isn't going to be quickly found in a list is the bad guy trying them all. Trying them all, since they don't know how long your password is, and the only feedback they get back is yes, that was a match, or no, that wasn't. One of the most often seen lies told by Hollywood is when the cracker uses some algorithm, and one by one determines what the digits of the combination is."
So what to do?
The simple answer: "padding"
     Add memorable "junk" characters to the beginning and/or middle and/or end of your passwords.  Another way to put it:  for raw, let's call it "crackability", you would be better off with a long password like *(*(*(*(dog--dog  than with very short total gibberish like Jd5=#.

The complex answer:
     Well, it's not quite that easy.  You still have to follow the rule of not using the same password at different sites.  And if someone were to discover one of your passwords, you don't want them to be able to figure out all of them.  So one idea is this:
  1) Have a password that is somewhat random like J3dx5=-
  2) Pad it with some characters of your choosing: zxzxzxJ3dx5=-
  3) Make one or more of the letters an abstraction from the web site's name.
     Example:  the web site address is "mybank.com".  Your rule could be that the 3rd letter in the "gibberish" part of your password is the letter 4 places later in the alphabet than the third letter of the web site address.  The third letter of the web site address in this case is "b", so the 3rd letter of my password would be "f", and my password would be zxzxzxJ3fx5=-
     Instead of a complex base password like the example above, you could do something simple like zxzxzxm.ybaNk .  While this is not easily crackable by brute force, someone looking at the password might easily guess your scheme:  your passwords are zxzxzx plus the web site name with a dot after the first character and the 5th (or second-to-last) letter in caps.
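
The sketch below is an added example, not code from the original post. It counts the candidates an exhaustive search has to try for the two passwords compared above, and applies the rule from step 3 to show how little changes between two sites. The printable-ASCII class sizes, the wrap past "z", and the second site example.org are assumptions.

```python
import string

# Character classes a blind brute-force search must cover (printable ASCII, an assumption).
CLASSES = [string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation + " "]

def alphabet_size(password):
    """Size of the alphabet an exhaustive search needs to reach this password."""
    return sum(len(c) for c in CLASSES if any(ch in c for ch in password))

def search_space(password):
    """Candidates tried when enumerating every length from 1 up to len(password).
    Only meaningful once word lists and dictionaries have failed, as the quote says."""
    n = alphabet_size(password)
    return sum(n ** k for k in range(1, len(password) + 1))

def shift_letter(letter, offset):
    """Move a letter forward in the alphabet, wrapping past 'z' (wrap is an assumption)."""
    return chr((ord(letter.lower()) - ord("a") + offset) % 26 + ord("a"))

def site_password(site, base="J3dx5=-", padding="zxzxzx", position=3, offset=4):
    """Apply the post's rule: character `position` of the base becomes the
    `position`-th letter of the site address shifted `offset` letters forward."""
    letters = [ch for ch in site if ch.isascii() and ch.isalpha()]
    if len(letters) < position:
        raise ValueError("site address has too few letters for this rule")
    derived = shift_letter(letters[position - 1], offset)
    return padding + base[:position - 1] + derived + base[position:]

def differing_positions(a, b):
    """Indexes where two equal-length passwords differ."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]

if __name__ == "__main__":
    for pw in ("Jd5=#", "*(*(*(*(dog--dog"):
        print(f"{pw!r:22} length {len(pw):2}  search space {search_space(pw):.2e}")
    bank = site_password("mybank.com")
    mail = site_password("example.org")   # constructed second site
    # Only one character separates the two passwords, so one leaked password
    # reveals most of every other password built with the same rule.
    print(bank, mail, differing_positions(bank, mail))
```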
