Sunday, March 26, 2006

Building a better password

You're supposed to have a different password for everything and never write any of them down. Yeah, right. With all the websites, bank accounts, and computer programs we use these days, you'd have to be a savant. If you do write them down, don't write down everything: jot an abbreviation for the site and the password, but leave out your username, since you can remember that. Better still, write a code word or hint that reminds you of the password but that nobody else can work out. If you'd rather not consult a list all the time, use two passwords: one for sites that don't need real security, like a newspaper or a forum, and a separate one for anything involving your money or sensitive information. Just never type the money password into one of the low-security sites, because a break-in there hands it straight to whoever did the breaking.

Passwords don't have to be stolen to be compromised; they can also be cracked, by somebody you don't even know. A password cracker is a program that tries every word in the dictionary, then combinations of words, then each word with numbers tacked on the end, and so on through every common mangling rule. The best protection against cracking is a randomly generated password, something like Rc9b%mO&, mixing lowercase and capital letters, numbers, and punctuation, and the longer the better. But that's hard to type and even harder to remember.

What we need is something hard to crack but easy to type and remember. The first idea is a pattern on the keyboard, like bgt5678uhb. Try typing it. It's a triangle, see? You can type it with one finger, without looking. To improve it, press shift halfway through, which produces some caps and punctuation: bgt56&*UHB. Use any pattern you like, as long as it takes in the number row for extra variety. One caveat: keyboard walks are common enough that cracking tools generate them on purpose, so a pattern alone is weaker than it looks; the shift trick and extra length are what give it some margin.

But I've got something even cooler. See the number pad at the end of your keyboard? You probably have the arrangement memorized. Choose a ten-key section of the regular keyboard, such as 2,3,4,w,e,r,s,d,f,c, and imagine those keys are the ten digits. Yes, it's slanted, but you'll get used to it. (The example below lays the digits out like a telephone keypad, with 1-2-3 on the top row, so 1=2, 2=3, 3=4, 4=w, 5=e, 6=r, 7=s, 8=d, 9=f and 0=c. A PC number pad puts 7-8-9 on top instead; either works, as long as you pick one layout and stick with it.) Now choose a number you have memorized, like your best friend's phone number (assuming it's not 212-123-1213). I'll use 285-143-9246. Type the number on your imaginary keypad and you get 3de2w4f3wr. Again, you can complicate it by holding shift for some of the keys, producing 3de2w4F#WR. If ten digits isn't long enough for you, put two phone numbers together. Also note that on your password list you could write the original phone number, and nobody but you would know how to use it. Bear in mind, though, that a ten-digit number has only ten billion possibilities, far fewer than ten random characters, so the scheme leans heavily on the attacker not knowing your layout.

One more idea: type your name, a dictionary word, or even your username, but with your fingers moved up one row. kiwigeek becomes i828t33i. You need a word whose letters land on the number row, or it gains nothing. The drawback is that shift doesn't work so well, because once you've moved your hands the key isn't where you expect it. And since the substitution is fixed, anyone who knows the trick can undo it, so it only helps against a cracker that isn't looking for it.
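The three tricks above, written out as code. This is an added example, not part of the original post: it implements the keypad mapping (in both the telephone and PC number-pad layouts), the row-up substitution, the inverse an attacker who knows the trick would apply, a keyboard-walk check of the kind a cracking tool or a password policy would use, and the size of the search space each scheme leaves. It assumes a US QWERTY layout; every function and constant name is invented here.

```python
"""Added example, not from the original post: the post's keyboard tricks as
deterministic transforms, the inverse an attacker who knows the trick would
use, a keyboard-walk check, and the size of the search space each leaves.
Layout is assumed US QWERTY; every function and name here is invented."""
import math

# The post's slanted ten-key block read like a telephone keypad (1-2-3 on top),
# which is the layout its example 285-143-9246 -> 3de2w4f3wr actually uses.
PHONE_LAYOUT = dict(zip("1234567890", "234wersdfc"))
# The same keys read like a PC number pad (7-8-9 on top).
NUMPAD_LAYOUT = dict(zip("7894561230", "234wersdfc"))
# What shift does to the number row; letters simply become capitals.
SHIFT_DIGITS = dict(zip("1234567890", "!@#$%^&*()"))
UNSHIFT = {v: k for k, v in SHIFT_DIGITS.items()}
QWERTY_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl;", "zxcvbnm,./"]


def shift_key(ch):
    return SHIFT_DIGITS.get(ch, ch.upper())


def keypad_password(number, layout=PHONE_LAYOUT, shift_from=None):
    """Type a memorised number on the imaginary keypad; optionally hold shift
    from position shift_from onwards (the post's 3de2w4F#WR is shift_from=6)."""
    keys = [layout[d] for d in number if d.isdigit()]
    if shift_from is not None:
        keys = keys[:shift_from] + [shift_key(k) for k in keys[shift_from:]]
    return "".join(keys)


def keypad_recover(password, layout=PHONE_LAYOUT):
    """The attacker's view: once the layout is known the scheme is a plain
    substitution, and the original number falls straight out."""
    inverse = {k: d for d, k in layout.items()}
    return "".join(inverse[UNSHIFT.get(c, c.lower())] for c in password)


def row_up(word):
    """The post's last trick: the same letters typed one row higher."""
    up = {}
    for upper_row, lower_row in zip(QWERTY_ROWS, QWERTY_ROWS[1:]):
        up.update(zip(lower_row, upper_row))
    return "".join(up.get(c, c) for c in word)


def _key_coords():
    # Approximate horizontal stagger of the four QWERTY rows, in key widths.
    offsets = [0.0, 0.5, 0.75, 1.25]
    return {ch: (x + off, y)
            for y, (row, off) in enumerate(zip(QWERTY_ROWS, offsets))
            for x, ch in enumerate(row)}


KEY_COORDS = _key_coords()


def is_keyboard_walk(password):
    """True when every consecutive pair of keys is physically adjacent
    (shift ignored), which is exactly what a walk generator in a cracker emits."""
    keys = [UNSHIFT.get(c, c.lower()) for c in password]
    if len(keys) < 2 or any(k not in KEY_COORDS for k in keys):
        return False
    for a, b in zip(keys, keys[1:]):
        (xa, ya), (xb, yb) = KEY_COORDS[a], KEY_COORDS[b]
        if abs(xa - xb) > 1.0 or abs(ya - yb) > 1:
            return False
    return True


def keyspace_bits(alphabet_size, length):
    """Bits of work for an attacker who knows the alphabet and the length."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    print(keypad_password("285-143-9246"), keypad_password("285-143-9246", shift_from=6))
    print(keypad_recover("3de2w4F#WR"))
    print(row_up("kiwigeek"), is_keyboard_walk("bgt56&*UHB"))
    print(round(keyspace_bits(10, 10), 1), "bits for a 10-digit number vs",
          round(keyspace_bits(62, 10), 1), "for 10 random alphanumerics")
```

The numbers at the end are the point: a ten-digit phone number typed through any fixed layout is worth about 33 bits to an attacker who knows the layout, against roughly 60 bits for ten genuinely random letters and digits, and the walk check shows why bgt5678uhb is in the cracker's list before the dictionary is even opened.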

One caveat: no matter how good your password is, if somebody sees it, you're out of luck. Keystroke loggers can get onto a computer through security holes and send your every keystroke to a criminal who wants your money or your identity. Here's a good place to start learning how to protect yourself.

7 Comments:

Blogger Difster said...

A year or two ago I was reading that pass phrases are actually far more secure than passwords. A pass phrase can easily be 15 to 20 characters long and it is easy to remember. Mine happens to be two words for a total of 11 characters. It is the length of a password that makes it harder to crack, not the complexity.

Tue Mar 28, 12:54:00 PM CST  
Blogger Kiwi the Geek said...

By pass phrase, you mean multiple dictionary words, separated by spaces? So I could make multiple 'words' by the above methods, and still type them fast with one hand.

Length is definitely a factor, at the least. Every additional character multiplies the possibilities, which I should have mentioned.

Tue Mar 28, 10:50:00 PM CST  
Blogger Alnot said...

I use the pass phrases thing too along with some numbers that relate like a very important date.

Wed Mar 29, 09:22:00 AM CST  
Anonymous Robert Wall said...

"But most times passwords aren't stolen, they're cracked, by somebody you don't even know."

The idea that most passwords are cracked rather than stolen is just bogus. Unless you count trying the person's birthday, anniversary, and kids' first and middle names as cracking, which I don't.

You'd be shocked at how many passwords are stored as cleartext somewhere; either on a computer system or in a filing cabinet somewhere. The ISP I used to work for had people write their passwords on a sign-up sheet, so we could enter them into the system. A stack of those sheets would yield most everybody's current password, probably for every account of significance they had.

Many passwords are stored as cleartext somewhere in a logfile on a server. Any server that can send you your password in an e-mail is effectively storing that password as cleartext. Even if they're using two-way encryption, the hacked server will contain all the info needed to decrypt it. So....if you say "I forgot my password", and they send you your actual password (rather than a link to reset it), there's a copy of that password that's vulnerable.

Another large amount of password theft comes from social engineering, or technical engineering. Keyloggers are part of it, but so is calling a CEO up on the phone, saying you're from IT downstairs, and saying that you need his password to do some account maintenance.

Same with credit card numbers. They're typically stolen in mass quantities from hacked servers, just like passwords.

I won't go into the process of social-engineering credit card numbers.

As for pass phrases, pass phrases are typically far, far longer than 15-20 characters. I remember a system that wanted a 64 character pass phrase, and accepted close to twice that. I seem to recall that the phrase that was being used was a complete sentence from a novel. The problem is, pass phrases have to be accepted by whatever system you're operating on. Many password systems have a character limit. On some, it's as low as 8. So the issue really does become creating a short, secure password.

Length does not necessarily equal complexity. A purist dictionary attack will take out a 12-letter word (that's in the dictionary) faster than 8 random characters. It's just math.

62^8 (26 characters lowercase, 26 upper, 10 numbers) is 218340105584896. There just aren't that many words in the English language.

If they know you're using a word (or combination of words), that reduces the possibilities down to purely alpha characters, which is a maximum of 53^8 (26 upper and lower, plus a space), which eliminates well over half of their work.

The math on how many possibilities there are if you're using up/down/left/right keyboard combos is left as an exercise for the reader. The number has to be significantly lower, as the next character is, by necessity, somewhat predictable.

The math on how easy it will be to crack your password once you post your password generation preferences on a public forum should have been done by the reader before they reported to class.

At the ISP I used to work at, we had to create passwords for multiple systems that would be able to be predictably remembered, but not hacked. We came up with some interesting methods. Unfortunately, I'm not discussing them here.

My standard advice is to come up with a random password, try to figure out how to pronounce it (including numbers), and commit the word to memory.

Just my $0.02

Sat Apr 01, 11:55:00 AM CST  
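Robert's point about "send me my password" mail, as an added example that is not part of the thread: a toy account store in each of the two styles he describes. The cleartext one can answer a forgot-password request only because it keeps the password recoverable; the other keeps a salted PBKDF2 hash (standard-library, standing in for whatever a real site would use), so the most it can hand back is a single-use reset token, and it stores only that token's hash. Both stores are in-memory, all names and the 200,000-iteration count are invented for the example.

```python
"""Added example, not part of the thread: a toy account store in the two
styles Robert describes. Both are in-memory and every name is invented.
PBKDF2 from the standard library stands in for whatever a real site uses."""
import hashlib
import hmac
import secrets


class ClearTextStore:
    """The 'send me my password' design: the server must keep something it
    can turn back into the password, so anyone who reads the store, a log,
    or the outgoing mail gets the password as well."""

    def __init__(self):
        self.users = {}

    def register(self, name, password):
        self.users[name] = password

    def check(self, name, password):
        return self.users.get(name) == password

    def forgot(self, name):
        # This is the mail the customer asked for, and also the leak.
        return "Your password is " + self.users[name]


class HashedStore:
    """Keeps only a salted PBKDF2 digest, so a 'forgot' request cannot reveal
    the password; it issues a one-time reset token instead and stores only
    the token's hash, so a copy of the database is no use for that either."""
    ITERATIONS = 200_000  # assumed for the example; tune to your hardware

    def __init__(self):
        self.users = {}          # name -> (salt, digest)
        self.reset_tokens = {}   # name -> sha256(token)

    @classmethod
    def _derive(cls, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, cls.ITERATIONS)

    def register(self, name, password):
        salt = secrets.token_bytes(16)
        self.users[name] = (salt, self._derive(password, salt))

    def check(self, name, password):
        if name not in self.users:
            return False
        salt, digest = self.users[name]
        return hmac.compare_digest(digest, self._derive(password, salt))

    def forgot(self, name):
        """Returns the token that would go into the e-mailed reset link.
        The password itself cannot be recovered from self.users."""
        token = secrets.token_urlsafe(32)
        self.reset_tokens[name] = hashlib.sha256(token.encode()).digest()
        return token

    def reset(self, name, token, new_password):
        expected = self.reset_tokens.get(name)
        presented = hashlib.sha256(token.encode()).digest()
        if expected is None or not hmac.compare_digest(expected, presented):
            return False
        del self.reset_tokens[name]        # single use (a real system would also expire it)
        self.register(name, new_password)  # fresh salt, fresh digest
        return True


def demo():
    """Runs both stores through the same forgot-password flow and reports
    where, if anywhere, the password shows up."""
    clear, hashed = ClearTextStore(), HashedStore()
    clear.register("alice", "correct horse")
    hashed.register("alice", "correct horse")
    mail_clear = clear.forgot("alice")
    token = hashed.forgot("alice")
    return {
        "cleartext_mail_leaks": "correct horse" in mail_clear,
        "hashed_mail_leaks": "correct horse" in token,
        "hashed_store_leaks": b"correct horse" in hashed.users["alice"][1],
        "reset_works": hashed.reset("alice", token, "new pass") and hashed.check("alice", "new pass"),
        "token_reusable": hashed.reset("alice", token, "again"),
    }


if __name__ == "__main__":
    print(demo())
```

The difference to look at is what each `forgot` can return: the cleartext store has no choice but to echo the password, while the hashed store has nothing to echo and must fall back to a reset link, which is the behaviour Robert suggests treating as the tell.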
Blogger Kiwi the Geek said...

You'd be shocked at how many passwords are stored as cleartext somewhere

Well, that's just dumb.

The math on how easy it will be to crack your password once you post your password generation preferences on a public forum should have been done by the reader before they reported to class.

Oh, like it matters if somebody cracks my password! I who pick up pennies off the floor of your apartment! Whose credit is so abysmal I can't get a cell phone! You're very funny, Princess!*

*Extra points if you can identify the movie I quoted.

Mon Apr 03, 09:35:00 AM CDT  
Anonymous Robert Wall said...

Sounds like a tweaked line from The Princess Bride, but I could be wrong.

Whether or not passwords are stored as cleartext isn't "dumb" or "smart"; it's usually a matter of "practical" or "impractical".

Our consumer-driven society has determined that they want to be told what their password was, and management decides that info is something that should be filed somewhere, in case a customer calls and asks.

The customer is always right, y'know.... :P

Tue Apr 04, 02:13:00 AM CDT  
Blogger Kiwi the Geek said...

Okay, let me rephrase. Any customer who prefers an insecure password over the minor inconvenience of resetting a forgotten password is dumb.

And that is a quote from Princess Bride.

Wed Apr 05, 12:07:00 AM CDT  
