19 April 2006 | 38,968 views

Good Password Guidelines – How to Make a Strong/Secure Password


It’s common sense to most people on the offensive side of computer security, because we know how easy it is to break a password that is only a few characters long or that uses a dictionary word (even one postfixed with a couple of digits; a hybrid dictionary attack breaks it pretty fast).

That is even more true if the attacker is using some decent Rainbow Tables and the RainbowCrack method (a time/memory trade-off).

The basics of creating a secure password:

  • Include punctuation marks (,.;), special characters (!#$%^) and numbers.
  • Mix capital (uppercase), lowercase and space characters.
  • Create a unique acronym.
  • Even a short password should be at least 8 characters long.

Some potential weaknesses to avoid:

  • Don’t use a password that is listed as an example or public.
  • Don’t use the same password you have been using for years.
  • Don’t use a password someone else has seen you type.
  • Don’t use a password that contains personal information (names, birthdays or dates that are easily related to you).
  • Don’t use words or acronyms that can be found in a dictionary.
  • Don’t use keyboard patterns (qwerty) or sequential numbers (12345).
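The two lists above read naturally as a checklist, so here is an added example (not code from the original post) that turns them into a small policy checker: minimum length, punctuation or special characters, digits, mixed case, dictionary words, keyboard runs, sequential digits and personal information. The dictionary is a constructed ten-word stand-in; a real deployment would load a full wordlist, and the keyboard rows and 4-character run length are assumptions chosen for the example.

```python
import re

# Constructed stand-in for a real dictionary wordlist (a real check would load
# something like /usr/share/dict/words or a leaked-password list).
SAMPLE_DICTIONARY = {
    "password", "letmein", "welcome", "dragon", "monkey",
    "football", "tiger", "summer", "london", "secret",
}

# Keyboard rows used to detect runs such as "qwerty" or "asdfgh" (assumed US layout).
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")

PUNCTUATION = set(",.;")
SPECIALS = set("!#$%^&*()-_=+[]{}|\\:'\"<>/?`~@")
MIN_LENGTH = 8


def has_keyboard_pattern(pw: str, run: int = 4) -> bool:
    """True if any `run` consecutive characters follow a keyboard row, forwards or backwards."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - run + 1):
            seq = row[i:i + run]
            if seq in low or seq[::-1] in low:
                return True
    return False


def has_sequential_digits(pw: str, run: int = 4) -> bool:
    """True if `run` consecutive digits rise or fall by exactly one (e.g. 1234, 9876)."""
    for i in range(len(pw) - run + 1):
        window = pw[i:i + run]
        if not window.isdigit():
            continue
        diffs = {int(window[j + 1]) - int(window[j]) for j in range(run - 1)}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def contains_dictionary_word(pw: str, words=SAMPLE_DICTIONARY, min_len: int = 4) -> bool:
    """True if the password, stripped of digits and punctuation, still contains a listed word.
    Stripping first is what catches the 'dictionary word plus two digits' case from the post."""
    letters = re.sub(r"[^a-z]", "", pw.lower())
    return any(w in letters for w in words if len(w) >= min_len)


def check_password(pw: str, personal_info=()) -> list:
    """Return the list of guideline violations; an empty list means the password passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not (set(pw) & (PUNCTUATION | SPECIALS)):
        problems.append("no punctuation or special character")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(c.isupper() for c in pw) or not any(c.islower() for c in pw):
        problems.append("not mixed case")
    if contains_dictionary_word(pw):
        problems.append("contains a dictionary word")
    if has_keyboard_pattern(pw):
        problems.append("contains a keyboard pattern")
    if has_sequential_digits(pw):
        problems.append("contains sequential digits")
    for item in personal_info:  # names, birth years, etc. supplied by the caller
        if item and item.lower() in pw.lower():
            problems.append(f"contains personal information ({item})")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    for candidate in ("Tiger99", "qwerty12345!", "Tq;7x!Gv2m"):
        print(candidate, "->", check_password(candidate) or "passes all checks")
```

The checker only enforces the rules the post states; it says nothing about how guessable a passing password really is, which is what the entropy discussion further down is about.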

Once you have a good password it’s equally important to keep your password secure:

  • Never tell anyone your password or use it where someone can observe it.
  • Never send your password by email or say it where others may hear.
  • Occasionally verify your current password and change it to a new one.
  • Avoid writing your password down. (If you must write it down until you remember it, keep the note with you in a purse or wallet.)

And never label that scrap of paper in any way: write it on the back of an old business card or something else that doesn’t indicate it’s a password.

Don’t give anyone who finds (or gains access to) your purse/wallet any clue of what the password means or what it is related to.

A password with 128 bits of entropy requires a long randomised passphrase, which wouldn’t be very usable; there has to be a trade-off somewhere between security and usability.
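To put numbers on that trade-off, here is an added example (not from the original post) that works out the entropy of passwords and passphrases whose every symbol is chosen uniformly at random, and the length needed to reach a target such as 128 bits. The alphabet sizes (95 printable ASCII characters, 62 alphanumerics, a 7776-word diceware-style list) and the guess rate in the last function are assumptions for illustration, not measurements.

```python
import math

PRINTABLE_ASCII = 95   # space through '~'
ALNUM = 62             # a-z, A-Z, 0-9
LOWERCASE = 26
DICEWARE_WORDS = 7776  # assumed wordlist size (6**5, as in a five-dice list)


def random_password_bits(length: int, alphabet_size: int) -> float:
    """Entropy in bits of a password whose every character is uniformly random."""
    return length * math.log2(alphabet_size)


def random_passphrase_bits(words: int, wordlist_size: int) -> float:
    """Entropy in bits of a passphrase whose every word is uniformly random from a wordlist."""
    return words * math.log2(wordlist_size)


def length_for_bits(target_bits: float, alphabet_size: int) -> int:
    """Smallest number of uniformly random symbols (characters or words) reaching target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Years to search the whole keyspace at a given rate (the rate is a constructed assumption)."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)


def summary(target_bits: float = 128) -> dict:
    """Lengths needed for target_bits under each generation model."""
    return {
        "printable ASCII chars": length_for_bits(target_bits, PRINTABLE_ASCII),
        "alphanumeric chars": length_for_bits(target_bits, ALNUM),
        "lowercase letters": length_for_bits(target_bits, LOWERCASE),
        "diceware words": length_for_bits(target_bits, DICEWARE_WORDS),
    }


if __name__ == "__main__":
    print("Symbols needed for 128 bits:", summary())
    # Length versus complexity: 12 random lowercase letters beat 8 random printable characters.
    print("8 printable chars :", round(random_password_bits(8, PRINTABLE_ASCII), 1), "bits")
    print("12 lowercase chars:", round(random_password_bits(12, LOWERCASE), 1), "bits")
    print("4 diceware words  :", round(random_passphrase_bits(4, DICEWARE_WORDS), 1), "bits")
    # Assumed 10^10 guesses/second against a fast unsalted hash; purely illustrative.
    print("years to exhaust 8 printable chars at 1e10/s:",
          round(years_to_exhaust(random_password_bits(8, PRINTABLE_ASCII), 1e10), 4))
```

The figures only hold for genuinely random choices; a human-chosen password that merely satisfies the character-class rules above has far less entropy than this model credits it with, which is why the generator-versus-memorability problem in the next paragraph exists.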

You can also use online password generators such as http://makemeapassword.com/. The problem with these, however, is that while they do create strong passwords, those passwords aren’t easy to remember, which rather defeats the purpose.

Another option is a password safe that keeps all the hard-to-remember passwords in one place; the one I would recommend is from Bruce Schneier and is actually called “Password Safe”.

Password Safe is an Open Source (free) tool that allows you to have a different password for all the different programs and websites that you deal with, without actually having to remember all those usernames and passwords. Password Safe runs on PCs under Windows (95/98/NT/2000/XP).

You can find it here:

http://passwordsafe.sourceforge.net/

Any other inputs?



14 Responses to “Good Password Guidelines – How to Make a Strong/Secure Password”

  1. Jeroen 19 April 2006 at 6:39 am Permalink

    We (my colleagues and I) use longer sentences which can’t be calculated because they are very long, but still easy to remember.

    Example: The name of my kitten is “Tiger”!

    It has a ! and “” and even lower and uppercase characters.

    Still, your other rules are very important: don’t tell them to anybody and don’t choose a too obvious sentence. Proverbs work great b.t.w.

  2. Darknet 19 April 2006 at 8:54 am Permalink

    Jeroen: Yah I agree, quite a lot of people use the passphrase technique as it yields very complex passwords with only a little effort.

    Like your examples you can do:

    “My car is red with plate 3456”

    Which would give you the pass Mciswp3456

    Of course you must use it in combination with the other rules!

  3. Jeroen 19 April 2006 at 8:59 am Permalink

    Yes Indeed!

    Another: replace parts of the sentence with numbers

    Example: This 1 is hard 2 crack!

  4. John Preston 19 April 2006 at 10:53 am Permalink

    Personally, I prefer ‘KeePass’ as my password safe. It uses AES and Twofish, allows use of a passfile as well as a password. And because it doesn’t hook into the registry and saves the passwords to a database, you can stick it on your USB stick as well!

    KeePass Homepage

  5. Ubourgeek 19 April 2006 at 6:19 pm Permalink

    I use the previously mentioned passphrase technique, hash it using leetspeak (may be lame but it works) ’cause I’m a Geek, then toss a “special” character and an extra number on either end.

    e.g.

    Passphrase: Did you get four hundred thousand computer viruses?

    Number of words in passphrase: 8

    “Special” Character: ?

    Resulting Password: ?dygfh7Cv8 or 8dygfh7Cv?

    Cheers,

    U.

  6. Darknet 20 April 2006 at 8:05 am Permalink

    John Preston: Thanks for that, Keepass looks pretty neat.

    Ubourgeek: Yah that really does make a strong password, it’s good to combine all of the above techniques..end up with something memorable yet very strong!

  7. Richard Harlos 25 April 2006 at 2:34 pm Permalink

    My preferred method of password generation is to take a sentence or line from a song and then use the first letter of each word in that sentence/line, putting vowels in one case and consonants in another, finally postfixed with numerals that indicate how long that password is including the numerals, e.g., if the line I wish to use is:

    “You and me against the world”

    My password would be “YaMaTW7”

    The longer the line/sentence, the more difficult to brute-force crack it.
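Comments 2 and 7 both describe deriving a password from a sentence. The following added example (my code, not posted by either commenter) implements the two derivations as I read them: plain first letters with digit groups kept intact (comment 2), and first letters with vowels lowercased, consonants uppercased and a length suffix that counts its own digits (comment 7, which reproduces its “YaMaTW7”). Applied mechanically to comment 2’s sentence it gives Mcirwp3456. It also estimates the brute-force keyspace of the result so the derived string can be compared with the sentence it came from; that estimate assumes uniformly random characters, which is an assumption stated in the code.

```python
import math
import re

VOWELS = set("aeiou")


def first_letters(sentence: str) -> str:
    """Comment 2's method: first character of each word, all-digit words kept whole."""
    out = []
    for word in re.findall(r"\S+", sentence):
        token = re.sub(r"[^0-9A-Za-z]", "", word)  # drop quotes/punctuation stuck to the word
        if token:
            out.append(token if token.isdigit() else token[0])
    return "".join(out)


def harlos(sentence: str) -> str:
    """Comment 7's method: first letter of each word, vowels lowercase, consonants uppercase,
    then a suffix stating the total length including the suffix's own digits."""
    letters = []
    for word in re.findall(r"[A-Za-z]+", sentence):
        c = word[0]
        letters.append(c.lower() if c.lower() in VOWELS else c.upper())
    core = "".join(letters)
    n = len(core) + 1
    while len(core) + len(str(n)) != n:  # e.g. 9 letters need the 2-digit suffix "11"
        n += 1
    return f"{core}{n}"


def brute_force_bits(pw: str) -> float:
    """Bits an attacker must search if characters were uniformly random over the classes present.
    Assumption: uniform characters; first letters of English words are far from uniform,
    so this overstates the real strength of an acronym."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(not c.isalnum() for c in pw):
        size += 33  # printable ASCII punctuation and space
    return len(pw) * math.log2(size)


if __name__ == "__main__":
    # Sentences quoted from the comments above; the derived strings are examples, not real passwords.
    for sentence in ("My car is red with plate 3456", "You and me against the world"):
        for name, fn in (("first letters", first_letters), ("comment 7 rule", harlos)):
            derived = fn(sentence)
            print(f"{name:15} {derived:12} ~{brute_force_bits(derived):5.1f} bits "
                  f"(sentence itself ~{brute_force_bits(sentence):5.1f} bits)")
```

The comparison makes the point behind Jeroen’s and Tara’s comments: the acronym throws away most of the sentence’s length, so a 7-character result is at best a 7-character random password, and in practice weaker, since anyone who knows the method can enumerate song lyrics and proverbs rather than raw characters. Keeping the whole sentence is what retains the strength.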

  8. Danilo Cicerone 28 April 2006 at 8:29 am Permalink

    Try this password generator too:

    http://www.digitazero.org/?p=30

    for testing and fun!

  9. Daniel 4 June 2007 at 9:05 am Permalink

    I usually make a simple hash of the site domain and like … my phone number with the shift key

  10. Tara (PassPack) 4 June 2007 at 11:58 pm Permalink

    A recent password hacking contest showed that “complexity” actually matters less than length. I just posted about it here:

    Choosing Passwords: Long is Strong

    Jeroen has got the right idea – pass phrases are a best bet.

    Cheers,
    Tara Kelly
    PassPack Founding Partner

  11. Torvaun 5 June 2007 at 7:47 am Permalink

    Being a math geek as well as a computer geek, I tend to use mathematical expressions or constants for passwords. ‘e=2.71828’ ‘answer:42’, that kind of thing. Hard to brute force, easy to remember. And of course, being a security minded geek, neither of those is used for a password for anything Internet accessible.

  12. Tara (PassPack) 5 June 2007 at 2:30 pm Permalink

    @Torvaun
    That’s actually a good method. Here’s another good one over at Significant Figures that uses molecules: http://www.sciencetext.com/passwords-for-scientists.html

    But still – how do you remember which formula you used on which site? Why not come up with a great master pass for a password manager, and then forget about all the rest.

    Just an idea ;)
    Tara

  13. Torvaun 5 June 2007 at 2:59 pm Permalink

    @Tara
    Remembering what I used where is the biggest problem I have with this system, but I’m pretty good at remembering the passwords I use most often. The rest, I just run through all of my passwords until I get the right one.

  14. Tara (PassPack) 6 June 2007 at 9:44 am Permalink

    @Torvaun
    You’ve got a good memory then – I’d never manage. Just make sure you have a lot of these passwords though. Ideally you should have a different one for every site. But at the very least, make sure that you have unique passwords for each banking and email account.

    Cheers!
    Tara