It’s common sense for most people on the hacking side of computer security, as we know how easy it is to break a password when it’s only a few characters long or uses a dictionary word (even one postfixed with a couple of digits; a hybrid dictionary attack breaks that pretty fast).
Even more so if you are utilising some decent rainbow tables and the RainbowCrack method (time/memory trade-off).
The basics of creating a secure password:
- Include punctuation marks (,.;), special characters (!#$%^) and numbers.
- Mix capital (uppercase), lowercase and space characters.
- Create a unique acronym.
- Even short passwords should be at least 8 characters.
Some potential weaknesses to avoid:
- Don’t use a password that is listed as an example or public.
- Don’t use the same password you have been using for years.
- Don’t use a password someone else has seen you type.
- Don’t use a password that contains personal information (names, birthdays or dates that are easily related to you).
- Don’t use words or acronyms that can be found in a dictionary.
- Don’t use keyboard patterns (qwerty) or sequential numbers (12345).
Once you have a good password it’s equally important to keep your password secure:
- Never tell anyone your password or use it where someone can observe it.
- Never send your password by email or say it where others may hear.
- Occasionally verify your current password and change it to a new one.
- Avoid writing your password down. (If you have to write it down until you remember it, keep it with you in a purse or wallet.)
Never label that scrap of paper in any way; write it on the back of an old business card or something else that doesn’t indicate it’s a password.
Don’t give anyone who finds (or gains access to) your purse/wallet any clue of what the password means or what it relates to.
128 bits of entropy in a password requires a long randomised passphrase, which wouldn’t be very usable; there has to be a trade-off somewhere between security and usability.
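To put numbers on that trade-off, here is an added example (not part of the original post) that computes the entropy of the approaches discussed: a uniformly random password over the printable ASCII set, a passphrase of words from a wordlist, and the “dictionary word plus a couple of digits” pattern a hybrid attack covers. The guessing rate, dictionary size and case-variant count are assumptions chosen for illustration.

```python
import math

# Added example, not from the original post. The rates and list sizes below
# are assumptions chosen for illustration, not measured figures.
PRINTABLE_ASCII = 95          # letters, digits, punctuation, space
DICEWARE_WORDS = 7776         # size of the standard Diceware wordlist (6^5)


def charset_entropy_bits(length, alphabet_size):
    """Bits of entropy for a password of `length` symbols chosen uniformly
    at random from an alphabet of `alphabet_size` symbols. This only holds
    for truly random choice: an acronym such as Mciswp3456 is drawn from a
    far smaller space of memorable sentences, so this figure overstates it."""
    return length * math.log2(alphabet_size)


def passphrase_entropy_bits(word_count, wordlist_size):
    """Entropy of `word_count` words picked uniformly from a wordlist."""
    return word_count * math.log2(wordlist_size)


def symbols_needed(target_bits, alphabet_size):
    """Smallest length (chars or words) reaching `target_bits` of entropy."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def hybrid_dictionary_bits(dictionary_words, digit_suffix_len, case_variants):
    """Effective keyspace, in bits, of 'dictionary word + a few digits',
    the pattern the post says a hybrid dictionary attack breaks quickly."""
    keyspace = dictionary_words * 10 ** digit_suffix_len * case_variants
    return math.log2(keyspace)


def expected_crack_seconds(bits, guesses_per_second):
    """Expected time to hit the password: half the keyspace on average."""
    return 2 ** (bits - 1) / guesses_per_second


if __name__ == "__main__":
    rate = 1e9  # assumed offline guessing rate, guesses per second
    word_plus_digits = hybrid_dictionary_bits(200_000, 2, 2)
    print(f"8 random printable chars: {charset_entropy_bits(8, PRINTABLE_ASCII):.1f} bits")
    print(f"word + 2 digits (200k words, 2 case forms): {word_plus_digits:.1f} bits, "
          f"~{expected_crack_seconds(word_plus_digits, rate):.2f} s at {rate:.0e}/s")
    print(f"random chars needed for 128 bits: {symbols_needed(128, PRINTABLE_ASCII)}")
    print(f"Diceware words needed for 128 bits: {symbols_needed(128, DICEWARE_WORDS)}")
```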
You can also use online password generators such as http://makemeapassword.com/. The problem with these, however, is that while they do create strong passwords, the results aren’t easy to remember, which rather defeats the purpose.
Another thing you can do is use a password safe to keep all the hard-to-remember passwords in one place; the one I would recommend is from Bruce Schneier and is actually called “Password Safe”.
Password Safe is an Open Source (free) tool that allows you to have a different password for all the different programs and websites that you deal with, without actually having to remember all those usernames and passwords. Password Safe runs on PCs under Windows (95/98/NT/2000/XP).
You can find it here:
http://passwordsafe.sourceforge.net/
Any other inputs?
Jeroen says
We (my colleagues and I) use longer sentences which can’t be calculated because they are very long, but still easy to remember.
Example: The name of my kitten is “Tiger”!
It has a ! and “” and even lower and uppercase characters.
Still your other rules are very important, don’t tell them to anybody and don’t choose a too obvious sentence. Proverbs work great b.t.w.
Darknet says
Jeroen: Yah I agree, quite a lot of people use the passphrase technique as it yields very complex passwords with only a little effort.
Like your examples you can do:
“My car is red with plate 3456”
Which would give you the pass Mciswp3456
Of course you must use it in combination with the other rules!
Jeroen says
Yes Indeed!
Another: replace parts of the sentence with numbers
Example: This 1 is hard 2 crack!
John Preston says
Personally, I prefer ‘KeePass’ as my password safe. It uses AES and Twofish, allows use of a passfile as well as a password. And because it doesn’t hook into the registry and saves the passwords to a database, you can stick it on your USB stick as well!
KeePass Homepage
Ubourgeek says
I use the previously mentioned passphrase technique, hash it using leetspeak (may be lame but it works) ’cause I’m a Geek, then toss a “special” character and an extra number on either end.
e.g.
Passphrase: Did you get four hundred thousand computer viruses?
Number of words in passphrase: 8
“Special” Character: ?
Resulting Password: ?dygfh7Cv8 or 8dygfh7Cv?
Cheers,
U.
Darknet says
John Preston: Thanks for that, Keepass looks pretty neat.
Ubourgeek: Yah that really does make a strong password, it’s good to combine all of the above techniques... end up with something memorable yet very strong!
Richard Harlos says
My preferred method of password generation is to take a sentence or line from a song and then use the first letter of each word in that sentence/line, putting vowels in one case and consonants in another, finally postfixed with numerals that indicate how long that password is including the numerals, e.g., if the line I wish to use is:
“You and me against the world”
My password would be “YaMaTW7”
The longer the line/sentence, the more difficult to brute-force crack it.
Danilo Cicerone says
Try this passwords generator too:
http://www.digitazero.org/?p=30
for testing and fun!
Daniel says
I usually make a simple hash of the site domain and like … my phone number with the shift key
Tara (PassPack) says
A recent password hacking contest showed that “complexity” actually matters less than length. I just posted about it here:
Choosing Passwords: Long is Strong
Jeroen has got the right idea – pass phrases are a best bet.
Cheers,
Tara Kelly
PassPack Founding Partner
—
Torvaun says
Being a math geek as well as a computer geek, I tend to use mathematical expressions or constants for passwords. ‘e=2.71828’ ‘answer:42’, that kind of thing. Hard to brute force, easy to remember. And of course, being a security minded geek, neither of those is used for a password for anything Internet accessible.
Tara (PassPack) says
@Torvaun
That’s actually a good method. Here’s another good one over at Significant Figures that uses molecules: http://www.sciencetext.com/passwords-for-scientists.html
But still – how do you remember which formula you used on which site? Why not come up with a great master pass for a password manager, and then forget about all the rest.
Just an idea ;)
Tara
Torvaun says
@Tara
Remembering what I used where is the biggest problem I have with this system, but I’m pretty good at remembering the passwords I use most often. The rest, I just run through all of my passwords until I get the right one.
Tara (PassPack) says
@Torvaun
You’ve got a good memory then – I’d never manage. Just make sure you have a lot of these passwords though. Ideally you should have a different one for every site. But at the very least, make sure that you have unique passwords for each banking and email account.
Cheers!
Tara