How to create good passwords

One of the most important topics in security is creating good passwords.

OK, what is a “good” password?

1. A password that is EASY for the user to remember.
2. A password that is DIFFICULT for someone else to guess.
3. A password that is DIFFICULT for someone to hack by trial and error, “dictionary lookup”, reverse-engineer, or whatever.

The problem is that - for most people - “easily remembered” passwords are based on common words - your wife’s name, your pet’s name, your grandkids name, your anniversary date, etc.

This is a problem because most - if not all - of these words are easily suceptable to being hacked fairly easily. Computers are fast, and “the bad guys” have sophisticated password hacking programs that love to eat these simple passwords for lunch!

OK, that would seem to leave us with passwords like “JUNK@45&1!zz” - not so easy to hack, but even more difficult to remember.

RULE #1:
If a password is so wierd that users write them down on sticky-notes and paste them to their monitors, that password STINKS!.

So, what’s a good password?

1. It should be (at least) 8 characters in length.
2. It should contain both capital and lower-case letters
3. It should contain one or more digits (numbers)
4. It should contain one or more special characters (things like &%#@! - and so on)
5. It should NOT contain words that can be easily “looked up” - dictionary words.

Items 1-4 are easy to do, but it’s item #5 that really kills us. We remember people’s names very easily, but they’re also easily cracked.

How do we bridge this?

Several ways:

1. reverse-order (or scramble) the letters of the word you want to use, in a way that is easily reproduced by you, but difficult for someone else to figure out.

2. “Key-Shift” (this assumes you’re a touch-typeist) You do this by moving your hands up (or down) one row on the keyboard, and then typing as if that were the “home row” - result is (apparent) gibberish that is easily reproduced by you.

3. (My favorite) - transliterate using a different alphabet:

Example: Let’s assume my wife’s name (in Russian) is Yelena. (not true, but it’s a good example)

In Cyrillic, it would look like this “Елена” (“E” is pronounced “ye”)
In “Latin” characters, I would think of it like this: “E” - “not-v” (upside down “v”), “e”, “h”, “a”
I would then create a password from her name like this: “E!veha”

This is good because

• “Eveha” is not a common “dictionary word”.
• Using the “■■■■” (!) to represent “not” is a common programmer’s notation, but not common in passwords.

If I add an aditional special character - and some digits - the password is even better. For example, say we were married in 1975, I could create a password like this “E!veha#1975” - which has lots of characters (more than eight), contains upper and lower case letters, numbers, and special characters.

It is also useful because it requires the potential hacker to know more than one piece of information.
(a) The “key words” you’re basing your password on

---- AND ----

(b) The special “encoding” scheme that you’re using to scramble the letters.

If the password has enough characters - you can even add the month you created this password, making it become “E!veha#1975-03”

If your native alphabet is non-latin (hebrew, hindi, thai, cambodian, etc.) you can write the word you’re using as your key in your native alphabet (it doesn’t matter if you write left-to-right, or right to left) - and then look at what you wrote… What latin letters does it look like? Does it look like any special characters? (the Hebrew “aleph” may look to some like an “x”, or a “%”)

Be creative! Just remember how creative you were - so you get it right!

Another thought:

Windows allows you to install differnt language keyboards - Russian, Polish, French, German, etc. - and it will be noted by a little box next to the clock in the system tray. If you switch to a non-English keyboard (French, for example), and type in your English password, you get gibberish (because the keys are in different places).

Summary:

Good passwords are
(1) Longer than 8 characters (the longer, the better)
(2) Easy for YOU to remember
(3) Hard / impossible for someone else to guess
(4) Hard for someone to “reverse engineer” using hacking software.
(5) Contains both upper and lower case letters, numbers, and special characters.

Note that these example are not exhaustive - but should serve to stimulate thought - what’s obvious to YOU will (hopefully) not be obvious to the hacker trying to eat your lunch!

Jim

Here’s another thought - a take-off on the transliteration scheme…

Let’s say my wife’s name is “Heather”… I go to an online translation site, and discover that the Russian word for Heather is “вереск” This gives me “Bepeck” as the initial keyword.

Other phrases can be handled the same way: “Good Dog!” becomes “Хорошая Собака!” - and I am sure you can figure out a way to turn that into a easily remembered password!

Likewise, if you wanted to use German, “Heather” becomes “Heidekraut”, or your good dog becomes (in German) a “Guter Hund!”

You could try an English - Korean online translator - and then re-cast the korean letters into their nearest “latin” look-alikes - requires imaginantion, but it’s doable…

Jim

Don’t forget, if you run a copy of XP/vista/2000/2003 you can enforce password complexity via either group policy or local security policy.

Password Complexity mandates passwords be composed of the following:

Password must not contain significant portions of the user’s account name or full name
Password must be at least six characters in length
Password must contain characters from at least three of the following categories:
Uppercase characters (A through Z)
Lowercase characters (a through z)
Base 10 digits (0 through 9)
Special characters (for example, &, $, #, %)

This can be used in conjunction with other password policies, to create pretty strict passwords.

My name is Al Sacco, and I’m a writer with CIO.com. We recently reviewed a password manager that’s meant not only to securely store passwords but also to generate cryptographically strong ones. This is a great way to create very strong passwords. The device can generate passwords of up 14 characters based on admin or user-specified “schemas” to ensure they meet organization’s password policies. The U.S. Defense Dept. uses them to keep their various systems secure.

Check it out:

http://www.cio.com/article/111850

Cheers. :■■■■

Great helpful hints Jim. (:CLP)

One other useful method:

I picked up a rather useful and a relatively easy way to create passwords; one that is hard for others to guess, and probably hard to ■■■■■ too, but relatively easy to remember (even I have been able to).

First you would think of something simple like an event or a place or person from your past; as an example …

“When I was in seventh grade I had a crush on this girl that was probably six inches taller.”

If it is that personal, you will probably recall every bit of it …

Now take the first letter of each word in the sentence …

Wiwi7gIhacotgtwp6"t

Meets stringent password requirements; It is a long enough maybe too long, at least 1 upper case letter, at least one numeric character, at least one special character, definitely not in any dictionary

Isn’t that hard to guess and ■■■■■. Of course it need not be something personal. It could be something unique on your desktop and just by looking at it you will be able to recall the phrase and from that phrase your password. Finally don’t forget the golden rule, change passwords at least once in three to four months.

Here is the web site that I got this idea from …
http://world.std.com/~reinhold/diceware.html

If you are looking for a good, NO, GREAT Password Manager (Open Source from sourceforge.net) go to …
http://keepass.sourceforge.net

Excellent!

There are two things about passwords that absolutely raise my ire ( (:AGY) )

1. Things like the home-use router/firewall that will ONLY allow an EIGHT letter password - must be alpha-only! It’s almost impossible to create a non-crackable password.

2. Password strictness rules that are “too strict” - and make even well generated passwords illegal. (I have seen password rules that were so wierd that even the sysadmins couldn’t keep up with them - I’ve gotten system-generated “reset” passwords that did not meet the system’s own password rules!)

Jim

Hi Al

Welcome to our forums. We appreciate your participation.

We would love it if you kept contributing, either through your articles or other means so that we can make internet a safer place for everyone.

again, welcome aboard.

Melih

Awww… Goshk! (:SHY)

Laughing! (:LGH) :■■■■

That’s the idea! You want to come up with somthing that’s easy for you to remember, but so “bizarre” that password crackers would (hopefully) choke on them.

I hadn’t thought of that one - good idea!

Actually, this is also a good idea for creating WPA-PSK wireless security passphrases too. It’s long - really long ( :o ) - which means that you’ll get a nice “juicy” binary hash from it that will be ■■■■ difficult to hack. ;D

This is the whole idea behind my push to start this thread - Comodo wants to improve Internet security. Unfortunately, it’s meaningless if people keep choosing passwords like “password”, “fluffy”, or other easily cracked words.

Keep 'em coming!

Jim

Another good method, somewhat similar to snyders, is to base your password around a phrase, rather than a word, and substitute numerics for alphas.

Example :

Phrase : log me in please
Substituted password : L0g!m3!1n!p13a53#

where there is a leading capital, spaces are replaced by exclamation marks and some alphas are replaced by graphically similar alphas (e becomes 3, l becomes 1 etc.)

The originating phrase can be driectly related to the site your logging in to, as the resulting password is definitely not in any dictionary I’ve ever seen (except the one that mentioned "nosewool ).

Cheers,
Ewen

However …

your password is only as good as the system is. Some systems or websites take exception to certain characters and some truncate it to a certain number of characters, etceteras. In general I use numbers to represent certain alpha characters and vice versa, however there is no getting around if the system has too many limitations. I have come across some that seriously cripple password but at least the ones that I use have a two layer authentication (may be an improper phrase, technically speaking). What I mean to say is that login is authenticated by logging IP address and then presenting a second secure screen for password.

Personally I think the limit is one’s imagination.

Add a couple methods together, here… Use the other-language idea for word substitution, and incorporate some aspect related to that that’s easily remembered by you, with non-alphanumerics thrown in. For example, let’s say you have a dog that you have been trying to teach to fetch. In Scots Gaelic, the command is (something like) “faigh sin.” There’s 8 letters to start with; this is what you have to “remember;” the rest will come out of it. Let’s say you got the dog in March of this year (which you will remember easily). Password = 0.3fAigH?2!0siN0*7

It’s easy enough to use a “schematic” for introducing numbers and characters (NOT every other letter!), upper & lower case, so that the primary thing you have to remember is what your “core” word was. In this scenario we end up with 18 characters; even if we drop the non-alphanumeric (which some sites won’t allow, it’s true), we still have 03fAigH20siN07 with 14 characters. Not too shabby, nor easy to guess; neither numbers or capitals are evenly placed, so that adds some complexity to it.

LM

take initials of all ur security apps together, 1 upper, 1 lower case taking turn.
followed by the date ur company established.
my suggestion.

you could use the last four of your ss# but hold alt before doing it and put your initials at the end or mix them ╥╙⌠α▌ That’s almost truly impossible to guess that should be easy to remember or even mix them because you need 8 right? so thats a good thing keep on doing the alt + (number of anything

jake

P.S this is what i use so …