December 26, 2011
Thinking About Better Passwords

With identity theft and account hijacking a rampant problem think about raising the toughness of your online passwords to a higher level of obscurity. At home this is especially difficult for some of us due to the much larger number of home passwords (multiple financial accounts, multiple email addresses, multiple online store accounts, home utility accounts, and more - dozens for me). How to do this? Dennis O'Reilly has a useful article "How to master the art of passwords" with some controversial advice:

Gunter Ollman, a researcher for security firm Damballa, concludes that recording your passwords on paper is the lesser of several password evils; more risky is using the same password at multiple sites, setting your software to remember passwords, failing to change passwords frequently, using an easy-to-guess password, and reusing past passwords.

Likewise, computer expert Bruce Schneier reiterated on his Schneier on Security blog the advice of Microsoft executive Jesper Johansson to record your passwords on paper to encourage use of strong passwords.

Without writing down full passwords at home I use a system where I write down hints. I can apply some personal rules for password generation to those hints and come up with the passwords I use. The little hints aren't even words in my case. They are very obscure letter combinations that trigger thoughts in my head. For very frequently used passwords on a few key accounts I've got the passwords well memorized and not written anywhere.

O'Reilly points to a site which I suggest you pay a visit. You don't have to type in your real passwords. You could just type in assorted ideas you have for passwords and watch how it rates each password for crackability. Try mixed case, special characters (other than A-Za-z0-9), and words versus non-words. See how the ratings change.

You can base your passwords around words since words are easier to remember. But then you can add camouflage. For example, you can substitute special characters for letters in words. Sometimes this is done with obvious substitutions such as '@' in place of 'a' and '3' in place of 'E'. But you could make up your own substitutions that are not obvious to others as long as you can remember them.

Other games to play with words: misspell words, spell words backward, add suffixes and prefixes that a word normally never gets, interleave 2 words every other letter. You can also use first letters from words in a sentence that you think you'll remember. Or even use last letters from words in a sentence.

Update: To be clear, common substitutions to words (e.g. @ in place of a) help some but not a lot. You would be better off making up your own substitution rules that are unlikely to be guessed. Also, another idea: mix words from different languages so that a dictionary attack has to cut across languages. Makes the search space much larger. Also, longer passwords are better. Go over 10 letters. The more the better.

Update II: Some more password rating sites: Microsoft's, Gibson Research's, Tyler Akins of Rumkin, and PasswordMeter. The problem is that if you apply common transformations to words you can fool most (all?) of these password checkers into rating your password as stronger than it really is. That's why you've got to use uncommon transformations on words or do not use words as your starting point.

Still, a password rated highly by the sites above is probably going to better than what 90+% of the people reading this are currently using. So at least use a password that is rated highly by some of these sites.

Also see: Report: Analysis of the Stratfor Password List. Are you making any of those mistakes?

Share |      Randall Parker, 2011 December 26 06:39 PM  Computing Security

john personna said at December 27, 2011 5:15 AM:

I break usernames and passwords into fragments, and put them in a spreadsheet, with chaff columns. Re-assembly is at least non-obvious, though I'm sure a clever person who knew what they were looking at could figure it out in time.

Dan said at December 27, 2011 8:21 AM:

I don't agree with the "hack my password" times from that website. I think it just figures out how long it would take a computer to try all permutations of N letters, or N letters+numbers, or N letters+numbers+symbols. Even if this is how passwords were actually hacked (it's not), it would require access to the password file you were trying to break (not just a login prompt). This would imply a hacker was already inside of the system. Even with the password file, you need to know how it is encrypted / hashed in order to interrogate the rawfile. Passwords are typically broken because (1) the password file wasn't properly protected or (2) the password was a simple word or (3) the password was the person's name/etc.

Nanonymous said at December 28, 2011 2:18 PM:

Yeah, the times listed are crap. They are for a local brute force attack, which is unrealistic in almost all real life situations. To break, say, my Amazon password, a bot would have to spend at least 1,000X and more likely 10^6 longer trying them through a web form. And just about any site runs software smart enough to raise a flag after 100 or so unsuccessful login attempts.

Anonymous said at December 28, 2011 5:42 PM:

I use a simple system:

I have a core password of six random characters. To that, I add two or three characters that are derived from the URL of the site in question by an algorithm known only to me. Could be every fourth char in the URL or the first two non vowel chars or who knows? Since urls contain numbers as well as chars, the passwords sometimes have numbers and even punctuation. It's not perfect, but nothing is...

Sigivald said at December 29, 2011 2:29 PM:

Even if this is how passwords were actually hacked (it's not), it would require access to the password file you were trying to break (not just a login prompt).

1) Many times, hackers have taken encrypted password files (such as from forum sites), and then have and do brute-force crack the passwords, because so many people re-use them on other, more valuable sites. So it's not like that isn't how actual "hacking" happens; it's been known to.

And of course a lot - a whole lot - of designers are lazy, and do things like just use crypt() and a salt, or something else "obvious" for their password hash. Some, likewise, think MD5 is fine for passwords. They're wrong, but nonetheless, if I got a random database dump of a user table with password blocks, I'd try those two options first - and odds are dishearteningly high that it'd work.

Lastly, we should note that while "hackers have to be inside the system to get the password file" is true in a sense, it's not literally true that they need deep access to get password hashes; it seems that more typically they have a simple database injection in, and simply dump the user and/or password table. They can, if the system is poorly designed, like most systems, get your password hashes without ever getting root access or to a prompt or filesystem.

[Though, yes, in practice it sure seems like most of it is just trying the ten most popular passwords and trying those. Low-hanging fruit and all that.]

2) Sites with a web API or the right sort of login prompt form are still - if they're not smart enough to throttle login attempts - vulnerable to brute-force attacks, just not as rapidly. A good script combined with a fast network connection could in practice probably do a few thousand a second indefinitely without a lazy admin ever noticing.

3) Even worse, let's not forget sites that don't enforce a maximum length explicitly... but truncate silently to 8 or 12 characters. Nobody should ever do this, but I've heard of it, and fairly recently. So you make what you think is a "secure" 16 character password... but in fact you've only really got 8. False sense of security, what?

Teletran One said at December 29, 2011 2:30 PM:

Check out Steve Gibson's GRC site about how just adding a string of characters (or salting your password) dramatically improves the crypto strength.

Sayyid said at December 29, 2011 2:40 PM:

"You can base your passwords around words since words are easier to remember. But then you can add camouflage. For example, you can substitute special characters for letters in words. Sometimes this is done with obvious substitutions such as '@' in place of 'a' and '3' in place of 'E'. But you could make up your own substitutions that are not obvious to others as long as you can remember them."

Congratulations, a brute force attack that includes "common substitutions" just cut the value of your added character to one or two additional bits.

If you're concerned about a brute force attack it's easier to just give up on short passwords. "j@(*#smUs" -- the result of my hands mashing my keyboard -- is a three year crack. "my password is so secure you will never crack my password" rates at about 421 octovigintillion years. Whatever the heck an octovigintillion is. I'm sure it's a long enough time.

Now ask yourself: which of the two is easier to memorize?

There's an xkcd about this mass insanity.

DSmith said at December 29, 2011 2:50 PM:

I use the PassPack password manager. There are others. I let it generate random passwords, using whatever characters and max length each site allows. Then I just cut & paste them from the password manager into each site as required. There is a web version and a local version that are synced, so even if my disk crashes, or the company disappears, I still have my passwords. The manager itself is protected by a quite long passphrase, but I only type that once and then leave it open during a session. You can also store other information in the password manager, like bank account info, etc.

For home users, I think this is a great way to have truly strong, unique passwords for each site you use, without having to go through a great deal of inconvenience. The only catch is that you have to trust your password manager company - so spend the time to research them. You also could be vulnerable to a keylogger attack, but that's true no matter what you do.

Sam said at December 29, 2011 3:21 PM:

Use at least uppercase letters, lowercase letters, numbers and special characters and make the password as long as you can. If you must use words, use words from several languages. Use a password manager, but make sure it is protected itself and you back it up when you make changes.

lockestep said at December 29, 2011 4:08 PM:

Thank you Sayyid for being a lone spot of sanity. "strong passwords" are treated as received wisdom amongst corporate IT professionals, and they will not even engage in conversation about the number of attempts needed to crack "fire twist rouge phalanx" vs "Tr@psh00t". So we go with the "strong password" and do the most dangerous thing possible with a password -write it down.

David said at December 29, 2011 4:43 PM:

For my own passwords, frequently changed, I rely on a lifetime of memorized poetry, prose, and songs in a few different languages. A verse selected from a song or poem, or a paragraph of text can supply a relatively strong password via the first letters of each word in the verse or paragraph of prose, especially with a few numbers or other characters insertedin ways that make sense to my own twisted view of reality.

And yes, I do keep a regularly updated, hand-written list of passwords in a safe to which only the executor of my estate, such as it is, has a key. Obviously, it's not as a reminder for me (unless I were to suffer serious mental degradation), but it is nice to know that my family won't be locked out of my digital life when I am gone.

Of course, none of my passwords are generated from sources well known to associates to be favorite poets or composers. Building such passwords from passages in, say, Die Winterreise, would just be silly.

Kevin M said at December 29, 2011 5:43 PM:

The common wisdom is to use at least 3 of 4 types (upper, lower, number, symbol) in a shortish password of 8 or 10 characters. The problem is that it MUST be written down, and the list has to be handy. If you use a word and substitute for letters in a way that "makes sense" it will also make sense to everyone else and be obvious (1 for l, 3 for e, etc), so you lose the added benefit of the extra characters. If you reuse passwords, you are at the mercy of the weakest protected site.

And even if you do use random selections from that wider character set, note that 128^8 is much much less than 26^20.

What I do:
1. a throwaway password. I don't care if you know it. I use it for annoyance passwords, like obsolete laptops used as lab tools.
2. a password for sites where there is nothing other than embarrassment at risk. I expect these sites to have poorer security than my password anyway.
3. a password regime for most sites that has a set of maybe 16 random 5-7 letter words, of which I use 3-5 for any given site. And I write down only my code for those words, which are themselves written down no where. Similar to the xkcd scheme.
4. an ultra secure password for server roots and things of that sort.

Leonie said at December 29, 2011 7:57 PM:

Use words from a dead language and mess with them. Even better, use an obscure dead language.

And I have an entire book of sites & passwords. Why re-use a pw if you don't have to? Start collecting dictionaries, or hunt down foreign

Penny said at December 29, 2011 11:45 PM:

Like some of the other commenters, I use an algorithm. This has the advantage that every site has a unique password, I don't have to memorize them, and I don't have to write them down. Easy sneezy.

Rob said at December 30, 2011 8:34 AM:

I used to memorize passwords, write them down, use the same ones over and over, but no longer. DSmith mentioned he uses the PassPack password manager. I have used LastPass PW manager for about 2 years now and I'll never go back to my old ways of writing down passwords on a 3x5 card. Never. Try a password manager--any manager, though I prefer LastPass--and you'll see what life can be like without having to remember insane passwords. Just let the PW managers generate complex passwords for you.

Joeythelemur said at December 30, 2011 10:22 AM:

I don't know PassPack or LastPass, but I've used KeePass for years and it's fantastic. A solid password manager app has worked wonders for me.

I agree with the techniques suggested in this post. I'd go a bit further and put your efforts into having 1 or 2 solid, 14-20 character passwords that you can remember and rotate those as the access password for the password manager. Everything else is stored in that encrypted DB. I don't have any idea what my passwords are for each of my bank/investment accounts; they're long, random, and different for each site.

David said at January 3, 2012 1:25 PM:

I can recommend Password Safe:
Free, open source, has been around for a good long time.

Post a comment
Name (not anon or anonymous):
Email Address:
Remember info?

Go Read More Posts On FuturePundit
Site Traffic Info
The contents of this site are copyright