Secure Password Creation

Passwords are a vital part of IT security and privacy. Without them, computing as we know it would cease to function and identity theft would be as commonplace as shoplifting.

Many websites have strange password requirements, making you think up new ones all the time or, worse, allowing you to set all your passwords to be the same, be it for online banking, e-mail, or that "punch the monkey and win $1,000,000" site.

Some sites require 6-digit or 8-digit passwords. Many want mixed letters and numbers, with both upper and lower case. Some even require the odd symbol such as % $ & ( @ ! #. What an absolute mess!

Here we explain how to create passwords, or sets of passwords, that are easy to remember and hard to "crack" (we'll get into that later).

My office requires me to create a secure password using numbers, letters, mixed case, and at least one symbol. It must be at least 10 characters long, I cannot share it with anyone, and I must change it every month. Here is an example of my password now:
 
1Password!
 
This certainly fits all the requirements, except it is still easy for a hacker to obtain by "brute forcing" (guessing over and over again until the answer is found), or for a coworker to simply guess, as it uses a really common word plus two other elements to make it different.
Hackers have tools that add numbers and symbols to dictionary words to guess your password. It would take some of them only 10 seconds to figure out your password, log into your account, and start copying all your personal data (account numbers, other passwords written somewhere, etc.).

Mixing letters and numbers makes it difficult for hackers to brute force or "crack" (the act of breaking through a protective barrier) your password. Adding symbols further obfuscates your password, making it even more difficult. Here is an example of a "secure" password:
 
BmH!9*8SbEmErAlD
 
Hard to remember that! So, let’s use some simple guidelines to make easily memorable phrases or names or places you know to create a secure password.  This password will be between 8 and 20 characters in length, easy to remember, and hard to crack.

My name is Bart and my parents are Marge and Homer.  I was born in 1988, I work at Starbucks and this month’s birthstone is emerald.


To create my password I will start by stringing together some of this information:

 
BartMargeHomer1988StarbucksEmerald
 
That is too long! Let me remove some characters to trim it down some:
 
BMH1988StarbucksEmerald
 
Ok that’s still a bit long.  Let’s trim it a bit more:
 
BMH1988SBEmerald
 
That is now 16 characters long, perfect! But it is still subject to brute forcing, since it is just a few letters, numbers, and then a dictionary word. Let's obfuscate it a bit by pressing and holding down the "Shift" key on every other character.
 
BmH!9*8SbEmErAlD
 
Wait, isn't that the password from before? Wow, that looks really hard for a hacker to copy: it has letters, numbers, symbols, shifting case, and is 16 characters long. And it isn't really that hard to remember.

It is just the first initials of me, my mother, and my father, followed by the year I was born, my company, and this month's birthstone, typed while holding down Shift on every other character.

I could probably remember that, and use the same system but changing the “Sb” part to shorthand for another company or online system (like Google Mail, or Yahoo! Mail).


I use this month's birthstone because my password changes every month, so I can just keep the really secure part and change the monthly birthstone every time I change my password. Other sets of words could be used for this too.

But wait, won't the first half of my password that stays the same make it easier for hackers to crack my new password if they have the "hash" of my old one?

A long time ago this was the case. But with the advent of cryptographic salting (yes, it is called a "salt"), this is no longer a concern.

Save this article in a safe place for reference when creating a password.

 
For help creating sets of words to use for your passwords, check out Google Sets at http://labs.google.com/sets. Type in one or more related terms and Google can create a set of terms related to them. Try out Loki and Thor, or Mars and Jupiter. Author names, stars, elements, musicians, etc. can all be used to create sets you may want to use for your own passwords.

Stronger passwords contain no information related to you. Although the example uses names of relatives, a birth year, and a company name, for highly secure passwords random sets generated by Google Sets should be used instead.


The estimated bit-strength of the final password is 50.2 bits, which is a fairly good strength for company networks and logins. 60 to 127 bits is recommended for financial data. Following this guideline and making the password 20 characters or longer should allow you to create a password of 60 bits or higher.


Here is a list of terms that are related to this article, if you want to learn more about security and passwords.


Obfuscate, Brute Force, Cryptography, Salt, Hash, Advanced Encryption Standard, Blowfish, ROT13, Pretty Good Privacy, GNU Privacy Guard, Secure Sockets Layer, Encryption, Bit Strength


Be warned: the above topics can be quite daunting to understand and are considered to be part of a hard scientific field, which the NSA, CIA, and other similar organizations fund.