The Problem with Passwords - Part 2
As I mentioned in my previous post, it is difficult to strike a balance between a password that is easy to remember, and yet is difficult to guess. When choosing passwords, you want to avoid words that appear in a dictionary.
How Password Crackers work:
There are 3 main stages to guessing a password. The initial stage might involve some profiling of the person whose password you are attempting to obtain. The names of children, pets, and home towns are common. This phase is often short-lived but can sometimes bear fruit without having to proceed to Phase 2. The second phase is a “dictionary” attack, where the attacker uses a program to load up an enormous list of words in multiple languages and churns through the list until it finds a match. Password cracking applications also contain intelligence to attempt variants of the dictionary words (ex: Password1, Password12, Password123). An average desktop computer can run a large-scale dictionary attack in a matter of a few hours to a day. If that fails, the attacker can call out the big guns. Phase 3, called “brute-forcing”, involves instructing the password cracking application to guess every possible password. Given enough time, the application will eventually find your password, though in real-world terms it is only practical for shorter passwords.
With this knowledge in mind, it is important that our passwords be of sufficient length (8 characters at least), not exist in the dictionary or be easily associated with you, not follow keyboard patterns (ex: qwerty or asdfgh), and yet still be easy to remember! So how do we balance these needs without writing down all of our 12-character passwords on a sheet of paper?
Two Words: Pass phrases
Suffice it to say that we all enjoy movies, music, and literature. This will serve as the root of our password generation method. The idea is to take something you’ve already memorized and use it to generate a long, pseudo-random password that will still be easy to recall. Let’s say that in your misspent youth, you memorized the lyrics to “Jump Around” by House of Pain and now they are indelibly stuck in your brain, playing over and over again while you await death’s sweet release… Please note that I cannot be held liable for any emotional or psychological damage caused by this example:
“Word to your moms, I came to drop bombs, I got more rhymes than the bibles got psalms…”
For the purposes of this example, we will just take the last 9 words here and write the first letter of each word:
“Igmrttbgp”
Now we have a 9-character non-English word. Not too bad, but it still wouldn’t take an intelligent brute-force attack too long to crack, as we’re only using the 26 characters of the English alphabet. We need to make the password more complex by adding some special characters and numbers. To do this, I normally perform a character substitution to produce something like this:
“!gmrttbg9”
As you can see, I’ve replaced the “I” with a “!” and the “p” with a “9”. This gives us a password that is very resistant to the most common vectors of attack described above. I’ve been using this technique for generating passwords for the last several years and have found it useful. I welcome your comments and suggestions for improving on this technique.
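The derivation walked through above (initials of the last nine words, then the two substitutions), together with a Phase 2 check (does the result collapse back to a dictionary word once common variants are undone?) and a Phase 3 keyspace estimate, in Python as an added example that is not from the original post. The extra substitution entries, the tiny wordlist and the 32-symbol count are assumptions; the keyspace estimate counts every character class present, so the capital “I” already widens the alphabet beyond 26.

```python
import math
import re
import string

# The post's quote, used as the memorised phrase.
LYRIC = ("Word to your moms, I came to drop bombs, "
         "I got more rhymes than the bibles got psalms…")

# Substitution table: the post's two swaps ("I" -> "!", "p" -> "9") plus a few
# assumed extras in the same spirit.
SUBSTITUTIONS = {"I": "!", "p": "9", "a": "@", "s": "$", "o": "0"}

# Constructed mini wordlist standing in for a cracker's dictionary.
WORDLIST = {"password", "rhymes", "bibles", "psalms", "jump", "around"}

def initials(phrase, last_n=0):
    """First letter of each word; last_n > 0 keeps only the last N words."""
    words = [w.strip(string.punctuation + "\u2026") for w in phrase.split()]
    words = [w for w in words if w]
    if last_n:
        words = words[-last_n:]
    return "".join(w[0] for w in words)

def substitute(password, table=SUBSTITUTIONS):
    """Swap every character that has an entry in the substitution table."""
    return "".join(table.get(ch, ch) for ch in password)

def dictionary_variant(password, wordlist=WORDLIST):
    """Phase 2 check: does the password reduce to a wordlist entry once the
    common tricks (case, trailing digits/symbols, character swaps) are undone?"""
    undo = str.maketrans({v: k.lower() for k, v in SUBSTITUTIONS.items()})
    core = re.sub(r"[\d\W_]+$", "", password.translate(undo)).lower()
    return core in wordlist

def keyspace_bits(password):
    """Phase 3 estimate: log2(alphabet ** length), where the alphabet is the
    union of the character classes actually present in the password."""
    if not password:
        return 0.0
    classes = [(string.ascii_lowercase, 26), (string.ascii_uppercase, 26),
               (string.digits, 10), (string.punctuation, 32)]
    size = sum(n for chars, n in classes if any(c in chars for c in password))
    return len(password) * math.log2(size)

if __name__ == "__main__":
    step1 = initials(LYRIC, last_n=9)                # Igmrttbgp
    step2 = substitute(step1, {"I": "!", "p": "9"})  # !gmrttbg9
    for pw in (step1, step2, "Password123"):
        print(pw, "dictionary variant:", dictionary_variant(pw),
              "keyspace bits: %.1f" % keyspace_bits(pw))
```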