
Password Tip 9

Status
Not open for further replies.

RDK

Civil/Environmental
Jul 19, 2001
I came up with an idea for generating passwords that comes up with un-guessable and easily remembered passwords that I want to pass on.

Think of a sentence that you can easily remember, one that has capitals, numbers and punctuation in it. Pick a sentence that has meaning to you but not to anyone else. You could make up a sentence about a grade school teacher or someone from your past. It could be something so trivial from grade school that only you even remember it. Take the first letter of each word, respecting the capitalization and punctuation, and use numbers as appropriate. You can also use symbols, e.g. & for "and", # for "number", 2 for "two", "to" and "too", etc.

For example, let's assume that I pick the sentence “My friend John, has two cats and a number of dogs.” This would translate into the password MfJ,h2c&a#od. Another example: “I was in the same class with Bill, our mailman, in grade 3 and 4” becomes IwitscwB,om,ig3&4.

Try to guess those passwords. I can easily remember them.

They are not the ones I use (or even true statements) so don’t even try. :)

Rick Kitson MBA P.Eng

Construction Project Management
From conception to completion
 
Those have got to be painful to type. Another idea is to pick a pattern that makes sense to you on the keyboard. For example, start at z and go diagonally up and down -- zse4rfvgy7. Incorporating caps and shift into that makes it even better. Here's an example using the same pattern, but alternating the shift key every other character -- zSe$rFvGy&. Granted, the latter is not as easy, but probably more secure.

Just an idea, again, and of course not useful to determine my password. :)
 
Even better, just close your eyes and hit the keys in a random manner; now your password is so secure that even you will not remember it.

 
Or just try typing your normal password backwards... cracker jack breakers look for logic, information about the user, number coding, and random keystrokes. If you have a good cracker, not much is going to stop it. If someone wants in there badly enough, they will get in. It is like locks on your door. No matter how many you have, a good foot will open the door. It is just about having a good deterring nature to it and a way of being flagged that someone was there. If you really need security, there are programs you log different passwords into, and when one senses hacking it changes the current password randomly and notifies you using the data you gave it. Say it saved your comp from a hack attack, assigned a new password and then sent a msg box to inform you of a hint to the new password. Just hope you have a good memory when this happens. My hint was saying use pw number 4. Darn thing was I forgot what password #4 was. HA! Good luck. Have a nice day!
OhioIE
 
Could you try to crack the password and have the program re-set the password to say #5 which you remember?

Rick Kitson MBA P.Eng

Construction Project Management
From conception to completion
 
Um... no. These attacks aren't just used by typing in the password block. They are networked attacks in which hackers use other programs to enter the PC, and that triggers the software I am speaking of. Also, keep in mind I am no PC guru by any means. Some of my friends are, and they have explained some things to me, because I would like to open my own business and I asked them about protection, because a lot of the information that would be available on my networked system could be hacked, stolen and sold to competitors for design ideas etc. Believe it or not, it does happen. Patent and trademark ideas can be stolen before they are applied for if the info is stored on a computer linked to the net, even by phone line.

Have a nice day!
OhioIE
 
The best strategy for making passwords is the sentence example given in the first post. I run a password cracker, use pattern and dictionary checking, and force my users to change their passwords once every month. To users it may seem like a pain in the butt to make a random password, but the day that their system gets hacked and they get reprimanded for it they will change their mind. Not to mention the pay cut they may receive when their company loses millions of dollars because of their machine getting hacked allowing that hacker easy access to corporate servers.

Corporate security is a major concern to many administrators, especially if their network is on the Internet. Firewall or not, there is always a way to get into a network. But it never hurts to reduce the possibilities.

-al
 
I do have to agree with jstickley’s comment that sometimes these passwords are hard to type.

With a little work you could come up with a sequence that is easy to type and still follows a mnemonic sentence as I originally suggested.

How about “There goes Bob, he’s just imported oil.” Or TgBhjio?

I know it doesn’t make sense, but at least it follows a pattern on a QWERTY keyboard. (Try it.)


Rick Kitson MBA P.Eng

Construction Project Management
From conception to completion
 
As mentioned, there really is no password that will be 100% safe from those who REALLY want to get in to your system. The only thing most of us can do (who are not system administrators and have no say in what kind of security measures are taken), is to make our passwords sufficiently complex that it would take quite a bit of time and effort to break them. (That and not be stupid enough to tell it to someone.)

On the other hand, system administrators can do quite a bit to make things more difficult for those who want to access systems they're not supposed to. Even standard things such as locking out accounts after several incorrect logins can go a long way toward preventing access (after all, if there are umpteen million password combinations, what's the chance a password cracker will be correct on one of the first several tries?). That's just one of many tools system administrators have at their disposal....
 
I agree. Computer security is like any other type of security. You want to make it so hard to break into your office, home, car, computer or whatever that the culprit will either go on to something easier or leave enough tracks that you can find him later.

You really cannot stop a determined thief or hacker. Computer security involves much more than passwords. Locking accounts and changing passwords from defaults are all a big part of security. It's an old UNIX flaw that some distributions used the password root as the default for the root account. This has resulted in some major security breaches.

In one of my first exposures to computer networks the system administration changed user names and passwords on a monthly basis. These usernames and passwords were 8 alphanumeric characters long and were assigned on a random basis.

You can guess what happened. Almost every computer had a Post-it note on the monitor or under the keyboard with this month's names and passwords on it.


Rick Kitson MBA P.Eng

Construction Project Management
From conception to completion
 
My guess is that the key is to have a long password, no matter what it is.

How hard is it to crack a short password if a hacker has a program on your computer running every possible combination all day long? With the limited number of keys on a keyboard, it shouldn't take long to crack a short password, no matter how you make it up.

With a 4-place password, for example, my keyboard gives roughly 78 million possible alternatives. A 3 GHz computer could crack that in seconds with even the crudest scheme. I'm sure others have already worked out the number of places you need in a password to be reasonably secure. Is there a website that has that information?
 
"With a 4-place password, for example, my keyboard gives roughly 78 million possible alternatives"

Alphanumeric passwords (99% of existing passwords, since you are rarely allowed to use extra symbols like ",#& etc.) give you a combination of 26 (lower case) + 26 (upper case) + 10 (numbers) = 62 possible characters per slot. Make your password four characters long, and you come to a number of 62*62*62*62 alternatives, that is 14776336, which is lower than your expectation.

Also, a quick search on the web about password creation (Google search for "password") gives you a couple of interesting pages:


There are many others. Also look for "encryption" or words like this ;-)

Cyril Guichard
Mechanical Engineer
 
FrenchCAD,
Yes, your number is more accurate for most cases. As your links indicate, most passwords don't allow non-alphanumeric symbols. I assumed that all keyboard symbols were usable just to estimate an upper bound on the combinations, in order to show that short passwords can't be good. I have always wondered if any of the less common ASCII symbols could be used, and I'm sure the answer is "yes" if the program allows it; but I haven't seen any that do.

The links imply that any password can be cracked in a matter of seconds; and I am surprised to see that the time is so short, although the relationship between length of password and time-to-crack is not discussed in a systematic way.

It is also stated that the use of random symbols in a password (&,#,$,<, etc.) is helpful for making it more difficult to crack, I suppose because they reduce the usefulness of pattern algorithms in password cracking codes, thereby requiring more of a brute force method. But some programs don't allow symbols in passwords.

So, while length is important, randomness is important also. Using a short, favorite word for a password is almost like having no password at all.


 
Mpiper wrote:

With a 4-place password, for example, my keyboard gives roughly 78 million possible alternatives. A 3 GHz computer could crack that in seconds with even the crudest scheme. I'm sure others have already worked out the number of places you need in a password to be reasonably secure. Is there a website that has that information?

and I respond below:

Assuming a 4 character password of case-insensitive alphanumerics only, we get 1.67 million combinations (36^4). Allowing case sensitivity and shifted numbers gives us 72 characters, and 72^4 = 26.9 million combinations.

More importantly, though, while it may be true that a 3GHz computer can generate 78 million 4-character groups in a few seconds, it is probably NOT true that that same computer can make 78 million login attempts in a few seconds.

For fun, I'll throw a few numbers at the question...
Assume fast connection (100Mbps ethernet)
Assume very fast authentication (time to check password = 0)
Assume password and login request fits in a 256 byte packet.
Assume total login requires 4 packets (request login, receive challenge for password, send password, receive notice of success/failure)
Network efficiency of 75% (packet collisions, etc limit throughput)

Time to make one login attempt = 0.11ms (This gives about 9000 attempts per second.) Time to work through 78 million combinations = almost 2.5 hours. Time to work through 78 million combinations if account is locked out after 5 failures, and re-enabled hourly by a really stupid sysadmin: 1780 YEARS!

With a 56K dialup connection, with similar assumptions, things are much slower: perhaps 6 or 7 attempts per second, max. Interestingly, if the account is locked out after a number of failed logins, the total penetration time is no different than if a faster connection was in place.

The moral? Choose a good password, and then choose an authentication process that throws a flag when things look fishy.

William Wicker.
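Putting the arithmetic from Mpiper's, FrenchCAD's and William Wicker's posts into one small model, as an added example that is not part of this thread: the keyspace figures (36^4, 62^4, 72^4), the network-bound guess rate under Wicker's stated assumptions, the effect of a 5-failure lockout released hourly, and, going one step beyond the posts, the shortest length that outlasts a given guessing budget. The function names and the one-year budget are my own choices, not anything the posters used.

```python
"""Brute-force cost model for online password guessing (added example).
Reproduces the thread's figures: keyspace for an alphabet and length,
a link-bound guess rate, and the effect of an account-lockout policy."""
from typing import Optional

SECONDS_PER_HOUR = 3600.0
SECONDS_PER_YEAR = 365.25 * 24 * SECONDS_PER_HOUR

def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols."""
    return charset_size ** length

def attempts_per_second(link_bps: float, packets_per_attempt: int,
                        packet_bytes: int, efficiency: float) -> float:
    """Upper bound on online guesses per second when the link is the
    only bottleneck (the password check itself is assumed to take 0 s)."""
    bits_per_attempt = packets_per_attempt * packet_bytes * 8
    return link_bps * efficiency / bits_per_attempt

def seconds_to_exhaust(space: float, rate: float,
                       lockout_after: Optional[int] = None,
                       unlock_after_s: Optional[float] = None) -> float:
    """Worst-case time to try every one of `space` passwords.

    A lockout policy lets only `lockout_after` guesses land per
    `unlock_after_s` window, so the effective rate is capped there."""
    if lockout_after is not None and unlock_after_s is not None:
        rate = min(rate, lockout_after / unlock_after_s)
    return space / rate

def min_length(charset_size: int, rate: float, budget_s: float) -> int:
    """Shortest length whose keyspace exceeds what an attacker making
    `rate` guesses per second can cover within `budget_s` seconds."""
    needed = rate * budget_s
    length = 1
    while keyspace(charset_size, length) < needed:
        length += 1
    return length

if __name__ == "__main__":
    # Wicker's assumptions: 100 Mbps, 4 packets of 256 bytes, 75% efficiency.
    rate = attempts_per_second(100e6, 4, 256, 0.75)
    print(f"{rate:.0f} guesses/s over the wire")
    hours = seconds_to_exhaust(78e6, rate) / SECONDS_PER_HOUR
    years = seconds_to_exhaust(78e6, rate, 5, SECONDS_PER_HOUR) / SECONDS_PER_YEAR
    print(f"78M guesses: {hours:.1f} h unthrottled, {years:.0f} years with lockout")
    # Assumed budget: one year of continuous guessing against a 62-symbol alphabet.
    print("Length needed to outlast one year:", min_length(62, rate, SECONDS_PER_YEAR))
```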
 