Learn about Linux
Download Linux
Get Linux helpSpecial Offers
Feature: Security
Choosing Strong Passwords
By on
March 01, 2003 (8:00:00 AM)
Share
Print
Comments
- By Raj Shekhar -
Passwords are the most common approach for identifying a user's identity. We use passwords to secure our computers, to send or receive emails or to access special resources. Password guessing has always been the favourite method of cracking into computers or circumventing security measures.
Passwords are the most common approach for identifying a user's identity. We use passwords to secure our computers, to send or receive emails or to access special resources. Password guessing has always been the favourite method of cracking into computers or circumventing security measures.
Commonly two methods to guess a password are used:
- The cracker has some personal information about the user. Frequently people use the names of their cats, dogs or spouses as their passwords.
- A brute force attack is one in which all possible words of a certain length are attempted until a correct one is found. Crack dictionaries which contain a list of common words and phrases can easily be found on the Internet. Good crack dictionaries contain entire scripts to popular movies and entire sets of song lyrics.
Use Long Passwords
Choose passwords that are as long as allowed by the software. Make your passwords at least 10 or 12 characters long. Short passwords do not leave enough choices to prevent their being guessed by repeated trials. Ideally your password should contain at least one character from each of the following categories:
- upper case letters (ABC)
- lower case letters (abc)
- digits (123)
- punctuation and other symbols (!$%)
<SAMP>`Rash1978BRuno!blaCk'</SAMP>
may seem absolutely random but will be quite easy to
remember for someone whose name is Raj
Shekhar, who was born on 1978, who had a dog
named Bruno (notice how the upper case and lower case
letters have been mixed), and whose favourite color is
black. (Again, notice the mix of upper and lower case.)
If you had used only one of these as your password, crackers with some personal knowledge about you would have compromised it. However, if these are mixed in with other characters and words, they can increase the length of your password without compromising its security -- while keeping it easy to remember.
Use Shocking Nonsense
Q: How do I choose a good password or phrase?Shocking nonsense means to make up a short phrase or sentence that is both nonsensical and shocking; that is, it contains grossly obscene, racist, impossible or another extreme mix of ideas. This technique is permissable because the passwords is never (ideally) revealed to anyone with sensibilities to be offended.A: Shocking nonsense makes the most sense
A very weak example is
<SAMP>`Bart Simpson beats up Einstein'</SAMP>.
or with some mixing of upper and lower case characters,
<SAMP>`bartSimpsonBeatsUpEinstein'</SAMP>.
Making up many far more shocking or entertaining examples
is left as an exercise for the reader.
Shocking nonsense passwords which are quite long cannot be easily cracked by use of brute force attack.
Use the First Letter of Each Word
Another technique for creating strong passowrds is to use the first
letter of each word of an easily remembered phrase. For example
<SAMP>`Mhall'</SAMP>
is formed by taking the first characters of of each word in the sentence
<SAMP>`Mary had a little lamb'</SAMP>.
This technique can be further strengthened by mixing the password with some digits and punctuations. For example, <SAMP>`M!hal%l'</SAMP>.
An even stronger password can be obtained by typing one key to the left on a standard <samp>QWERTY</samp> keyboard. The above password after applying this technique becomes <SAMP>`N!gpk%k'</SAMP>.
Conclusions
Choosing a strong password is just a small step in securing your resources. Using the guidelines above will help you choose passwords that are easy to remember, and at the same time strong.
If you have any suggestions for this article please let me know at lunatech3007 at yahoo dot com.
Comments
on Choosing Strong PasswordsNote: Comments are owned by the poster. We are not responsible for their content.
My last job I had a new boss who I will call Jr. (who happened to the son of the CEO). He was fresh out of collage, and was hired on as the new head of MIS.
I went on a 2 week vacation and was fired the day I got back, marched to my office, and asked for my password to my PC.
I then told him what it was.
"fuckyou2" I said.
Jr. replied "What?"
So I repeated what I had said.
"fuckyou2. f-u-c-k-y-o-u and the number 2."
He looked at me in amazment.
I will cherish that day as long as I live.
I went on a 2 week vacation and was fired the day I got back, marched to my office, and asked for my password to my PC.
I then told him what it was.
"fuckyou2" I said.
Jr. replied "What?"
So I repeated what I had said.
"fuckyou2. f-u-c-k-y-o-u and the number 2."
He looked at me in amazment.
I will cherish that day as long as I live.
the main problem isn't the password it is the software security
not so much.
You can break into an OpenBSD system if somebody uses an awful password. It is as big a security hole as anything else
You can break into an OpenBSD system if somebody uses an awful password. It is as big a security hole as anything else
One problem is sysadmins who make passwords expire too frequently and implement rules restricting password re-usage or passwords being similar to previous passwords.
How many times can you come up with the types of passwords suggested in the article? After a while, you start to run out of ideas of things you can remember easily.
And then you start to have what I see in the office, especially from non-technical users - people writing down passwords because they have to change them so often and use unusual patterns (mix upper/lower case, punctuation, etc.).
How many times can you come up with the types of passwords suggested in the article? After a while, you start to run out of ideas of things you can remember easily.
And then you start to have what I see in the office, especially from non-technical users - people writing down passwords because they have to change them so often and use unusual patterns (mix upper/lower case, punctuation, etc.).
Infinate combinations of numbers and letters.
There is not an infinite combinations of numbers and letters because most passwords has a maximum length.
I find this utterly shocking. We should never be encouraging racism in any forms, even in secret passwords nobody else will ever see.
Yes, but it takes a long time for people to find it in the original article.
quoting from the text: ``...it contains grossly obscene, racist, impossible or another extreme mix of ideas...''
Indeed I agree the suggestion of racism is rather unnecesairy. The other ones already give enough inspiratation.
quoting from the text: ``...it contains grossly obscene, racist, impossible or another extreme mix of ideas...''
Indeed I agree the suggestion of racism is rather unnecesairy. The other ones already give enough inspiratation.
I agree that it is an unneccesary comment, and wuld like to add that it's a direct quote from the
Linux Administration Handbook
by Evi Nemeth, Garth Snyder and Trent R. Hein.
So do we blame the parrot?!?
Linux Administration Handbook
by Evi Nemeth, Garth Snyder and Trent R. Hein.
So do we blame the parrot?!?
MY password is @#%raveAboutLinux01 think anybody will ever guess it.
No you just told it to us!!!
doohh.
At a wild guess, is your password, umm @#%raveAboutLinux01 by any chance?
Wo0t! I'm a skiddie (should that be skidmark?).
Wo0t! I'm a skiddie (should that be skidmark?).
Thank you for the advice! I just changed my passwords, so that they are really weird.
Bart beating up Einstein isn't so weird, cartoon characters can beat up anyone. And Einstein wasn't exactly Mike Tyson.
How about MicrosoftTrustworthyComputing
How about MicrosoftTrustworthyComputing
Seeing as how one Simpsons episode featured Stephen Hawking laying the smack down, "Bart Simpson beats up Einstein" is more like an upcoming episode summary than a good password.
I just changed my passwords to k3a0(A9kiWekj) and kka9i)#3@@Daweid.
I'm in charge of maintaining systems with economically sensative information, and it is policy for me to change root passwords bi-monthly.
This is how I am able to create and rotate strong passwords.
I usually go to a chinese restaurant at least every other week. At the end of the meal, I keep the fortune from the fortune cookies.
When I get back to the office, I take the "lucky numbers" from the fortune, and put a word that is easily remembered in front of the numbers - and that is my strong password! For example, if my lucky numbers are 32452123, and I remember "f00b@r" as my key, my password is f00b@r32452123.
I always make sure that I keep the fortune in the same, VERY safe place.
This is how I am able to create and rotate strong passwords.
I usually go to a chinese restaurant at least every other week. At the end of the meal, I keep the fortune from the fortune cookies.
When I get back to the office, I take the "lucky numbers" from the fortune, and put a word that is easily remembered in front of the numbers - and that is my strong password! For example, if my lucky numbers are 32452123, and I remember "f00b@r" as my key, my password is f00b@r32452123.
I always make sure that I keep the fortune in the same, VERY safe place.
I always make sure that I keep the fortune in the same, VERY safe place.
I had to read this while I was eating lunch. Groan.
I had to read this while I was eating lunch. Groan.
So a password for a site that identifies itself as "The Online Newspaper of Record for Linux and Open Source" should be close to "TONoRfLaOS"?
Of course, is good that the phrase that the password is based don't be so visible<nobr> <wbr></nobr>:) I usually use part of songs I like, or poems, book titles, memorable quotes, or, why not, slogans that I see somewhere (no, not the newsforge one<nobr> <wbr></nobr>:) to pick initials and do some transformation.
And the best part of using initials of something to rebuild the password is that this defeat some time based sniffing attacks (that try to measure times for pressing keys based on keyboard position for gessing passwords over an encrypted channel, I saw some of this some time ago) because you are getting the letters at the same time you remember the phrase, and that is not related to letter positions in the keyboard.
Of course, is good that the phrase that the password is based don't be so visible<nobr> <wbr></nobr>:) I usually use part of songs I like, or poems, book titles, memorable quotes, or, why not, slogans that I see somewhere (no, not the newsforge one<nobr> <wbr></nobr>:) to pick initials and do some transformation.
And the best part of using initials of something to rebuild the password is that this defeat some time based sniffing attacks (that try to measure times for pressing keys based on keyboard position for gessing passwords over an encrypted channel, I saw some of this some time ago) because you are getting the letters at the same time you remember the phrase, and that is not related to letter positions in the keyboard.
When a site has rules for creating passwords and those rules ban entire classes of passwords then the site has made a brute force attack easier. For example: If a site requires passwords to be from 10 to 12 characters long then a brute force program will start with 10 character combinations and ignore all shorter combinations.
Similarly: If a site requires special characters in the password then a brute force program can ignore all possible passwords which do not contain special characters.
If a brute force program used all of the rules advocated by this article to avoid banned passwords then the program would crack the password in a fraction of the time required to crack a password which had no restrictions other than no personal information such as pet names, hobbies, relatives, etc.
I leave it to a probability enthusiast to figure how much faster these password rules allow a brute force program to find the password.
Similarly: If a site requires special characters in the password then a brute force program can ignore all possible passwords which do not contain special characters.
If a brute force program used all of the rules advocated by this article to avoid banned passwords then the program would crack the password in a fraction of the time required to crack a password which had no restrictions other than no personal information such as pet names, hobbies, relatives, etc.
I leave it to a probability enthusiast to figure how much faster these password rules allow a brute force program to find the password.
...yes - this is why you lock the account after X attempts.
most brute force programs will ONLY find passwords that are derivative of a WORD, not a string of characters (no matter how long)
having your password cracked by brute force is not an artifact of the password rules, but by the human who thought up the password.
having your password cracked by brute force is not an artifact of the password rules, but by the human who thought up the password.
No. You are very wrong.
Say, we have 26 letters. Now we have 25 times more passwords of length 10 than we do of any length below that. So, if one requires that passwords are of length at least 10, at most 12, we would only have removed 1/(26*26*26-1) of the passwords. That is one password out of around 17500. Presumably most users would have chosen a password of length less than 10, and then your idea of no limitation would have made the attackers job at least 17500 times easier.
Requiring special characters is also a good idea. Just going from all characters being lowercase letters, to requiring at least one to be uppercase, makes a 10 character password around 256 times harder to guess (26*(26+26)^8*26 / 26^10).
Assuming we have a language of 500000 words, and a password can consist of up to 2 words, we remove one out of 26^10/(500000 * (500000 + 1)) = 564 passwords.
Again we see the important lesson: If just one out of perhaps 1000 users use an unsafe password, not having any of the schemes would make the attackers job much easier. We would of course have to try brute forcing all of the passwords simultaneously.
So you see the attackers job is still, perhaps 99.5% of what it was previously, but the chance of being lucky has disappeared.
i agree about case, by my point still stands.
again, you are making your reference point to a language/dictionary-based bruteforce attack.
if i choose my password as something that does not exist in a dictionary file, or can't be found to be derivative of any of the permutations used by the cracking program upon that dictionary file, then it won't be broken by the cracker.
the original point was that if an organization places rules (like length) on a password, then it increases the risk that it can be broken. of course, this, i agree with. but not by a language-based brute force attack.
what i don't agree with is that it can be said that it will be broken by a brute force attack with any degree of certainty, within any reasonable amount of time. (i'm not talking years here)
again, you are making your reference point to a language/dictionary-based bruteforce attack.
if i choose my password as something that does not exist in a dictionary file, or can't be found to be derivative of any of the permutations used by the cracking program upon that dictionary file, then it won't be broken by the cracker.
the original point was that if an organization places rules (like length) on a password, then it increases the risk that it can be broken. of course, this, i agree with. but not by a language-based brute force attack.
what i don't agree with is that it can be said that it will be broken by a brute force attack with any degree of certainty, within any reasonable amount of time. (i'm not talking years here)
You are right, that with passwords of some length, pure brute force is infeasible. This is a fact so obvious, I saw no reason to state it.
As I read the original poster, the claim was that by putting limitations on passwords you make the job easier for the attacker (during a brute force attack), which I showed to be incorrect. Putting a (lower) bound on the length on password only removes neglible fractions of the entire search-space of strings, whereas it increases the size of the minimum space one has to search in order to be lucky. Thus a lower bound is a good thing.
Of course the only feasible way to search for passwords of acceptable length is to be more clever, like using a dictionary attack. If no lower bound is present (or if it is too low), it becomes feasible to search the entire space as well, as there is a possibility that somebody has chosen a password of length only 4 or 5.
As I read the original poster, the claim was that by putting limitations on passwords you make the job easier for the attacker (during a brute force attack), which I showed to be incorrect. Putting a (lower) bound on the length on password only removes neglible fractions of the entire search-space of strings, whereas it increases the size of the minimum space one has to search in order to be lucky. Thus a lower bound is a good thing.
Of course the only feasible way to search for passwords of acceptable length is to be more clever, like using a dictionary attack. If no lower bound is present (or if it is too low), it becomes feasible to search the entire space as well, as there is a possibility that somebody has chosen a password of length only 4 or 5.
My solution with my most recent password change was to MD5->Base64 a long phrase and then mutate the the first 10 characters with punctuation. Once you get the password into muscle memory, the rest should not be a problem.
This fixes one flaw I see with most of the password selection schemes referenced in the article. English is highly structured with significant bias in terms of character, digraph and word frequency. An attack on the "first letter of a phrase" can dramatically shorten the search by recognizing that many sentences begin with an article and "is" is one of the most common verbs. An attack on long phrases can be signifcantly shortened by generating random phrases with the same character frequencies as written English. (The field can be further shortened by using digraphs and common short words.)
Of course, someone can always run these attacks through md5 to try to get to my password. At some point security is less about being uncrackable and more about convincing the cracker that they would be better off attacking the next host over.
This fixes one flaw I see with most of the password selection schemes referenced in the article. English is highly structured with significant bias in terms of character, digraph and word frequency. An attack on the "first letter of a phrase" can dramatically shorten the search by recognizing that many sentences begin with an article and "is" is one of the most common verbs. An attack on long phrases can be signifcantly shortened by generating random phrases with the same character frequencies as written English. (The field can be further shortened by using digraphs and common short words.)
Of course, someone can always run these attacks through md5 to try to get to my password. At some point security is less about being uncrackable and more about convincing the cracker that they would be better off attacking the next host over.
I use old Motown lyrics. As in:
"Papa was a rolling stone" become Pwars.
Add some thing like a date and it gets better.
First time you got some or 9-11 comes to mind . . .
put them together and you have Pwars9-11
Oh and e=3 or 0=o is SO old school!
"Papa was a rolling stone" become Pwars.
Add some thing like a date and it gets better.
First time you got some or 9-11 comes to mind . . .
put them together and you have Pwars9-11
Oh and e=3 or 0=o is SO old school!
Now this is my Nice system. I write poems code and so on so password get hard even annoying.
So I have partical books I have with me for refecence. So a pasword comes page number lines down offset and direction.
Take any book open to a page write the page down.
read page pick a bit you like or close you eyes and point. Then take the chars so many in from begining of each word.
Example this doc. 3 pargaph insert 2 in
password would be anopoaarhaoeaiaioirloynohahhoanrefaw
Yep I would like to see some one guess stuff like this.
book page/3/2 writen some where can just look like a refence or it could look like a boot and date and so on. So unless you have some one really deteraned they will have fun.
Note I have not told you all of my code just the start. Where any how I mix caps in and number make my passwords some of the most complex I have ever seen. But the catch is if I forget I can just create.
So I have partical books I have with me for refecence. So a pasword comes page number lines down offset and direction.
Take any book open to a page write the page down.
read page pick a bit you like or close you eyes and point. Then take the chars so many in from begining of each word.
Example this doc. 3 pargaph insert 2 in
password would be anopoaarhaoeaiaioirloynohahhoanrefaw
Yep I would like to see some one guess stuff like this.
book page/3/2 writen some where can just look like a refence or it could look like a boot and date and so on. So unless you have some one really deteraned they will have fun.
Note I have not told you all of my code just the start. Where any how I mix caps in and number make my passwords some of the most complex I have ever seen. But the catch is if I forget I can just create.
Re: Good way to remember: song lyrics
Posted by: Anonymous [ip: 64.253.110.159] on December 01, 2007 05:15 PM
Good Idea! I need the links to your public TV performances of original tunes, thank you.
Shifting your keys one key to the right is a fun way to type gibberish, another might be to memorize the ROT13 of your password, or to reverse the phrase that you use.
Also, when chosing numbers, don't choose "12" or "12345" or even "369" or "753" because consecutive numbers on the keypad are soooo common for things like voice mail.
Using a reverse phrase, ROT13, one keystroke over should be very difficult for a brute force attack. "Mary had a little lamb" becomes "Mhall" becomes "llahM" becomes "yynuZ" becomes "uumiX". I find it very difficult to purposefully type one keystroke over, but once you've memerorized "uumiX" you're good to go.
Better than regular chinese fortune cookies... Chinese fortune cookies with "Learn Chinese" on them. "Qing gei wo zhang-dan" means "May I have the check please". Combined with the lucky numbers 4, 8, 10, 13, 41, 42 and you're good to go.
Lacking a fortune cookie, a foreign language phrase book that's hidden may help. A phrase in french and the page it was on may be a good start. Just as long as nobody finds the book... Put a cover on it and stick it next to the HTML for Dummies book you still haven't thrown out.
Just try not to show off your newly acquired "wine for dummies" skills too often or people will realize that you're also using 'riesling67' for your password.
Or pieces of code. "mypassword" should be hard to guess but easy to remember.
Also, shouldn't passwords expire after a few incorrect attempts making brute fore that much more diffcult? Site administrators should see to that. Even if it just expires for an hour or so after 3 incorrect attempts, that limits an attacker to 3 * 24 = 72 attempts in any given 24 hour period.
Password anecdote from Foucoult's Pendulum by Umberto Ego. The computer asked "Do you have the password?" So of course the password was "no"
Anonymous Reader = marktaw = http://www.marktaw.com
Also, when chosing numbers, don't choose "12" or "12345" or even "369" or "753" because consecutive numbers on the keypad are soooo common for things like voice mail.
Using a reverse phrase, ROT13, one keystroke over should be very difficult for a brute force attack. "Mary had a little lamb" becomes "Mhall" becomes "llahM" becomes "yynuZ" becomes "uumiX". I find it very difficult to purposefully type one keystroke over, but once you've memerorized "uumiX" you're good to go.
Better than regular chinese fortune cookies... Chinese fortune cookies with "Learn Chinese" on them. "Qing gei wo zhang-dan" means "May I have the check please". Combined with the lucky numbers 4, 8, 10, 13, 41, 42 and you're good to go.
Lacking a fortune cookie, a foreign language phrase book that's hidden may help. A phrase in french and the page it was on may be a good start. Just as long as nobody finds the book... Put a cover on it and stick it next to the HTML for Dummies book you still haven't thrown out.
Just try not to show off your newly acquired "wine for dummies" skills too often or people will realize that you're also using 'riesling67' for your password.
Or pieces of code. "mypassword" should be hard to guess but easy to remember.
Also, shouldn't passwords expire after a few incorrect attempts making brute fore that much more diffcult? Site administrators should see to that. Even if it just expires for an hour or so after 3 incorrect attempts, that limits an attacker to 3 * 24 = 72 attempts in any given 24 hour period.
Password anecdote from Foucoult's Pendulum by Umberto Ego. The computer asked "Do you have the password?" So of course the password was "no"
Anonymous Reader = marktaw = http://www.marktaw.com
Just set your Keymap to Russian Cryllic, so when you enter the password from your QWERTY keyboard, even you don't know what it is! Then when Win boots up, have QWERTY the default and you're good to go.
If you're using song lyrics (or poetry) as your source, you can make up a bunch of related passwords for related computers. Each password is another line in the source material.
I have a way of choosing passwords that is so unique I have never seen it described anywhere. I won't tell you what it is because that would give you some information about my passwords. Even what I have written gives you some information about my passwords
E,fkzdfcdct[d'jge e,k.lrjd
My passwords are so good...
Posted by: Anonymous Coward on March 01, 2003 05:25 PM#