This is a read-only archive. Find the latest Linux articles, documentation, and answers at the new!

Feature: Security

Choosing Strong Passwords

By on March 01, 2003 (8:00:00 AM)

Share    Print    Comments   

- By Raj Shekhar -
Passwords are the most common approach for identifying a user's identity. We use passwords to secure our computers, to send or receive emails or to access special resources. Password guessing has always been the favourite method of cracking into computers or circumventing security measures.

Commonly two methods to guess a password are used:

  • The cracker has some personal information about the user. Frequently people use the names of their cats, dogs or spouses as their passwords.
  • A brute force attack is one in which all possible words of a certain length are attempted until a correct one is found. Crack dictionaries which contain a list of common words and phrases can easily be found on the Internet. Good crack dictionaries contain entire scripts to popular movies and entire sets of song lyrics.
There are a number of suggestions on what you should not choose as your password but very few suggestions for choosing good passwords. The best password is obtained when the characters of the password are chosen completely at random. This password can be a little difficult to remember. Here are a few guidelines which can help you in choosing strong, almost random, but easy to remember passwords.

Use Long Passwords

Choose passwords that are as long as allowed by the software. Make your passwords at least 10 or 12 characters long. Short passwords do not leave enough choices to prevent their being guessed by repeated trials. Ideally your password should contain at least one character from each of the following categories:

  • upper case letters (ABC)
  • lower case letters (abc)
  • digits (123)
  • punctuation and other symbols (!$%)
For example:

may seem absolutely random but will be quite easy to remember for someone whose name is Raj Shekhar, who was born on 1978, who had a dog named Bruno (notice how the upper case and lower case letters have been mixed), and whose favourite color is black. (Again, notice the mix of upper and lower case.)

If you had used only one of these as your password, crackers with some personal knowledge about you would have compromised it. However, if these are mixed in with other characters and words, they can increase the length of your password without compromising its security -- while keeping it easy to remember.

Use Shocking Nonsense

Q: How do I choose a good password or phrase?

A: Shocking nonsense makes the most sense

Shocking nonsense means to make up a short phrase or sentence that is both nonsensical and shocking; that is, it contains grossly obscene, racist, impossible or another extreme mix of ideas. This technique is permissable because the passwords is never (ideally) revealed to anyone with sensibilities to be offended.

A very weak example is
<SAMP>`Bart Simpson beats up Einstein'</SAMP>. or with some mixing of upper and lower case characters, <SAMP>`bartSimpsonBeatsUpEinstein'</SAMP>. Making up many far more shocking or entertaining examples is left as an exercise for the reader.

Shocking nonsense passwords which are quite long cannot be easily cracked by use of brute force attack.

Use the First Letter of Each Word

Another technique for creating strong passowrds is to use the first letter of each word of an easily remembered phrase. For example
<SAMP>`Mhall'</SAMP> is formed by taking the first characters of of each word in the sentence <SAMP>`Mary had a little lamb'</SAMP>.

This technique can be further strengthened by mixing the password with some digits and punctuations. For example, <SAMP>`M!hal%l'</SAMP>.

An even stronger password can be obtained by typing one key to the left on a standard <samp>QWERTY</samp> keyboard. The above password after applying this technique becomes <SAMP>`N!gpk%k'</SAMP>.


Choosing a strong password is just a small step in securing your resources. Using the guidelines above will help you choose passwords that are easy to remember, and at the same time strong.

If you have any suggestions for this article please let me know at lunatech3007 at yahoo dot com.

Share    Print    Comments   


on Choosing Strong Passwords

Note: Comments are owned by the poster. We are not responsible for their content.

My passwords are so good...

Posted by: Anonymous Coward on March 01, 2003 05:25 PM
...even I can't remember them!


Re:My passwords are so good...

Posted by: Anonymous Coward on March 02, 2003 06:32 PM
My last job I had a new boss who I will call Jr. (who happened to the son of the CEO). He was fresh out of collage, and was hired on as the new head of MIS.
I went on a 2 week vacation and was fired the day I got back, marched to my office, and asked for my password to my PC.
I then told him what it was.
"fuckyou2" I said.
Jr. replied "What?"
So I repeated what I had said.
"fuckyou2. f-u-c-k-y-o-u and the number 2."
He looked at me in amazment.
I will cherish that day as long as I live.


Password is not the problem

Posted by: yu cao on March 01, 2003 08:01 PM
the main problem isn't the password it is the software security


Re:Password is not the problem

Posted by: Anonymous Coward on March 03, 2003 09:34 AM
not so much.

You can break into an OpenBSD system if somebody uses an awful password. It is as big a security hole as anything else


One problem

Posted by: Anonymous Coward on March 01, 2003 09:26 PM
One problem is sysadmins who make passwords expire too frequently and implement rules restricting password re-usage or passwords being similar to previous passwords.

How many times can you come up with the types of passwords suggested in the article? After a while, you start to run out of ideas of things you can remember easily.

And then you start to have what I see in the office, especially from non-technical users - people writing down passwords because they have to change them so often and use unusual patterns (mix upper/lower case, punctuation, etc.).


Re:One problem

Posted by: Anonymous Coward on March 01, 2003 10:52 PM
Infinate combinations of numbers and letters.


Re:One problem

Posted by: Anonymous Coward on March 03, 2003 02:25 AM
There is not an infinite combinations of numbers and letters because most passwords has a maximum length.



Posted by: Anonymous Coward on March 01, 2003 10:20 PM
I find this utterly shocking. We should never be encouraging racism in any forms, even in secret passwords nobody else will ever see.



Posted by: Anonymous Coward on March 02, 2003 04:18 AM
Well, this is what I think of your post:




Posted by: Anonymous Coward on March 02, 2003 05:50 AM
Yes, but it takes a long time for people to find it in the original article.

quoting from the text: `` contains grossly obscene, racist, impossible or another extreme mix of ideas...''

Indeed I agree the suggestion of racism is rather unnecesairy. The other ones already give enough inspiratation.



Posted by: Anonymous Coward on March 04, 2003 06:23 PM
I agree that it is an unneccesary comment, and wuld like to add that it's a direct quote from the
Linux Administration Handbook
by Evi Nemeth, Garth Snyder and Trent R. Hein.
So do we blame the parrot?!?



Posted by: Anonymous Coward on March 01, 2003 10:48 PM
MY password is @#%raveAboutLinux01 think anybody will ever guess it.



Posted by: Anonymous Coward on March 02, 2003 12:25 AM
No you just told it to us!!!



Posted by: Anonymous Coward on March 02, 2003 01:57 AM



Posted by: Anonymous Coward on March 03, 2003 08:55 PM
At a wild guess, is your password, umm @#%raveAboutLinux01 by any chance?

Wo0t! I'm a skiddie (should that be skidmark?).



Posted by: Anonymous Coward on March 02, 2003 03:50 AM
Thank you for the advice! I just changed my passwords, so that they are really weird.


shocking nonsense

Posted by: Anonymous Coward on March 02, 2003 04:40 AM
Bart beating up Einstein isn't so weird, cartoon characters can beat up anyone. And Einstein wasn't exactly Mike Tyson.

How about MicrosoftTrustworthyComputing


Re:shocking nonsense

Posted by: Anonymous Coward on March 02, 2003 04:11 PM
Seeing as how one Simpsons episode featured Stephen Hawking laying the smack down, "Bart Simpson beats up Einstein" is more like an upcoming episode summary than a good password.


Just changed my passwords

Posted by: Anonymous Coward on March 02, 2003 06:02 AM
I just changed my passwords to k3a0(A9kiWekj) and kka9i)#3@@Daweid.


Fortunes from Fortune Cookies!

Posted by: Anonymous Coward on March 02, 2003 10:00 AM
I'm in charge of maintaining systems with economically sensative information, and it is policy for me to change root passwords bi-monthly.

This is how I am able to create and rotate strong passwords.

I usually go to a chinese restaurant at least every other week. At the end of the meal, I keep the fortune from the fortune cookies.

When I get back to the office, I take the "lucky numbers" from the fortune, and put a word that is easily remembered in front of the numbers - and that is my strong password! For example, if my lucky numbers are 32452123, and I remember "f00b@r" as my key, my password is f00b@r32452123.

I always make sure that I keep the fortune in the same, VERY safe place.


Re:Fortunes from Fortune Cookies!

Posted by: Anonymous Coward on March 04, 2003 02:15 AM
I always make sure that I keep the fortune in the same, VERY safe place.

I had to read this while I was eating lunch. Groan.


Newsforge administrator password

Posted by: Anonymous Coward on March 02, 2003 10:08 AM
So a password for a site that identifies itself as "The Online Newspaper of Record for Linux and Open Source" should be close to "TONoRfLaOS"?

Of course, is good that the phrase that the password is based don't be so visible<nobr> <wbr></nobr>:) I usually use part of songs I like, or poems, book titles, memorable quotes, or, why not, slogans that I see somewhere (no, not the newsforge one<nobr> <wbr></nobr>:) to pick initials and do some transformation.

And the best part of using initials of something to rebuild the password is that this defeat some time based sniffing attacks (that try to measure times for pressing keys based on keyboard position for gessing passwords over an encrypted channel, I saw some of this some time ago) because you are getting the letters at the same time you remember the phrase, and that is not related to letter positions in the keyboard.



password rules

Posted by: jamsession on March 02, 2003 11:28 AM
When a site has rules for creating passwords and those rules ban entire classes of passwords then the site has made a brute force attack easier. For example: If a site requires passwords to be from 10 to 12 characters long then a brute force program will start with 10 character combinations and ignore all shorter combinations.

Similarly: If a site requires special characters in the password then a brute force program can ignore all possible passwords which do not contain special characters.

If a brute force program used all of the rules advocated by this article to avoid banned passwords then the program would crack the password in a fraction of the time required to crack a password which had no restrictions other than no personal information such as pet names, hobbies, relatives, etc.

I leave it to a probability enthusiast to figure how much faster these password rules allow a brute force program to find the password.


Re:password rules

Posted by: Anonymous Coward on March 02, 2003 12:46 PM
...yes - this is why you lock the account after X attempts.


I have to disagree

Posted by: biera13 on March 03, 2003 12:36 AM
most brute force programs will ONLY find passwords that are derivative of a WORD, not a string of characters (no matter how long)

having your password cracked by brute force is not an artifact of the password rules, but by the human who thought up the password.


Re:password rules

Posted by: Anonymous Coward on March 03, 2003 03:06 AM

No. You are very wrong.

Say, we have 26 letters. Now we have 25 times more passwords of length 10 than we do of any length below that. So, if one requires that passwords are of length at least 10, at most 12, we would only have removed 1/(26*26*26-1) of the passwords. That is one password out of around 17500. Presumably most users would have chosen a password of length less than 10, and then your idea of no limitation would have made the attackers job at least 17500 times easier.

Requiring special characters is also a good idea. Just going from all characters being lowercase letters, to requiring at least one to be uppercase, makes a 10 character password around 256 times harder to guess (26*(26+26)^8*26 / 26^10).

Assuming we have a language of 500000 words, and a password can consist of up to 2 words, we remove one out of 26^10/(500000 * (500000 + 1)) = 564 passwords.

Again we see the important lesson: If just one out of perhaps 1000 users use an unsafe password, not having any of the schemes would make the attackers job much easier. We would of course have to try brute forcing all of the passwords simultaneously.

So you see the attackers job is still, perhaps 99.5% of what it was previously, but the chance of being lucky has disappeared.


hmm....again, i don't agree....

Posted by: biera13 on March 03, 2003 04:08 AM
i agree about case, by my point still stands.

again, you are making your reference point to a language/dictionary-based bruteforce attack.

if i choose my password as something that does not exist in a dictionary file, or can't be found to be derivative of any of the permutations used by the cracking program upon that dictionary file, then it won't be broken by the cracker.

the original point was that if an organization places rules (like length) on a password, then it increases the risk that it can be broken. of course, this, i agree with. but not by a language-based brute force attack.

what i don't agree with is that it can be said that it will be broken by a brute force attack with any degree of certainty, within any reasonable amount of time. (i'm not talking years here)


Re:hmm....again, i don't agree....

Posted by: Anonymous Coward on March 03, 2003 05:22 AM
You are right, that with passwords of some length, pure brute force is infeasible. This is a fact so obvious, I saw no reason to state it.

As I read the original poster, the claim was that by putting limitations on passwords you make the job easier for the attacker (during a brute force attack), which I showed to be incorrect. Putting a (lower) bound on the length on password only removes neglible fractions of the entire search-space of strings, whereas it increases the size of the minimum space one has to search in order to be lucky. Thus a lower bound is a good thing.

Of course the only feasible way to search for passwords of acceptable length is to be more clever, like using a dictionary attack. If no lower bound is present (or if it is too low), it becomes feasible to search the entire space as well, as there is a possibility that somebody has chosen a password of length only 4 or 5.


md5, SHA1?

Posted by: kirkjobsluder on March 02, 2003 11:38 AM
My solution with my most recent password change was to MD5->Base64 a long phrase and then mutate the the first 10 characters with punctuation. Once you get the password into muscle memory, the rest should not be a problem.

This fixes one flaw I see with most of the password selection schemes referenced in the article. English is highly structured with significant bias in terms of character, digraph and word frequency. An attack on the "first letter of a phrase" can dramatically shorten the search by recognizing that many sentences begin with an article and "is" is one of the most common verbs. An attack on long phrases can be signifcantly shortened by generating random phrases with the same character frequencies as written English. (The field can be further shortened by using digraphs and common short words.)

Of course, someone can always run these attacks through md5 to try to get to my password. At some point security is less about being uncrackable and more about convincing the cracker that they would be better off attacking the next host over.


Good way to remember: song lyrics

Posted by: Mr. Linux Head on March 02, 2003 07:01 PM
I use old Motown lyrics. As in:
"Papa was a rolling stone" become Pwars.
Add some thing like a date and it gets better.
First time you got some or 9-11 comes to mind . . .

put them together and you have Pwars9-11

Oh and e=3 or 0=o is SO old school!


Take any book about anything

Posted by: Anonymous Coward on March 03, 2003 01:10 PM
Now this is my Nice system. I write poems code and so on so password get hard even annoying.

So I have partical books I have with me for refecence. So a pasword comes page number lines down offset and direction.

Take any book open to a page write the page down.
read page pick a bit you like or close you eyes and point. Then take the chars so many in from begining of each word.

Example this doc. 3 pargaph insert 2 in
password would be anopoaarhaoeaiaioirloynohahhoanrefaw

Yep I would like to see some one guess stuff like this.

book page/3/2 writen some where can just look like a refence or it could look like a boot and date and so on. So unless you have some one really deteraned they will have fun.

Note I have not told you all of my code just the start. Where any how I mix caps in and number make my passwords some of the most complex I have ever seen. But the catch is if I forget I can just create.


Re: Good way to remember: song lyrics

Posted by: Anonymous [ip:] on December 01, 2007 05:15 PM
Good Idea! I need the links to your public TV performances of original tunes, thank you.


Encode before you encode

Posted by: Anonymous Coward on March 03, 2003 04:55 AM
Shifting your keys one key to the right is a fun way to type gibberish, another might be to memorize the ROT13 of your password, or to reverse the phrase that you use.

Also, when chosing numbers, don't choose "12" or "12345" or even "369" or "753" because consecutive numbers on the keypad are soooo common for things like voice mail.

Using a reverse phrase, ROT13, one keystroke over should be very difficult for a brute force attack. "Mary had a little lamb" becomes "Mhall" becomes "llahM" becomes "yynuZ" becomes "uumiX". I find it very difficult to purposefully type one keystroke over, but once you've memerorized "uumiX" you're good to go.

Better than regular chinese fortune cookies... Chinese fortune cookies with "Learn Chinese" on them. "Qing gei wo zhang-dan" means "May I have the check please". Combined with the lucky numbers 4, 8, 10, 13, 41, 42 and you're good to go.

Lacking a fortune cookie, a foreign language phrase book that's hidden may help. A phrase in french and the page it was on may be a good start. Just as long as nobody finds the book... Put a cover on it and stick it next to the HTML for Dummies book you still haven't thrown out.

Just try not to show off your newly acquired "wine for dummies" skills too often or people will realize that you're also using 'riesling67' for your password.

Or pieces of code. "mypassword" should be hard to guess but easy to remember.

Also, shouldn't passwords expire after a few incorrect attempts making brute fore that much more diffcult? Site administrators should see to that. Even if it just expires for an hour or so after 3 incorrect attempts, that limits an attacker to 3 * 24 = 72 attempts in any given 24 hour period.

Password anecdote from Foucoult's Pendulum by Umberto Ego. The computer asked "Do you have the password?" So of course the password was "no"

Anonymous Reader = marktaw =



Posted by: Anonymous Coward on March 03, 2003 06:44 AM
Just set your Keymap to Russian Cryllic, so when you enter the password from your QWERTY keyboard, even you don't know what it is! Then when Win boots up, have QWERTY the default and you're good to go.


The nice thing about lyrics.

Posted by: Anonymous Coward on March 05, 2003 04:23 AM

If you're using song lyrics (or poetry) as your source, you can make up a bunch of related passwords for related computers. Each password is another line in the source material.


Password Security

Posted by: Anonymous Coward on March 05, 2003 01:32 PM
I have a way of choosing passwords that is so unique I have never seen it described anywhere. I won't tell you what it is because that would give you some information about my passwords. Even what I have written gives you some information about my passwords


My password is

Posted by: Anonymous Coward on March 11, 2003 09:22 PM
E,fkzdfcdct[d'jge e,k.lrjd


This story has been archived. Comments can no longer be posted.

Tableless layout Validate XHTML 1.0 Strict Validate CSS Powered by Xaraya