Passwords: Getting To The Treasure



Joe Purcell
Staff Writer
2011-05-12



Perhaps the most overlooked feature of security is the password. Let's consider an analogy: your information, whether it be your home computer or Facebook, is like treasure. Only you have access to that treasure because it's protected by a password, a secret. The only way someone can steal your treasure is if they know how to get to it, that is, if they know your secret password.


Let's say, for example, you have money hidden under your mattress. Anyone wanting to steal from you would easily guess to look there. In the same way, hackers would easily guess "123456" for your password, which, by the way, was the password of almost 300,000 users at RockYou in 2009, according to a report by Imperva. Choosing a strong password isn't easy, but surely one could come up with a better password than that!

Ok, so passwords are our first line of defense. There are four main characteristics of a strong password:
  1. Length - the more characters the better; if uppercase, lowercase, numerals, and special characters are all in play, each additional character multiplies the number of possible passwords by 94, so 2 characters give 8,836 possibilities, but 3 give 830,584!
  2. Diversity - the more types of characters the better; use numbers, special characters, uppercase, and lowercase, but don't use dictionary words, backwards words, or repeated characters
  3. Associativity - hackers can socially engineer your password, so the more obvious the association between you and the password is, the more likely it can be guessed; for instance, don't use your name or anything that obviously identifies you
  4. Duration - the longer your password stays the same, the more chances a hacker has at attempting to crack it; a duration of 3 months is ideal

Ok, but how can one create a strong password that can be remembered? The best I've found is summed up by an article by Microsoft which starts with a sentence and modifies it to become a password impossible to guess. Here are the steps, with a few modifications:
  1. Choose a sentence - Choose a sentence you can remember with about 10 words, maybe a quote or start going through lines of your favorite poem or book (you'll need a new sentence every 3 months). I'll use the quote: "Treat your password like your toothbrush. Don't let anybody use it, and get a new one every six months." (it's longer than 10 words, but I can remember it--that's the key)
  2. Extract characters from the sentence - The simplest is to choose the first letter of each word, maybe convert number words to numbers and words like "at" and "and" to @ and &, so mine is: "Typlyt.Dlaui&gan1e6m."
  3. Add complexity - Microsoft suggests making the letters in the first half of it upper case, but a great alternative is to use l33t speak, so make T's into 7's, a's into @'s, and so on; here's a complete list of l33t conversions. This can also be done in the process of step 2, as I did, so since mine is already complex--it has uppercase, lowercase, numbers, and special characters--I can skip this step.

So, I have a password, "Typlyt.Dlaui&gan1e6m.", that is 21 characters long, which is crazy, but I can remember it. The first few times you will have to quote it in your head and remember which characters you've changed, especially the l33t characters. But, it's much more memorable than something arbitrary and it's nearly impossible to crack. However, we still have some issues.

First, there is the issue of sites or services that allow fewer than my 21 characters. In those cases, this is the best way to treat it: find all sites that allow fewer than 21 characters, of those sites find the smallest length allowed, then chop your password off at a point less than that length. For example, let's say my bank only allows 8 characters, so I cut my password off at 7 characters to get "Typlyt.", which is the first part of the quote--I can remember that. But, wait, there are no numbers! Okay, take both the short and the long password and use l33t modification. I'll use it on the first character to get "7yplyt.Dlaui&gan1e6m." and "7yplyt.".

Second, there is the issue of needing different passwords for different sites. Before you get too crazy, take all the accounts with passwords you have and divide them up into low and high security accounts. An instant messenger or a social media account, like Facebook, is low security, but a bank account or email is high security. Save yourself a headache and use the same password for all low security accounts, and maybe change them only once a year.

For high security accounts, instead of making completely separate passwords for each account, come up with a strong prefix or suffix to add to the password. One method is to take the abbreviation of the institution the account is with and l33t it. Let's say I'm using Bank of America, so the initial prefix is "BA", l33t it to be "8@", and now my Bank of America password is "8@Typlyt.Dlaui&gan1e6m.". Another method is to use digits from your account number, routing number, date you made the account, or something that you can associate with that account. The whole point is to diversify your passwords for your high security accounts.

Lastly, there is the issue of keeping your password secret. Don't write it down and don't store it in plain text or in an Excel file on your computer. If you must, allow Firefox or your web browser to store your passwords, but be sure you know it's secure. On Firefox you have to set the master password to keep your passwords secure. Another option is to use a password manager like RoboForm, 1Password, or LastPass, or you can store a list of them on an encrypted drive using a tool like TrueCrypt. All in all, the safest way is to memorize your password, which is why I think this method is the best method for making a password--you should be able to memorize it.

Alright, so you now have a set of strong passwords for your high security accounts; even the Goonies or Captain Jack Sparrow won't be able to get at your treasure! You can use LastBit's Password Calculator to find out how long it would take someone to brute force your password, and notice how the time increases exponentially as password length increases. My 21 character password will take just over 7.795036469024206e+23 years with 1,000 computers trying 1 million passwords a second :)
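As an added example (not from the article or from Microsoft's guidance), the Python below carries the three sentence-to-password steps through on the article's own quote, applies the truncation and institution-prefix rules for length-limited and high security sites, and sizes the keyspace using the article's 94-symbol alphabet and 1,000-computer guess rate. The number-word and l33t tables are constructed subsets, and the years figure depends on the alphabet assumed, so it will not match LastBit's calculator exactly.

```python
import re

# Step 2 substitutions (constructed table): number words and and/at become symbols.
WORD_SUBS = {"and": "&", "at": "@", "one": "1", "two": "2", "three": "3", "four": "4",
             "five": "5", "six": "6", "seven": "7", "eight": "8", "nine": "9"}
# Step 3 l33t substitutions (constructed subset of the article's full list).
LEET = {"T": "7", "A": "@", "a": "@", "B": "8", "E": "3", "e": "3",
        "S": "5", "s": "5", "O": "0", "o": "0", "I": "1", "i": "1"}
SYMBOLS = 94  # upper + lower + digits + printable specials, as the article counts
QUOTE = ("Treat your password like your toothbrush. Don't let anybody use it, "
         "and get a new one every six months.")

def derive_password(sentence: str, leet_first: bool = False) -> str:
    """Step 2: first letter of each word, WORD_SUBS applied, sentence-ending
    periods kept and other punctuation dropped (as in the article's example)."""
    parts = []
    for token in re.findall(r"[A-Za-z']+|\.", sentence):
        parts.append(token if token == "." else WORD_SUBS.get(token.lower(), token[0]))
    password = "".join(parts)
    if leet_first:  # step 3, applied to the first character only as the article does
        password = LEET.get(password[0], password[0]) + password[1:]
    return password

def truncate_for_limit(password: str, max_length: int) -> str:
    """Cut the password one short of the smallest site limit (the article's rule)."""
    return password[: max_length - 1]

def with_site_prefix(password: str, institution: str) -> str:
    """Prefix the l33t-ed initials of the institution's capitalised words."""
    initials = "".join(w[0] for w in institution.split() if w[0].isupper())
    return "".join(LEET.get(c, c) for c in initials) + password

def keyspace(length: int, symbols: int = SYMBOLS) -> int:
    """Candidates an exhaustive search must cover: symbols ** length."""
    return symbols ** length

def brute_force_years(length: int, guesses_per_second: float = 1_000 * 1_000_000) -> float:
    """Worst-case time to exhaust the keyspace at 1,000 machines x 1 million
    guesses/s; the result depends on SYMBOLS, so other calculators differ."""
    return keyspace(length) / guesses_per_second / (365.25 * 24 * 3600)

if __name__ == "__main__":
    pw = derive_password(QUOTE)
    print(pw, len(pw), derive_password(QUOTE, leet_first=True))
    print(truncate_for_limit(pw, 8), with_site_prefix(pw, "Bank of America"))
    for n in (2, 3, 7, 21):
        print(n, keyspace(n), f"{brute_force_years(n):.3e} years")
```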

Further Reading:

- Your Passwords Aren't As Secure As You Think; Here's How to Fix That

- No Time Like the Present to Choose Strong Passwords

- Help consulting clients create strong password policies

- Microsoft Security - Create Strong Passwords

- Symantec - The Simplest Security: A Guide to Better Password Practices (More Reference Material)

- Langa Letter: How To Build Better Passwords

About the Author:
Joe Purcell is a technology virtuoso, cyberspace frontiersman, and connoisseur of Linux, Mac, and Windows alike.
