Change that password into a passphrase

by billso on Thursday, 24 April 2008

Here are a few interesting thoughts about passwords. Some users have trouble remembering their passwords, so they fall back on a single password that they can easily remember.

David Naylor has compiled several lists of commonly used passwords. Permutations of “password” and numeric characters are frequent entries in these lists. One of the lists that Naylor uses comes from this DarkReading article, which provides a more detailed discussion of system administrator passwords.

I’ve become a big fan of the passphrase, which is a long password that might resemble a sentence, a list of phone numbers, or some other easily remembered data. This Diceware article has some excellent tips for selecting a strong passphrase.

If the system supports a long password, try using portions of the sentence, or the entire sentence itself, as the passphrase.

If you want a shorter password, try using the first letters of a long sentence that you can easily remember but others will find hard to guess. Shorter passwords are easier to break or crack, so users have to balance security against memory.

Some examples

As an example, an English translation of Julius Caesar’s famous quotation, “The entirety of Gaul is divided into three parts”, might be encoded into a short passphrase, shown below, by using the first letter of each word in the sentence:

  1. TeoGiditp is a literal conversion of the sentence that preserves the uppercase characters. It’s a weak encoding scheme, because it’s too easy to guess.
  2. tE0Gid13p substitutes a digit for each letter that is repeated in the sentence, writes the o as 0 and swaps the case of the first two letters. This system is a bit harder to crack, and may be more difficult for the user to remember.
  3. +€0G!d1Ep uses punctuation marks or typographical symbols that resemble some of the characters. This encoding scheme may be difficult to type and remember, but the variety of characters used makes a dictionary-based attack less effective.
  4. 200515070904092016 is another substitution cipher in which each letter is replaced by the two-digit number of its position in the English alphabet (a=01, so t=20, e=05, o=15 and so on). This system may work well on a mobile phone keypad. It could be refined by using a non-decimal base such as hex, or by rotating the alphabet so that i=1, j=2, k=3 and so on.
  5. 20!05@15#07$09%04^09&20*16 uses the punctuation marks produced by the shift+numeric keys on a US keyboard to delimit each two-digit group. Again, the user should choose a less predictable set of symbols that can still be remembered and typed.
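The following Python script is an added illustration and not code from the original post: it derives the acronym from the sentence, applies schemes #1, #4 (including the i=1 rotation) and #5, and puts a number on the strength of each result, first as an attacker who knows nothing about the construction would have to estimate it, then as one who knows the rule does. The sentence is taken from the text; the entropy estimates and the character-class pools are assumptions of the example, not figures from the page.

```python
import math
import string

# Constructed sample input: the page's English rendering of Caesar's sentence.
SENTENCE = "The entirety of Gaul is divided into three parts"

# Symbols produced by shift+1 ... shift+9, shift+0 on a US keyboard.
SHIFT_DIGITS = "!@#$%^&*()"


def acronym(sentence: str) -> str:
    """Scheme #1: the first letter of each word, case preserved."""
    return "".join(word[0] for word in sentence.split())


def alphabet_index(text: str, start: str = "a", start_value: int = 1) -> str:
    """Scheme #4: replace each letter by its position in the alphabet,
    written as two digits.  By default a=01 ... z=26.  Passing start="i"
    rotates the alphabet so that i=01, j=02, ..., h=26 (the page's
    'i=1, j=2, k=3' refinement)."""
    groups = []
    for ch in text.lower():
        if ch not in string.ascii_lowercase:
            raise ValueError(f"only ASCII letters can be encoded, got {ch!r}")
        position = (ord(ch) - ord(start)) % 26 + start_value
        groups.append(f"{position:02d}")
    return "".join(groups)


def shift_delimited(text: str, start: str = "a", start_value: int = 1) -> str:
    """Scheme #5: the same two-digit groups, separated by the shift+digit
    symbols in keyboard order (!, @, #, ...), cycling if the text is long."""
    digits = alphabet_index(text, start, start_value)
    groups = [digits[i:i + 2] for i in range(0, len(digits), 2)]
    out = groups[0]
    for i, group in enumerate(groups[1:]):
        out += SHIFT_DIGITS[i % len(SHIFT_DIGITS)] + group
    return out


def naive_bits(candidate: str) -> float:
    """Strength an attacker who knows nothing about the construction has to
    assume: every character drawn from the union of the character classes
    present (digits, lowercase, uppercase, ASCII punctuation).  Assumed
    pools, not a measurement."""
    pool = 0
    if any(c.isdigit() for c in candidate):
        pool += 10
    if any(c.islower() for c in candidate):
        pool += 26
    if any(c.isupper() for c in candidate):
        pool += 26
    if any(c in string.punctuation for c in candidate):
        pool += len(string.punctuation)
    return len(candidate) * math.log2(pool)


def rule_aware_bits(n_letters: int, case_sensitive: bool = False) -> float:
    """Upper bound once the encoding rule is known: schemes #4 and #5 are
    one-to-one re-spellings of the same n-letter acronym, so the attacker
    only has to enumerate acronyms, not the encoded strings.  A famous
    quotation's acronym is weaker still, since it can simply be listed."""
    return n_letters * math.log2(52 if case_sensitive else 26)


if __name__ == "__main__":
    base = acronym(SENTENCE)
    for label, candidate in [
        ("#1 acronym", base),
        ("#4 alphabet index", alphabet_index(base)),
        ("#4 rotated (i=1)", alphabet_index(base, start="i")),
        ("#5 shift-delimited", shift_delimited(base)),
    ]:
        print(f"{label:20} {candidate:28} naive {naive_bits(candidate):6.1f} bits,"
              f" rule-aware at most {rule_aware_bits(len(base), True):5.1f} bits")
```

Run it and the 26-character shift-delimited string scores well over 100 bits on the naive estimate, yet every row shares the same rule-aware ceiling of about 51 bits, because all of them are the nine-letter acronym in a different spelling.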

If the passphrase creator reveals the rules used to create or encode the passphrase, these examples are trivial to crack. A string of digits produced this way is long but not strong: it is a one-to-one re-spelling of a nine-letter acronym, so an attacker who knows or guesses the rule has to try nine letters’ worth of candidates, not eighteen digits’ worth, and password-cracking tools apply substitution rules like these to dictionary words automatically.

It’s also easy to crack a password if it’s used by the same person on multiple systems or sites: the overall security of the password is only as strong as the weakest security scheme employed by any of those sites.

Euro symbol

Keep in mind that some characters are not available on all keyboards. Mobile phones and PDAs present special problems, as their keyboards are quite limited. The Euro (€) symbol is usually shown on European keyboards, but is rarely shown on US and Canadian keyboards. It can be typed as alt+0128 on US Windows keyboards (hold Alt and type 0128 on the numeric keypad), with a shortcut key on various other keyboards, and as option+shift+2 on US Mac systems.

Create a password keychain

One trick for creating a site-specific passphrase that can be easily remembered is to include a portion of the site’s name or URL in the passphrase itself. While this system gives a human or software-based password cracker a head start at guessing the password, and a leak of one site’s variant exposes both the base and the pattern for the others, it does let users carry a single base passphrase across multiple sites. Example #1 from my first list might be encoded as follows for these URLs:

  • google.com: TeoGiditp-google (much too easy to crack!)
  • yahoo.com: TeoGiditp%oohay (that’s “yahoo” backwards)
  • hotmail.com: h0+mA1L#TeoGiditp (tougher to crack, harder to remember and type)

Using a well-known sentence as a passphrase also reduces its strength, because a cracker can try the first letters of famous quotations just as easily as the quotations themselves. Try a random passphrase generator like this one from leemon.com. You may need to try several passphrases until you find one that you can remember.
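As an added example, not code from the original post or from the leemon.com generator, here is a minimal Diceware-style generator in Python, together with the arithmetic that tells you how many words a target strength needs. The 64-word list is constructed for the example (6 bits per word); the same functions apply unchanged to a real 7776-word Diceware list at about 12.9 bits per word.

```python
import math
import secrets

# Constructed 64-word sample list (6 bits per word).  A real Diceware list
# has 7776 entries (five dice, 6^5), i.e. about 12.9 bits per word.
WORDS = (
    "acid amber anvil apron arrow attic badge basil beach birch blaze bonus "
    "brick cabin cable camel candy cedar chalk cider cliff cloud comet coral "
    "crane crisp delta diner ditch dough dwarf eagle ember fable fern fjord "
    "flame flask fleet frost gable glade globe grain grove gulch hazel heron "
    "hinge ivory jolly kayak lemon lilac linen lodge maple mango marsh medal "
    "mirth motel mural nacho"
).split()

DICEWARE_LIST_SIZE = 6 ** 5  # 7776


def passphrase_bits(n_words: int, list_size: int) -> float:
    """Entropy of n words chosen uniformly and independently from the list.
    This guarantee holds only for a uniform random choice; a sentence you
    made up yourself is not uniformly random and gets no such bound."""
    return n_words * math.log2(list_size)


def words_needed(target_bits: float, list_size: int) -> int:
    """Smallest word count whose passphrase meets target_bits."""
    return math.ceil(target_bits / math.log2(list_size))


def generate(n_words: int, wordlist=WORDS, choose=secrets.choice) -> str:
    """Pick n_words with a CSPRNG (secrets, never random) and join them with
    spaces.  `choose` is injectable only so the function can be tested
    deterministically; leave the default in real use."""
    if n_words < 1:
        raise ValueError("need at least one word")
    return " ".join(choose(wordlist) for _ in range(n_words))


if __name__ == "__main__":
    # A nine-letter case-sensitive acronym is at most 9*log2(52) = 51.3 bits.
    acronym_bits = 9 * math.log2(52)
    print(f"toy list:      {words_needed(acronym_bits, len(WORDS))} words to match a 9-letter acronym")
    print(f"Diceware list: {words_needed(acronym_bits, DICEWARE_LIST_SIZE)} words to match a 9-letter acronym")
    print(f"6 Diceware words: {passphrase_bits(6, DICEWARE_LIST_SIZE):.1f} bits")
    print("sample (toy list):", generate(6))
```

Four words from a real Diceware list already exceed the best case for a nine-letter acronym, and six give roughly 77 bits, which is why the random generator is worth the extra effort of memorising an unfamiliar phrase.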

Of course, none of these tricks can prevent a keystroke logger, camera or shoulder surfer from observing your password as it is typed.
