Here are a few interesting thoughts about passwords. Some users have trouble remembering their passwords, so they rely on one password that they can easily remember.
David Naylor has compiled several lists of commonly used passwords. Permutations of “password” and numeric characters are frequent entries in these lists. One of the lists that Naylor uses comes from this DarkReading article, which provides a more detailed discussion of system administrator passwords.
I’ve become a big fan of the passphrase, which is a long password that might resemble a sentence, a list of phone numbers, or some other easily remembered data. This Diceware article has some excellent tips for selecting a strong passphrase.
If the system supports a long password, try using the portions of the sentence or the entire sentence itself as the passphrase.
If you want a shorter password, try using the first letters of a long sentence that you can easily remember, but others will find hard to guess. Shorter passwords are easy to break or crack, so users have to balance security with memory.
Some examples
As an example, an English translation of Julius Caesar’s famous quotation, “The entirety of Gaul is divided into three parts”, might be encoded into a short passphrase, shown below in bold, by using the first letter of each word in the sentence:
- **TeoGiditp** is a literal conversion of the sentence that preserves the uppercase characters. It’s a weak encoding scheme, because it’s too easy to guess.
- **tE0Gid13p** substitutes a number whenever an alphabetic character is repeated in the sentence. This system is a bit harder to crack, and may be more difficult for the user to remember.
- **+€0G!d1Ep** uses punctuation marks or typographical symbols that resemble some of the characters. This encoding scheme may be difficult to type and remember, but the variety of characters used makes a dictionary-based attack less effective.
- **190515070904091916** is another substitution cipher in which each letter is replaced by a number representing its numeric order in the English alphabet. This system may work well on mobile phones and similar devices. This cipher could be refined by using a non-decimal base such as hex, or by rotating the numbers so that i=1, j=2, k=3 and so on.
- **19!05@15#07$09%04^09&19*16** uses the punctuation marks produced by the shift+numeric keys on a US keyboard to indicate or delimit each character. Again, the user should identify a more random set of symbols that can be remembered and typed.
If the passphrase creator reveals the rules they used to create or encode the passphrase, these examples are trivial for a person to crack.
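As an added example that is not part of the original post, the Python script below implements the encodings from the list above (scheme 1, scheme 4 with the hex and rotation refinements, and the shift-symbol delimiting of scheme 5), counting a=1 so that T becomes 20, and then contrasts the strength a naive character-class meter would credit with the much smaller keyspace that remains once the encoding rule is known. The function names and the bit estimates are my own constructions, not the author's.

```python
import math
import string

# Shift+number keys on a US keyboard, in key order 1 .. 9, 0.
SHIFT_SYMBOLS = "!@#$%^&*()"

def acronym(sentence: str) -> str:
    """Scheme 1: first letter of each word, case preserved ("TeoGiditp")."""
    return "".join(w[0] for w in sentence.split() if w[0].isalpha())

def _to_base(n: int, base: int) -> str:
    digits, s = "0123456789abcdef", ""
    while n:
        s, n = digits[n % base] + s, n // base
    return s or "0"

def ordinal_encode(letters: str, base: int = 10, first: str = "a") -> str:
    """Scheme 4, generalised: each letter becomes its alphabet position counted
    from `first` = 1 (wrapping, so first='i' gives i=1, j=2, ...), in `base`."""
    offset = string.ascii_lowercase.index(first.lower())
    width = len(_to_base(26, base))          # fixed width, e.g. 2 digits
    out = []
    for ch in letters.lower():
        pos = (string.ascii_lowercase.index(ch) - offset) % 26 + 1
        out.append(_to_base(pos, base).rjust(width, "0"))
    return "".join(out)

def shift_delimited(encoded: str, width: int = 2) -> str:
    """Scheme 5: separate each fixed-width group with the next shift symbol."""
    groups = [encoded[i:i + width] for i in range(0, len(encoded), width)]
    sep = [SHIFT_SYMBOLS[i % len(SHIFT_SYMBOLS)] for i in range(len(groups) - 1)]
    return "".join(g + s for g, s in zip(groups, sep + [""]))

def apparent_bits(password: str) -> float:
    """What a naive strength meter credits: log2(charset ** length)."""
    classes = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)
    charset = sum(len(c) for c in classes if any(ch in c for ch in password))
    return len(password) * math.log2(charset)

def effective_bits(n_letters: int) -> float:
    """Upper bound once the rule is known: only the n hidden letters matter (26**n)."""
    return n_letters * math.log2(26)

if __name__ == "__main__":
    base = acronym("The entirety of Gaul is divided into three parts")
    digits = ordinal_encode(base)
    for p in (base, digits, shift_delimited(digits)):
        print(f"{p:30} apparent {apparent_bits(p):5.1f} bits, "
              f"effective <= {effective_bits(len(base)):5.1f} bits")
```

The 26-character delimited form scores well over 100 apparent bits yet still hides only nine letters, and real sentences are far fewer than 26^9.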
It’s also easy to crack a password if it’s used by the same person on multiple systems or sites. The overall security of the password is only as strong as the weakest security scheme employed by any of those sites.
Keep in mind that some characters are not available on all keyboards. Mobile phones and PDAs present special problems, as these keyboards are quite limited. The Euro (€) symbol is usually shown on European keyboards, but is rarely shown on US and Canadian keyboards. This symbol can be typed alt+0128 on US Windows keyboards, with a shortcut key on various other keyboards, and alt+shift+2 on US Mac systems.
Create a password keychain
One trick for creating a site-specific passphrase that can be easily remembered is to include a portion of the site’s name or URL in the passphrase itself. While this system can give a human or software-based password cracker a start at guessing the password, it does allow users to use a single passphrase across multiple sites. Example #1 from my first list might be encoded as follows for these URLs:
- google.com: TeoGiditp-google (much too easy to crack!)
- yahoo.com: TeoGiditp%oohay (that’s “yahoo” backwards)
- hotmail.com: h0+mA1L#TeoGiditp (tougher to crack, harder to remember and type)
Using a well-known sentence as a passphrase can also reduce its strength. Try a random passphrase generator like this one from leemon.com. You may need to try several passphrases until you find one that you can remember.
Of course, all of these tricks cannot prevent a keystroke logger, camera or shoulder surfer from observing your password as it is typed.
Related posts on billso.com
- 17 April 2008: Virtual keyboards and monitoring software foil keystroke loggers
- 2 July 2007: CXOs face malware email attacks
- 11 January 2007: How to create a secure password