Hard Passwords made easy

Why use a strong password

In the online world, security plays a role in all online activities. Passwords are the most commonly used method to limit access to specific people. In last month's newsletter, we discussed assessing the relative value of systems protected by passwords, and grouping passwords across locations with similar trustworthiness.

In a nutshell, don't bother creating and remembering strong passwords for low value systems, and certainly don't use the same passwords for low value systems that you use in high value systems.

We still haven't discussed how to create a strong password, and how to keep track of all your strong passwords, if you have a definite need to keep more than a couple.

Creating memorable strong passwords

A strong password is made up of several different types of characters, and isn't a name or word in a dictionary. Many systems that require strong passwords will check any password you try to create against a set of rules. These rules often specify a minimum length, and that your password includes characters from at least three of the following four groups:

Capital Letters ABCDEFGHIJKLMNOPQRSTUVWXYZ
Lowercase Letters abcdefghijklmnopqrstuvwxyz
Numbers 0123456789
Symbols `~!@#$%^&*()_+=-[]\|}{';:"/.,?

The exact list of allowed symbols vary depending on the system. Some systems allow spaces in passwords, while others don't. A particular system might also have an international character set that includes other letters or characters.

Time after time, people forced to use strong passwords come up with some gobbledy gook thing like "v7GT%Xz2." Leave a computer to generate a password for you, and you could well end up with something like that. And the next thing that happens is they've forgotten it and need to call the administrator for a new one. It's certainly a strong password, but if you can't remember it, and don't store it in a safe place, it's not an effective password.

I suggest using one of three strategies for creating strong passwords you can remember:

  1. Create a password using a mnemonic device
  2. Create a password using a word list with some variation
  3. Create completely random passwords and store them securely.

Use a mnemonic device

Remember learning about mnemonics? Not ebonics, that's something different. A mnemonic is a phrase or word to help you remember complicated or otherwise difficult to remember data. For example, ROY G. BIV tells me the colors of the rainbow: Red, Orange, Yellow, Green, Blue, Indigo, and Violet--the letters in the name give you the sequence of the colors.

Jesus Christ Made Seattle Under Protest. No, not because there's so many heathen folk running about--this is a local mnemonic for remembering the order of downtown Seattle's streets, from south to north: Jefferson, James, Cherry, Columbia, Marion, Madison, Spring, Seneca, University, Union, Pike, Pine.

You can make up a phrase to remember a password, or make up a password based on a phrase that means something to you and nobody else. For example, our earlier "v7GT%Xz2" could become "Ve haven't Gotten Ten percent Hex sleep, too!" or some similarly silly meaningless phrase. Our brains are capable of easily substituting one symbol for another. I wouldn't trust this phrase for a password I only used occasionally, but for one you use several times a day, you'll remember it in no time.

For less-commonly used passwords, use a phrase with meaning to you, because you'll remember it easier: "Timmy and Tommy were my first dogs" could become "T&Twm1Dgs," which isn't a bad password at all. Remember your puppies and you've got your password.

Use a word list

A dictionary is a list of words. But I already told you not to use dictionary words, right? Why is another word list okay?

Because you don't use just a single word, and you don't use a word that has personal meaning for you.

As a service provider, I often have to generate passwords for my customers. This is my favorite technique for doing that. You take a carefully generated list of words, and randomly pick two of them. Then you randomly pick a symbol or number to put between them. If it needs to be more secure, you then randomly make a few of the letters uppercase. Suddenly, you have a strong random password such as "rumpus!friar" or "fUngal)selMa." These can sometimes be quite amusing...

You can also add an element of fun to the actual password generation. Diceware.com has two different word lists, and a method of randomly choosing words from them: by using regluar dice. You scrounge through all those old board games in your closets to come up with 5 dice, roll them twice, and look up the word associated with the numbers you roll. Then you roll two of the dice to determine which number or symbol to put between them. Voila! You've got a reasonably strong password. I've found these passwords to be quite memorable.

Diceware is actually for creating longer passphrases, instead of passwords. A passphrase is used for encryption purposes, whereas a password simply provides access. Passphrases and encryption are a topic for other stories, but the passphrase generation ideas at Diceware make for a great way to generate passwords.

Store passwords securely

If you need to keep track of a bunch of different strong passwords, you have no choice but to record them somewhere. The problem is, where? Certainly not post-it notes attached to your monitor, or the bottom of your keyboard. I need to generate and store different strong passwords for many different clients. I don't want to remember them all, and I'm certainly not going to ask for them over e-mail, which has the security of a postcard.

If you're in this situation, you need a password vault of some kind, an encyrpted system that lists all of your passwords and keeps them safe and secure. You still need to remember one password: the one that opens the vault.

I use a program on my Palm Pilot that stores all my passwords in an encrypted file. I can see all the accounts I've set up in the main screen, but to get the password, I have to enter the master passphrase first. After 5 minutes, the program automatically "forgets" the passphrase and re-encrypts everything.

There are similar programs available for Windows and Pocket PC. You can also use generic encryption technologies like Gnu Privacy Guard (GPG), part of the excellent Windows Privacy Tools software and provided in every Linux distribution.

Don't store your passwords in a plain text file, a Word document, an Outlook note, or a note in your PDA.

The important point is to think realistically about your risks. If your passwords are in a plain text file on your computer and it gets hijacked by a worm, virus, or attacker, your password file might get compromised without you ever realizing it. PDAs are incredibly easy to steal--you wouldn't want a thief to have instant access to all your passwords.

Password vault software

For Palm: Keyring for Palm OS, great free little program that encrypts the password database to a password. The encryption is weak, but sufficient to protect your password for a few hours--if you lose your Palm, get a new one, restore your database, and change your passwords. The stronger your password, the longer a brute force attack will take. Also check out Strip for better encryption, though its database is not viewable on your PC.

For Linux: A plug-in for Jpilot can natively read the database for Keyring for Palm OS. This makes a great complement: you can view, synchronize, and update passwords in both Linux and the Palm. Again, note that the encryption is weak, meaning the database can be cracked in a matter of 5 hours or so of brute force. That means you should protect your Palm backups, as well as Jpilot.

For Windows: Try Oubliette or KeePass, both free open source password managers for Windows. And here's another: Password Safe, developed by a well-known security expert, primarily written for Windows but with compatible versions for PocketPC and Linux available.

For PocketPC: There's a KeePass version for PocketPC, too.

For Mac users, try Password Gorilla.

Freelock News

Happy Holidays! We thank you for your business over the year, and look forward to working with you in the future.

Our newest service is a retainer arrangement, with a unique bonus clause. We partner with your business, providing technology strategy and implementation for a fixed number of hours per month. We can provide a stunning array of services that have a positive impact on your business's bottom line.

Visit us regularly to see our new services!

Permalink

I know it's not terribly secure, but I have used a half dozen variations on a theme...for the last 20 years. The best method I've used, which I needed to return to recently, is...writing them in a little notepad or calendar. Before you scold me, let me explain: I use codes, not the actual passwords and logins. I used to do this with ATM cards when stuck with randomly-generated PINs. I could tape the encoded hint to the back of the card knowing nobody but me would know how to decode it.

Current Example: "DE--brown, Fxx#PIN" wouldn't be decipherable to anyone else, but to me it might mean that on a website belonging to a service I think of as "DE", I used one of my email addresses--the one that contains the word brown in it--as the login; for the password, I used a favorite word that starts with capital "F" followed by two lower-case letters, then the pound symbol, ending with my old ATM PIN. Sounds complicated, but for me it's easy, fast, and secure. And I don't have to worry about someone seeing my list. (And, of course, most of that example, posted here publicly, is fictitious and for illustrative purposes only. You get the idea.)

For the websites for which I need a more secure password/phrase, I use a phrase that amuses me, with some letters replaced by numbers and symbols. Yes, I know, they're probably common substitutions, but hopefully the phrase is odd enough and long enough to avoid easy cracking.

Permalink

Love the little anti-spam game. But why is your server time an hour ahead? You're six blocks from me!

Add new comment

The content of this field is kept private and will not be shown publicly.

Filtered HTML

  • Web page addresses and email addresses turn into links automatically.
  • Allowed HTML tags: <a href hreflang> <em> <strong> <blockquote cite> <cite> <code> <ul type> <ol start type> <li> <dl> <dt> <dd> <h1> <h2 id> <h3 id> <h4 id> <h5 id> <p> <br> <img src alt height width>
  • Lines and paragraphs break automatically.