Good and Bad Passwords How-To
Creating Uncrackable Passwords
That Do Not Need to be Written Down
Overview
Off and on for years I've thought about how to create an uncrackable password.
To save you time, before getting to any technical specifics, I believe I
can tell you how to do what the page title says, but there is a cost. If
you follow my advice, you will be typing 18 to 22 characters every time
you enter a password, and I'm going to advise you not to use any password
safe. It is likely that 15 to 19 character passwords will do, but I think these
are more likely to have a flaw that makes them crackable. The passwords I
recommend will not be untypeable random sequences, but they will contain a
minimum of two symbols or punctuation marks, a digit and a mixed case
character. This approach does not require the use of a password generator,
though it may use one. If you are unwilling to type such passwords, there
is little point in reading further, unless you think you can find a flaw in
my approach. If you do find a flaw, I'd be glad to hear about it, and would
be willing to publish your comments (except for the obvious flaw that most
users, including those who know better, are lazy, and unlikely to go to
this effort to protect their accounts).
Actually creating uncrackable passwords is not difficult. Any password
generator, including mine, that will give you a string, 18 characters
or longer, made randomly from the full 95 typeable character set, will
give you more than you could use. The problem is, can you use even one
such password? I would say no. Even if you could somehow remember it, or
if you wrote it down, you would need to be a very good typist to be able
to type it without a mistake when you cannot see what you have typed.
Random character sequences contain none of the character patterns that
make it easy to type words and sentences. With such passwords you have
to actively think about where on the keyboard each character you want is
located. If you have several or many passwords, and who does not today,
you must write these random passwords down, or use some form of
password safe.
I thought of this method while modifying my generator to create long
passwords in ways that I had always avoided in the past. My method is to
use a common part, which I call a core password, which will be part of
most passwords you create for the next two to four or so years. This
will be a "conventional" strong password between 10 and 14 characters.
It will contain two or three punctuation marks or symbols, at least one
digit and at least one letter whose case does not match the other
letters. The atypical case letter and digit must not begin or end the
core password. The core password may contain one or two words, but
neither must be equal to or longer than two thirds of the total length.
An 8 character word is OK in a 13 or 14 character password, but not
in a 12 character password. Two shorter words may be better.
Some readers are probably muttering that this sounds just like the advice
we have been hearing for years about good passwords, and they are all
hard to remember. It sounds like that advice for good reason: it is that
advice. If you've been paying attention, though, you know something very
important is different. The common advice also says to use a different
password on every account. That makes strong passwords hard to remember.
I'm saying you are going to use your strong core password on almost
every account you have, from your home PC, to your browser
master password, your work passwords, your bank and credit card
passwords, and most other passwords that you have.
You may choose to make exceptions, which could include any
throwaway or insensitive accounts that you have on the web. A few web
sites don't even hash your password. Any web site that can email back
your password when you forget it does not hash your passwords and you
SHOULD NOT USE YOUR CORE PASSWORD on any such site. You also do
not want to provide any sensitive information to such sites. If you
are a computer or network administrator for work or for a volunteer
organization, and you share one or more admin or root passwords with
others, you should NOT use your core password on those accounts.
You should NOT use your core password anywhere it may be exposed to
others without being cracked by conventional cracking methods.
Since your new passwords are supposed to be uncrackable, no one else will
ever see them if you only use them where they can only be seen if they
are cracked.
Password Safes
On the other hand, you want to use it on all your important and sensitive
accounts. You want to use it on these for security, and you want to use it
frequently so it becomes second nature to include it in a password and so
you will never forget it, especially since you have never written it anywhere
or entered it into any password safe which may be accessed and stolen by
crackers.
I know that password safes have become very popular. They are unquestionably
very convenient, and today anything that is convenient tends to become
popular. NO ONE has yet convinced me they are actually safe. The entire
concept of a password safe requires you to put all of your passwords in one
place where they may be accessible to a network cracker. Are more homes and
businesses broken into physically than networked computers compromised? I
have no doubt that over time hundreds of millions of networked computers
have been compromised, and that tens of millions are actively compromised
right now. Does anyone believe that there are tens of millions of burglars
in homes and businesses all around the world at this moment? Once a
computer, especially one in a home, is compromised, it is rare that the
owner finds the problem. It's normally found when someone else complains
to an ISP or the owner about spam, port scans, virus infected emails or
other malicious activity coming from that computer. Even most businesses
with full time security staff are not aware when they are compromised;
most businesses are alerted to a compromise by a third party such as
a law enforcement agency or a security auditing team.
Historically application passwords are much weaker than most operating
system passwords. Password safes are by definition applications. They may
be infrastructure applications but they are still applications. Some may
call them utilities; that's a fine distinction. The point is they are
normally developed by a small group and often just one developer. Small
groups and individuals tend to have blind spots about potential weaknesses
in their products. Operating systems are generally developed by larger
groups. More people see the code. More people are involved in testing
and often start with different assumptions than the software author.
More people use operating systems so they quickly get a lot of real
world testing as soon as they are released. Bugs are reported more
quickly and widely, and are fixed more quickly (if serious) because
they affect more people.
The large majority of password safes are proprietary and this includes
freeware safes. Nobody but the author knows how the passwords are hashed.
No doubt all password safe authors honestly believe their products are
safe. That does not mean they are. When only one or a few people can
test a product with knowledge of the source code, no one can be sure it
was thoroughly tested. The code for open source products can be read by
anyone. One popular open source password safe actively uses this claim
in its promotion of its product. Unfortunately, even when such a group
claims to use an industry standard hashing method, there is no guarantee
that it has been properly implemented. Improper implementations of a
sound algorithm are just as likely to cause a security weakness as a
flawed algorithm.
Unless the person reading password safe source code is both a
cryptographic expert and an expert in the language that was used to
program the password safe, reading the source code is meaningless.
Unless you can say that you are a cryptographic expert, and
an expert in the language that your password safe is written in,
and that you have performed a systematic code audit of the
source code for your password safe,
YOU DO NOT KNOW THAT YOUR PASSWORD SAFE IS SAFE. It's just
that simple.
There is only one group that I know of that routinely uses formal code
reviews as part of their testing and evaluation process. I would not be
surprised if there are tens of thousands of computer software companies
that claim to do this world wide. But like all proprietary processes, if
you want to know details, what will they tell you?
The group I'm referring to is the OpenBSD project (openbsd.org).
This is a group that since its inception has put reliability and
security ahead of usability, features and convenience. OpenBSD
is widely regarded as the most secure general purpose operating
system and has been for well over a decade. When they talk about
their code reviews, they tell you how many bugs were found that
had not been found by other testing and evaluation methods. Not
surprisingly it takes some research to make effective use of
their products. Despite their unquestioned ability and excellent
record, even the OpenBSD group makes some mistakes.
Today the Blowfish algorithm for hashing passwords, developed by the
OpenBSD group, is widely regarded as the most secure password hashing
method available. But that was not true when it was first released.
Despite all their expertise and formal code review, the first Blowfish
algorithm was released with a flaw. I don't know how serious it was,
but someone outside the group found it, and a new version of Blowfish
was released that corrected the flaw. If the very best in the business
can make a mistake in their area of expertise, it is NAIVE to
believe the claims of the authors of your password safe.
One more point on password safes. Operating system bugs are reported
relatively quickly because so many people use them. The same is true
of widely used applications like Word and Excel. On the other hand,
most password safes, even the most popular, represent comparatively
small numbers and there is little reason to think most users will ever
notice any flaw which relates to the master password hashing algorithm.
On the other side, cracking groups, who are most likely to find such
flaws, have every incentive to stay quiet about such flaws when they
find them. The longer a cracker knows
about a password safe flaw that is not reported, the longer he has easy
access to a significant number of passwords. A conventional hacker may
tell friends about such a flaw, and over time this will spread. Sooner
or later someone in the mainstream security community will hear of it
and make it public. If a criminal group finds such a flaw, they will
never reveal it to anyone outside their group. This gives the criminals
almost complete access to everything valuable and sensitive online
belonging to any victim who uses a password safe with a known flaw
when the criminals compromise a computer belonging to someone who
uses that password safe.
Please remember that security is just as much about ensuring that you have
reliable and timely access to your own data as it is about keeping intruders
out. A lost password on an important account can be every bit as serious as
a system compromise. The people most likely to lose an important password
are also those least likely to know how to recover a system with a lost
password. Often in discussions of security, no one bothers to mention
backups. Any discussion of security that does not start with timely tested
backups is meaningless.
Password Reuse
I thought of the idea of core passwords when I was experimenting with the
just created option to enter literal strings into a generated password
using the backslash character. A long password does not have to follow
most of the advice given for ordinary short passwords, and has room for
things that short passwords do not. I was entering "+my1+Whatever" (which
is already 13 characters), using the backslash, into the pattern field.
I was clearly thinking about using a common string plus random words,
character patterns, sequences, repeats, etc., which were also defined, in
multiple passwords. As I experimented with this, I realized it was the
answer (or at least an answer) to remembering strong passwords without
writing them down. Use the same one everywhere, or at least very
frequently.
There are very good reasons why the standard advice is to not reuse
passwords for multiple accounts (or websites or whatever you call the
places that require a username and password). But the answer was right
in front of me. Combine a widely used, strong core password with other
things, perhaps generated by a password generator. It does not really
matter how the rest of the password is created, as long as it has no
apparent relationship with the strings used at other sites or on other
accounts.
I believe the parts added to the core password should accomplish the
following:
1) they should assure that every password used on a different account or
at a different location is unique;
2) they should add enough length to ensure the entire password is a
minimum of 15 characters and preferably 18 characters (additional length
in a password never hurts);
3) if the written list of passwords is lost or seen by someone else, it
should look like a plausible list of passwords;
4) besides merely adding length, the unique part should add some strength
by containing at least two character types, and it should not be an
entirely trivial single alpha, numeric, or keyboard sequence, especially
not one that begins with abc, 123, or qwe, or any single character
repeated 4 to 8 times, even at both ends of the core password.
Regarding 3 in the previous paragraph, it's not at all hard to make a list
of entries of only several characters each look like a full password list.
Many, possibly most, passwords are as short as the system they are used on
will allow. In practice the overwhelming majority of known cracked
passwords are between 5 and 8 characters.
Regarding 4 above, I really have no idea what is easy
for other people to remember and type, which is part of the reason I've
provided so many options in my password generator. While I'm a firm believer
in strong passwords, there are many ways these can be achieved, and sites
should not be blind to the fact that an all lower case password, made
long enough, can always be stronger than one with all four main
character types.
A 12 character lower case password is
stronger than an 8 character password with all 4 character types. As
length increases the lower case password has to grow faster; keeping a
4 character lead is not nearly good enough. For each extra 4 characters
from the full keyboard, the lower case password needs to add about an
extra 1.5 characters. So when the full keyboard password reaches 16
characters, the lower case password needs to be 23 characters, rather
than only 20, to be stronger.
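To check the comparison above, here is an added example (not code from this page or its generator) that computes, under the usual assumptions of 26 lower case letters and a 95 character full keyboard, the shortest all lower case password whose key space is at least as large as a full keyboard password of a given length:

```python
import math

# Alphabet sizes assumed here: 26 lower-case letters, and the 95 printable
# ASCII characters (letters, digits, symbols, space) for the "full keyboard".
LOWER_ALPHABET = 26
FULL_ALPHABET = 95

def bits(length, alphabet_size):
    """Entropy in bits of a uniformly random password drawn from the alphabet."""
    return length * math.log2(alphabet_size)

def min_lowercase_length(full_length):
    """Shortest all-lower-case length whose key space is at least as large as
    that of a full-keyboard password of full_length characters.  Uses exact
    integer arithmetic so boundary cases are not lost to float rounding."""
    target = FULL_ALPHABET ** full_length
    length, space = 0, 1
    while space < target:
        space *= LOWER_ALPHABET
        length += 1
    return length

def lowercase_lead_table(full_lengths=(8, 12, 16, 20, 24)):
    """Rows of (full_length, lower_case_length_needed, lead), where lead is how
    many more characters the lower-case password needs than the full one."""
    return [(n, min_lowercase_length(n), min_lowercase_length(n) - n)
            for n in full_lengths]

if __name__ == "__main__":
    for n, m, lead in lowercase_lead_table():
        print(f"{n:2d} full-keyboard chars ({bits(n, FULL_ALPHABET):5.1f} bits) "
              f"need {m:2d} lower-case chars ({bits(m, LOWER_ALPHABET):5.1f} bits), "
              f"a lead of {lead}")
```

The table reproduces the figures in the text: 12 lower case characters beat 8 from the full keyboard, and 23 are needed to beat 16.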
The Unique Parts, Part 1
What's enough for the unique parts? There is no simple answer. I'm trying
to build something that has a huge margin for error, so if my calculations
and understandings are correct, it won't just be good 5 years from now but will
be strong for the entire foreseeable future. I'm trying to cover huge
miscalculations in cracking times. I'm allowing for the pathetic password
storage used by Windows, where if you crack a password for any Windows
computer, you've cracked that same password for all Windows computers. I'm
trying to allow for poor hashing algorithms that have efficient alternative
implementations that may speed cracking up a thousand to a million times.
I'm trying to allow for unexpected technological advances in cracking
techniques and for a user who thinks he or she has a strong core when
it is really pretty obvious and easily guessed.
If you look at my cracking time table, in particular the network section,
a strong 12 character password should be safe against a network 10 times
as fast as that shown. How do you implement the core password idea in 12
character passwords and come up with strong passwords? I don't think you
can. As I said before, maybe 15, but I think this is close. At today's
times even a cracking network should take something like 50 trillion
millennia to crack a strong 18 character password. Assuming Moore's law
holds for another two decades and computer speeds increase by 10,000
times, that same 18 character password should still be good for 5 billion
millennia.
The Core Password, Part 1
However you create your core password, you should NEVER use it in this
site's password generator or password evaluator. You may get your
core password from this generator and test it in the evaluator, or
you may get a suggestion for it and test that suggestion, but make
changes to it before actually using it. You will never reuse the
core on this site, whatever relationship, if any, it may have to this
site. You should probably NOT use it on any site except one where
you are logging in with that password and the login page is SSL
encrypted.
If we assume for the moment my core password is "+my1+Whatever+", I should
enter something like "\*\t\o\5\*\P\a\s\s\w\o\r\d\*" (*to5*Password*). The
two are structurally identical. Both have a constant symbol in the same 3
locations. Both have a digit in the same place. Both have a capital in the
same place. Neither the digit nor the capital is in the first or last
place. Either could begin or end another password and neither the capital
nor the digit would be the first or last character in the resulting
password. Both have 2 and 8 character words in the same locations.
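As an added example (not this site's generator or evaluator), the following Python computes the character class signature that makes two passwords "structurally identical" in the sense above, and checks a candidate core and its unique parts against the rules given on this page; the exact rule set and the function names are my own reading of the text:

```python
import re
import string

SYMBOLS = set(string.punctuation)   # the "symbols or punctuation marks" class

def signature(password):
    """Map each character to its class: S symbol, d digit, U upper-case
    letter, l lower-case letter, ? anything else (space, non-ASCII).
    Equal signatures mean the same symbol, digit and capital positions."""
    out = []
    for ch in password:
        if ch in SYMBOLS:
            out.append("S")
        elif ch.isdigit():
            out.append("d")
        elif ch.isupper():
            out.append("U")
        elif ch.islower():
            out.append("l")
        else:
            out.append("?")
    return "".join(out)

def structurally_identical(a, b):
    """True when a stand-in core has the same structure as the real one."""
    return signature(a) == signature(b)

def core_problems(core, words=()):
    """Return the rules from this page that a candidate core password breaks.
    `words` are the dictionary words the owner knowingly built into it."""
    sig = signature(core)
    problems = []
    if not 10 <= len(core) <= 14:
        problems.append("length must be 10 to 14 characters")
    if sig.count("S") < 2:
        problems.append("need at least two symbols or punctuation marks")
    digits = [c for c in core if c.isdigit()]
    if not digits:
        problems.append("need at least one digit")
    elif digits == ["1"]:
        problems.append("a lone digit must not be '1'")
    uppers, lowers = sig.count("U"), sig.count("l")
    if uppers == 0 or lowers == 0:
        problems.append("need a letter whose case differs from the other letters")
    # the atypical case is the rarer one; it and the digit must stay off the ends
    odd = "U" if uppers <= lowers else "l"
    if sig and (sig[0] in ("d", odd) or sig[-1] in ("d", odd)):
        problems.append("neither a digit nor the odd-case letter may begin or end the core")
    for w in words:
        if 3 * len(w) >= 2 * len(core):
            problems.append(f"word {w!r} is two thirds of the core length or more")
    return problems

def unique_part_problems(part):
    """Rules for a unique part from 'The Unique Parts, Part 1' above."""
    problems = []
    if len(set(signature(part))) < 2:
        problems.append("unique part needs at least two character types")
    if part.lower().startswith(("abc", "123", "qwe")):
        problems.append("unique part must not begin with abc, 123 or qwe")
    if re.search(r"(.)\1{3,}", part):
        problems.append("unique part repeats one character four or more times")
    return problems

def full_password_problems(core, before="", after="", words=()):
    """Check a complete password built as before + core + after."""
    problems = core_problems(core, words)
    for part in (before, after):
        if part:
            problems += unique_part_problems(part)
    total = len(before) + len(core) + len(after)
    if total < 15:
        problems.append("complete password must be at least 15 characters")
    elif total < 18:
        problems.append("complete password is shorter than the preferred 18 characters")
    return problems
```

Run against the page's own samples, "+my1+Whatever+" is flagged only for its lone digit 1, while ";petaL8&Stary;" passes every rule.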
The Unique Parts, Part 2
So what do I recommend for the unique parts? Pretty much anything that is in
the range of 6 to 8 characters that is not trivial or obvious. I'll start
with my old favorite, the State Department's cvc (consonant, vowel, consonant)
and add a digit, but I'll use a new option that lets me duplicate this and
put the core in the middle. The pattern that does this is {(cvCd)2(\*\t\o\5\*\P\a\s\s\w\o\r\d\*)1}. I made the second consonant
optionally upper case. Remember we're pretending my real core is
"+my1+Whatever+", so a structural equivalent is used but all the details are
different. This lets generated passwords be tested in the evaluator, as
well as showing us how the unique pieces relate to the core.
In this example the curly braces (" { } ") are a new option.
Among other things they allow the
definition of a repeat pattern within a pattern, which may include
another element, which appears once, before, between or after any
repetition. Inside the curly braces, a pair of parentheses defines the
structure of the repeated pattern. Inside the parentheses are standard
pattern control characters that work just as they would in any pattern if
not enclosed by either the curly braces or parentheses.
The pattern could be as simple as any two lower case letters, "(ll)",
or any two possibly mixed or upper case letters, "(LL)". An "(ln)"
would be alternating letter and non letter and "(Mt)" would be a possibly
upper case alphanumeric character alternating with a punctuation mark or
symbol.
Longer patterns can be used in the parenthesis. The digit after the
close paren indicates how many times the pattern repeats. This can be
from 2 to 9. In this case, unlike most patterns defined outside of curly
braces, the actual characters substituted for the control characters are
saved and reused.
The optional second set of parentheses defines a second pattern that
will be used only once. Here the digit after the close paren indicates
which repetition of the first pattern the second will follow. In this
example, there are only two so it can go in the middle (after the
first (1)) or at the end (after the second (2)). A 0 will place the
second pattern before the first occurrence of the first pattern.
A more conventional and secure way to do something similar would be
cvCd\*\t\o\5\*\P\a\s\s\w\o\r\d\*cvCd. This is a very conventional
variation on the basic State Department pattern cvcddcvc, using the
first half twice with an optionally upper case second consonant.
The difference between this and the previous pattern is that the
two ends are now processed independently, creating nearly 3 million
variations instead of less than 55,000. The result gets exactly the
same length and strength rating as the previous pattern. It's the
same length and has the same degree of character diversity. Unless
the cracker has specific knowledge that a pattern is being repeated
at the ends, it's not likely to be cracked any more easily than the
more complex one.
On the other hand, there is clearly more complexity and variety in
the second pattern. If there is any flaw in the whole, I believe
the extra diversity in it may save the second in a situation where
the first may be discovered.
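The following is an added Python interpreter for the subset of pattern syntax described above (it is not the code of the generator on this site, and the character set behind each control letter is my assumption); it realizes both patterns and counts how many distinct strings each can produce under those sets, which is where the "repeated ends versus independent ends" difference shows up:

```python
import random
import string

# Character classes assumed here for the control letters (my reading of the page).
VOWELS = "aeiou"
CONSONANTS = "".join(c for c in string.ascii_lowercase if c not in VOWELS)
CLASSES = {
    "c": CONSONANTS,                            # lower-case consonant
    "v": VOWELS,                                # lower-case vowel
    "C": CONSONANTS + CONSONANTS.upper(),       # consonant, either case
    "d": string.digits,                         # digit
    "l": string.ascii_lowercase,                # lower-case letter
    "L": string.ascii_letters,                  # letter, either case
    "n": string.digits + string.punctuation,    # non-letter
    "M": string.ascii_letters + string.digits,  # alphanumeric, either case
    "t": string.punctuation,                    # punctuation mark or symbol
}
CORE_STAND_IN = r"\*\t\o\5\*\P\a\s\s\w\o\r\d\*"   # the page's stand-in: *to5*Password*

def _find_unescaped(text, target, start):
    """First index of `target` at or after `start` that is not backslash-escaped."""
    i = start
    while i < len(text):
        if text[i] == target:
            return i
        i += 2 if text[i] == "\\" else 1    # skip over an escaped character
    raise ValueError(f"missing {target!r} in {text!r}")

def parse(pattern):
    """Parse a pattern into items: ('lit', ch), ('cls', alphabet) or
    ('rep', (P_items, k, Q_items, j)) for a {(P)k(Q)j} group."""
    items, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\":                          # \x is the literal character x
            items.append(("lit", pattern[i + 1]))
            i += 2
        elif ch == "{":
            end = _find_unescaped(pattern, "}", i)
            items.append(("rep", _parse_repeat(pattern[i + 1:end])))
            i = end + 1
        elif ch in CLASSES:
            items.append(("cls", CLASSES[ch]))
            i += 1
        else:
            raise ValueError(f"unknown control character {ch!r}")
    return items

def _parse_repeat(body):
    """Parse '(P)k' or '(P)k(Q)j' from inside curly braces."""
    groups, i = [], 0
    while i < len(body):
        if body[i] != "(":
            raise ValueError(f"expected '(' in {body!r}")
        close = _find_unescaped(body, ")", i)
        groups.append((parse(body[i + 1:close]), int(body[close + 1])))
        i = close + 2
    p_items, k = groups[0]
    q_items, j = groups[1] if len(groups) > 1 else (None, 0)
    if not 2 <= k <= 9 or not 0 <= j <= k:
        raise ValueError("repeat count must be 2-9 and the insert index 0..count")
    return p_items, k, q_items, j

def realize(items, rng):
    """Draw one password for the parsed items using rng."""
    out = []
    for kind, payload in items:
        if kind == "lit":
            out.append(payload)
        elif kind == "cls":
            out.append(rng.choice(payload))
        else:                                   # P is drawn once and reused k times
            p_items, k, q_items, j = payload
            pieces = [realize(p_items, rng)] * k
            if q_items is not None:             # Q after repetition j (0 = before the first)
                pieces.insert(j, realize(q_items, rng))
            out.append("".join(pieces))
    return "".join(out)

def generate(pattern, seed=None):
    return realize(parse(pattern), random.Random(seed))

def count_variants(pattern):
    """Number of distinct strings the pattern can produce (product of class sizes)."""
    def count(items):
        total = 1
        for kind, payload in items:
            if kind == "cls":
                total *= len(payload)
            elif kind == "rep":
                p_items, _k, q_items, _j = payload
                total *= count(p_items) * (count(q_items) if q_items else 1)
        return total
    return count(parse(pattern))

if __name__ == "__main__":
    for pat in ("{(cvCd)2(" + CORE_STAND_IN + ")1}", "cvCd" + CORE_STAND_IN + "cvCd"):
        print(f"{count_variants(pat):>14,} variants, e.g. {generate(pat, seed=7)}")
```

With 21 consonants, 5 vowels, 42 either case consonants and 10 digits, the repeated pattern yields 44,100 strings (the "less than 55,000" above) and the independent ends pattern that number squared; the counts shift with whatever sets the real generator uses.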
The Core Password, Part 2
Both my hypothetical core password and its substitute are strong 14
character passwords just by themselves.
Some reader is probably getting agitated and thinking, but there is an 8
character dictionary word in each. It does not matter. Even if used as
a complete password, the 8 character word is less than two thirds of the
total length. I know of no password cracking rule set that can find the
8 character word. Remember (except for old Windows LM hashes) passwords
are never broken in pieces. A cracker must have the entire string that
matches every single character before starting the computations that
create the hash that will be compared to the hash in the password file.
If you adopt this approach, you will have a secret part that is a
good password by itself, and that you will use as part of most passwords you
create for the next two to four years. You've decided you are going to
do passwords properly from now on. You want passwords no one, not even the
NSA can crack. You want passwords that the fastest cracking networks yet
assembled will take hundreds of thousands of years or much longer to crack.
You want to be part of that select few percent who have never seen one of
their passwords in any common password list and who have never had an
account of theirs cracked.
You start with a core of 10 to 14 characters that is a strong
password by itself. It may have two words, three symbols and a digit.
It will have at least one capital (or lower case if the others are
upper case). Neither the digit nor the capital should be at either end of
the core password. Instead of your favorite separator, you should
consider any easy to type symbol, and use it on both ends, so you
have two symbols in your password. Maybe you will use
your favorite separator to separate the two words, or you might run
them together or the digit(s) may separate them.
If you have only one digit in your core password, it will NOT be a "1".
The digit 1 accounts for more than 25% of all digits used in the top
10,000 passwords, and it accounts for 90% of the digits used by
themselves in passwords. You may want to use a 3, 8, 9, or 0, which
combined account for 2% of all single digits. The 5 and 6 each account
for 1%, while the 7 accounts for 1.5%, the 4 for just over 2%, and the
2 for 4.5%.
In multi digit passwords 3, 4, 5, and 6 climb substantially because of
the heavy use of passwords using numeric sequences starting with 123.
7, 0, 9, and 8 are the digits least frequently used in combination with
other digits.
One word that you should avoid in your core password is "password", which
by itself is the top password in a variety of environments but primarily
the Internet. In business environments 14
variations of password take most of the top 25 positions, followed by
welcome, summer, 123456, and spring. More generally "qwerty" comes in
number 5 with "123456", "12345678", "1234", and "12345" filling in the
rest of the top 6, and "dragon", "pussy", "baseball" and "football"
fill out the general top 10. Obviously different lists from different
sources and times vary a good bit.
There are some other things to think about in our core passwords. If we
care enough about passwords to go to the trouble this approach entails,
it is very likely we will talk to others about the need for strong
passwords. I think that many people who adopt such a strategy (if there
are many) will feel compelled to talk about this approach to their
friends and colleagues. This is NOT a bad idea. The state of passwords
in general use is abysmal. People need to understand the dangers and
how to make good passwords.
When discussing passwords, you want to avoid any specifics that may
reveal your own password content. Keep the discussion of structure as
general as you can. If you reveal that you use a core password, you
should avoid any core passwords similar to "my secret", "my private",
"my personal", "can't get this", "2 good to get", etc. The odds of
anyone getting these, with all the surrounding letters, are very small.
If you thought of something that actually describes your core password,
or is clever or boastful, someone else just might guess it also. Don't
take these chances.
BOTH OF MY SAMPLE CORE PASSWORDS ARE POOR EXAMPLES OF CORE
PASSWORDS. Some better ones might be ;petaL8&Stary;,
.sU~0sprawleD., or =faN,7acidifY=, (not including the trailing
commas).
While any words in your core password or complete passwords will be
combined with multiple other elements, there is no point in using any
of the most commonly used words in your passwords. Smart crackers will
use many more and longer rule variations with these very common words,
and there is no point in risking a freakishly unlikely rule mixing a common
word in passwords and several other common elements catching your
supposedly uncrackable password. Even with strong character variations
there is no reason to abandon common sense in making our strong passwords.
We are not trying to dare crackers to try our strong passwords or trying
to see how close to bad we can get and still get away with it.
We are trying to make passwords that no one but ourselves will ever have
a clue as to what they look like. The farther you can get from any of my
positive suggestions without doing the dumb things I warn against, the
better your password is likely to be. But you never give up character
diversity unless you really provide the length to compensate for it.
Maybe you can keep straight passwords that are more than 25 lower case
characters only, but I cannot. I need some kind of visual or phonetic cues
to separate really long letter sequences. In other places I've
suggested running together two short words to get more variety in
short (8 - 10 character) passwords which were once considered strong.
To me there is a huge difference between keeping track of two 2 to 5
character words, and four or more words run together for 25 plus
characters.
Writing Down the Unique Parts
Over time you will type this core password hundreds and maybe thousands of times.
There is no need to write it down. It will be etched into your memory within
a few weeks. You want the core password to work on either end of your
passwords because you will be using it on both ends routinely.
If you've been using strong passwords for a long time and have lots of
accounts, and you have used different passwords on different accounts,
you know the question is not whether you will write your passwords down,
but where you can write them securely. I'll leave you to answer where for
yourselves based on your situation. In most workplace environments, I
consider the inside of a purse or wallet to be reasonably secure. Few
people leave these lying around unattended. You know your situation.
Think about it.
Just because it is unsafe to write passwords on a postit on your monitor,
or in the closest desk drawer, does not mean all places are unsafe. One
thing I know about any password that exists only on a piece of paper: no
network hacker can possibly access it, which is more than I can say for
password safes. Most important, what you will be writing down now will be
less than half of what is needed. That is, provided your core password is
strong and does not try to say something clever or relate to you in any
way someone might guess or figure out.
You won't write your core password down, but you will have to write down
the unique parts. To your 10 to 14 character core you will be adding
meaningless (in the sense that they have no special meaning or relationship
to you) words, character sequences, repeats, and various odds and ends
that add at least 4 and hopefully closer to 8 characters to your core
password. You need to pick the unique parts based on what you find relatively
easy to remember and type. While you will be writing down the unique
parts, for those passwords that you use daily to several times a week
you should be able to remember these without looking them up.
Even though I'm offering many elements that have routinely been
described as things to be avoided in a password, I'm also
providing ways of mitigating weaknesses they may possess. By mixing
element types, including words (which greatly expand the options),
using flips, and making limited use of character subsets (which significantly
alter the relationship of various sequence characters), it becomes
very hard for the cracker to find ways to create similar strings
that have a yield worth the effort. Over time, as computers get faster,
disks grow in size, and cracking techniques evolve, larger portions
of passwords made from non random components will be cracked.
Let's look at a few examples. aBaBaB and aBaBaBaB are awful passwords.
They may not be as bad as some of the most obvious pure repeats and
simplest sequences, but it is still very easy to program all corresponding
passwords regardless of which two characters are used. There are only
about nine thousand two character combinations, so all 4, 6, 8, 10 and 12
character similar passwords would only be about 45,000 entries, which is
a small dictionary.
But what about aBaBa~97j;BaBaBaBaB ? You cannot get the aB's without
getting the "~97j;" at the same time. There is a shifted, rarely used
symbol with a common unshifted punctuation mark from a different part of
the keyboard. There are two low frequency digits with no particular
relationship, and mixed in with the non letters is a "j". The lower case
"j" runs a close second to the "q" for the least frequently used lower
case letter in the English language. How can you get these characters?
The answer is you can't. For its length it is clearly a "low entropy"
password.
The only way to get it would be to do all 7.7 billion 5 character
combos in all 15 positions of all 9025 character pairs. That's just
over 1000 trillion passwords for a very low yield, and assumes
the cracker somehow knows he's looking for a 19 character password,
with 7 alternating characters, plus 5 odd ones mixed in somewhere.
It's actually only a little over an hour on a fast network, but who
wants to devote the equivalent of 10,000 fast desktops for an hour
to get a password or two, maybe.
When you start mixing in words, and various sequences, and repeats, with
flips here and there, the numbers climb quickly. Just to store the 1000
trillion passwords to disk would take 20,000 terabytes, and that's with
no indexes or any database overhead to assist a quick lookup. While you
can describe ways to build dictionaries that could generate the outputs
which cover the kinds of passwords I've been creating, the yields would
be abysmally low by most cracking standards, and with dictionaries too
large to store to disk to check for duplicates, there would certainly be
a lot of duplication of effort. Crackers are not likely to pursue these
avenues for a long time.
When you write down the unique part you will come up with some notation
that indicates which end the core part goes on. It should be better than
an arrow or other constant indicator that quickly becomes obvious if
anyone else happens to see or obtain your password list. I'd suggest any
group of characters that you can easily relate to each other, and which
consists of 5 to 10 or so characters.
There are many groups to choose from. Some of the less obvious are the vowels,
upper or lower case or both; the first six consonants: b, c, d, f, g, h; or
the three contiguous groups of five consonants: 1) j, k, l, m and n, 2)
p, q, r, s and t and 3) v, w, x, y and z. Mixed case doubles the number for
more variety.
Among symbols and punctuation the eight paired symbols seem
fairly obvious: (), [], {}, and <>. They could be used to point at
either end, but do not need to; this is the only group that has a really
clear way to show the secret core embedded in the unique part: 34()5678.
Some punctuation marks have only one part: , . ' - ( ) and possibly ` and ~.
Other punctuation marks and symbols have two clearly separate parts,
( ; : " ? ! = ). Some punctuation and symbols float above the baseline,
( ` ~ ^ * - = + ' " ). Some of the most common non-punctuation symbols
are located along the top of the keyboard: @ # $ % & * _ = +.
Any modest size group of characters that you can easily relate
to each other and remember will do. Keyboard location can also be useful:
( ; : ' " , < . > / ? ) are very close together, as are many other combinations
of characters.
You should have a consistent method for what to
do when one of your group appears at the start, end, or in the middle of an
element that may end, begin, or surround your core password. One of
the advantages of having a small group is that you might just discard, or
not use, any character group that ends with one of your direction indicators. Alternatively
you might repeat the character, or add a different one from the group.
It would be annoying, at the least, to have a password you have
written down but cannot use because you cannot figure out where the
core belongs relative to what is written.
What about the rest of your password? Is there anything you should or
should not do with these? I think your written list should look pretty
much like an ordinary list of passwords, with no duplicates, because if
your written list has a duplicate it means you are using the same password
at two locations.
Two of the most common passwords are 123456 and 12345678.
Why would anyone need to write these down? Because they are so simple and
meaningless it might be hard to remember what account or site they belong
to. If they were written down as 012{}345, 23()4789, or 789ABc], someone who
managed to see the list would likely think the owner uses pretty simple
passwords but is trying to make them better. Even with 123456[ few
people would ever think that the symbols were indicators of where an
additional 10 to 14 characters might go.
On your password list you should be looking for unique parts that,
while you may not remember an infrequently used one from week to week,
once you've glanced at your list you can quickly return it to its reasonably
secure location. You do not want unique parts that are so difficult
that you need to lay your password list in plain sight, in front of
you, while you type in a password.
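The notation above is only safe if you can always decode your own list, so here is a decoder for written entries, added to this page as an example and not the author's own scheme. The rules it applies are one consistent choice of the kind the text says you must settle on, and they are assumptions: the indicator group is the four bracket pairs; an adjacent open/close pair such as 34()5678 means the core goes between them; a single indicator as the first or last character puts the core in front of or after the entry; the indicator characters stay in the finished password; and any other arrangement (indicator in the middle, none, or more than one) is rejected, so the ambiguity is caught when the list is written rather than when the password has been forgotten. The sample list is constructed for the example.

```python
"""Decode entries from a written password list that mark where the secret
core belongs with an indicator group.  Added example for this page, not the
author's scheme; every rule below is an assumption (see the text above)."""
PAIRS = {"(": ")", "[": "]", "{": "}", "<": ">"}
INDICATORS = set(PAIRS) | set(PAIRS.values())


def decode(entry, core):
    """Return the full password for one written entry, or raise ValueError."""
    positions = [i for i, c in enumerate(entry) if c in INDICATORS]
    # Embedded form: exactly one adjacent open/close pair, e.g. "34()5678",
    # and no other indicator anywhere in the entry.
    if (len(positions) == 2 and positions[1] == positions[0] + 1
            and PAIRS.get(entry[positions[0]]) == entry[positions[1]]):
        i = positions[1]
        return entry[:i] + core + entry[i:]
    if len(positions) != 1:
        raise ValueError("ambiguous entry %r: %d indicators" % (entry, len(positions)))
    i = positions[0]
    if i == 0:                      # e.g. "<abc": core goes in front
        return core + entry
    if i == len(entry) - 1:         # e.g. "123456[": core goes after
        return entry + core
    raise ValueError("ambiguous entry %r: indicator in the middle" % entry)


def is_ambiguous(entry):
    """True when decode() would refuse the entry."""
    try:
        decode(entry, "x")
    except ValueError:
        return True
    return False


def check_list(entries):
    """Problems in a written list: entries that cannot be decoded, and
    entries that repeat (a repeat means one password is in use at two
    places).  Returns (entry, problem) pairs in list order."""
    problems = []
    seen = set()
    for e in entries:
        if is_ambiguous(e):
            problems.append((e, "ambiguous"))
        if e in seen:
            problems.append((e, "duplicate"))
        seen.add(e)
    return problems


# Constructed sample list using the page's own example entries, with one
# entry deliberately repeated.
SAMPLE_LIST = ["012{}345", "23()4789", "789ABc]", "123456[", "123456["]

if __name__ == "__main__":
    for e in SAMPLE_LIST:
        print(e, "->", decode(e, "*to5*Password*"))
    print(check_list(SAMPLE_LIST))
```

Run check_list() over your list whenever you add an entry; an entry it rejects is exactly the case the text warns about, a written password whose core position you can no longer work out.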
Account Names
Your written password list may
contain the exact site and full account name (my account names vary almost as
much as my passwords and I have to write them down), or just a hint that
is enough to tell you where the password is used.
On the subject of account names, I think of account names and passwords as
two halves of a whole. Neither one alone has any value; only when two that
match are used together does anyone get access to anything. Few websites
or operating systems tell the user enough to know that they have a valid account
name but the wrong password. For this reason I mix my account names up quite
a bit.
The most important difference from a security perspective is that account
names are always stored in plaintext (at least in my experience), whereas passwords
are normally stored as hashes (with some exceptions noted previously). Thus as
soon as anyone has access to the system, all the account names are typically
available.
When someone is trying to gain remote access to a system by guessing
accounts and passwords, you don't have to make the first half
easy. When you take your names and initials, chopped up various ways, and
combine them with the numerous ways your birthday and parts of it may be formatted,
and add your address, with perhaps some other information, there are a
very large number of account names you can come up with. I think it's
been more than a decade since any system told me an account name I was
trying to use was already in use.
On many websites and other Internet venues, many people use nicknames
or handles that have no relationship to who they are. This is also fine
as long as the system allows it. In many businesses, administrators
assign the account names and email addresses, and for good reason they
normally have a direct relationship to the individual users.
The Unique Parts, Part 3
I'll close with some more
examples of how you may create your unique parts, continuing to use the
admittedly poor core password that's already been used.
<''4-6fm>\*\t\o\5\*\P\a\s\s\w\o\r\d\*d3 This one starts with a 4 to 6 character
ASCII sequence (defined by the angle brackets, < >)
with a randomly selected start point (the empty apostrophe pair, ' ').
It has a flip, denoted by the "f", which means that if either
or both ends of the sequence contain a letter, there is a 75% chance one end
will be case flipped. The "m" limits the ASCII sequence to
alphanumeric characters. Few people know the ASCII order of the symbols and
punctuation marks, while anyone can look at a keyboard and see the keyboard
order of the same characters. The core password is followed by 1 to 3 digits.
See the password generator instruction page for detailed instructions
on creating control patterns. In this case the
Sequences and Repeats section will be
of particular interest.
[''3-5f]\*\t\o\5\*\P\a\s\s\w\o\r\d\*Cvc This one starts with a 3 to 5
character keyboard sequence (defined by the square brackets, [ ]),
again with a randomly selected starting point (' '),
but because the whole keyboard is visible, all characters are included.
It also has a flip ("f"). Because this is a keyboard sequence and every
key has two characters, flips are not limited to letters. If the sequence
begins or ends with letters, they are the characters flipped, if any are.
When no letter begins or ends a keyboard sequence, either end may be
flipped to the other character on the same key that began or ended the
sequence. After the core password, this one ends with a consonant, vowel,
consonant, and the first consonant may be upper case.
Perhaps the simplest variation on the core password is to use a single word
with one additional character at either end for more variety.
Wd\*\t\o\5\*\P\a\s\s\w\o\r\d\* At the beginning, with a digit.
\*\t\o\5\*\P\a\s\s\w\o\r\d\*Wt At the end, with a symbol or punctuation
mark. In both cases a flip is used, by specifying an upper case W, for a word
2 to 9 characters in length. A single digit would request a fixed length
word and 4-7 a word from 4 to 7 characters in length. A simple "w" or "W"
has the advantage of varying your password over a length range of 6 or 7
characters (2 character words are seen only very infrequently), making its
total length very hard to guess, but try not to limit yourself to a
single approach.
(''3f)\*\t\o\5\*\P\a\s\s\w\o\r\d\*(''3f) This one starts and ends with a
randomly selected 3 character repeat. Any of the 95 characters may be
selected, and both include a flip, which applies to letters only.
Please
remember that the number of available repeats and sequences between 2 and 9
characters is smaller than for any other kind of character group of similar length.
These were added because, when combined with a few arbitrary characters in long
passwords, they are relatively safe. As they have been frequently used in common
passwords, I assume many people find them easy to remember and/or type.
Flips help increase the diversity, but only to
a limited extent.
When using the core password approach you are already keeping
most of your password constant. You should mix the use of repeats and sequences
with other pattern types such as words, pseudo words, short to moderate length
digit sequences, pronounceable bits (cvc), short random letter bits, and
occasional symbols, among others. Look at the Pattern Samples page for many other examples
which may be extracted from the mostly conventional short passwords shown
there.
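To make the pattern elements in this section concrete, here is a toy re-creation of the ones described (ASCII sequence with flip, keyboard sequence with flip, repeat, digit run, Cvc) assembled around the core. It is an example added to this page and is not George Shaffer's Password Generator; where the text leaves a detail open, the choice made here is an assumption and is marked in the comments: the US QWERTY layout, that a keyboard sequence may be drawn from either the unshifted or the shifted layer of one row, that an ASCII sequence stays within the digits, the upper case letters or the lower case letters, how the 75% flip is applied, and that the core string is the escaped pattern \*\t\o\5\*\P\a\s\s\w\o\r\d\* read literally. The word patterns (Wd, Wt) are left out because they need a word list.

```python
"""Toy re-creation of several control-pattern elements discussed on this
page, assembled around a fixed core password.  Added example, not the
author's Password Generator; layout, keyboard layer, ASCII-run and flip
details are assumptions noted below."""
import random
import string

# Assumption: US QWERTY, each row listed unshifted then shifted.
KEY_ROWS = [
    ("`1234567890-=", "~!@#$%^&*()_+"),
    ("qwertyuiop[]\\", "QWERTYUIOP{}|"),
    ("asdfghjkl;'", "ASDFGHJKL:\""),
    ("zxcvbnm,./", "ZXCVBNM<>?"),
]
# "The other character on the same key", used by keyboard-sequence flips.
OTHER_ON_KEY = {}
for _low, _high in KEY_ROWS:
    for _a, _b in zip(_low, _high):
        OTHER_ON_KEY[_a], OTHER_ON_KEY[_b] = _b, _a

ALNUM_RUNS = (string.digits, string.ascii_uppercase, string.ascii_lowercase)
PRINTABLE = string.digits + string.ascii_letters + string.punctuation + " "  # 95
FLIP_PROB = 0.75          # page: "a 75% chance one end will be case flipped"
CORE = "*to5*Password*"   # assumption: the page's escaped pattern, unescaped


def make_rng(seed=None):
    """A seed gives reproducible output for demonstrations only; real
    passwords must come from the OS generator (seed=None)."""
    return random.Random(seed) if seed is not None else random.SystemRandom()


def _flip_one_end(rng, chars, flipper):
    """With FLIP_PROB, replace one randomly chosen end using flipper(); if
    that end cannot be flipped (flipper returns None) try the other end."""
    if rng.random() < FLIP_PROB:
        ends = [0, len(chars) - 1]
        rng.shuffle(ends)
        for i in ends:
            new = flipper(chars[i])
            if new is not None:
                chars[i] = new
                break
    return chars


def _case_flip(c):
    return c.swapcase() if c.isalpha() else None


def ascii_seq(rng, lo, hi, flip=True):
    """<''lo-hifm>: lo..hi consecutive ASCII alphanumerics from a random
    start.  Assumption: the run stays inside one of digits/upper/lower.
    Flips apply to letters only."""
    n = rng.randint(lo, hi)
    run = rng.choice([r for r in ALNUM_RUNS if len(r) >= n])
    start = rng.randrange(len(run) - n + 1)
    chars = list(run[start:start + n])
    return "".join(_flip_one_end(rng, chars, _case_flip) if flip else chars)


def keyboard_seq(rng, lo, hi, flip=True):
    """[''lo-hif]: lo..hi adjacent keys along one row from a random start.
    Assumption: either layer of the row may be used.  A flip swaps one end
    for the other character on the same key, so it is not limited to letters."""
    n = rng.randint(lo, hi)
    low, high = rng.choice([r for r in KEY_ROWS if len(r[0]) >= n])
    row = rng.choice((low, high))
    start = rng.randrange(len(row) - n + 1)
    chars = list(row[start:start + n])
    return "".join(_flip_one_end(rng, chars, OTHER_ON_KEY.get) if flip else chars)


def repeat(rng, n, flip=True):
    """(''nf): one of the 95 printable characters repeated n times; a flip
    applies to letters only."""
    chars = [rng.choice(PRINTABLE)] * n
    return "".join(_flip_one_end(rng, chars, _case_flip) if flip else chars)


def digits(rng, lo, hi):
    """dN as used on this page: a run of lo..hi digits (d3 is 1 to 3)."""
    return "".join(rng.choice(string.digits) for _ in range(rng.randint(lo, hi)))


def cvc(rng):
    """Cvc: consonant, vowel, consonant; the first consonant may be upper case."""
    cons, vow = "bcdfghjklmnpqrstvwxyz", "aeiou"
    c1 = rng.choice(cons)
    if rng.random() < 0.5:
        c1 = c1.upper()
    return c1 + rng.choice(vow) + rng.choice(cons)


def unique_part_examples(rng, core=CORE):
    """The three full patterns from this section, in order:
    <''4-6fm>core d3, [''3-5f]core Cvc, (''3f)core(''3f)."""
    return (
        ascii_seq(rng, 4, 6) + core + digits(rng, 1, 3),
        keyboard_seq(rng, 3, 5) + core + cvc(rng),
        repeat(rng, 3) + core + repeat(rng, 3),
    )


if __name__ == "__main__":
    for p in unique_part_examples(make_rng()):
        print(p)
```

Running it a few times shows the point made above about length: the first pattern varies between 19 and 23 characters, the second between 20 and 22, and the core is the only constant part.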
Summary
To try to sum this all up, even though each new password you create will have
a common core password, the whole string which makes up the password should
be unique. You should have no reason to think any human being, past or
present, and definitely including yourself, has ever seen this particular
string before.
Since May 25, 2012, when I recalculated my Password Cracking Timetable,
I knew I had to upgrade a number of my passwords. I was in no hurry
because I knew even my oldest and weakest passwords are strong by
most measurements, and none has ever been in any common password list.
I had no idea what my new passwords would look like except they would
be longer than I'd ever used before. I thought that as I revised my
pages, and upgraded my
Password Generator and
Password Evaluator I would find
some approach to making new longer passwords that I was comfortable
with. Now, at the very end of June, with the core password concept,
I believe I've found that method.
Copyright © 2000 - 2014 by George Shaffer. This material may be
distributed only subject to the terms and conditions set forth in
http://GeodSoft.com/terms.htm
(or http://GeodSoft.com/cgi-bin/terms.pl).
These terms are subject to change. Distribution is subject to
the current terms, or at the choice of the distributor, those
in an earlier, digitally signed electronic copy of
http://GeodSoft.com/terms.htm (or cgi-bin/terms.pl) from the
time of the distribution. Distribution of substantively modified
versions of GeodSoft content is prohibited without the explicit written
permission of George Shaffer. Distribution of the work or derivatives
of the work, in whole or in part, for commercial purposes is prohibited
unless prior written permission is obtained from George Shaffer.
Distribution in accordance with these terms, for unrestricted and
uncompensated public access, non profit, or internal company use is
allowed.