Tuesday, September 9, 2008

Passwords 101

I've been working with computers for a long time, since 1975 to be exact, and the one persistent weakness in the security of those computers has been the password. Make the rules too complex and the user will write the password on a sticky note and stick it on the monitor. Make them too easy and the password can be brute-forced, or the user will use their kid's name as the password.

So how do you go about making a secure password? I like a password to use at least 3 of these 4 character types:

Uppercase Characters
Lowercase Characters
Numbers
Symbols (such as $, # or .)

So how do you remember a password like F$mpatsFld? I break it down into chunks, so all you need to know is the order of the chunks. To make this password, I took Fannie Mae, the name of a fictional relative, and a TV show. Here is how I did it:
F$m = Fannie Mae
pat = fictional relative
sFld = Seinfeld

So I have about 15 different combos, and I just rearrange them to make passwords. Let's add a few more: M$ft for Microsoft, pB58 for Papelbon (Red Sox closer), and C.Cr for Captain Crunch cereal.

By swapping chunks around you can create long, mixed-character passwords that you can keep track of without writing any of them down. One caveat: the strength of this scheme rests on the chunks themselves staying private, because an attacker who learns your chunk set only has to try the ways of ordering them. So don't reuse the chunks behind an important password in the throwaway ones.
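Here is an added example (not the author's code) that puts numbers on the two rules above: the 3-of-4 character-class check, and how big the search space of the chunk scheme really is. It copies the six chunks the post spells out and takes the author's "about 15" as the size of the chunk pool; those are the only inputs, and the 94-character alphabet for the random-password comparison is the usual printable-ASCII set minus space, which is my assumption rather than anything the post states. The decompose function shows what a single leaked password hands an attacker who suspects chunking: the building blocks of every other password.

```python
"""Search-space check for the chunk-and-rearrange password scheme.

Added example; not the post author's code. The chunk list copies the six
chunks named in the post; the pool size of 15 is the author's own estimate.
"""
import itertools
import math
import string

# The six chunks the post spells out (author's examples).
KNOWN_CHUNKS = ["F$m", "pat", "sFld", "M$ft", "pB58", "C.Cr"]
# The author says they keep "about 15" chunks; we take that as the pool size.
POOL_SIZE = 15
# Assumption: printable ASCII less space, the alphabet a generic brute-forcer
# would use for a random-password comparison (94 characters).
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def char_classes(password):
    """Return which of the four classes (upper, lower, digit, symbol) appear."""
    classes = set()
    for ch in password:
        if ch.isupper():
            classes.add("upper")
        elif ch.islower():
            classes.add("lower")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


def meets_three_of_four(password):
    """The post's rule: at least three of the four character classes."""
    return len(char_classes(password)) >= 3


def chunk_passwords(chunks, k):
    """Every password built from k distinct chunks in some order."""
    return ["".join(p) for p in itertools.permutations(chunks, k)]


def chunk_keyspace(pool_size, k):
    """Guesses needed by an attacker who knows all pool_size chunks and that a
    password is k of them in order: ordered selections, P(n, k)."""
    return math.perm(pool_size, k)


def random_keyspace(length, alphabet=ALPHABET):
    """Guesses needed against a uniformly random password of this length."""
    return len(alphabet) ** length


def bits(keyspace):
    """Keyspace expressed as bits of entropy."""
    return math.log2(keyspace)


def decompose(password, chunks):
    """Split a password into known chunks, each used at most once.

    Returns the ordered chunk list, or None if the password is not built from
    them. Backtracks so a chunk that is a prefix of another cannot cause a
    false miss. This is what one leaked password hands an attacker.
    """
    if password == "":
        return []
    for chunk in chunks:
        if password.startswith(chunk):
            remaining = [c for c in chunks if c != chunk]
            rest = decompose(password[len(chunk):], remaining)
            if rest is not None:
                return [chunk] + rest
    return None


if __name__ == "__main__":
    pw = "F$mpatsFld"  # the post's worked example
    print(pw, "classes:", sorted(char_classes(pw)),
          "meets 3-of-4:", meets_three_of_four(pw))
    print("chunks recovered from a leak:", decompose(pw, KNOWN_CHUNKS))
    space = chunk_keyspace(POOL_SIZE, 3)
    print(f"3 chunks from a known pool of {POOL_SIZE}: "
          f"{space} guesses ({bits(space):.1f} bits)")
    print(f"random 10 chars over {len(ALPHABET)} symbols: "
          f"{bits(random_keyspace(10)):.1f} bits")
    print("all 3-chunk passwords from the six named chunks:",
          len(chunk_passwords(KNOWN_CHUNKS, 3)))
```

Against an attacker who has no idea the password is built from chunks, F$mpatsFld looks like any other 10-character mixed string. Against one who has the pool (say, from a previous leak run through decompose), three chunks from fifteen is only 2730 orderings, a little over 11 bits; that gap is why the chunks, not the passwords, are the secret worth protecting.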

The way to jog your memory is to never, ever write down the whole password. But you can give yourself mnemonics to remind you. I would never write down mnemonics for really important passwords, like the login to Blogger or your bank's website, but for email, forums, etc. here is what I do: I keep the mnemonics on a piece of paper or in Google Notebook. A mnemonic isn't a copy of the password; it's just there to jog your memory. So for the three above I'd use something like this:

blogger tv cereal
avsforum cereal close
THG forums evil empire bailout

The trick is to make the chunks personal without using any of your Social Security numbers, children's or spouse's birthdays, anniversaries, etc.

Hope this helps some. I've got a wicked head cold, so I'm not making too much sense; I might have to edit this later to make it a little clearer.


theotherryan said...

Phrases are good. When things get random it is a lot harder.

Something like FNfal7.62 would be good while AGoq21#* would be hard to remember without writing down.

PKS said...

I used to work as a sysadmin, and I saw a lot of strategies a lot like these. These are good, but if there's a pattern (abbreviations, changing S to $, e to 3, a to @, etc.) then it can be broken, right?

The last shop I worked at did a variety of these, but I saw on Bruce Schneier's blog that there's some people working on the fact that passwords that don't have a word in any language usually at least have a "pronounceable" part to them. Food for thought, anyway.

Really, things like FNfal7.62 are a false sense of security. If the attacker knows you're a fan of that particular weapon, well, then it's basically 'security through obscurity', right?

I don't have a 'silver bullet' for the problem of passwords. I know a couple of clients take the attitude that they write them down and put them in their wallet, thinking, "if it's safe enough for my credit cards, it's safe enough for my livejournal account" or something.

I guess it depends on how sophisticated a potential attacker could conceivably be, right? If the NSA is looking at you, well, nothing short of PGP and a 26-digit completely random password will do, right? But if the NSA is looking at you, you've got bigger problems, in all likelihood.

riverwalker said...

I just change my main passwords for important stuff on a regular basis at random intervals. Sometimes I change them every month and sometimes sooner. Seems to work OK for me.