I think, therefore I harm
This article gives tips on how to create a secure password.
Without a secure password, you had better have no password at all. A weak password only delays people who know you by a couple of minutes, and crackers by a couple of seconds.
Without a good password, not only is the security of your data compromised, but also that of the entire system on which you have an account. Just as an example, if you have an account on a Linux shell, then the people in your group have granted you some permissions over their files, because they trust you. If someone finds your password, they gain access to those files too.
A good password follows two rules: it is easy for you to remember, and hard for others to guess.
Trying every possibility (aa, ab, ac, … aaaab, aaaac, …) would be a very long task (208,827,064,576 possibilities with just 8 lowercase letters). That is not how crackers go about finding your password.
First, they will try to find information about you: Your first name, your girlfriend’s name, your social security number, your birthdate, your mother’s maiden name, your pet’s name, the model of your first car, etc. They will try to guess your password from this information.
If they can’t find your password from your personal data, they will try every word in a dictionary. Usually, they use a program that tries different patterns over a word list containing most of the words from several languages. The list might also contain proper names (people, cities, …) along with common expressions and jargon words.
These programs also try patterns over these words. Here are some common patterns such programs test over each word of the word list:
Those are examples of weak passwords (you might not believe me, but those are the most commonly used passwords):
Don’t try those passwords on my account, I don’t use them.
A good password will NOT be one of these:
A good password, as previously said, is easy to remember by you and hard to guess by others. Your birthdate is really easy to remember, but everyone knows it. ^lx9#SOdve is very hard to guess, as it has no meaning, but how the hell will you remember it? Probably by writing it down on a piece of paper, which will lie on your desk for a couple of weeks, right under the eyes of everyone (never write down passwords).
Here are some tricks to find a good password. One which you can remember, but others will not be able to guess.
A common trick is to take a sentence and use the first letter of every word as the password. For example, remember the sentence “My girlfriend Marianne is a nice girl” and create the password “MgMiang”. Of course, don’t use a common sentence such as “The quick brown fox jumps over the lazy dog” (that one is used by Windows for displaying font samples), as it would be no more secure than a dictionary word.
Once you have found a nice password, make it even harder for others to guess. For example, you could write it backwards, mix the caps, or insert punctuation or numbers.
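The points above (the 26^8 search space, the word-list patterns crackers apply, and the first-letter trick) can be turned into a simple password check. This is an added example, not code from the original article; the word list is a constructed stand-in for a real dictionary, and the pattern rules (case, digits or punctuation appended, reversal, digit-for-letter substitutions) are assumptions about the patterns the article describes.

```python
import math
import string

# Constructed mini word list standing in for a real multi-language dictionary.
WORDLIST = {"password", "marianne", "dragon", "secret", "letmein", "qwerty", "linux"}

# Undo common digit/symbol-for-letter substitutions (assumed pattern rule).
LEET = str.maketrans("01345@$", "oleasas")

# A search space no bigger than 8 lowercase letters (the article's 26^8 figure)
# is treated as too small.
MIN_BITS = 8 * math.log2(26)


def candidate_forms(pw):
    """Forms a word-list attack would reduce pw to: lowercased, leading/trailing
    digits and punctuation stripped, substitutions undone, and each reversed."""
    base = pw.lower()
    junk = string.digits + string.punctuation
    forms = set()
    for f in (base, base.translate(LEET)):
        for g in (f, f.strip(junk)):
            forms.add(g)
            forms.add(g[::-1])
    return {f for f in forms if f}


def keyspace_bits(pw):
    """log2 of the brute-force space, from length and character classes used."""
    classes = 0
    if any(c.islower() for c in pw): classes += 26
    if any(c.isupper() for c in pw): classes += 26
    if any(c.isdigit() for c in pw): classes += 10
    if any(c in string.punctuation for c in pw): classes += len(string.punctuation)
    return len(pw) * math.log2(classes) if classes else 0.0


def check_password(pw, wordlist=WORDLIST, min_len=8):
    """Return (ok, reason): reject short, dictionary-derived, or small-space passwords."""
    if len(pw) < min_len:
        return False, "too short"
    for form in candidate_forms(pw):
        if form in wordlist:
            return False, f"pattern of dictionary word '{form}'"
    if keyspace_bits(pw) < MIN_BITS:
        return False, "search space too small"
    return True, "ok"
```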
In 2002, I ran a test on a web hosting company server. If I ran the test today (ten years later) I would expect better results. I used John the Ripper, popular cracking software for Windows, available on the Internet for free. The test was performed over the passwd file, the file that holds account passwords on Unix systems (such as Linux).
After 3 seconds: 38 passwords cracked
After 1 minute: 47 passwords cracked
After 5 minutes: 148 passwords cracked
After 10 minutes: 152 passwords cracked
The passwd file contained 740 passwords. That is, 5% of the passwords were cracked in 3 seconds, and 20% in only 10 minutes.
13 cracked passwords were male names and 13 were female names (including names with a number appended).
This article was first written and published in 2002 as a reference for the clients of a web hosting company I worked for, after I found out that almost all (over 90%) of the accounts that were being hacked had a weak password. The article was updated before publication as a Knol in 2008 (and updated further when moved to WordPress). Common security web pages were used as references, but none of them could be found today, so I removed the links.
Please, feel free to post ideas and suggestions in the comments below. If I pick up your ideas, the article will be updated (with due credit). Even if I don’t pick it up, it might help others.