Off Topic

I think, therefore I harm

Secure Password

This article gives tips on how to create a secure password.

1. Why is it important to have a secure password?

Without a secure password, you might as well have no password at all: it would only cost people who know you a couple of minutes, and crackers a couple of seconds.

Without a good password, it is not only the security of your data that is compromised, but that of the entire system on which you have an account. For example, if you have an account on a Linux shell, the other people in your group have granted you some permissions over their files because they trust you. If someone finds your password, they gain access to those files too.

2. What is a good password?

A good password follows two rules:

  • Easy to remember
  • Hard to guess

3. How do crackers find your password?

Trying every possibility (aa, ab, ac, … aaaab, aaaac, …) would be a very long task (208,827,064,576 possibilities for just 8 lowercase letters; that figure looked enormous in 2002, but a modern GPU gets through that many guesses against a fast, unsalted hash in well under an hour, which is one reason length matters so much today). Even so, exhaustive search is not how crackers go about finding your password.

First, they will try to find information about you: Your first name, your girlfriend’s name, your social security number, your birthdate, your mother’s maiden name, your pet’s name, the model of your first car, etc. They will try to guess your password from this information.

If they can’t find your password from your personal data, they try every word in a dictionary. Usually they use a program that runs through a word list containing most of the words from several languages, applying different patterns to each. The list may also contain proper names (people, cities, …) along with common expressions and jargon.

These programs also try patterns over these words. Here are some common patterns such programs test over each word of the list:

  • Just the word: generation
  • Word backward: noitareneg
  • Word with all vowels switched to numbers: g3n3r4t10n
  • Word with all caps: GENERATION
  • Word with mixed caps: GeNeRaTiOn
  • Word with a punctuation at the beginning and/or the end: -generation-
  • Two concatenated words, with or without punctuation in between: generation.girl

Here are examples of weak passwords (you might not believe it, but these are among the most commonly used):

  • Marianne (my girlfriend’s first name)
  • 19880420 (my birthdate)
  • Sherbrooke (this is the city where I live)
  • windowsxp (my desktop OS)
  • Tom23 (my first name and my age)
  • god, secret, sex (the most popular passwords, according to the motion picture Hackers)
  • Patterns such as 123456, qwerty, etc. (more common than you could possibly believe)

Don’t try those passwords on my account, I don’t use them.

4. How to find a secure password?

A good password will NOT be one of these:

  • A dictionary word (a Spanish or Arabic word is no more secure than an English word)
  • A password with only alphabetic or only numeric characters (this shrinks the number of possibilities a cracker has to try)
  • A short password (for today’s needs, I would recommend at least 8 characters; more is better)

A good password, as said above, is easy for you to remember and hard for others to guess. Your birthdate is really easy to remember, but everyone knows it. ^lx9#SOdve is very hard to guess, as it has no meaning, but how the hell will you remember it? Probably by writing it down on a piece of paper, which will lie on your desk for a couple of weeks under everyone’s eyes (never write down passwords).

Here are some tricks for finding a good password: one which you can remember, but others will not be able to guess.

A common trick is to take a sentence and use the first letter of every word as the password. For example, remember the sentence “My girlfriend Marianne is a nice girl” and use the password “MgMiang”. Of course, don’t use a well-known sentence such as “The quick brown fox jumps over the lazy dog” (Windows uses that one to display font samples), as it would be no more secure than a dictionary word.

Once you have found a nice password, make it even harder for others to find: for example, write it backwards, mix the caps, or insert punctuation or numbers.
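The cracker’s rule-based dictionary search from section 3 and the password rules from section 4, as an added example in Python that is not part of the original article. The word list, the “leaked” hashes and the hardened password MgM!ang7 are constructed for the demo; the mangling rules are the ones listed in section 3 (a digit suffix stands in for the Tom23 pattern), and unsalted SHA-256 stands in for the real hash format only so that the example runs instantly offline.

```python
"""Rule-based dictionary cracking and the matching weak-password check.

Added example, not code from the original article. Word list, "leaked"
hashes and sentence are constructed for the demo; real lists hold
millions of words and real systems use salted, slow hashes, but the
search strategy is the same.
"""
import hashlib
from typing import Dict, Iterable, Iterator, Optional, Set

# Constructed mini word list standing in for the multi-language lists.
WORDLIST = ["generation", "girl", "password", "marianne", "sherbrooke",
            "windows", "secret", "sunshine"]
VOWEL_TO_DIGIT = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0"})
PUNCT = "-!."


def mangle(word: str) -> Iterator[str]:
    """Yield the single-word variants from the article's pattern list."""
    w = word.lower()
    yield w                                  # just the word
    yield w[::-1]                            # word backward
    yield w.translate(VOWEL_TO_DIGIT)        # vowels switched to digits
    yield w.upper()                          # all caps
    yield w.capitalize()                     # first letter capitalised
    # mixed caps: alternate case, starting with either upper or lower
    yield "".join(c.upper() if i % 2 == 0 else c for i, c in enumerate(w))
    yield "".join(c.upper() if i % 2 == 1 else c for i, c in enumerate(w))
    for p in PUNCT:                          # punctuation at start and/or end
        yield p + w
        yield w + p
        yield p + w + p
    for n in range(100):                     # a number appended (Tom23 style)
        yield w + str(n)


def candidates(wordlist: Iterable[str]) -> Iterator[str]:
    """All single-word mangles, then two-word concatenations."""
    words = list(wordlist)
    for word in words:
        yield from mangle(word)
    for a in words:
        for b in words:
            yield a + b                      # two words concatenated ...
            for p in PUNCT:
                yield a + p + b              # ... with punctuation between


def crack(hashes: Set[str], wordlist: Iterable[str]) -> Dict[str, str]:
    """Map each SHA-256 hex digest in `hashes` hit by a guess to that guess.

    Unsalted SHA-256 keeps the demo instant; with crypt(3) or bcrypt each
    guess costs more, but the order of guesses does not change.
    """
    found: Dict[str, str] = {}
    for guess in candidates(wordlist):
        digest = hashlib.sha256(guess.encode()).hexdigest()
        if digest in hashes and digest not in found:
            found[digest] = guess
            if len(found) == len(hashes):
                break
    return found


def initials(sentence: str) -> str:
    """First letter of every word, case kept: the article's sentence trick."""
    return "".join(w[0] for w in sentence.split() if w[0].isalpha())


def is_weak(password: str, wordlist: Iterable[str]) -> Optional[str]:
    """Return why a password is weak under section 4's rules, or None.

    The dictionary check reuses the cracker's generator, so a password is
    rejected exactly when the first pass above would find it.
    """
    if password in set(candidates(wordlist)):
        return "dictionary word or a common variation of one"
    if len(password) < 8:
        return "shorter than 8 characters"
    if password.isalpha():
        return "letters only"
    if password.isdigit():
        return "digits only"
    return None


# Constructed "leak": five weak passwords built from the article's patterns
# plus one made with the sentence trick and then hardened by hand.
DEMO_PASSWORDS = ["Marianne", "g3n3r4t10n", "generation.girl", "secret!",
                  "WINDOWS", "MgM!ang7"]
LEAKED_HASHES = {hashlib.sha256(p.encode()).hexdigest() for p in DEMO_PASSWORDS}

if __name__ == "__main__":
    cracked = crack(LEAKED_HASHES, WORDLIST)
    print(f"cracked {len(cracked)} of {len(LEAKED_HASHES)}: {sorted(cracked.values())}")
    base = initials("My girlfriend Marianne is a nice girl")
    for pw in (base, "MgM!ang7", "password1", "19880420"):
        print(f"{pw!r}: {is_weak(pw, WORDLIST) or 'passes the rules'}")
```

Running it cracks the five pattern-based passwords and misses only MgM!ang7. Note that the article’s own example MgMiang fails the checker on length and on being letters only, which is exactly why the text goes on to say to mix in caps, punctuation or numbers; the hardened form survives both the cracker’s first pass and the rule check.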

5. Cracking test results

In 2002, I ran a test on a web hosting company’s server. If I ran the test today (ten years later), I would expect the cracker to do even better. I used John the Ripper, a popular password cracker available for free on the Internet (it runs on Unix as well as Windows). The test was performed on the passwd file, the file that holds account passwords on Unix systems such as Linux (on current systems the password hashes are kept in the shadow file instead, readable only by root).

After 3 seconds: 38 passwords cracked
After 1 minute: 47 passwords cracked
After 5 minutes: 148 passwords cracked
After 10 minutes: 152 passwords cracked

The passwd file contained 740 passwords. That is, 5% of the passwords were cracked in 3 seconds, and 20% in only 10 minutes.

Of the cracked passwords, 13 were men’s names and 13 were women’s names (including names with a number appended).

About this article

This article was first written and published in 2002 as a reference for the clients of a web hosting company I worked for, after I found out that almost all (over 90%) of the accounts that were being hacked had a weak password. The article was updated before publication as a Knol in 2008 (and updated further when moved to WordPress). Common security web pages were used as references, but none of them can be found today, so I removed the links.

Please, feel free to post ideas and suggestions in the comments below. If I pick up your ideas, the article will be updated (with due credit). Even if I don’t pick it up, it might help others.


3 comments on “Secure Password”

  1. heretherebespiders
    March 9, 2012

    Hi again! Yes, I’m browsing. Did you see the xkcd comic about passwords? I have been considering it ever since I saw it: previously, I had heard that using one standard password that you could remember followed by the initials of the website you want to enter was a good ploy. Example, if you are logging into PayPal you’d use ‘MariannePP’. Easy to remember, but after reading this post I bet it’s pretty hackable…

    • Tom Duhamel
      March 9, 2012

      Hi! Yep, that one wouldn’t be very difficult to hack.

      I like that link you gave. They got their point straight by mixing technical speech and humor. Obviously, there is a discrepancy between what is easy for humans and what is easy for a machine. The idea is to use features of the human memory which are not easily grasped by a machine.

      Initially, section 4 was longer and had several more examples. However, while discussing the article with a colleague prior to publication, I realized sharing patterns which were too precise wasn’t good, because if too many people were to use them the crackers would simply try them more often. Therefore I ended up with just one basic idea, in which I suggested mixing in more ideas, hoping that the reader would take it as just a basic idea from which he could use his own imagination.

      Your idea of using one single password with a suffix corresponding to the website’s title isn’t a bad one, as long as not everyone uses the same trick. However, the base should be a lot stronger than in your example.

      Personally I do reuse passwords when it comes to websites where I don’t feel any security risk. For example, I don’t feel like looking for a new password for each and every website where I register solely so I can see a picture or answer a question. I do use slight variations for websites where I feel I had better protect myself (and possibly others), so they remain easy enough for me to remember, while they are just different enough that if someone finds one of my passwords they don’t gain instant access to everywhere I go. I do use very unique passwords, however, for websites where security is of concern to me: my bank account, PayPal, eBay, Amazon… and obviously WordPress. There are generally not that many websites which qualify for that category, so you are not going to have hundreds of passwords to remember. Around 10 different passwords is within the reach of most people.

      • heretherebespiders
        March 9, 2012

        I’ve started writing mine down, (when I remember them) at home. I’ve gotten a bit worried recently that I might die suddenly and no one can shut down my blog, FB, etc. Someone else should know my password for my 1997-era Hotmail account, even if I only look at it every two weeks or so to delete junk mail! I’ve been around long enough that I’m sure I have accounts all over that I’ve forgotten about.

        My ‘creative’ password was an uncommon name of an animal I knew over ten years ago that I never owned, and that name was spelt oddly, and I’d be surprised if the actual owners know how to turn on a PC. So I feel pretty safe tacking a PP on to the end… not that I have a Euro in my PayPal account in any case!

        I have ten things on my written list, and I’m sure silly stuff like my ancient MySpace isn’t on there. But – I hope the hubby remembers that I told him I was making a list! Hope he does the same, he’s the one who does all the Internet banking…

This entry was posted on March 6, 2012 in Computers & Technologies.