Password Infomania - Part
By Benjamin Rich
Protecting Yourself - How to Choose
In Part One of Password Infomania, Benjamin Rich discussed ways crackers figure
out passwords. In today's installation, he covers hints on selecting good passwords
that are difficult to guess or crack.
Length: Unlike baboons but similar to elephants, length is crucial. A 4-character
password, no matter how clever, only has about 81 million possibilities, a pathetically
small search-space for a Pentium-level processor to move through. Even with every
possible practical ASCII
combination, covered in no particular order, a 4-character password can be
cracked by a brute force program on our aforementioned 1,000,000 password/sec
machine in just over a minute twenty. Most machines aren't capable of this kind
of speed, but even at a thousandth of the speed, this can be accomplished in just
under 24 hours.
Complexity: Sometimes called entropy.
Making your password as free of plausible patterns as possible can indeed bring
it closer to 'uncrackable'. Obviously, a 16-letter password, fridge explosion
can be quickly sorted out with a dictionary attack. Even fr1dge expl0sion, as
explained, can also be accounted for in most dictionary attacks. Therefore, a
password that increases the theoretical search-space to the largest possible,
with the fewest recognizable patterns, is best. 5-character passwords are fairly
easily cracked, although Q+f@~ is still infinitely better than h4ppy (not that
you should use a 5-character password, but your see what I mean).
Apathy: Don't choose a password close to your heart - remember, any cracker,
or worse, someone who wants to do you real harm and has real surveillance expertise
and equipment, is going to find it much easier to crack your password if they
don't even have to use a program to do it. If it's 11 characters long, but also
happens to be your girlfriend's or boyfriend's name, it will be on the list of
first choices for anyone seriously wanting to get into any of your systems.
We've already gone through the pitfalls of using real words or names, or even
'non' words like those from the popular vernacular, or from l33t-sp34k
substitution, but add to this list: your birthday; your partner's birthday; your
car's number plate; foreign words; famous phrases; pet-names; Social Security
Remember - as typified by numerous security breaches in supposed 'impervious'
systems, the weakest link is always the human one. It means nothing if the main
projects repository server of your company is secure to thousands of outside attacks
if it has a 5-letter root password which is the name of the CEO's dog, whom he
or she tells their niece in the advertising department 'in case of emergency'.
Likewise, it means nothing if your password is easily accessible, guessable, or
findable (as in written down somewhere) even if it happens to be long and have
Uniqueness:A highly common pitfall is to use the same password for many
things: your email, your Linux root, your eBay account, etc. For the love of christ,
don't do this: a clever password it may be, and 36 characters long, plus alphanumeric
email account, and it's stored in plaintext
in a MySQL database with no password prompt hidden on the site under the directory
'secret'... and you also used it as your Linux root... you're in an extremely
dangerous position indeed. Your password may be a secure one, but the different
agencies protecting it may not all be secure. Using one password for everything
means that a) you're done for - repetition is the sort of thing an immoral cracker
will try first upon cracking your online email and finding your use-all password,
email-address and geographical location in plain text, and b) you've wasted a
good password because you'll have to change it to n different other passwords
on all your systems - and this is assuming you figure out someone has your
password before said password has been used to break into and gain control
of all your protected systems.
Memorability: If you can't remember it, you'll have to write it down, and
that's inefficient and means it can be found by immoral others. Mind you, good
password practices really should be the cornerstone of computer usage, not necessarily
called into question for their practicality - as a Linux user for example, it's
unlikely anyone will even attempt to crack your system because most immoral people
use Windows (I'm not joking on this one) - and at that, broadband users are more
at risk than dialup users, since broadband is a valuable commodity and is more
'prominent' as it were, on the network due to a permanent or long-standing IP1.
Sure, sure, you're just a PC owner - unobtrusive, and you don't have the same
3-letter password for your email as your root access - so, theoretically, having
a password less than 19 characters, or writing it on the inside of your sleeve
cuff just in case, or even telling it to a trusted friend, aren't necessarily
security-compromising activities which will see your credit card stolen and your
family dead within the week. Nonetheless, it helps if your password is a good
one, a long one, and also something you don't have to record anywhere except your
memory - just as you take precautions in other areas of your life regardless of
the likelihood of extreme misfortune.
Generating a Good Password
Inconvenient as it is, a good password must be long; have a good combination of
upper and lowercase letters, symbols, and numbers; and use as many twists and
turns as possible. An example of a highly secure password might be:
9 letters long, utilizing letters, numbers and symbols, and being more or less
uncrackable with dictionary means. Resist the temptation also of 'disguising'
words with obfuscation - as stated, an English word, even made entirely out of
symbols and numbers, can still possibly be guessed by an advanced dictionary attacker.
A good way to choose and remember a complex password is to generate the password
using a random exercise, and then type it many times to remember it. Remember,
then, the position of the keys you type; the pattern of your fingers moving across
the keyboard - not a particular word or phrase, which is easily remembered but
also easily cracked.
Generating a good password can be as simple as finding a list of ASCII characters,
and then rolling a pair of dice several times to pick out the ones you want -
a good example for this sort of thing can be found at http://world.std.com/~reinhold/diceware.html;
another way, and a much more trodden path, is using a password generation program.
Password generating programs are mostly found for *nix
environments, but there are some for Windows, and I've included a list of useful
links below - remember to use a program that generates random ASCII gibberish,
not combinations of words or English elements. Always be on the lookout for password
generating programs that only have fixed character sets (only letters and numbers,
which alone doesn't generate enough entropy for a password) or only English-like
generations (if it can be generated, it can be second-guessed by a dictionary
Good Security Practices
Finally, and this is perhaps hardest of all, remember to change your passwords
fairly regularly. With highly complex passwords like the one above, stored on
a secure system, there is little need for the average unobtrusive user to change
their password very regularly - but as a necessary habit for maintaining a secure
system, it should be noted, and particularly by those who do work in high-risk
If anything can be said for good security practices, it's the reminder that what
really makes a system secure is diligence, vigilance, and knowledge - a strong
human factor. All the high-priced software in the world will not save your company
server from attack if it's system administrator is inexperienced, unobservant,
and lax in practice; the best system is still not impenetrable if it has an obvious
password - no matter how cosseted away that password is.
Good Random Password Generators:
>> Password Generator
Dialup providers change their users' IP addresses
each time the user logs on - but cable providers usually give their users permanent IPs, or IPs which have 'leases' of several months. This means that, since your
address is unchanging and constantly present on the internet for months at a time,
or forever, an attacker could theoretically track you, suss you out, and come
back later at any time to collect.
Benjamin Rich is the Web master