Choosing a password.

There are several methods, for general security, in creating a password for online accounts.

I hate passwords that mix caps and numerals. The height of annoying. I mixed names and dates and a string of random words (yes, I’ve seen the XKCD comic on that). I’ve also employed the keyboard pattern, too, which I do like, as you can devise a complex but memorable pattern, yet end up with seemingly random letters and numbers.

However, I’ve thought about doing this: pick a word and double or triple up the characters. For instance, taking my user name, you’d end up with “ccmmyykk.”

Might this be a bad idea, or is it about as secure as any other method?

Also, any other clever tips for generating passwords would be appreciated.

My old boss was half-Polish. He’d use Polish words backwards with a spelling error. He claimed all the Zs and Ks meant his passwords were almost impossible for bots to guess. I’d say for the same reason your passwords might be quite good but I’m no computer whizz.

Doubling or tripling is probably not sufficient in that case, since the length is still only 8 characters and can be brute-forced in a reasonable time. But you’re on the right track. Using a simple pattern that pulls from a large “alphabet” and then repeating one of the characters enough times (say, 10–15) should make a brute-force attack awfully slow.

See this blog post for more details, or search under the keywords “password haystack”.

To make things easy for various relatives of mine, I taught them the following password rules that make a secure password, strong enough for 99% of the sites.

  1. Use name.
  2. Then an At symbol (@).
  3. Then the website location.
  4. Then either the 4 digits of your phone, or 4 other digits you like.

For example, for Google, “John Smith” would use a password of “John@Google1234”.

It’s unique to each website, easy for people to remember, and very secure.

The most important thing is to make sure you don’t use a normal word. Hackers already have tables of all the dictionary words pre-encrypted called a Rainbow Table. When they steal the password table from a website, they compare the encrypted passwords with the passwords in their rainbow table to find the original password. All these goofy password rules are to make sure you’re not typing a regular word as a password.

But some enterprising hackers have created rainbow tables of all 8 character and less lowercase passwords. So it doesn’t matter if your password is ‘password’ or ‘adieiqoq’, it’s just as easy for that hacker to break. By adding capital letters, numbers and symbols, you’re making the hacker’s job harder since the table has to get so big to account for all options.

So at this point, ccmmyykk is not really a secure password. Add some special characters in there so it can’t be reversed so easily.

But the most important thing about passwords is: DO NOT USE THE SAME PASSWORD ON MULTIPLE SITES!!! If you have unique passwords, then the worst thing is that the hacker could login to the site he hacked. But if you have common passwords, then the hacker can try the same login on other sites like facebook, gmail, etrade, banks, etc.

Some sites don’t even encrypt the password. Whatever you type in is stored in the database. When the hacker steals the database, they have your login, email, and password in the clear. So even if you have a super complicated password like ‘$Ia)0192w1=’, a hacker may discover it from a site with poor security.

So this means you need unique, goofy passwords for each site. Try to come up with passwords that incorporate part of the domain and user name. Figure out some pattern that works for you. So my password for this site could be something like f1ilst2r. On CNN it might be f1ilcn2n, etc.

Quoting for emphasis. I see this happen all the time - accounts with otherwise strong passwords get hacked, because someone reused the same password on a site that was compromised.

I use made up names from characters I had in role-playing games when I was a kid. They’re nonsense words, completely meaningless to anyone else, but really memorable to me. Then I just tack on some numbers that have a meaning to me, but aren’t a birthday or anything obvious.

Here’s an example:

Character name (never had this, just made it up now): Varindal
Ex-girlfriend’s street address: 1538

Password: Varindal1538

One of the early programs I coded (back in the 1970s, believe it or not) was a password generator. It was limited to 8 alphanumeric characters but so was the target OS. I created about 20 of these passwords and still use them with significant variations (extending the length and adding nonalphanumerics). So far, so good.

Really, if your password is Dog@P0N33#H0r2e, it is going to be a bit of a challenge to crack it.
The real trick is to make it difficult enough to crack that the infiltrating agent is unwilling to spend the time to brute-force it. If the system has a timeout/lockout provision set up for failed password attempts, then brute-force becomes less of a problem.

But, many online sites don’t use timeout/lockout because that requires active systems administration and when your site has millions of users, then that becomes something of a challenge.

I use many methods, but currently am going with song lyrics – taking the initial letter of each word and using a few numbers and special characters. Thus PamtimI1mow&t uses the first line of “Sympathy for the Devil.”

Bonus – you get to hear the song whenever you log in. :)

I do something similar:

I use the first three letters of whatever the website is that I’m logging into, plus a string of characters that only make sense to me. For example, if I’m logging in to Facebook, the login would be: Fac7321!Dar!

Easy peasy.

That’s fine, but consider this: if one of your passwords gets out for whatever reason, if you follow this formula religiously, the person who found your password can pretty easily figure out the password to every other website you use. Maybe nobody will hack into Google or Amazon, but what about a messageboard or similar site where the security may not be up to snuff? Were I a hacker and I saw a password like John@MessageBoard1234, my first instinct would be to go to eBay, Amazon, Facebook, whatever and try the username with John@ebay1234, John@amazon1234, john@facebook1234. That formula of making a password is fairly common, and an experienced hacker, I would think, should recognize it. Really, in my opinion, this is only marginally better than using the same password for every website you use.

To really do it right, you want something such that, even if the attacker knows your method and a sample password from a different site, they still can’t get your password for a different site in any sane amount of time. Like, with the OP’s method, if I know that he’s using a dictionary word with each letter doubled, then I can code up something quickly that will do that, and get in after a number of tries equal to the number of words in the dictionary.

This is a key point. Note that a password of Noelq’s straight method can be cracked with just 10,000 probes. (How many probes do such crackers usually try?)

But there are many other ways in: packet sniffing, keyboard-sniffing Trojans, and, with so many stolen laptops and foolish security, I’d not be surprised to learn that many thousands of user passwords are for sale on the black markets!

I watched a friend log in to his British bank using a challenge-response protocol that would be hard to crack. Do any American banks do that? (Mine doesn’t.)

Really great advice here, thanks folks.

I’ve so many accounts now, and I’m starting to feel a bit weary about the passwords I’ve been using, so I’m meaning to update most of my important passes with some kind of system; as mentioned, a unique pass for every account.

Some of the methods described in generating passwords and also in how hackers crack them have already inspired some good ideas for a new system. The point I seem to be hearing is devising a consistent method for generating passwords for myself, but impossible to decode the method even if one is directly exposed, and even if it’s obviously generated using some method. Also that mixing in numerals or other acceptable non-alphanumeric characters helps to defy brute force probing.

Back in the Pentium 150MHz days, L0phtcrack was taking (IIRC) about a week to try all possible 8-character combinations. Of course, in those days, Microsoft cleverly broke all passwords into 8-character chunks and stored them upper case to allow for logon to the old Windows networking as well.

I ran the program against the large corporate database, and surprisingly (not?) it found about 1/3 of the passwords from the dictionary-plus-one attack (i.e. SNOWMAN7) - within half an hour.

Considering how much faster machines are today, a brute force attack can take very little time (days, weeks) if your password is short and they get the encrypted version.

Could you explain what a challenge-response protocol is? I have several UK bank accounts, and what they typically do is ask you for, say, the 2nd, 5th and last characters of a secret phrase, I suppose to provide some protection against key loggers. Is that what you mean?

Length helps defeat brute-force probing. Add one character and it can take (26x2)+10+15 or so times longer, depending on what punctuation is allowed.

The trick is to generate a long and complex password while making it easy for you to remember long term and reproduce, and also not making the process too obvious (i.e. site name in password). If it’s harder to shoulder-surf, so much the better. Hence the “Sympathy for the Devil” trick above.

What’s annoying while convenient is the sites that need your email as userid and send a verification to there, thus ensuring that half your credentials are fairly obvious.
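The guess counts argued over in this thread (a doubled dictionary word, the Name@Site#### formula with 10,000 probes, and the "add one character" growth factor of (26x2)+10+15) can be worked through numerically. This is an added example written for this page, not code from any poster; the dictionary size, punctuation count and guess rate are assumed figures for illustration.

```python
"""Worst-case guess budgets for the password schemes discussed in this thread.
Added illustration; the constants below are assumptions, not measurements."""
import math

LOWER, UPPER, DIGITS = 26, 26, 10
PUNCT = 15                 # the thread's rough count of allowed punctuation
DICTIONARY_WORDS = 100_000  # assumed size of an attacker's word list
OFFLINE_GUESSES_PER_SEC = 1_000_000_000  # assumed rate against a stolen hash file


def brute_force_guesses(alphabet_size: int, length: int) -> int:
    """Exhaustive search over every string of exactly `length` characters."""
    return alphabet_size ** length


def doubled_word_guesses(dictionary_size: int = DICTIONARY_WORDS) -> int:
    """The OP's 'ccmmyykk' idea: a word with each letter repeated. Once the
    transform is known it is applied to every word, so the search is only as
    large as the dictionary; the repetition adds no secret information."""
    return dictionary_size


def name_at_site_guesses(secret_digits: int = 4) -> int:
    """'John@Google1234': name and site are public, only the digits are
    secret, which is 10**4 = 10,000 probes as noted in the thread."""
    return DIGITS ** secret_digits


def growth_per_extra_char(punct: int = PUNCT) -> int:
    """How much the search space multiplies when one character is added and
    every class (upper, lower, digit, punctuation) is allowed."""
    return LOWER + UPPER + DIGITS + punct


def bits_of_entropy(guesses: int) -> float:
    """Equivalent key length in bits for a given worst-case guess count."""
    return math.log2(guesses)


def seconds_to_exhaust(guesses: int, rate: int = OFFLINE_GUESSES_PER_SEC) -> float:
    """Time to try every candidate offline at the assumed guess rate."""
    return guesses / rate


if __name__ == "__main__":
    for label, g in [("8 lowercase", brute_force_guesses(LOWER, 8)),
                     ("doubled word", doubled_word_guesses()),
                     ("Name@Site####", name_at_site_guesses()),
                     ("15 chars, all classes", brute_force_guesses(growth_per_extra_char(), 15))]:
        print(f"{label:22s} {g:>28,d} guesses  ~{bits_of_entropy(g):5.1f} bits  "
              f"{seconds_to_exhaust(g):.3g} s offline")
```

The contrast the table makes is the thread's point: the schemes that look random but are derived from public facts (site name, a dictionary word) collapse to a few thousand or hundred thousand guesses, while genuine length across all character classes grows the search by roughly 77 per added character.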

IIRC, my friend had a paper with several multi-digit numbers and had to enter a specified subset of them. Of course this could still be cracked if several login sessions were observed, but it seems likely any present-day automated sniffing system would be thwarted. This is good security.

Even better security is obtained if the challenge-response cycle involves the client performing an irreversible calculation – some USB “dongles” do that I think. This is better security. With the choice of good security or better security, it seems odd that some sites opt instead for bad security.

Is it true that UK banks generally do use challenge-response protocol to protect against sniffers? Is it true that US banks generally do not? If so, why the difference?

None of the half-dozen UK banks I use have that kind of security, but I think some other banks do provide their customers with dongles or token generators.

That’s not half of your credentials. That’s none of your credentials. Your credential is your password, and that’s it. If you’re depending on your username providing any security at all, you’re doing it wrong, because the whole point of the username is that it’s the insecure part of your login.