Does this create a strong password?

(Note: I’m going to switch to passphrases using randomly generated words, so the question is kind of academic, but I’m curious.)

Here’s how I created passwords until very recently.

It's a variation on keyboard shifting. I started with a number well known to me, of around 12 digits. For the first three digits, I shift down to the qwert row. For the next three, I shift up to the number row. For the next three, I shift to the asd row and capitalize, for the last three I shift to the number row and “symbolize” with the shift key.

So you get something that looks like this:

owi497JFA@)!

Would that result in a strong password? Or do password crackers look for this kind of iterated shifting, such that if they knew the original number, they’d get to this password quickly?

Consider …

Your password creation effort has a pattern to it that increases, once noted (i.e., identified, figured out), the chances of the password being figured out.

This is the most relevant item. Knowing the logic behind picking a password makes it possible to guess far faster than “AAAA.. BAAA…,” etc.

Not sure if this really belongs in GQ, since there appear to be more opinions on how to create a safe password. Factually, take a look at these three articles:

- http://www.microsoft.com/security/online-privacy/passwords-create.aspx
- https://www.microsoft.com/security/pc-security/password-checker.aspx (Your password comes out strong)
- http://en.wikipedia.org/wiki/Password_strength
FWIW, I think there is an over-emphasis on password strength and not enough time spent on social engineering. Social engineering in this case is your use of passwords and how well you manage and protect them. All of my regular passwords are of the same length (12 characters), a mix of alphanumeric with some special characters, and each password is unique to a single account or access point. I also store all of my passwords in a password safe (never online!) protected by its own unique password. Lastly, whenever I use a password-accessed account, it’s only from a computer I own/manage/control, and almost never via a network connection I don’t already know to be safe and secure.

Yeah, I have a smartphone, complete with its own 12 character password. The SD card inside of it has its own password. And I have a special gmail account attached to it just for smartphone activities. I never use my regular gmail or other email accounts with my smartphone.

My work passwords are at least 12 characters and must be changed every 27 days. Work also has a 24-month password history and prohibits any dictionary words.

Overkill? Perhaps. But it all comes down to the saying: if a grizzly bear is chasing the two of us, I only have to outrun you. :slight_smile:

From what I regularly observe with so many smartphone and iPad/netbook users out in the wild, unless you are lax when it comes to creating and using your secure accounts, I think you’re fine.

The general principle is that a password should be secure even if the attacker knows what scheme you used to construct it. On that principle your password is, in theory, no more secure than the original 12-digit number.
In practice, it is probably quite a bit more secure, because password-cracking types have plenty of lower-hanging fruit to pick off before they get to keyboard-shifting people like you (and me!). But the types of mechanical substitution that keyboard shifting uses are already well known. They only have to add a few instructions that say, for example, "'1' is sometimes used to mean 'q'".
Personally, I believe that these types of relatively intricate obfuscation methods will never become mainstream, or rather that if they do then it will only be when the whole mechanism of passwords as a sole means of authentication becomes obsolete. So passwords based on inventive keyboard shifting should be reasonably resistant to hash attacks, for now.

Well, if someone was looking to crack your password in particular and knew your strategy, then of course all they have to do is find the right 12-digit (-ish) number. Which is (if I can still do math) about 40 bits of entropy. I think this is currently considered mediocre strength? But of course a determined attacker out to get you would also start guessing particular numbers of meaning to you (SSN, phone number, you+your sweetie’s birthdays, etc), so actual strength might be lower than pure brute-forcing would imply.

Now in the second-worst case, you’re a specific target, they don’t know your strategy, but can look at a bunch of other passwords of yours (old ones, or from other accounts). In this case, based on your pattern, then they have a pretty good chance of narrowing your strategy down to something pretty close to 40 bits of entropy as well.

But either of those are pretty unlikely, unless you’ve got something really valuable hidden. If we’re talking about busting into your Facebook account or something (or even generic middle-class bank account), the most likely attack on the password itself is pattern-based guessing (starting with common password forms and going to less common, etc.). Since it’s not a common form (e.g. P4ssword!), you’re pretty good.

Based on the uncommon pattern, it’s far, far more likely that you’ll get phished, have your computer hijacked by a password-stealing trojan, or have your password stolen through some other way than it is likely to have your password guessed.
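The point made in the last two posts (a known scheme adds no entropy beyond the source number) can be checked directly. The following is an added example, not code from anyone in the thread. It implements the four-group keyboard shift as described in the original post, assuming a US QWERTY layout (and, as an assumption for the one awkward key, that "capitalizing" the key below 0 on the home row gives ':'), inverts it the way an attacker who knows the scheme would, and compares the real search space (every 12-digit number) with what a strength meter sees (12 positions over 94 printable characters). The 1e10 guesses/second figure is an assumed offline rate against a fast unsalted hash, not a number from the thread.

```python
import math

# Assumed US QWERTY layout. Each row string is indexed so that position i holds
# the key directly below digit NUMBER_ROW[i]. The "capitalized" home row uses
# shifted glyphs, so the key below 0 (';') becomes ':' (assumption).
NUMBER_ROW = "1234567890"
SHIFTED_NUMBER_ROW = "!@#$%^&*()"
QWERTY_ROW = "qwertyuiop"
HOME_ROW_SHIFTED = "ASDFGHJKL:"

# One table per three-digit group, in the order the post describes:
# qwerty row, number row (digits unchanged), capitalized home row, shifted digits.
GROUP_TABLES = [QWERTY_ROW, NUMBER_ROW, HOME_ROW_SHIFTED, SHIFTED_NUMBER_ROW]


def keyboard_shift(digits: str) -> str:
    """Forward scheme: 12 decimal digits -> 12-character password."""
    if len(digits) != 12 or any(d not in NUMBER_ROW for d in digits):
        raise ValueError("scheme expects exactly 12 decimal digits")
    return "".join(GROUP_TABLES[pos // 3][NUMBER_ROW.index(d)]
                   for pos, d in enumerate(digits))


def invert_keyboard_shift(password: str) -> str:
    """What an attacker who knows the scheme does: map every character back to
    the digit it came from. Raises ValueError if the password does not fit."""
    if len(password) != 12:
        raise ValueError("scheme produces exactly 12 characters")
    digits = []
    for pos, c in enumerate(password):
        table = GROUP_TABLES[pos // 3]
        if c not in table:
            raise ValueError(f"{c!r} at position {pos} is not in the expected row")
        digits.append(NUMBER_ROW[table.index(c)])
    return "".join(digits)


def scheme_entropy_bits(n_digits: int = 12) -> float:
    """Search space once the scheme is known: all n-digit numbers, 10**n."""
    return n_digits * math.log2(10)


def naive_entropy_bits(password: str, alphabet_size: int = 94) -> float:
    """What a strength meter assumes: every position drawn independently from
    the full printable-ASCII alphabet (94 symbols, space excluded)."""
    return len(password) * math.log2(alphabet_size)


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try every candidate in a 2**bits space at a fixed guess rate."""
    return 2.0 ** bits / guesses_per_second


if __name__ == "__main__":
    pw = "owi497JFA@)!"  # the example password from the original post
    number = invert_keyboard_shift(pw)
    assert keyboard_shift(number) == pw  # the mapping is a bijection
    print("recovered source number:", number)
    print(f"scheme known : {scheme_entropy_bits():.1f} bits")
    print(f"meter's view : {naive_entropy_bits(pw):.1f} bits")
    # Assumed offline rate of 1e10 guesses/s against an unsalted fast hash.
    print(f"exhaust all 12-digit numbers at 1e10/s: "
          f"{seconds_to_exhaust(scheme_entropy_bits(), 1e10):.0f} s")
```

Running it recovers the source digits from the posted example in one pass, and the two entropy figures (about 40 bits versus about 79) make the gap between "meter says strong" and "attacker knows the scheme" concrete: at the assumed rate, the whole 10^12 space takes under two minutes.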

But most password cracks don’t pay attention to patterns other than words. And current thinking is length=strength.

The password “Simon&Garfunkel5” is rated as being just as strong as owi497JFA@)! using the tests given in the above links. But which is easier to remember?

“Simon&Garfunkel5” is far less secure. Dictionaries compiled from the many real-life password cracks will probably have “simon” and “garfunkel” in them. Capitalising the first letter of words, and putting a number of digits on the end of the password, are common patterns that cracking software will look for. Ampersand between words, maybe. The point is, the cracking tools are indeed attuned to real-life password patterns.

This is roughly my thinking on the matter. The OP’s method isn’t terribly secure except that the likely attack nowadays is for someone to get a lot of password hashes from a compromised site, and then try out combinations of dictionary words (and small edits) to see if any of the hashes match. In that case they’ll probably get access to someone else’s account long before the OP’s, just because the OP is not using that pattern.

It certainly won’t hold up against a concentrated attack targeted solely on the OP, but unless the OP is very rich or a major government official for a significant world power, that issue is not likely to arise.
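The attack the last few posts describe (a leaked, unsalted hash dump, run against dictionary words with small edits) can be shown end to end on a toy scale. This is an added example, not code from any post in the thread. The wordlist, the three rules (capitalization, leet substitution, appended digit or '!'), the separators and the "leaked" SHA-256 digests are all constructed here and deliberately tiny; real crackers run millions of words through far richer rule sets, so this only illustrates why word-based passwords fall first while an unpatterned string survives the same run.

```python
import hashlib
import itertools
from typing import Dict, Iterator, List, Set

# Constructed, tiny stand-ins for a cracking wordlist and a rule set.
WORDLIST = ["simon", "garfunkel", "password", "mary", "lamb", "dope"]
LEET = {"a": "4", "e": "3", "o": "0"}
SEPARATORS = ["", "&", "-"]
SUFFIXES = [""] + list("0123456789") + ["!"]


def sha256_hex(s: str) -> str:
    """Unsalted SHA-256, standing in for whatever weak storage the leaked site used."""
    return hashlib.sha256(s.encode()).hexdigest()


def leet_variants(word: str) -> List[str]:
    """Every combination of substituting none, some or all of the LEET letters."""
    options = [(c, LEET[c]) if c in LEET else (c,) for c in word]
    return ["".join(p) for p in itertools.product(*options)]


def word_variants(word: str) -> List[str]:
    """Case rule (as-is, Capitalized) composed with the leet rule."""
    out: List[str] = []
    for base in (word, word.capitalize()):
        out.extend(leet_variants(base))
    return out


def candidates(words: List[str]) -> Iterator[str]:
    """Single words first, then two-word combinations, each with every suffix."""
    variants = [v for w in words for v in word_variants(w)]
    for v in variants:
        for s in SUFFIXES:
            yield v + s
    for v1, v2 in itertools.product(variants, repeat=2):
        for sep in SEPARATORS:
            for s in SUFFIXES:
                yield v1 + sep + v2 + s


def crack(hashes: Set[str], words: List[str]) -> Dict[str, str]:
    """Hash each candidate and look it up in the dump. Returns hash -> plaintext."""
    found: Dict[str, str] = {}
    for cand in candidates(words):
        h = sha256_hex(cand)
        if h in hashes and h not in found:
            found[h] = cand
            if len(found) == len(hashes):
                break
    return found


def demo() -> Dict[str, bool]:
    """Constructed dump of three passwords from the thread; reports which fall."""
    plaintexts = ["Simon&Garfunkel5", "P4ssword!", "owi497JFA@)!"]
    dump = {sha256_hex(p) for p in plaintexts}
    found = crack(dump, WORDLIST)
    return {p: sha256_hex(p) in found for p in plaintexts}


if __name__ == "__main__":
    for pw, cracked in demo().items():
        print(f"{pw:20s} {'cracked' if cracked else 'survived'}")
```

Only the two word-based passwords are recovered; the keyboard-shifted one is untouched by this run, which is the "lower-hanging fruit" argument in code. It would fall to the scheme-inversion shown earlier, not to a wordlist, which is the difference between an opportunistic and a targeted attacker.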

I’m not sure what that means.

What if my scheme is “Pick the first letters of a phrase known only to myself, interspersed with numbers and special characters”? That is usually thought to be a good scheme.

What if my scheme is “Pick a random set of characters of appropriate length”?

Personally I never bothered with overly-complicated passwords. I prefer long strings of 5-8 short words. This is as secure as 10-12 semi-random characters, but considerably easier to remember. While there is a logical reason for choosing those specific words, the logic is particular to myself and I’m sure that a computer can’t find it. On the other hand, your approach follows a strict logic that is very easy for a computer to understand and implement.

OK, what I mean is, the password should be secure even if the attacker knows about non-random schemes that you use. Like reversing the password, or substituting elements in a predictable fashion.
Random elements are, essentially, part of the original password.

How targeted are hackers?
Putting aside anyone I know (or government agencies) that would want to do nefarious things, do I need to be worried about the predictability of my password scheme?

My passwords are based off lines from a song–the first letters of a line sandwiched between numbers and characters. So if the song was Mary had a Little Lamb, the pass would be:

&1MhAlLwFwWaS#2 (‘strong’, according to the above link).

I used the same password on many sites. Recognizing that if one was compromised it would then be used to try other sites, I’ve been appending the site name and a bit more punctuation to it. So the SDMB would become:

&1MhAlLwFwWaS#2straightdope!

That comes up as ‘best’ on the above site. But is it? Will the inclusion of the site name make the rest of the password more susceptible to decrypting? And more importantly, I’ve been doing this on the assumption that it’s all automated, that a program will try it on different sites and get no results–but not report back for tweaking. Or is that something likely to get flagged and worked on?

Just use “12345” for everything. I figure hackers will skip over it, thinking that nobody’s stupid enough to use a password that bad.

Your Clever Password Tricks Aren’t Protecting You from Today’s Hackers

“Security breaches happen so often nowadays, you’re probably sick of hearing about them and all the ways you should beef up your accounts.

Even if you feel you’ve heard it all already, though, unfortunately, today’s password-cracking tools are more advanced and cut through the clever password tricks many of us use.

Here’s what’s changed and what you should do about it. …”

One of the easiest schemes that I’ve heard of is to take your initials, capitalize the first one, then a special character, then the first three letters of the site (capitalize the first one), then a string of at least four digits that you can easily remember. This gives you an 11-character-long password that varies from site to site, but is basically easy to remember.

So for example, my number string might be the numbers on my license plate. The initials for Clothahump Turtle Wizard would be Ctw, and this site would be Str. My password might be Ctw@Str4748.

According to CertainKey, it would take about 30,972,024 days to crack that password. Probably good enough. :smiley:

If someone’s specifically targeting you, and if that person knows your identity here and has read this thread, or if the scheme you use becomes widely-adopted, then your password isn’t very secure. Absent that, though, you should be fine: You’re not vulnerable to a dictionary attack (since your letter sequences are presumably not words), and you’re not vulnerable to a brute-force attack that fails to include capitals, lowercases, numbers, and symbols, since you have all of those, and you’re not vulnerable to a brute-force attack that uses mostly letters with one or two replacements to numbers or symbols, since you have a lot of them. The only password-cracking routine that’s actually used that could get you would be a brute-force attack that uses all types of characters, and at 12 characters, it’d take a heck of a long time for such a cracker to get through to you.

Just come up with a sentence.

“This silly passcode is secure for 100 years!” is just as secure as any impossible-to-remember password of X randomized characters.

Here’s a site that checks how long it may take to crack any given password. Ones like 123456 or password1 register as being cracked instantly. But according to it, “This silly passcode is secure for 100 years!” would actually take 13,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000 years to crack! :smiley:

The problem with really long passwords like that - even if they’re easy to remember - is that since your view of it is often obscured by the password entry window (you usually see dots or asterisks instead of the actual letters you’re typing), it can be difficult to enter the entire password without making any mistakes. There’s a happy medium somewhere: a password that’s easy to remember, hard to guess, and easy to type in reliably.

Except an English-language dictionary has roughly 250,000 words in it. If “Simon&Garfunkel5” is seen as a password with four positions, and each position contains either an English-language word or a standard keyboard character, then there are approximately 250,256^4, or 3.9×10^21, possible combinations. A brute-force method that is working with this scheme would take 123 billion years to crack, assuming 1000 attempts per second. This assumes that the hacker would guess your arbitrary scheme to begin with.

However, if the brute-force method makes no assumptions and attempts to guess the password as a string of individual characters, then 15 characters means there are 2^15 possible combinations; at 1000 attempts per second, this password would last just 33 seconds. That assumes that the hacker is only trying 15-character passwords. But he could work his way up from shorter passwords; just another 33 seconds to try all possible passwords with lengths of 14 characters or less. So with about a minute of unrestricted access, this password could be cracked.

The thing that will save you is systems that limit the number of attempts before they call for a time out.
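Put into code, the search-space arithmetic the last several posts rely on: the 12-digit number from the original question, the four-token model of “Simon&Garfunkel5”, a 15-character string over the 95 printable ASCII characters, the passphrase sizes mentioned upthread, and the 44-character sentence. This is an added example, not code from any post. Every row treats each symbol or word as an independent uniform choice, which is the most generous assumption possible; the 1000/s rate comes from the post above, the 1e10/s offline rate against a fast unsalted hash is an assumption, and the 7776-word Diceware list and 2,000-word list sizes are assumed for illustration.

```python
import math
from typing import List, Tuple

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def bits_for_chars(length: int, alphabet_size: int) -> float:
    """Entropy of `length` independent uniform symbols over the alphabet."""
    return length * math.log2(alphabet_size)


def bits_for_words(count: int, dictionary_size: int) -> float:
    """Same thing when the unit of guessing is a whole word."""
    return count * math.log2(dictionary_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try the whole 2**bits space at a fixed rate (average hit: half)."""
    return 2.0 ** bits / guesses_per_second / SECONDS_PER_YEAR


def comparison(guesses_per_second: float) -> List[Tuple[str, float, float]]:
    """Rows of (label, bits, years to exhaust) for the cases in the thread.
    Sizes not stated in the thread (7776, 2000) are assumptions."""
    sentence = "This silly passcode is secure for 100 years!"
    cases = [
        ("12-digit number, scheme known",
         bits_for_chars(12, 10)),
        ("12 chars over 94 printable symbols (what a meter sees)",
         bits_for_chars(12, 94)),
        ("15 chars over 95 printable symbols",
         bits_for_chars(15, 95)),
        ("4 positions from 250,256 tokens (post's model)",
         bits_for_words(4, 250256)),
        # A word-aware cracker sees Word&Word5 as: 2 words, 1 of 3 separators,
        # 1 trailing digit. Real wordlists are frequency-ranked, so this is
        # still an overestimate for common words.
        ("2 dictionary words + separator + digit",
         2 * math.log2(250000) + math.log2(3) + math.log2(10)),
        ("6 random Diceware words (7776-word list, assumed)",
         bits_for_words(6, 7776)),
        ("8 random words from a 2,000-word list (assumed)",
         bits_for_words(8, 2000)),
        (f"{len(sentence)}-char sentence over 95 symbols (meter's view)",
         bits_for_chars(len(sentence), 95)),
        (f"{len(sentence.split())} English words from 250,000 (word-level view)",
         bits_for_words(len(sentence.split()), 250000)),
    ]
    return [(label, bits, years_to_exhaust(bits, guesses_per_second))
            for label, bits in cases]


if __name__ == "__main__":
    for rate in (1e3, 1e10):  # the post's rate, and an assumed offline GPU rate
        print(f"\n--- {rate:.0e} guesses/second ---")
        for label, bits, years in comparison(rate):
            print(f"{label:58s} {bits:6.1f} bits  {years:10.3g} years")
```

The two rates matter more than the row order: at 1000 guesses/second (an online attack against a site that does not rate-limit) even the 12-digit number holds for decades, while at an assumed 1e10/second offline the same number is gone in minutes and only the passphrase rows stay out of reach. That is the "systems that limit the number of attempts" point from the post above: rate limiting and slow, salted password hashing are what turn the first column into the one that applies.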