How easy is it to have a key logger as a mail attachment? I know nothing about hacking but wouldn’t this be easier than brute force?
Someone would have to open it and let it install somehow but key loggers can destroy all security. That is why password strength is a bit of a red herring. Phishing and key loggers (among other techniques) can just record them no matter how strong they are. There are even some really clever pieces of software that can often figure them out just by recording the sound of typing because different keys make slightly different sounds that can be decoded. You don’t even need physical access to a computer to do it. An external audio file is all that is needed.
I think you will find that things that “only you seem to like” are surprisingly popular. After all, they are a band, and you’ve heard of them (and most song lyrics are not great founts of originality either).
The point is, “song lyrics or poems or sayings you know” is a very limited set (as measured by the time it would take for a computer to go through them all) and mostly overlaps with “song lyrics or poems or sayings that other people know”, so a lot of those passwords are going to end up in crackers’ dictionaries anyway.
Unless you go so obscure that the phrase itself is hard to remember, in which case you might as well go for a sequence of random words.
Just remember, password managers can be hacked, nothing is ever 100% secure on the Internet, but the best way to protect yourself is to use a long random string of letters, numbers and symbols with different passwords for every site/account you have.
It’s OK if you immediately forget them, as long as no one else can get into your stuff either.
Sorry, that’s not a good formula, partly because formulae are not a good idea (any meaning makes them vulnerable to being figured out or socially engineered), and also because your passwords are essentially the same between sites (if someone learned your Wells Fargo password, and also simply knew you had an account at Chase Bank, they would be able to figure out the password there).
Not impossible (for certain values of “random”). Just difficult.
The song method is a good one, but it’s better to have something personal that’s difficult for an outside actor to know. My job requires passwords to over a dozen systems, and I’m required to change them on a 6-8 week cycle (varies per system). I don’t know how this would be enforced, but I’m also required to have different passwords for many of the systems. At one point I had almost 30 to remember, but now it’s a more reasonable number. This works out to about 9 passwords per year per system, all on different update schedules. Writing any of them down is a fire-able offense, so I have to have a method of generating and retaining them entirely in my head.
I have a different scheme now, but my old method was using maps and trips. I could remember the route I took on vacation in say, 2003 and use the series of town names along that route as a basis. Add a standard (to me) prefix/suffix* to the town name, then a simple folding algorithm and I had an almost uncrackable series of passwords. All I had to remember was that system “A” was the trip I took in '97, and I could either generate or recall the password. Social engineering would require knowing what year, what trip, what route, what town along the route is “current”, which prefix/suffix was appended, and the folding algorithm. Easy enough for me, but almost impossible to recreate.
Security occasionally runs password-guessing routines against our accounts and lets us know if they were able to get in. They manage to get in a few, but so far have never cracked mine.
*These cover any special character or case requirements.
Y’all should read this article by ArsTechnica on how passwords are actually cracked. Most of your clever tricks aren’t any good. Human mental shortcuts are extremely easy to predict. Here are some of the seemingly complex passwords that were cracked:
These fell to a combination of dictionary attacks (where “dictionary” is a collection of strings used in known passwords, not just plain English words), obvious substitution rules, and statistical models built with the humongous list of publicly available passwords.
This represents something of a worst case scenario, where a weakly protected list of passwords was obtained from a server. Still, those worst cases happen every day, and a password compromised on a site with poor security will compromise every other site where the password is reused. And this article is almost four years old, which is an eternity in terms of hardware performance and cracking methods.
FWIW, my strategy is to use Keepass as my password manager and long, truly random passwords on any “important” website. Keepass is protected with a strong passphrase*, as are a handful of accounts that I’d like to access when I don’t have Keepass handy.
*I cheated slightly, generating a few passphrases and picking one that seemed memorable. That undoubtedly reduced the strength of the passphrase, though even in a worst case scenario (given a list of 10 candidate passphrases, every person will always pick the same one) the remaining password space is still enormous enough for my needs.
Agreed. Clever formulae aren’t often as clever as they are thought to be.
The best compromise I’ve found for actual random passwords is to use a generator that produces pronounceable passwords (not words, but formed in such a way that they can be spoken) - obviously at decreased entropy compared to truly random passwords, because they tend to be made of alternating vowels and consonants, but that can be offset somewhat by increasing the length.
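The entropy trade-off in the post above, worked through as an added example (this is not code from the thread). It assumes a generator that strictly alternates a 20-letter consonant set and a 6-letter vowel set, and compares it with a fully random password drawn from the 94 printable ASCII characters, under the worst-case assumption that the attacker knows the scheme:

```python
import math
import secrets

# Assumed alphabet for the pronounceable scheme (20 consonants, 6 vowels).
CONSONANTS = "bcdfghjklmnpqrstvwxz"
VOWELS = "aeiouy"
PRINTABLE_ASCII = 94  # size of the alphabet a fully random password draws from


def pronounceable(length):
    """Generate a password that alternates consonant, vowel, consonant, ...

    secrets.choice() is a CSPRNG; random.choice() would not be suitable here.
    """
    chars = []
    for i in range(length):
        pool = CONSONANTS if i % 2 == 0 else VOWELS
        chars.append(secrets.choice(pool))
    return "".join(chars)


def pronounceable_entropy_bits(length):
    """Entropy if the attacker knows the alternation rule and both pools.

    Consonant positions (even indices) contribute log2(20) bits each,
    vowel positions (odd indices) contribute log2(6) bits each.
    """
    n_consonant = (length + 1) // 2
    n_vowel = length // 2
    return (n_consonant * math.log2(len(CONSONANTS))
            + n_vowel * math.log2(len(VOWELS)))


def random_entropy_bits(length, alphabet_size=PRINTABLE_ASCII):
    """Entropy of a uniformly random password over the given alphabet."""
    return length * math.log2(alphabet_size)


def length_to_match(target_bits):
    """Smallest pronounceable length whose entropy reaches target_bits."""
    n = 1
    while pronounceable_entropy_bits(n) < target_bits:
        n += 1
    return n


if __name__ == "__main__":
    for n in (8, 12, 16):
        print(f"{n:2d} chars: pronounceable {pronounceable_entropy_bits(n):5.1f} bits, "
              f"random {random_entropy_bits(n):5.1f} bits, "
              f"need {length_to_match(random_entropy_bits(n))} pronounceable chars to match")
    print("sample:", pronounceable(14))
```

A 12-character pronounceable password under these assumptions carries about 41 bits, against roughly 79 bits for 12 fully random printable characters; you need 23 pronounceable characters to close that gap, which is the "offset somewhat by increasing the length" caveat made concrete.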
My current plan is to mix up languages.
I pick short phrases and choose a different language for each word. Not that I know the language, but I find I can remember a single word in Dutch or Italian without much trouble. The English part helps me remember the rest of the words and then I need only to remember the foreign language. I have heard of brute-force methods going through the dictionary in a matter of seconds, but when there are an unknown number of dictionaries to choose from, I think it will be harder to guess.
I’m not sure if that would be good or bad. ‘Dictionary’ doesn’t literally mean ‘dictionary’ in the context of dictionary attacks - it’s just a list of words, not all of them will even be real words - they just need to be things that people might use as components of passwords.
For example, the names of every character and place name in the works of JRR Tolkien have been on the list of likely sysadmin passwords for about as long as computer passwords have been a thing.
Regards,
Gandalf420
Then use
SD=4Sa7YaoFB4 for SDMD
A=4Sa7YaoFB4 for Amazon
IM=4Sa7YaoFB4 for IMDB
DIS=4Sa7YaoFB4 for your Discover account
This is a joke, right?
Nope… For someone who wants to use the same password, this is better: slightly different, so easy to remember, yet software plugging a hacked password into another site wouldn’t have the right PW. Plus you’re adding a few more letters plus a character.
Not great, obviously, but for someone who insists on one password, this is better for them.
I agree. This type of password pattern is a reasonable compromise for most people (siteSpecificPart+commonPart password). It has some obvious weaknesses, but it provides much better security than just using the same password on all sites.
This type of password may be the ‘best’ for fallible humans who need to log in from several devices and need to remember passwords in their head. If you’re a high value target, you may not want to use this method since hackers may target you individually to figure out your pattern. But if you’re the type who uses one password everywhere, adding a site-specific part will greatly increase your security without too much memorization complexity.
It might be an improvement, but it’d be a huge mistake to think it makes you truly secure.
Let’s say that password crackers use “dictionaries” of substrings that have appeared in multiple leaked password lists. If you have a long, truly random part of a password that’s reused, it’s not hard for password crackers to recognize the unique substring, and add it to a dictionary. Then, the variant password used on another site is guessed when the cracker tries combining and modifying their dictionary entries.
From the article I linked above:
There are even statistical models that do this sort of thing automatically, recognizing improbable substrings in lists of known passwords, and determining the chance that one substring follows another.
If you reuse ***4Sa7YaoFB4 on many different websites, it won’t be long before 4Sa7YaoFB4 ends up in a dictionary (or Markov chain transition matrix).
One of the password crackers (who makes their living as a white hat security researcher) showed up in the comment thread of the article I posted up thread. To quote:
epixoip wrote:
> Nobody has wordlists that are only in English. We have wordlists for most any language you can think of. It just so happens that this particular dump that Dan had us crack was all English. We crack passwords in foreign languages all the time, not only in Unicode, but in native codepages as well.
I disagree. Using the human-readable prefix you prescribed makes it quite obvious that the suffix is likely to have been used in multiple places - anyone who learns one of these passwords is going to be straight off to PayPal, Amazon, eBay, etc to try the same suffix with a few combinations of likely prefixes related to the names of those sites.
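The attack sketched in the two posts above (spot the reused fragment across dumps, then try it with likely site-derived prefixes), as an added example that is not code from the thread. The two "leaked dumps" are constructed inline for illustration; the "=4Sa7YaoFB4" passwords reuse the scheme posted earlier in the thread, and the list of separators and site-name stems is an assumption about what a cracker would try first:

```python
from collections import defaultdict

# Constructed sample data: plaintext dumps from two unrelated sites in which
# the same users appear. Real dumps are far larger; the logic is the same.
LEAKED_DUMPS = {
    "amazon": {"alice@example.com": "A=4Sa7YaoFB4", "bob@example.com": "Summer2015!"},
    "imdb":   {"alice@example.com": "IM=4Sa7YaoFB4", "bob@example.com": "summer2015"},
}

# Assumed separators a cracker would try between a site prefix and the fragment.
SEPARATORS = ["", "=", "-", "_", ".", "@"]


def longest_common_substring(a, b):
    """Classic dynamic-programming LCS over characters, O(len(a) * len(b))."""
    best_len, best_end = 0, 0
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                if cur[j] > best_len:
                    best_len, best_end = cur[j], i
        prev = cur
    return a[best_end - best_len:best_end]


def shared_fragments(dumps, min_len=6):
    """For every user present in more than one dump, return the longest
    substring common to all of that user's leaked passwords.

    This is the "recognize the unique substring and add it to a dictionary"
    step: a long fragment shared across sites is almost certainly reused.
    """
    passwords_by_user = defaultdict(list)
    for creds in dumps.values():
        for user, password in creds.items():
            passwords_by_user[user].append(password)

    fragments = {}
    for user, passwords in passwords_by_user.items():
        if len(passwords) < 2:
            continue
        fragment = passwords[0]
        for password in passwords[1:]:
            fragment = longest_common_substring(fragment, password)
        if len(fragment) >= min_len:
            fragments[user] = fragment
    return fragments


def site_prefixes(site_name):
    """Stems of the site name (1-4 letters and the full name) in three casings."""
    name = site_name.lower()
    stems = {name[:n] for n in (1, 2, 3, 4)} | {name}
    prefixes = set()
    for stem in stems:
        prefixes.update({stem, stem.upper(), stem.capitalize()})
    return prefixes


def candidates(site_name, fragment):
    """Guesses for a third site: fragment combined with every prefix/separator,
    both prefix-first and fragment-first."""
    guesses = set()
    for prefix in site_prefixes(site_name):
        for sep in SEPARATORS:
            guesses.add(prefix + sep + fragment)
            guesses.add(fragment + sep + prefix)
    return guesses


if __name__ == "__main__":
    fragments = shared_fragments(LEAKED_DUMPS)
    for user, fragment in fragments.items():
        guesses = candidates("discover", fragment)
        print(f"{user}: reused fragment {fragment!r}, {len(guesses)} guesses for Discover")
    print("DIS=4Sa7YaoFB4 guessed:", "DIS=4Sa7YaoFB4" in candidates("discover", fragments["alice@example.com"]))
```

Two dumps are enough to isolate "=4Sa7YaoFB4" for alice, and the Discover password then falls inside a few hundred guesses instead of the 94^10 or so that the random-looking suffix seemed to promise; bob's fragment shows the same step also strips simple case and punctuation mangling. Against an online login with rate limiting, 168 tries is noisy; against a leaked hash, it is nothing.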
Right. What this means is our current obsession with passwords is useless. Computers will always be better at guessing passwords than typical human beings will be at generating, remembering, and changing passwords.
If you think a normal human being of average intelligence can memorize a dozen random strings of characters, change them every 3 months, never write them down, and never re-use them, then you’re sadly mistaken. Your insistence on this “security” measure is foolish, because the human parts of the system won’t comply with it. And so your technically perfect system is guaranteed to fail, and you’ll never expect it because you’re protecting against only one type of attack, which is where a hacker gets your hashed password list, runs through a dictionary attack, and then starts a brute force attack. Yeah, that will take them a million years to complete.
But that’s like putting a kryptonite lock on the door of a wooden shed, and thinking you have excellent security because nobody will be able to break that lock.
Look, writing down a strong password and keeping it in your wallet is much, much more secure than memorizing a weak password that can be dictionary attacked in hours. Yeah, don’t tape it to your monitor.
Or, if your security is so very very important, use two factor authentication. If the hacker needs your phone or your badge then some guy in Russia can crack all the passwords he wants, he still can’t break into the system unless he has your phone too. And how is he supposed to get your phone from the basement of his mom’s house in Russia?
I’m pretty sure no one wants to do that. My password for this site isn’t “password”, but I’m sure it’s on hacker dictionaries. And I don’t really care. I can’t think why anyone would bother to hack my access to a site like this.
I use stronger passwords for sites that are worth hacking.