Industrial strength passwords for IT guys

I use the same alphanumeric password for several things at work and personal use. It’s easy to remember but difficult to guess and not in a dictionary. I used an app that generated eight-digit random passwords for my users, but they started writing them down on sticky notes, so now user passwords are close-my-eyes-and-point-at-the-Merriam-Webster. Hey, it’s their stuff, and more difficult to compromise than turning their keyboard over.
I’m initializing a new RAID tonight that is addressable from the LAN, and maybe I should come up with a better password scheme. What’s yours?

(for those who are lazy: it’s a phonetic password generator)

I come up with an easy-to-remember sentence that contains a number and then I just turn it into an acronym. For example, “I graduated from high school in 1969” turns into “IGFHSI69”. Or “My mother turns 50 in 2009” is “MMT50I09”.

This has always worked very well for me, both in terms of secure passwords and also having enough personal meaning in them to remember well, without doing something stupid like making my password my child’s name (dumb).

Oh, come on. Pick either the model of your car, or the name of a pet, and put 01 on the end, and every time you’re forced to, increment the number, and put all your passwords into a text file with a vague name, like a normal person.

I concatenate the name of a planet with my college student ID number. Each time I’m forced to change it, I just go to the next planet out until I have to go from Pluto (demoted but still in my scheme) to Mercury and start over. Worst-case scenario: nine tries to get in.

c10s3 my 3y35, p!ck 4 w0rD 4t r4Nd0m Fr0m th3 d!cT!0nAry, 4nd 1!b3r@11y $u8$t!tUt3 punctu4t!0n & numb3r$.

Although I have a couple of common passwords along the lines of “two short words and two numbers” that I use in a variety of situations, I like to use deliberately misspelled words in “secure” work environments. Hell, you can even write them down on a master list in your desk, as long as you spell them correctly on the list and remember how you mucked them up. If anyone snoops and tries to use them, they won’t work.

For a long time it was authors or film directors - which aren’t dictionary words - with the number substitution:

J4n34ust3n, g0dd4rd, h1tchc0ck

This gets you in trouble if you have a shared password (like the admin account) and you choose Dostoevsky.

My new favorite thing is pattern passwords. My current password is 12 characters long, yet I don’t have to think about spelling or phonetics, it’s set up for ease of typing. And it makes no sense whatsoever. But at 12 characters, I can have it entered in a portion of the time it took me to enter my previous 8 character password! Try something like this

For my secure passwords I take a song that I know all the lyrics to and use the first letter of each word in the first two or three lines.
For example: America the Beautiful has the following first two lines:
Oh beautiful for spacious skies
For amber waves of grain
This becomes:
ObfssFawog
If I need an alphanumeric, sub in the number 4 for the two fors:
Ob4ss4awog
I can leave a note on my desk reminding me America or ATB and I doubt anyone would be able to crack my password.
Or you could use a poem, or a couple of lines from a play, just something you know by heart.
Romeo, Romeo, wherefore art thou Romeo?
Becomes RRw4atR with a hint of R and J.

Someone suggested in another thread of this kind that you begin your compressed phrase or whatever with a symbol, since most brute force attacks start with letters or numbers.

Since reading that thread, I’ve taken to having a symbol, then a compressed letter/number phrase, and repeat the phrase. It’s really simple to remember, but an incredibly strong password, and even if someone knew the phrase, it’s unlikely they’d get the password from it.

E.g. “seventy-six trombones led the big parade” => $76tltbp76tltbp

The only drawback to this is that the password field on my Blackberry browser will only accept alphanumeric characters.

I thought most IT guys used “secret” as their password. At least that is what I find on the yellow sticky notes under their keyboards most of the time.

I think that was me. I routinely start my passwords with a non-alphanumeric. Even if you’re using a real word (like ^tiger), the dictionary attack is less likely to catch on. They do know enough to substitute numbers and characters for letters (1 for i, @ for a, 3 for e), but unless there’s a word in the form _tiger, it’ll probably not hit it.

(Of course, you should also mix things up a bit, too.)

The symbol-for-letter substitutions are well known. Any password cracker worth her salt will have s=$ and e=€ and other such substitutions programmed in.
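As an added example (not from any poster in this thread, and not the code of any real cracker), here is a toy version of the rule-based mangling a wordlist attack runs over every base word: the substitutions named above (1 for i, @ for a, 3 for e, $ for s, plus a few more that are assumed for illustration), a handful of leading symbols, and the trailing counters and years people append. The base words, rule tables and prefix list are constructed for the example; the point is how little a small wordlist has to grow to cover `^tiger`, `t1g3r01`, `J4n34ust3n` or `h1tchc0ck`.

```python
import itertools

# Letter -> replacement characters a cracker tries in every combination.
# 1/i, @/a, 3/e and $/s are the substitutions named in the thread; the
# rest (4/a, !/i, 0/o, 5/s, 7/t) are added here as common extras.
LEET = {"a": "4@", "e": "3", "i": "1!", "o": "0", "s": "$5", "t": "7"}

# Leading symbols (covers the "start with a symbol" advice, e.g. ^tiger)
# and trailing counters/years (covers "put 01 on the end and increment").
PREFIXES = ["", "^", "$", "!", "_"]
SUFFIXES = [""] + [f"{n:02d}" for n in range(100)] + [str(y) for y in range(1950, 2011)]


def leet_variants(word):
    """Every way of leaving each letter alone or swapping it per LEET."""
    choices = []
    for ch in word.lower():
        options = [ch] + (list(LEET[ch]) if ch in LEET else [])
        choices.append(options)
    return {"".join(combo) for combo in itertools.product(*choices)}


def case_variants(word):
    """The three casings a cracker tries by default."""
    return {word, word.capitalize(), word.upper()}


def mangle(word):
    """All candidates generated from one base word."""
    cores = set()
    for variant in leet_variants(word):
        cores |= case_variants(variant)
    return {p + core + s for core in cores for p in PREFIXES for s in SUFFIXES}


def candidate_count(words):
    """How many guesses a tiny wordlist expands to under these rules."""
    total = set()
    for w in words:
        total |= mangle(w)
    return len(total)


if __name__ == "__main__":
    # Constructed sample wordlist: a pet, a car, and two of the thread's authors.
    words = ["tiger", "civic", "janeausten", "hitchcock"]
    for probe in ["^tiger", "t1g3r01", "J4n34ust3n", "h1tchc0ck", "$C1v1c2009"]:
        print(f"{probe:12s} generated: {any(probe in mangle(w) for w in words)}")
    print("total candidates from", len(words), "words:", candidate_count(words))
```

Even with every rule applied, four base words expand to well under a million guesses, which is a few seconds against any fast hash; the expansion is polynomial in the number of substitutable letters, not exponential in password length, which is why the substitutions buy so little.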

A basic dichotomy of passwords is that they must be strong enough to be secure but sufficiently easy to remember to be usable. Many of the methods above fail the latter. Some time ago, I saw an article, probably on /., that pointed out that long passwords are, by their nature, reasonably secure while being very easy to remember. So Black Rabbit’s password could easily be ‘Close my eyes … numbers’, spaces and all or run together. Running a dictionary attack against such a passphrase is immensely more difficult, especially since languages are so vast and you don’t necessarily know the language used.

But it also depends on the platform: for example, Windows 3.x, NT 3 and 4, 98, and ME split the password into groups of 7 and had fun after 14, so the optimum password was 14 characters, whereas NT 4 with certain patches and later versions will accept passwords of up to 127 characters; but with mixed networks containing NT 4 and earlier machines you must do certain things at the network level. I don’t have the books to hand. Other applications and platforms (e.g. Unix) have different security parameters.

The network level is also important: you don’t want someone with a packet sniffer to see the plain text passwords. So you must implement some sort of encryption. You’ll need to look into the manuals for this.

Lastly, there are the business aspects. How much security is needed? There’s no point implementing an ultra-secure system if the data isn’t worth securing. You wouldn’t require a one-time pad for your departmental holiday planner, would you? What are the effects (financial, legal, etc.) of a breach in security? How much security can you afford? SecurID tokens are expensive. You may require a separate server (don’t forget the running costs of the machine) to run the security system.

Security is not a trivial matter.

That’s good, Rick. Meanwhile, I went in this morning and changed the default password on the new RAID to the same one my Boss gave the server five years ago. :rolleyes:

Oh, I see you meant dictionary, not brute force. Figures. Still, my passwords are now several orders of magnitude more complex than they were, thanks to your advice.

How about using a phrase that contains words from more than one language? Like 1dos3quatro5ses?

I use the same method, but I also do this trick where I superimpose two passwords on top of each other. I type in the first password, go back to the first character, then enter the second password using the cursor key to interleave the characters of the second password among those of the first password. I actually could not tell you, character for character, some of my passwords unless I used a word processor or wrote them out by hand. (Of course, now that I wrote that, someone will write up a program that uses that assumption; then I’ll have to start using offsets from a Fibonacci sequence (oh, crap; now that’s no good, either):)).

Note that my little scheme could be defeated by a key logger, if they paid attention. I honestly worry about stuff like that and try not to access my bank or brokerage websites from work. On the few occasions that I do need to get to these websites, I reposition the cursor with mouse clicks instead of the arrow keys. (Yes, I’m that paranoid; my entire future is dependent on Fidelity’s www.401k.com website not being compromised).

There are some scary ways they can crack passwords in much less than the thousands of years people predict from brute force methods. There’s some form of cracking that uses a huge (Terabyte-sized) hash table that somehow drops the time to hundreds of seconds, but that’s an attack on the computer itself, not the password. Here’s a cite that has pretty pictures. There’s a link on that page to a Wikipedia entry for rainbow tables, but my eyes glazed over pretty quickly when I gave it a quick once-over. My IT guy at work occasionally has to take over a Windows machine, and he just boots from a Linux CD to do something that overwrites the admin password with one of his choosing. It takes about a minute.

Defenses against the rainbow table are to use non-alphanumeric characters and longer passwords, both of which cause the decryption time to increase geometrically. But then, processor speed and RAM will increase and we’ll be back where we started.

Also, any smart admin can set the BIOS to prohibit booting from CD-ROMs to defeat the Linux boot-CD method, but then all the guy needs to do is to install the hard drive on another computer whose BIOS allows booting from the optical drive. That’s why we physically remove the hard drives every night and lock them in safes.

It seems to be kind of like the cold war, and we have to keep upping the stakes until Russia runs out of money, so to speak.

If you don’t have a key logger, a typical complicated password would probably suffice for passwords to on-line sites, because they’d need physical access to the server to get at your information. Not only that, they’d need a court order to, um, get around the FISA.

Shucks; missed the edit window. I just read the cite, and it looks like it’s easier to use rainbow tables than I thought. I’d been working from memory of a paper I read a few years ago, and I’d mistakenly remembered Terabytes instead of Gigabytes. I think I’ll move everything over to “pass phrases,” which I used when setting up my wireless router (I just counted: it’s 31 characters long.) I really hope Fidelity is as paranoid as I am.
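An added example, not from any poster here, that puts numbers on three claims made in the thread: Rick’s point that older Windows versions split the password into groups of 7 (so an attacker works on each half separately), his point that long passphrases are “by their nature, reasonably secure”, and the later claim that longer passwords make cracking time grow geometrically. The attacker speed is an assumed figure for one machine against a fast unsalted hash; the scheme table is constructed for the comparison (the 7776-word list is the Diceware size, not something from the thread).

```python
import math

# Worst-case guesses to exhaust `length` characters drawn from `charset` symbols.
# If the hash scheme splits the password into independent `chunk`-character
# pieces (the "groups of 7" described above), each piece is attacked on its own
# and the costs add instead of multiplying.
def guesses_to_exhaust(charset, length, chunk=None):
    if chunk is None or length <= chunk:
        return charset ** length
    full, rest = divmod(length, chunk)
    total = full * charset ** chunk
    if rest:
        total += charset ** rest
    return total


def bits(guesses):
    """Equivalent entropy in bits for a search of `guesses` candidates."""
    return math.log2(guesses)


def years_at(guesses, guesses_per_second):
    """Wall-clock years to exhaust the space at a fixed guess rate."""
    return guesses / guesses_per_second / (365 * 24 * 3600)


# Assumed rate (not from the thread): one machine, fast unsalted hash.
RATE = 1e9

# Constructed comparison: (alphabet size, length, split size or None).
# 69 = printable ASCII minus lowercase, since the 7+7 scheme upper-cases first.
SCHEMES = {
    "8 chars, a-z A-Z 0-9 (the generator in the first post)": (62, 8, None),
    "8 chars, full printable ASCII":                          (95, 8, None),
    "14 chars, 69-symbol alphabet, split 7+7":                (69, 14, 7),
    "14 chars, 69-symbol alphabet, hashed whole":             (69, 14, None),
    "14 lowercase letters, no symbols at all":                (26, 14, None),
    "5 random words from a 7776-word list":                   (7776, 5, None),
    "31-char passphrase, 6 words of the same list":           (7776, 6, None),
}


def compare(schemes=SCHEMES, rate=RATE):
    """Return (name, guesses, bits, years) per scheme, for display or assertions."""
    rows = []
    for name, (charset, length, chunk) in schemes.items():
        g = guesses_to_exhaust(charset, length, chunk)
        rows.append((name, g, bits(g), years_at(g, rate)))
    return rows


if __name__ == "__main__":
    for name, g, b, y in compare():
        print(f"{name:58s} {b:6.1f} bits  {y:12.3g} years")
```

Two things fall out of the table: the 7+7 split turns a 14-character password into two 7-character problems (about 44 bits instead of 85), and fourteen plain lowercase letters still out-cost eight characters of full printable ASCII, so extra length beats extra symbol classes. The figures describe an unsalted, fast hash; a precomputed table of the kind discussed above only helps an attacker when there is no per-password salt, and a salted or deliberately slow hash changes the rate, not the exponent.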

Is he overwriting the password or just getting into the folders?