passwords - easy to remember but hard to crack - would this work?

Reading a bit on account of the recent hacking has made me painfully aware that my understanding of good password practices has gotten somewhat dated. I realize the best currently-available solution would be to adopt a password manager, but I hesitate to go there because there aren’t many logins I need to protect. Stipulating that this is only second-best, I’m curious whether there’s a good strategy for constructing passwords which are easy to remember but hard to crack…

For example, suppose I take a long word and insert a random number string in the middle, leaving no dictionary words on either side of the break. (Say, supercalifragilistic-7243-expialidocious.) Assume further that I use a different word and number string for each site I care about (email, financial, etc.). For convenience, I will use a generic password for sites the security of which doesn’t much concern me. I understand all those are exposed if a hacker cracks any one of them.

Recognizing this isn’t the best solution, is it “pretty good”? Is there a better one, short of a password manager?

It sounds not terrible, but it seems to me that you could do better using pass phrases. Security-wise, they’re stronger and they’re easier to remember. However easy they are to remember, though, that only scales if you have just a few of them. Just pick five or six words at random and it will literally take any cracker a few hundred years to figure them out.

Most sites don’t allow very long passwords, e.g. Amazon’s maximum length is 20 characters.

A password that is long but simple is generally better than one that is short and uses complex characters. Each character makes it exponentially harder. I won’t say whether yours is the “best” but it is better for brute force and similar cracking.
Long and easy to remember is to pick a quote or song lyric and use the first letters. Mix it up by using special character translations (e.g. if lyrics mention money, use $, or love, use <3). “Mary had a little lamb” you could e.g. do “Mha_lL” if you consider underscore to be a lowercase (“little” lamb, “^” for big, etc.) cue. Now pick something way more complex as I can’t think of one now that I don’t already use.
One big problem is if you’re going to be using the password on a phone or tablet, complex characters can be harder to access.
Other things I might do: have each password have the same “root” and add something on to fit the website, such as “passwordSDMB” and “passwordGMAIL” (preferably better than that). This takes care of discrepancies in password requirements; one might want at least 5 characters, while one wants 8 characters with at least one: lower case, capital, number, and character. Usually the stricter websites are the ones you won’t mind being stolen of course (“you want to pay my bills? go ahead”).

A longer password is safer against brute force permutation attacks - so **sweatyballs** is safer than sweaty

A more complex password is safer against dictionary attacks - so sWeat_ybaLls is safer than sweatyballs.

It’s worth noting that ‘dictionary’ doesn’t mean the OED or Websters - it means a list of strings that are to be tested against your password - for this reason, 5weaty or **Sw3a7y** (employing common substitutions and/or normal capitalisation) probably isn’t significantly safer than sweaty.

And if someone is attacking with rainbow tables, (I think) all bets are off, because they are only trying to find something that generates the same hashed value as your password (having stolen the users table directly out of the database by breaking into the system, as occurred recently on the SDMB) - the defence against this, from the user perspective, is to change your password.

So in conclusion…

Yes - longer passwords, broken up into incomplete/uncommon/unlikely strings, including non-alphanumeric characters is probably good enough.

I normally use thelurkinghorror’s method for things I want to be secure, though to the extent of AaronX’s length exception, jovan’s passphrase is probably better. The lateness of the question is surely why I’m the first to say correct horse battery staple.

Try out your password strength here https://howsecureismypassword.net/

And just for fun.

These sites are utter shit and should not be used or even trusted. In the worst case scenario they’re just an excuse to phish your password. In the best case, they give you a sense of false security.

I tried LETmeIN1234, a shitty, shitty password if there ever was one. The site says that it would take a desktop 412 years to crack it. Nope. It would go down in a few minutes at most, if not seconds. The only way these sites could really tell you how strong your password is is by actually trying to crack it. I checked their source code and they use a hopelessly trivial calculation.

Heh. Yeah… let me set up my own website for you to give me your passwords so I can see how strong they are. No way I’d do anything pernicious with that…

I’m off to register giantrat.isnotahaxxor.com

Every code can get broken.

The more characters you use, the longer it usually takes.

The code is cracked via a program, there is no human actually sitting there and typing in aaaaaa, aaaaab, aaaaac, … (besides me just now). These programs do some 500-5000 guesses per second, depending on the power of the computer running it and what type of check the program runs (6 or 12 characters etc).

(ETA whoops, **jovan** already said this)

Those things are not very useful. That one considers “abcdefghijklmnopqrstuvwxyz” to be unbreakable, for example. In general you have to consider the scheme used to select the password, not just the number of characters in it.

  1. Pick a word that has some special meaning only to you, or maybe you and your significant other.
  2. Replace some of the letters in that word with numbers or non-alphanumeric characters.
  3. Come up with a common way to abbreviate the name of websites you login to. So Netflix might be ntflx (no vowels) or ntlx (drop even-numbered letters). To follow this pattern Amazon would be amzn or aao. These can be all caps or lower case, but be consistent.
  4. Subtract the number of letters in your abbreviated website name from the number of letters in your special word, and put that number at the end. Feel free to use a 0 if necessary or a - if the difference results in a negative number. Obviously, you don’t have to use subtraction, you can add or multiply or whatever.

So, say your special word is sunshine. We change sunshine to $un$hIne. Your Netflix password, using the no vowels method, would be ntflx$un$hIne3. Your Amazon password, using the drop even numbered letters method would be aao$un$hIne5.

I use this sort of method for my passwords, except my online banking. Online banking is completely different and completely unique. Because it’s a one off, it’s easy to remember.

I have an essentially random string of letters that I’ve memorized. About 20 characters long.

It isn’t really random, as it was created using a pattern that I can easily remember but is essentially unknowable to someone else. So, for example, I just need to remember:

  1. Based on the phrase “4 score and 7 years ago our fathers brought forth on this continent a new nation”

  2. Use the first letter of each word and maintain numbers.

  3. For words starting with a vowel, use the first two letters.

This results in 4san7yagoufbfontcann

So, that is my base password and has been for more than a decade (note: obviously not my actual password). A nonsense string but once you’ve had it in your head for a while easy enough to remember and worst case I can always reconstruct it.

Then I have an algorithm for modifying that for each individual use, such as:

  1. pick a word for the website in question. Let’s say for Amazon I pick “books”
  2. Overwrite that word into the password at the character position equal to the number of letters in the word as all upper case (so “BOOKS” would replace positions 5-9 in the base password).
  3. If the second letter of the word is a vowel overwrite an exclamation point in the second position, otherwise overwrite a percentage sign.

So, at this point when I sign up for Amazon, all I have to remember is that my password is “books” and I know what I type is:

4!anBOOKSufbfontcann

Longish password, no dictionary attack. If someone does compromise that password then it isn’t a big help in figuring out others (though if they compromise a second and are able to tie both of them to me they’ll be on their way).

A bit convoluted in the start but second nature to me now and in the years I’ve been doing it I’ve not had an account compromised that I’m aware of.

Ya know, good non-random password constructions are rather like formulaic ways for beating the market. If you really have one, logic dictates that you shut up about it. It’s going to become less effective if it becomes widely known and copied. In the case of passwords, because you alert would-be crackers to consider that particular scheme in their attacks.

FWIW, I read somewhere that an easy way to create an uncommon password is to shift your hands over one key to the right and type out your normal password.

So “correct horse battery staple” becomes vpttrvy jptdr nsyyrtu dys[;r.

This is very close to literally the worst advice you could possibly give. The absolute most important thing about password security is that none of your passwords to sites you give a damn about should ever be related to any of your other passwords. They should absolutely not be related in a way easily-constructable from the site’s name. A person who uses “12345” on one site, “password” on a different site, “qwerty” on a third site, and their dog’s name on a fourth site may have lousy security, but it’s at least still better than the person who uses “nBb@cCUw7%832&Pg7^6)g,jhbf+” on every site (or equivalently, “nBb@cCUw7%832&Pg7^6)g,jhbf+goog” on Google, “nBb@cCUw7%832&Pg7^6)g,jhbf+face” on Facebook, “nBb@cCUw7%832&Pg7^6)g,jhbf+hotm” on Hotmail, etc.).

At some point or another, you’re going to set up an account on some site or another, and either through malice or just poor security on the site, your username and password on that site are going to fall into an attacker’s hands. When (not if) that happens, you’ll be screwed on that site, but so long as that’s the only place you used that password (or a variant of it), that’s the full extent of the damage. But if you’ve ever used that same password (or a variant of it) anywhere else, you’re screwed there, too.

Another important point to remember: Any scheme you’ve ever heard for making a “simple but secure” password isn’t nearly as secure as it looks. If you’ve heard of it, then so have the attackers, and they’re going to try attacks that are based on it. Thus, for instance, “vpttrvy jptdr nsyyrtu dys[;r” is no more secure than the “correct horse battery staple” it’s based on: It looks more secure, but that’s just to a human eye, and it’s not human eyes you’re trying to fool.
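Several posts above make the same point from different angles: jovan’s five random words, the “412 years” strength-meter result, the sunshine/BOOKS construction rules, and Chronos’s remark that a scheme the attacker has heard of buys nothing. The following added example (not code from the thread or from any poster) puts numbers on that. It contrasts what a typical meter computes (character classes present, raised to the length) with the number of guesses an attacker who knows the construction rule has to make. Every list size, the number of capitalisation or substitution variants, and the guess rate are modelling assumptions chosen for illustration, not measurements; the Diceware passphrase is a constructed sample.

```python
"""Strength estimates for the password schemes discussed in the thread (added example)."""
import math
from dataclasses import dataclass
from typing import List

# --- Modelling assumptions (constructed for this example, not measured) -------------
GUESSES_PER_SECOND = 1e10   # assumed offline rate against a fast, unsalted hash
COMMON_WORDS = 100_000      # assumed size of an attacker's everyday wordlist
LONG_WORDS = 20_000         # assumed count of long words like "supercalifragilistic..."
DICEWARE_WORDS = 7_776      # size of the standard Diceware list (6^5)
XKCD_WORDS = 2_048          # 11 bits per word, as in "correct horse battery staple"
CAPS_PATTERNS = 128         # assumed capitalisation variants tried per 7-letter word
LEET_VARIANTS = 256         # assumed s->$, i->I style substitution patterns tried
KNOWN_TRANSFORMS = 8        # assumed published tricks (keyboard shift, reversal, ...)
FOUR_DIGITS = 10 ** 4


@dataclass
class Estimate:
    label: str
    naive_bits: float           # what a strength meter reports
    scheme_bits: float          # what an attacker who knows the scheme faces
    seconds_to_exhaust: float   # full search of the scheme's inputs at GUESSES_PER_SECOND


def naive_bits(password: str) -> float:
    """Meter-style estimate: alphabet = union of character classes present, ^ length."""
    alphabet = 0
    if any(c.islower() for c in password):
        alphabet += 26
    if any(c.isupper() for c in password):
        alphabet += 26
    if any(c.isdigit() for c in password):
        alphabet += 10
    if any(not c.isalnum() for c in password):
        alphabet += 33   # printable ASCII punctuation plus space
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def scheme_bits(search_space: int) -> float:
    """Entropy when only the scheme's inputs are unknown to the attacker."""
    return math.log2(search_space)


def estimate(label: str, password: str, search_space: int) -> Estimate:
    bits = scheme_bits(search_space)
    return Estimate(label, naive_bits(password), bits, 2 ** bits / GUESSES_PER_SECOND)


def thread_examples() -> List[Estimate]:
    """Each scheme from the thread with the search space an attacker who knows the rule faces."""
    return [
        # Common word, odd capitalisation, four appended digits (the "412 years" example).
        estimate("LETmeIN1234", "LETmeIN1234",
                 COMMON_WORDS * CAPS_PATTERNS * FOUR_DIGITS),
        # Long word split somewhere in the middle with four digits inserted (~20 split points assumed).
        estimate("long word + digits", "supercalifragilistic-7243-expialidocious",
                 LONG_WORDS * 20 * FOUR_DIGITS),
        # Site abbreviation + substituted special word + derived digit: knowing the rule,
        # the attacker only needs the special word and the substitution pattern.
        estimate("site abbrev + $un$hIne", "ntflx$un$hIne3",
                 COMMON_WORDS * LEET_VARIANTS),
        # Four words from a 2048-word list, and the same phrase typed one key to the right.
        estimate("4-word passphrase", "correct horse battery staple", XKCD_WORDS ** 4),
        estimate("shifted passphrase", "vpttrvy jptdr nsyyrtu dys[;r",
                 XKCD_WORDS ** 4 * KNOWN_TRANSFORMS),
        # Five random Diceware words (constructed sample phrase), as jovan suggests.
        estimate("5 Diceware words", "cabin tulip rhyme ozone shrub", DICEWARE_WORDS ** 5),
    ]


if __name__ == "__main__":
    print(f"{'scheme':<24}{'meter bits':>11}{'real bits':>10}{'exhaust (s)':>14}")
    for e in thread_examples():
        print(f"{e.label:<24}{e.naive_bits:>11.1f}{e.scheme_bits:>10.1f}{e.seconds_to_exhaust:>14.3g}")
```

The meter column grows with length regardless of how the string was built, which is why LETmeIN1234 scores around 65 bits there; the scheme column, which is what matters once the rule is known, puts it below 40 bits and the whole search under a minute at the assumed rate. Shifting the keyboard adds only the handful of bits needed to pick the transform, while the random-word passphrases keep their full entropy because there is no rule to know beyond the word list.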

Just use a password manager.

There is no way you’re going to outsmart the mass of dedicated people with a potentially huge financial motivation to break your passwords with a simple trick you just thought up, and there’s so much “folk wisdom” out there about passwords that’s just wrong.

Just use a password manager, and keep the keyfile on a USB key you keep on your person (and, obviously, some backups in important places).

But all of this is moot if the hackers attack the password DB for the site, like they did for the SDMB. Everyone’s password is encoded in the SDMB database. The hackers were able to copy that and once they break the encryption, all of the passwords will be in plain text for them to see. No need to try and figure out your password, it’s right there for them to read.

Then they look at the email address that they stole for your user and see that it is jsmith331@gmail.com. So they go to gmail and see if the password they stole works for that email account. If it does, bingo! That password is probably used at other websites. Check all the major bank and credit card websites using jsmith331@gmail.com as the user name with the password they found in the SDMB hack and see what they can get into.

Of course that doesn’t mean you just say “screw it” and start using “password123” for everything, but straining your memory for esoteric passwords is becoming less and less of a big deal. Why would a hacker spend days trying to figure out a single person’s password when he can spend a week hacking the website and get hundreds of passwords? A much better payoff for the time invested.
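Two posts in the thread describe the site-side failure: Mangetout’s rainbow-table point (an attacker with the users table looks for anything that hashes to the stored value) and the later observation that once the stolen SDMB table is decoded every password is readable. From the user’s side the only remedy is to change the password; the site operator’s remedy is how the table is stored. The added example below (not code from the thread or from the board software) shows the two storage choices side by side: a fast unsalted hash, where every user with the same password gets the same digest and a precomputed table answers all of them at once, and a per-user random salt with PBKDF2-HMAC-SHA256, where identical passwords store differently and each guess costs the attacker the full iteration count. The usernames, the iteration count and the sample password are constructed for the demonstration.

```python
"""Password-table storage that limits the damage of a stolen database (added example)."""
import hashlib
import hmac
import os

ITERATIONS = 100_000   # assumed work factor; tune so one verification takes ~0.1 s on the server


def unsalted_fast_hash(password: str) -> str:
    """The weak choice: same password -> same digest for every user, so one lookup table fits all."""
    return hashlib.sha1(password.encode()).hexdigest()


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return 'pbkdf2_sha256$iterations$salt_hex$digest_hex' using a fresh 16-byte random salt."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and parameters; compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algorithm != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def demo() -> dict:
    """Two constructed users who happen to share a password from the thread."""
    shared = "LETmeIN1234"
    table = {"jsmith331": hash_password(shared), "ajones": hash_password(shared)}
    return {
        # Unsalted: identical digests reveal shared passwords and allow table lookups.
        "unsalted_collide": unsalted_fast_hash(shared) == unsalted_fast_hash(shared),
        # Salted: same password, different stored records.
        "salted_differ": table["jsmith331"] != table["ajones"],
        "correct_accepted": verify_password(shared, table["jsmith331"]),
        "wrong_rejected": verify_password("letmein1234", table["jsmith331"]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:<18}{value}")
```

The salt is stored in the clear next to the digest; it does not need to be secret, only unique, because its job is to force the attacker to redo the work per user instead of per password. Raising the iteration count (or moving to a memory-hard function such as scrypt or Argon2) is what turns “minutes” into “years” for a stolen table, independent of how good each user’s password was.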