dserban
Aug 18 2007, 01:36 PM
If you are good at remembering very long, very cryptic alphanumeric passwords, this article is not for you. For the rest of us mere mortals, here is a method for choosing extremely secure passwords that you don't need to actually remember - you only need to remember some patterns for generating passwords that you and only YOU know. In this example I am using two command line utilities that come bundled with any Linux distribution. I'm running Windows XP, so these are the cygwin counterparts:

CODE
# echo "appserver" | md5sum | md5sum
707c3d6c4e93e43ba03bf0a5ef3a605a *-
#

a) Leading six characters of host name, spaced out
b) Trailing six characters of MD5 sum above, spaced out

a) a p p s e r
b) 3 a 6 0 5 a
c) Your password to connect to the machine called "appserver": a3pap6s0e5ra

# crypt appserver | crypt - | crypt -
Zmct2/xG/czm6
#

a) Leading six characters of host name, spaced out
b) Trailing six characters of crypt hash above, spaced out

a) a p p s e r
b) G / c z m 6
c) Your password to connect to the machine called "appserver": aGp/pcszemr6

# echo "dbserver" | md5sum | md5sum
6b0828ab640ffb600892468b97762fef *-
#
# crypt dbserver | crypt - | crypt -
.bIjOuGL2XVoE
#

I'll leave it as an exercise to you to determine the other two passwords (to connect to the machine called "dbserver"). But you can use md5sum or crypt as many times as you want, and in any combination you want, and set up the interspersing pattern just the way you see fit. Passwords generated this way are immune to dictionary attacks and the good thing is that you don't need to remember them since you can recreate them every time. The only security issue remains to secure the process of recreating your passwords.

Also, check out these articles:
http://lifehacker.com/software/top/geek-to...ords-184773.php
http://lifehacker.com/software/passwords/h...cked-247355.php
Reply
wutske
Aug 19 2007, 03:01 PM
Mine is completely random and only took me a week to learn it, it's in my fingers now.
Reply
Habble
Aug 20 2007, 06:26 AM
A good thing to do with passwords is think up a phrase that means something to you, remember the first letters of each word in the phrase, then put them together. e.g.
Phrase: "How do you do? I'm fine thank you!"
Ends up as: hdydifty
Then mix around the cases... hDydIFtY
And add a number or two. (You could use something like the year you were born.)
Eventually you end up with something like this: hDy1993dIFtY
Good thing about this is, if anyone else sees it, they won't be able to remember it!
Reply
HellFire121
Aug 22 2007, 05:54 AM
A good thing to also do is include special characters in sites and services that allow it. Characters such as @#$% etc etc can be really good at providing that extra security which can be the difference between a weak password and a strong one. You can usually easily remember a password with a percentage in it, like add in 50% or something and it sticks in your head rather than some random string of text or numbers. -HellFire
Reply
Daniel666
Aug 22 2007, 11:46 AM
I have a 7 character password, a completely random string of numbers my dad gave me when I was hacked on a game. I've used it for 5 years now, it's in my head and probably won't ever come out.
Reply
ethergeek
Aug 22 2007, 05:17 PM
You're probably better off just using a generator that can use the system random number generator...far better entropy. Take a look at KeePass (win32) and KeePassX (gnu/linux) for a really nice password manager/generator app.
Reply
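Added example, not part of any post in this thread and not code from KeePass: it reproduces the host-name/hash interleaving pattern from the first post and sets it beside a password drawn from the operating system's random number generator, as suggested in the post above. The function names, the `marker` parameter (the " *-" suffix is taken from the output shown in the first post) and the 16-character letters-and-digits alphabet are assumptions made for illustration.

```python
import hashlib
import math
import secrets
import string

def md5sum_line(data: bytes, marker: str = " *-") -> bytes:
    """One `md5sum` pass over stdin: hex digest, marker, newline.
    The marker differs between builds, so the chained result does too."""
    return (hashlib.md5(data).hexdigest() + marker + "\n").encode()

def interleave(a: str, b: str) -> str:
    """Alternate characters of a and b: a0 b0 a1 b1 ..."""
    return "".join(x + y for x, y in zip(a, b))

def derived_password(host: str, marker: str = " *-") -> str:
    """First post's pattern: first six characters of the host name
    interleaved with the last six characters of a double md5sum."""
    line = md5sum_line(md5sum_line(host.encode() + b"\n", marker), marker)
    digest = line.decode().split()[0]
    return interleave(host[:6], digest[-6:])

def derived_bits(hash_chars: int = 6, alphabet: int = 16) -> float:
    """Upper bound on the unknown part when the host name is known:
    only the six hex characters vary, and they are fixed by the recipe."""
    return hash_chars * math.log2(alphabet)

ALPHABET = string.ascii_letters + string.digits  # assumed character set

def random_password(length: int = 16) -> str:
    """Password drawn from the OS CSPRNG through the secrets module."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def random_bits(length: int = 16) -> float:
    """Entropy of a uniformly random password over ALPHABET."""
    return length * math.log2(len(ALPHABET))

if __name__ == "__main__":
    print("derived:", derived_password("appserver"), f"<= {derived_bits():.0f} bits")
    print("random: ", random_password(), f"~ {random_bits():.0f} bits")
```

The derived password is a pure function of the host name and the recipe, so its strength rests entirely on the recipe staying secret, while the random one has to be stored in a password manager.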
Arbitrary
Aug 23 2007, 05:24 AM
Indeed, that is a good idea. Most of my passwords are random, and after much overuse I've managed to remember them all. Something else I've been doing with passwords: I tend to keep my passwords in what I call 'tiers'. Basically, there's one tier for the 'stupid' passwords, as in passwords used flippantly to register at some forum that I'll probably only access once. Since I don't care much for these passwords, I tend to reuse the same password over all these 'stupid' websites, as it doesn't really matter if someone else finds out. My second 'tier' is for the relatively important ones, and I tend to (1) use a more secure password and (2) create three passwords that I alternate between these relatively important websites. Then when I get to a site I just pick one of the passwords. The third 'tier' is for the most important accounts (such as email), and there I have no two passwords that are the same. This way, I can minimize on memorizing too many passwords, but I'll still leave my most important accounts with a secure password that is not used elsewhere. Besides, at times I want to reaccess some forum I registered at long ago, and if I had chosen a new password for every registration, I'd never access any of my old accounts.
Reply
SilverFox
Aug 23 2007, 05:49 AM
Arbitrary, I do passes simpler.
1. Simple/unimportant: On forums I rarely use, very unlikely to get hacked things or my nickserv passes. They're simple phrases, names, and other things. I use them a lot also.
2. Email and unknown things: I use a password like delldimsension350 or something that is right in front of me, that is long and not guessable. This is for mid-level things. I change it every 3-5 months. I have even used phone numbers and family members' SSNs.
3. Secure/Critical: These are the most important, I never use the same password. I use these types on my dedicated server, my IRC shells and my virtual host. These are things that I can't really recover and that are critical and literally are risking financial investments. Examples are: gfyh546klhdflghl56hlkhdgflhdli5hlhdrlkghrdk5l6hklhgldfh56ilhldkghfldk56htklhh Impossible to guess and hard to brute-force. I store these in a file somewhere on my local disk, obscure (example not with a name like passwords.txt).
That's my recommendation to anyone else, but even the best password is vulnerable to humans. I've got so many passes just by good ol' SE. Another note, daniel666 said his password has never been hacked, he's wrong. He gave me it once (I posted a thread on astahost about not giving out passes using his hacked account). Also I don't recommend using &;"',<> in passwords that link to mysql, as they might be filtered. Same with space.
Reply
Habble
Aug 23 2007, 06:31 AM
Yeah, I have an insecure password that I use to sign up to things I don't entirely trust, a relatively secure thing that I use to sign up to most things that aren't crucially important, and a very secure password for important things.
Reply
Sten
Aug 23 2007, 08:33 AM
My password (my newest one, basically my Habbo one 'cos I don't wanna get hacked) is really good. No one will ever guess it, probably 'cos they're too SMART, lol, it's also funny.
Reply
Latest Entries
Doveshire Designs
Oct 22 2007, 11:03 PM
I use long passwords, 12 to 16 characters. Also, any letter that can be represented by a number, such as an i can be a 1 or an e can be a 3, I replace the letter with the number. So for instance you could use the password cuddl3m0nst3r and add a number sequence at the end, such as your fav number mixed with the month your mother was born. Then it would end up being cuddl3m0nst3r702.
Reply
kelvinmaki
Sep 12 2007, 12:15 PM
QUOTE(Alegis @ Sep 12 2007, 09:49 AM)
Oh the problem isn't picking the password, many people who "claim they have been hacked" have been known to just write it down somewhere in sight or give it to the first moron that claims he's from the company where said person has an account.

That's true though. Many people create very difficult passwords with all kinds of combinations for hackers to crack, and similarly, for themselves to remember. So they have to write it somewhere or store it online. DON'T WRITE IT ANYWHERE. REMEMBER THEM.
Reply
Alegis
Sep 12 2007, 09:49 AM
Oh the problem isn't picking the password, many people who "claim they have been hacked" have been known to just write it down somewhere in sight or give it to the first moron that claims he's from the company where said person has an account. There is unfortunately no patch for human stupidity.
Reply
patronus4000
Sep 12 2007, 04:12 AM
o.O Well, I think my passwords will be cracked fairly quickly. According to the article, the password Fgpyyih804423 was cracked in 160 seconds using the most basic rainbow tables. That's basic. So if the Extended table is used (containing non-alphanumeric symbols), then it's possible that every password can be hacked. Just goes to prove the point that one should never store important files on a computer, especially on the Internet. You never know when someone will nose their way into your stuff. Good thing for most of us that (1) Ophcrack is huge in file size, so most will not be downloading/installing it any time soon and (2) there really isn't a reason for random people to hack into most of our accounts - we aren't really famous/powerful people after all to attract the attention of evil crackers. I think. xP
Serena
Reply
Laurence
Sep 11 2007, 08:25 PM
For all my passwords, they're 20+ letters and numbers, they're really easy to remember, because it's my student ID number on my school card, and my password. If Ophcrack can crack that password in 160 seconds... mine would only take like 5 minutes. Maybe I should make some capitals.
Reply