The best password

Printable View

May 27th, 2003, 12:52 AM
vercetti

The best password

I was thinking about a problem with creating the best password. I know it should be a combination of upper/lowercase letters, digits and non-alphabetic characters. Another approach is to pick a favorite sentence (i.e I love Big Mac and Fries), take the first letter of each word (I, l, B, M, a, F) and make up a word of them (ilbmaf) maybe alternating an uppercase and a lowercase letter and ending it with a digit (IlBmAf4). The problem with this approach is in the case the user is using multiple password-accessed applications ( maybe couple email services, few pay-for-content websites, some network-accessible resources) and it adds up to a lot of passwords to remember knowing that it's not wise to use the same password twice and for long periods of time, nor is it smart to write it down. How can a user remember multiple hard-to-guess passwords and which passwords are used to access what resources?
I just want to hear your opinion.
Thanks
May 27th, 2003, 01:05 AM
SirSub

Remembering passwords is kinda like studying for a test, I use flash cards whenever i renew all my passwords, i always use this nifty program to keep track of all my passwords and when to change them, its called Password Corral, it can be found Here
May 27th, 2003, 01:13 AM
vercetti

Thanks for the link. But I disagree on writing passwords on flash cards, mostly because unless you shred them, malicious people can still get to them ( dumpster diving?).
May 27th, 2003, 01:33 AM
IceStorm

Check this site out. http://mmdev.ag.vt.edu/security/securepw.htm
Their are some good ideas on how to create a secure password.
May 27th, 2003, 01:54 AM
bigb

I agree with vercetti on the flash cards.

I personally keep my passwords on a txt file on a floppy full of directories and junk text files.
I name it readme (most people automatically ignore these anyway).
It's a relatively safe approach,

I can encrypt if I want
I don't have to remember my passwords so they can be as complex as I want
(ctrl-x & ctrl-v) and they're keylogger proof too!
It's portable
You can even save some trees

It's just not safe from shoulder surfers.

A decent solution for these password laden times.
May 27th, 2003, 02:00 AM
ammo

Hope you empty that clipboard after cut'n pasting your passwords...

Ammo
May 27th, 2003, 02:30 AM
bigb

Good point, especially on another computer. You can also highlight and drag in most cases.
May 27th, 2003, 02:42 AM
M@rin3 Snip3r

I also use a program called Password Safe. This program is very usefull if your like me and once u change one password you have to change them all right... So u know ihave about 20 differnet appliactions that i need passwords w/ so u know i kinda need htis program. Ill attach this program to my post give it a try if you like.
May 27th, 2003, 03:36 AM
Simo

alt+32 and alt+255 are characters that windows cant recognize. i use them
May 27th, 2003, 03:53 AM
vercetti

Simo, Do you know why doesn't Win recognize those characters?
May 27th, 2003, 04:02 AM
johnnybluecrush

a nifty little gadget to keep track of your passwords:http://www.thinkgeek.com/gadgets/electronic/5a60/
May 27th, 2003, 07:07 AM
jdenny

Quote:

I was thinking about a problem with creating the best password. I know it should be a combination of upper/lowercase letters, digits and non-alphabetic characters. Another approach is to pick a favorite sentence (i.e I love Big Mac and Fries), take the first letter of each word (I, l, B, M, a, F) and make up a word of them (ilbmaf) maybe alternating an uppercase and a lowercase letter and ending it with a digit (IlBmAf4). The problem with this...

First, choose a favorite poem or song (by favorite i mean you can memorize it by heart). Let's take this poem as a test case (the only reason i choose it is because it has 6 or more words in each line, which makes good 6-or-more-character passwords):

It's Been So Good to Have You as a Friend

It's been so good to have you as a friend:
As sweet and rich as honey-colored sun
Slanting steep across a summer lawn,
Gilding life with all that love can lend.
And now that you yourself have griefs to tend,
I want to be the strong and caring one
To count to you the lovely things you've done
Until these troubles pass and sorrows end.
You are so beautiful in form and soul
That you bring happiness to all you're near:
Just as a sea rose, flowering in mist,
Makes a paradise of some bleak shoal,
Turning truth to something far more clear,
No pain unsoothed or rain-swept cheek unkissed.

Copyright by Nicholas Gordon (nick[at]poemsforfree[dot]com - http://www.poemsforfree.com/itsbee.html)

Then, derive your favorite password from each line of the poem (excluding the title) like this (be creative):

1b59thyaf
a5arahcs
9lwatlcl
antyyh9tt
1wtbtsac0
tctytltyd
...etc...

Last, keep a readme file in the account:line# format like this (or other format, again be creative):

primary e-mail: 1
database app: 2
antionline.com: 3
www.sans.org: 4
slashdot.org: 5
techrepublic.com: 6

What a geeky list, isn't it? Anyway, do you understand what this list is for? Assuming that your ID is vercetti on all those accounts, by looking at the list you know that your primary e-mail password is 1b59thyaf, your database app password is a5arahcs, and so on...

See also the posts I made last year on this subject:
http://www.antionline.com/showthread...hreadid=233600
http://www.antionline.com/showthread...hreadid=234974

Peace always,
<jdenny>
May 27th, 2003, 10:53 AM
Networker

hereby an excellent paper about password based encryption.

The conclusion is:

Quote:

http://www.net-security.org/dl/artic...ryptoSalts.pdf
The unfortunate truth is that if the users pass phrase is weak, it will still be possible to break it using a dictionary attack. When building encryption software it is always a good idea to prevent users from choosing weak passwords.

It is a good idea to quickly search trough a small dictionary of English words for the users pass phrase, and if found suggest that they change it. Since at this point we have the original pass phrase and we do not have to derive it through the S2K function, this search can be fairly quick.

Another good idea is to include a random number generator in the software so that a user
has the ability to select a random pass-phrase. This has its own problems since it’s
extremely hard for users to memorize such pass phrases.
The last and most important advice is not to make it easy for an attacker to retrieve the
encrypted data. Without having local access to the file there is no way to mount a dictionary
attack in the first place.

As indiana said: choose but choose wisely ....
May 27th, 2003, 11:51 AM
instronics

Hello everyone.

I would like to add 3 links here.

http://www.antionline.com/showthread...hreadid=239044

http://www.antionline.com/showthread...sword+practice

http://www.antionline.com/showthread...hreadid=233600

Cheers ;)
May 27th, 2003, 02:04 PM
Tiger Shark

Ahem..... I have to say that all these methods are fine for the likes of us.... BUT..... The users are _generally_ too lazy or too unimaginative to keep up that level of security.

You must also realize that the password for a user should be directly proportional to their rights - the important part there is "their rights". Users that have access to extremely sensitive data usually understand that and come up with appropriate passwords. Users with extensive rights are the same...... It's the little buggers at the bottom of the pile that generally do little or nothing to assist the admin in keeping the system secure. But if admin tries to enforce a draconian password policy he gets, either, the wrath of the users, or, squashed by his superiors....... So, a creative solution is required such that a lowly user can change their password every 60 days for example, but also be able to remember it or even write it down if they want..... Heck.... Let's go all the way..... Keep the same "password", write it down _and_ put it on a sticky on their monitor........ ;)

Tell the user to pick a secret word that is at least 5 letters and no longer than 7 letters...... Lets use "Tropics"..... I like the tropics....... wish I was there......<s>. Now they should add a special character of their choice to the front and a number of their choice to the back.... We'll use "$" and "2" making their secret word "$Tropics2"...... Notice we also make them uppercase the first letter......

Now here comes the fun..... They must jumble that sequence up any way they please but they must use all the characters..... We'll do it this way "piT$2rocs"....... Now that's a nice little password that would be hard to crack and very difficult to remember...... ;)

But I can write a little sticky saying "My password is 562193478" and put it right in the middle of my monitor because each character has a numeric position in that sequence, ($=1, T=2, r=3 etc.).. Anyone trying that as the password will get a big fat "access denied". Anyone who knows this system and guesses that dear old Millie chose her dog's name "spotty" will still be 2 characters short which are harder to guess at and a brute force tool is still going to take a while before it comes up with the credentials to access this user's _properly_ limited permissions. Not worth it really......

Now comes 60 days later...... Dear old Millie doesn't have to change that secret character sequence..... She just re-jumbles the sequence, writes a new sticky and she is "off to the races".........

If you enforce a minimum password length of 7 characters then the user can't cheat and you can enforce a "no re-use of password" policy for say 2 years to prevent repitition but you have given them an opportunity to be more secure without the horrendous task of coming up with new passwords that are hard for them to remember all the time.

NOTE: You won't get all of them to use this system..... There are always the "whiners" who say it is too difficult..... IME, they are the ones that have the least rights anyway..... Just enforce the 7 characters and live with it...... :mad:
May 27th, 2003, 02:36 PM
ammo

Quote:

Originally posted here by Simo
alt+32 and alt+255 are characters that windows cant recognize. i use them

You know, while it's true that in some cases using non-displayable characters can be more secure (for example, I believe l0ftcrack doesn't (or at least didn't in the past) show these characters in cracked passwords), it's however relevent to point out that having to type 4 keys to get only one character could be spent better by choosing 4 regular characters:
that alt+255 gives you only 256 more possibilites to test,
while adding 4 regular characters would give you (26*2+10)^4=14776336 more possibilites...
(26 chars * 2 for caps + 10 numbers)

This might not convince everyone or anyone but it's still worth considering...

Ammo
May 27th, 2003, 02:38 PM
sickyourIT

no offense to anyone, but for the most part, I can remember even all of my complex usernames and passwords. A lot of people overlook this, but you can always create complex passwords, and work on improving how well you remember things as opposed to trying to remember your workarounds. (I'm sure "MemorY" will love this post)

also, using a similar password and changing one character is a good one.

for instance, if your password is b4sketball for espn.com, you can easily make it b4sketb9ll for something else. but in an 8 letter password, and having 36+ possible substitutes, they have a .34% (not 34%, but .34%)chance in figuring it out, once they know your other password. most people don't put forth this much effort to track down multiple sites, usernames, etc. if you switch your username in a similar fashion, it makes it even harder (.0042%) to figure it out.

just my two cents.
May 27th, 2003, 03:56 PM
Noia

First off; Simo, Alt+32 is a Space... and if I'm not mistaken, 255 is NULL....I'm not sure...

If you want a good password..theres a way of doing it..

First...Find a line or moto that you can remember...some thing like Confusius (or what ever that persons name was) Let's take the Password from Entrapment as an Example:

Don't use cannon to kill Mosquito

Step one; Make it one word with Capital on every word: Don'tUseCannonToKillMosquito
Step two; Replace atleast one word or letter with a number: Don'tUseCannon2KillMosquito
Step three; REMEMBER THE PASSWORD.. :D

Passwords like this have the advantage that their long, easy to remember and hard to crack....just make sure you can type it fast enough :)

- Noia
May 27th, 2003, 11:02 PM
R0n1n

Or you could just go with ditching the use of passwords all together, they have always been one of the weakest links in security, a much better option would be to make use of biometrics and there are some decent devices now available which can actually make this practical. Smartcrards/ tokens are also useful. Get away from just going with what someone knows and make use of something they have or something they are.

In practice the majority of users will choose a simple to remeber password or think that they have increased the security greatly by subsitiuting a letter for a number, e.g. password becomes passw0rd, its still easy to crack and actually creates a false sense of security that does more bad then good.

Single sign on systems can help get around the need to remeber lots of username/password combinations, but if you use a password for those you still have a very weak protection mechanism in place.