All About Passwords
For those of you who would like to understand some of the reasoning behind our push to increase the complexity of passwords, I'll try to explain briefly.

Passwords or access codes are a way of life in this day and age, but so too are the threats that come with the technology that requires us to use them. Code breakers have grown in sophistication over the years, and much of their development coincides with the increase in computing power. There are programs with whole dictionaries behind them, which have been extended to include variations on word spelling (e.g. $ can replace "dollar" or S), and in many cases new, more advanced methods are being developed for cracking by brute force or by strategy. Take for example some work done by the National Labor Relations Board on password cracking [1] (the test setup and results are reproduced under Password Cracking Test Results at the end of this page). Using a program (likely) found on the internet, they cracked the word "Exchange" in under one second, yet by adding special characters and symbols (some of which are memorable) they increased the crack time to over 2100 hours.

In addition to special characters, misspelling is still very useful because it increases the number of possibilities exponentially, although with time, computing power, and new strategies it is likely that spelling will no longer be an obstacle. Most of this is only needed against high-grade password cracking.

Passwords are most often based on what is personal (and therefore memorable), so research is often the key to understanding what possibilities are likely to be used in a password (pets, phone numbers, family members' names, etc.). Effectively this means that anyone who wants to get into a network, account, computer, etc. can, if they have the will, the software, and the talent. What does this mean for us? We could play the game of completely randomizing all passwords in hopes of thwarting all malevolent hackers. Or we could use some of the new technology that uses fingerprints to log into a computer. Undoubtedly this would be somewhat effective if we had reason to be so suspicious. The reality is that our largest threat is from the inside, not the outside. Employees who have authorized logical and physical access to the systems can do huge damage, intentionally or unintentionally. This means that we need to keep employees happy and well trained to prevent both possibilities.

One might ask why we wouldn't want to use a fully randomized password generator anyway, given even the possibility of such threats. Based on experience, it's not worth trying to have people remember passwords that mean nothing to them. IT departments have devoted part of their help desk staff to password resets, and it's frankly not worth the money right now. Hiring someone to reset the passwords on accounts may be simple, but the time spent is what is not cost effective.

At this point, until passwords are rendered unnecessary by whatever method (social or technological), passwords and codes should be a balance between memory and confusion.


Guidelines:

Aim for:

-Try making it based on a phrase you'll remember.

-Be six (6) or more characters long (longer is better; see the cracking test results at the end of this page).

-Try to include at least one non-alphanumeric character (see the list under "What to use (Non-Alphanumerics)" below).

-Try to use a password that you can type quickly, without having to look at the keyboard.

Things to refrain from:

-Avoid including a proper name or any variation thereof, a full word from a dictionary of any language, a song title, etc.

-Avoid relating to personal data in any way, e.g. your name, your street name, a current or previous significant other's name, a previous or current dog's name, SSN, etc.

-Avoid using any sequences or short repetitive phrases (for example 'asdfgh' or '8dx8dx').

-Avoid using dates only or all numbers.

-Avoid replacing letters with similar-looking numbers or characters. For instance, capta1n k1rk and mr$p0ck are not secure passwords. Programs used to crack passwords know this trick and include it in their cracking algorithms. While it may seem safe, it is best to use numbers only where they do not logically fit.

-Avoid words or names spelled backwards.

-Avoid passwords that could be found in any English or foreign-language dictionary, or easily guessed (such as "lombard").

-Avoid containing your user id within the password.

-Avoid sharing. We all do this, so if you do, change the password as soon as possible.


Strategies:

Mnemonics can be a powerful tool for creating strong yet memorable passwords. Mnemonics is a big word for a fairly simple concept: you choose a password based on a clue you are not likely to forget, such as a phrase from a book or song, but one that is not directly associated with you (a license plate number, for example, is):

-Create an acronym from the letters of the words in a phrase, song lyric, or quotation that is memorable to you. For example, "To be or not to be?" could be "2BRnot2B?"

-Make up an acronym based on a nursery rhyme, a favorite song or movie, or a catchy sentence. For example, "Just Not My Day" could be "~!MyDay" (~ for "just" and ! for "not", from the Basics list below).

-Interleave two words, or a word and a number sequence, that are meaningful to you, for example your favorite fruit and a memorable year. "kiwi" and "1987" could be "k1i9w8i7" ...or... "ki19wi87" ...or... "ki1987wi"

-Deliberately misspell words. Substitute symbols, numbers, and phonetic replacements throughout. For example, "Mississippi" could be "Mrs.Ippi"

-Make up nonsense words that mean something to you by combining the first syllables of two words. However, avoid using standard abbreviations like "jan, feb, mar, etc." as part of your password. For example, "Sale at Foleys" could be (example illegible in the source)

-Don't forget spaces. (Windows does allow them; not all programs and websites do.) Whole real sentences are allowed in some programs if you like (with some non-alphanumerics, hopefully).

A note from experience: when you change a password, the first 15-30 times you enter it may be hard to remember. After that you develop a muscle memory for the timing and keystrokes, so it becomes nearly a matter of habit. All of this assumes that you use the password every day. Passwords used infrequently are better built by association, since you will probably not develop such muscle memory. So again, memorable but not personal is the best balance of security and memory.


What to use (Non-Alphanumerics):

{ } [ ] , . < > ; : ' " ? / | \ ` ~ ! @ # $ % ^ & * ( ) _ - + =

Basics

~     about / just
!     not / don't
@     at
#     number / count
$     money
%     percent
^     conjunction (and)
&     and
*     multiplication / wildcard
_     underscore
+     plus
<     less than / left
>     more than / right
<>    excluding this
?     question / single-character wildcard
=     equal / for / then / is (definitive)
-     minus
[     open set
]     close set
||    or
(     open parenthesis
)     close parenthesis
/\    up / above / north
4     for

Look-alike substitutions (password crackers try replacing letters with these; avoid them by themselves and include them only in combination with other tricks):

$     s
8     A
][    I
|-|   H
3     e

Common shortcuts

w/    with
w/o   without
btw   by the way
k     okay

Some chat room antics a.k.a. emoticons (great non-alphanumerics)

:)            happy
^_^           happy
~_^           wink
:[            bored, sad
: |           bored, sad
:( )          loudmouth, talks all the time; or shouting
:*            kiss
:-)           classic smiley
:-?           licking lips, or tongue in cheek
:-O           open-mouthed, surprised
:-s           what?!
:-t           unsmiley
:-[           unsmiling blockhead; also criticism
:C            astonished
:~)           a cold
; )           wink
(::()::)      Band-Aid, meaning comfort
^5            high five
*<:-)         Santa Claus
+:-)          priest
+O:-)         the Pope
@}-}--        a rose
<:-(          dunce
#:-o          shocked
>:-<          angry, mad
>:-(          annoyed
>=^ P         yuck
O+            female
O->           male
\_/           empty glass
\~/           full glass
~~~~8}        snake
(_\_)(_|_)(_/_)  dancing ass off
<o> <o>       staring


Some chat room abbreviations (recommended only in combination with something else)

afaik      as far as I know
asap       as soon as possible
atw        at the weekend
awhfy      are we having fun yet?
awol       absent without leave
b4         before
bbfn       bye bye for now
bcnu       be seein' you
brb        be right back
btw        by the way
cm         call me
cu         see you
cul8ter    see you later
dk         don't know
dur        do you remember
e2eg       ear to ear grin
eod        end of discussion
F          friends?
F2F        face to face
fya        for your amusement
fyi        for your information
<g>        grin
gr8        great
gsoh       good sense of humour
h2cus      hope to see you soon
hak        hugs and kisses
ic         I see
idk        I don't know
idts       I don't think so!
iow        in other words
j4f        just for fun
kc         keep cool
khuf       know how you feel
l8r        later
m8         mate
mtfbwu     may the force be with you
nc         no comment
nwo        no way out
o4u        only for you
O!ic       Oh, I see!
rofl       rolling on the floor laughing
rotflmao   rolling on the floor laughing my ass off
ruok       are you okay?
sc         stay cool
sol        sooner or later
t+         think positive
t2ul       talk to you later
tafn       that's all for now
tuvm       thank you very much
w4u        waiting for you!
wuwh       wish you were here
X!         typical woman!
Y!         typical man!

Lots of examples of passwords (we don't recommend using these exact passwords; if you feel you must, add, delete, modify, or otherwise change them somehow).

Some other ideas for deriving a good password from a sentence that means something to you. Remember: memorable is good, personal is bad.

HsE<yt        "Has he left yet?"

RNYDY$        "Rainy day fund"

!ASITS9!      "!A stitch in time saves nine!"

fSa7yA        "Four score and seven years ago"

2BRnot2B      "To be or not to be"

Examples of good and bad passwords based on "hello":

hello         bad, a dictionary word in multiple languages.

h3ll4         bad, because the vowels of the dictionary word "hello" have been REPLACED by the digits 3 and 4.

he22o         bad, because two characters in the dictionary word "hello" have been REPLACED by the digit 2.

he3ll9o       good, because digits have been EMBEDDED between the characters of a dictionary word without replacing them.

he_ll/o       good, because special characters have been EMBEDDED between the characters of a dictionary word without replacing them.

7he3ll9o      better, because a leading digit has been added to a good password.

7he_ll/o      better, because a leading digit has been added to a good password.

#yorh3ll0$    best, because the password has multiple non-alphanumerics, "your" is misspelled, and it's a phrase you can remember (i.e. "count your hellos").

!<>nh8llo$    best, because the password has multiple non-alphanumerics, "in" is incomplete and "anyone" is implied, and it's a phrase you can remember (i.e. "don't exclude [anyone] in hello").

Bad password followed by good password:

student1      bad, just a lowercase word with a number; very easy to crack.

Stu&1Dnt      good, misspell and split the word; also add some capital letters and punctuation.

indy500       bad, just a lowercase word with a number, plus it's a common phrase.

iNDy5Hn't{    good, change capitalization, remove the double zero, and add a brace.

dog3cat       bad, still just words with a number.

do3gc3at      good, the same words and the same number so you can remember it, but chopped up so that it's hard to guess.

abc123        bad, a standard pattern, easily guessed by the computer's cracking dictionaries.

a1bB2$c3      good, double up the b's, add a capital letter and a dollar sign.

ats1029       bad, initials plus birth date; easily researched, not too secure.

1a0T2s9       good, one capital letter, plus mixing the numbers and letters; much, much tougher to crack.

Teacher2      bad, an example from a second-grade teacher to be.

ItchK-5Grd    good, a sentence: "I teach K through 5th grade."

14France      bad, the 14 is from Bastille Day, 14 July.

VvlaFr14      good, based on a sentence, "Vive la France," with the same 14.
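The "refrain from" guidelines and the good/bad examples above can be turned into a checker that thinks the way the cracking dictionaries described on this page do. The script below is an added example, not code from the original page; its word list, common-pattern list and look-alike table are small constructed stand-ins for the dictionaries and rules a real cracker ships with, so a clean result here is a floor rather than a guarantee.

```python
"""Checker for the password guidelines on this page.

Added example, not code from the original page.  It models the tricks the
page says crackers use (dictionary words with digits tacked on, reversed
words, look-alike substitutions, letters REPLACED by digits) against a
constructed word list.  A real cracker ships far larger dictionaries and
rule sets, so "no violations" here is a floor, not a guarantee.
"""
import re

# Constructed stand-in for a cracking dictionary (real ones hold 100k+ words).
WORDLIST = {"hello", "student", "indy", "dog", "cat", "exchange", "captain",
            "kirk", "spock", "teacher", "france", "password", "fund"}
# Constructed list of patterns every cracker tries first.
COMMON = {"abc123", "123456", "qwerty", "password"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "0123456789",
                 "abcdefghijklmnopqrstuvwxyz")
# Look-alike substitutions a cracker undoes (the "capta1n k1rk mr$p0ck" trick).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "8": "b", "$": "s", "@": "a", "!": "i"})


def dictionary_hit(pw):
    """Return the dictionary word(s) a mangling-rule attack would recover
    from pw, or None if none of the modelled rules reaches a word."""
    low = pw.lower()
    # Rules that keep the letters in place: as typed, undo look-alikes, reverse.
    for form in (low, low.translate(LEET), low[::-1]):
        tokens = re.findall(r"[a-z]+", form)   # letter runs between digits/symbols
        if tokens and all(t in WORDLIST for t in tokens):
            return " ".join(tokens)            # student1, dog3cat, capta1n, olleh
    # Letters REPLACED by digits/symbols (h3ll4, he22o): treat every non-letter
    # as a wildcard and compare against same-length words.  Embedded digits
    # (he3ll9o) change the length, so this rule does not reach them.
    if any(c.isalpha() for c in low):
        for word in WORDLIST:
            if len(word) == len(low) and all(
                    not c.isalpha() or c == w for c, w in zip(low, word)):
                return word
    return None


def check(pw, personal=()):
    """List the guideline violations for pw.  `personal` holds strings an
    attacker could research (user id, initials, birth date, pet's name)."""
    low = pw.lower()
    issues = []
    if len(pw) < 6:
        issues.append("shorter than 6 characters")
    if not re.search(r"[^A-Za-z0-9]", pw):
        issues.append("no non-alphanumeric character")
    if pw.isdigit():
        issues.append("all digits")
    if low in COMMON or any(len(low) >= 4 and low in row for row in KEYBOARD_ROWS):
        issues.append("common or keyboard pattern")
    if re.fullmatch(r"(.+?)\1+", low):          # 8dx8dx, aaaa
        issues.append("short repeated phrase")
    for item in personal:
        if item and item.lower() in low:
            issues.append(f"contains personal data {item!r}")
    hit = dictionary_hit(pw)
    if hit:
        issues.append(f"dictionary-based ({hit!r})")
    return issues


if __name__ == "__main__":
    for pw in ("hello", "h3ll4", "he22o", "he3ll9o", "he_ll/o", "7he_ll/o",
               "student1", "Stu&1Dnt", "dog3cat", "do3gc3at", "capta1n",
               "olleH", "8dx8dx", "asdfgh"):
        print(f"{pw:12} {check(pw) or 'no violations found'}")
    print("ats1029     ", check("ats1029", personal=("ats", "1029")))
```

Run it on the page's own pairs: every "bad" example trips either the dictionary model or one of the pattern rules, while the "good" ones pass, except that do3gc3at is still reported for lacking a non-alphanumeric, which is the page's own "try to include at least one" guideline. The personal-data check only works if you feed it what an attacker could research, which is exactly the point the page makes about research being the key.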


Remembering your passwords:

We won't say don't write them down. We will say don't use a pencil!!!

Here are some programs you can use to store your passwords. They are free and encrypted. You WILL have to remember a master password. These programs are local to a single computer, but the files containing your passwords can be backed up. (Don't print them out; it's just like using a pencil.)

Both of these use the Blowfish cipher.

Techie data: block cipher; 64-bit block; variable key length, 32 to 448 bits; much faster than DES and IDEA; http://www.counterpane.com/blowfish.html

*Access Manager

Advantage - simple, idiot-proof icons

Disadvantage - database isn't easily maintained (backed up and switched)

Website - http://www.citi-software.co.uk/am/index.htm

*Password Safe

Advantage - has an option to back up your database.

Disadvantage - isn't as clean as Access Manager and lacks filtering features for large numbers of passwords.

Website - http://www.counterpane.com/passsafe.html


Password Cracking Test Results

Test Setup

Server: Compaq P5500 with two Xeon 400 MHz CPUs

Crack software: L0phtCrack

Default setup: dictionary/brute-force hybrid enabled, 2 characters

Test Results Matrix

Password Type                              Length  Example                  Estimated Time
Dictionary A-Z                                  8  Exchange                 <1 sec
                                                9  Exchange A               <1 sec
                                               10  Exchange Ab              <1 hr 15 min
                                               11  Exchange Use             <1 hr 20 min
                                               12  Exchange User            <1 hr 20 min
                                               13  Exchange UserA           <3 hrs 2 min
                                               14  Exchange UserAb          <3 hrs 10 min
Alphanumeric A-Z, 0-9                           8  4Exchange                <23 hrs 50 min
                                                9  4Exchange                <25 hrs 10 min
                                               10  4Exchangel               <27 hrs 30 min
                                               11  -                        -
                                               12  4Exchangel 2A            <34 hrs 50 min
                                               13  -                        -
                                               14  4Exchange2User           <39 hrs 20 min
Alphanumeric plus special characters            8  (example illegible)      <130 hrs 10 min
  A-Z, 0-9, !@#$%^&*()-_+=                      9  -                        -
                                               10  (example illegible)      <203 hrs 30 min
                                               11  -                        -
                                               12  -                        -
                                               13  -                        -
                                               14  (example illegible)      <223 hrs 50 min
Alphanumeric plus advanced special characters   8  (example illegible)      <2365 hrs 10 min **
  A-Z, 0-9, !@#$%^&*()-_+= {}`~<>:;|\,./[]      9  -                        -
                                               10  (example illegible)      <2170 hrs 8 min *
                                               11  -                        -
                                               12  -                        -
                                               13  -                        -
                                               14  (example illegible)      <2335 hrs 41 min *

Cells marked "-" were left blank in the original results. Example passwords marked "(example illegible)" could not be recovered from the source.

* The estimated time displayed by the cracker after the first 2 characters had been found.
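A candidate-count model for the matrix, as an added example that is not part of the original test or page. It reads the "dictionary/brute hybrid, 2 characters" setting as: every dictionary word is tried as-is and with up to two characters appended, and only then does plain brute force over the chosen character set begin. The guess rate, the dictionary size and case-insensitive matching are assumptions of the model, not figures from the page; the alphabet sizes are taken from the matrix row headers.

```python
"""Candidate-count model for the L0phtCrack test matrix above.

Added example, not from the original page.  Counts how many guesses the
hybrid pass (dictionary word + up to `extra` appended characters) and the
brute-force pass (every string over an alphabet) need, and converts them
to hours at an ASSUMED guess rate.  It shows why "Exchange A" fell in
under a second while "Exchange Ab" and "4Exchange" did not: the first is
word+2 and inside the hybrid's reach, the other two are not.
"""

# Alphabet sizes for the four rows of the matrix.
CHARSETS = {
    "dictionary A-Z": 26,
    "alphanumeric A-Z 0-9": 36,
    "alphanumeric + !@#$%^&*()-_+=": 36 + 14,
    "alphanumeric + advanced specials": 36 + 14 + len("{}`~<>:;|\\,./[]"),
}
ASSUMED_GUESSES_PER_SEC = 2_000_000   # assumption: not a figure from the page
ASSUMED_DICTIONARY_WORDS = 50_000     # assumption: size of the cracker's word list


def brute_force_candidates(alphabet, max_len):
    """Every string of length 1..max_len over `alphabet` symbols."""
    return sum(alphabet ** n for n in range(1, max_len + 1))


def hybrid_candidates(words, alphabet, extra=2):
    """Dictionary words with 0..extra characters appended."""
    return words * sum(alphabet ** k for k in range(extra + 1))


def hours(candidates, guesses_per_sec=ASSUMED_GUESSES_PER_SEC):
    """Worst-case wall-clock hours to exhaust `candidates`."""
    return candidates / guesses_per_sec / 3600


def hybrid_reaches(password, wordlist, extra=2):
    """True if the hybrid pass finds `password`: a word list entry with at
    most `extra` characters appended.  Case-insensitive comparison is an
    assumption of this model."""
    low = password.lower()
    return any(low.startswith(w) and len(low) - len(w) <= extra for w in wordlist)


def charset_growth(small, large, length):
    """How many times more brute-force work the larger alphabet costs at a
    given length (the jump between matrix rows)."""
    return brute_force_candidates(large, length) / brute_force_candidates(small, length)


if __name__ == "__main__":
    words = {"exchange"}                    # constructed mini word list
    for pw in ("Exchange", "Exchange A", "Exchange Ab", "4Exchange"):
        where = "hybrid pass" if hybrid_reaches(pw, words) else "brute force only"
        print(f"{pw:12} {where}")
    print(f"\nhybrid pass over {ASSUMED_DICTIONARY_WORDS:,} words, 2 extra chars: "
          f"{hours(hybrid_candidates(ASSUMED_DICTIONARY_WORDS, 26)):.2f} h (assumed rate)")
    print(f"\nbrute-force hours at {ASSUMED_GUESSES_PER_SEC:,} guesses/s (assumed):")
    print(f"{'alphabet':34} " + "  ".join(f"{n:>10}" for n in range(8, 15)))
    for name, size in CHARSETS.items():
        cells = "  ".join(f"{hours(brute_force_candidates(size, n)):>10.3g}" for n in range(8, 15))
        print(f"{name:34} {cells}")
    print(f"\n36 -> 65 symbols at length 8 costs x{charset_growth(36, 65, 8):.0f}; "
          f"the matrix shows roughly x100 (23h50 -> 2365h)")
```

The absolute hours depend entirely on the assumed rate, so read them only relative to one another: doubling the alphabet from 36 to 65 symbols at length 8 multiplies the brute-force work by about a hundred, which is the same order as the jump between the alphanumeric and advanced-special rows of the matrix. The hybrid check is the more practical lesson: a dictionary word with one or two characters tacked on is found long before brute force starts, regardless of the alphabet.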

Editor:

Richard S. Jeong