How to Pick a Genuinely Secure Password

Wed Jan 17, 2007 3:24AM EST


When it comes to security, Bruce Schneier is a god among us mere mortals. He has written some of the most influential books on computer security and cryptography ever printed, and his blog is essential reading for anyone on the Internet.

So when Bruce says here's how to create a secure password (and how he creates his own passwords), I listen. His post on the topic is extensive, so I'll try to boil it down to the essentials. If you have the time, I encourage you to read the whole thing, though.

First question: How are passwords cracked, anyway? Not, for the most part, by blind brute force over every possible string, but by "dictionary" attacks, where software guesses candidates built from common words and phrases in various combinations. Sure, we know that "password" and "qwerty" are easy to crack, but password crackers have gotten much more sophisticated these days. Now they check hundreds of these common "root" passwords (here's a list) in combination with various "appendages," including all two- and three-digit combinations, single symbols (like ! and ?), dates from 1900 on, and a few others. The crackers also sub in common characters like "3" for "E" and other typical leet-speak substitutions. Each of those tweaks multiplies the candidate list rather than defeating it: a few hundred roots times a thousand-odd appendages times a handful of substitutions is still only a few million guesses, which is nothing for a cracker.

What's that mean? Basically, if you thought the safe-looking pigl3t9! was a secure password, you're sadly mistaken: it is just the common root "piglet" with one leet substitution and a digit-plus-symbol appendage tacked on the end, exactly the pattern the cracker tries first. Any modern password cracker that has a copy of the password hash (from a stolen database, say, or a lifted laptop) will suss it out in a matter of minutes. Note the distinction: a website that locks you out after a few failed logins limits online guessing, but once the attacker has the hash, nothing rate-limits them.

Before you begin to despair, Schneier offers simple rules for creating a password that cannot be easily cracked by such methods. (Mind you, given enough time, any password can be cracked. The goal is to put yours outside the patterns the cracker tries first, so that it has to fall back to slow, exhaustive search.)

The trick is to use a "root" that is not in that list I linked above (or in any dictionary), and to put your "appendage" (or two of them) in an unusual place: either in the middle of the root or at both the beginning and the end.

Schneier's example is to use a word that you can pronounce but which is spelled "wrong": armwar, pitchsure or baysball are all examples. Then attach your appendage(s): arm9!9war or 1066pitchsure6601 or bay1776sball. It shouldn't take much effort to commit any of these to memory. One caveat: once a trick like this is published, crackers add it to their rule lists, so the misspelling should be your own, not one you read in an article (including the examples here).
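To make the multiplication concrete, here is a toy model of the rule-based attack described above, written for this page as an added example (it is not Schneier's code nor that of any real cracker). It builds every candidate a simplified cracker would try from a constructed seven-word root list, the leet substitutions, and the appendage classes named above, then checks which of the article's passwords fall inside that set. The symbol set, the digit-plus-symbol appendage class and the 2007 cut-off for years are my assumptions, not something the post specifies.

```python
"""Toy model of the rule-based password cracker the post describes.

Constructed example for this page, not Schneier's code nor any real tool:
candidates = root words x leet-speak substitutions x appendages, with the
appendage placed at either end of the root. Real crackers use far larger
lists, but the shape of the search is the same.
"""
import itertools
import string

# Constructed stand-in for the cracker's list of common "root" passwords.
# The real list in the linked post has hundreds of entries.
ROOTS = ["password", "qwerty", "piglet", "dragon", "letmein", "baseball", "armour"]

# Leet-speak substitutions the article says crackers try (e.g. "3" for "e").
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5", "t": "7"}

SYMBOLS = "!?@#$%&*"   # assumed set of "single symbols"
LAST_YEAR = 2007       # assumed: dates from 1900 up to the year of the post


def leet_variants(word):
    """Every string obtainable by applying LEET to any subset of word's letters."""
    options = [(c, LEET[c]) if c in LEET else (c,) for c in word.lower()]
    return {"".join(chars) for chars in itertools.product(*options)}


def appendages():
    """The appendage classes the article lists, plus one assumed class."""
    yield ""                                   # the bare root
    for n in (2, 3):                           # all two- and three-digit strings
        for digits in itertools.product(string.digits, repeat=n):
            yield "".join(digits)
    for sym in SYMBOLS:                        # single symbols
        yield sym
    for year in range(1900, LAST_YEAR + 1):    # four-digit years
        yield str(year)
    # Assumed to be among the article's "few others": one digit and one symbol.
    for d in string.digits:
        for sym in SYMBOLS:
            yield d + sym
            yield sym + d


def candidates():
    """Yield every guess the toy cracker makes: variant + appendage, both orders."""
    apps = list(appendages())
    for root in ROOTS:
        for variant in leet_variants(root):
            for app in apps:
                yield variant + app   # appendage at the end, the usual place
                yield app + variant   # appendage at the start


CANDIDATES = frozenset(candidates())


def is_cracked(password):
    """True if the toy cracker would guess this password."""
    return password in CANDIDATES


def keyspace_size():
    """Number of distinct guesses the toy cracker makes."""
    return len(CANDIDATES)


if __name__ == "__main__":
    print(f"{keyspace_size()} candidates")
    for pw in ["pigl3t9!", "password123", "qwerty1999",
               "arm9!9war", "1066pitchsure6601", "bay1776sball"]:
        print(f"{pw:20} {'cracked' if is_cracked(pw) else 'outside the pattern'}")
```

Running it, pigl3t9!, password123 and qwerty1999 are all in the candidate set, while arm9!9war, 1066pitchsure6601 and bay1776sball are not, even though baseball is on the root list: the middle placement alone breaks the pattern. The whole set is under 200,000 strings, which a cracker exhausts almost instantly against a fast, unsalted hash, and growing the root list to the hundreds the post mentions only multiplies that linearly. That is why "outside the pattern" matters more than "looks random".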

See also:
How Pathetic Is Your Password?
Frequent Password Change Policy: A Bad Idea
10 Myths About Windows Passwords

Comments on How to Pick a Genuinely Secure Password


  • 1 Posted by usangel1on1 on Wed Jan 17, 2007 11:47AM EST

    Great idea, simple yet brilliant. I am presuming that most software will use a dictionary, so if a word is misspelled it will be more difficult to figure it out! I will definitely use this method of password creation. Thanks, Keith

  • 3 Posted by yasoumalaka2004 on Fri Jan 19, 2007 2:35PM EST

    Well, I just got a program to brute force a rar file using my password. I set the range from 4 - 14 in length using upper case and lower case with numbers, which I use, and it won't complete length 4 for 8 days. If I use this password for things on the net then how are they going to run a brute force of this magnitude? Don't they only get around 5 tries? I think it's possible that the advice in this article is a bit of overkill.

  • 4 Posted by yasoumalaka2004 on Fri Jan 19, 2007 5:26PM EST

    OK, here is an example of a password that takes my Opteron @ 2.9GHz 276 days to crack with a brute force attack: V9hyX

  • 5 Posted by anrobr on Sun Jan 21, 2007 3:14AM EST

    Length is important too. As an example, while testing security against a network computer that stored hashes of users from an Active Directory, an old Athlon 3200+ was able to try EVERY 7-digit combination of uppercase/lowercase letters and numbers in under 21 hours. With 8 digits it went up to 30+ days, and at 9 digits it was basically useless. However, there are newer, faster ways as well (i.e. rainbow). Of course, as the gent's blog states, depending on the app or what is being broken, your mileage will vary.

