How to Pick a Genuinely Secure Password

Wed Jan 17, 2007 3:24AM EST


When it comes to security, Bruce Schneier is a god among us mere mortals. He has written some of the most influential books on computer security and cryptography ever printed, and his blog is essential reading for anyone on the Internet.

So when Bruce says here's how to create a secure password (and how he creates his own passwords), I listen. His post on the topic is extensive, so I'll try to boil it down to the essentials. If you have the time, I encourage you to read the whole thing, though.

First question: How are passwords cracked, anyway? Primarily through "dictionary" attacks, where software guesses a password by running through a series of common words and phrases in various combinations. Sure, we know that "password" and "qwerty" are easy to crack, but password crackers have gotten much more sophisticated these days. Now they check hundreds of these common "root" passwords (here's a list) in combination with various "appendages," including all two- and three-digit combinations, single symbols (like ! and ?), dates from 1900 on, and a few others. The crackers also substitute common characters like "3" for "E" and other typical hacker-speak replacements.

What's that mean? Basically, if you thought the safe-looking pigl3t9! was a secure password, you're sadly mistaken. Any modern password cracker will suss it out in a matter of minutes.

Before you begin to despair, Schneier offers simple rules for creating a password that cannot be easily cracked by such methods. (Mind you, given enough time any password can be cracked; this just makes it much harder.)

The trick is to use a "root" that is not in the list I linked above, and to put your "appendage" (or two of them) in an unusual place: either in the middle of the root, or at both the beginning and the end.

Schneier's example is to use a word that you can pronounce but which is spelled "wrong": armwar or pitchsure or baysball are all examples. Then attach your appendage(s): arm9!9war or 1066pitchsure6601 or bay1776sball. It shouldn't take much effort to commit any of these to memory.
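To make the cracker model above concrete, here is a small checker, added for this write-up and not taken from Schneier's post or this article, that applies the root-plus-appendage logic in reverse: it peels appendages off the ends of a candidate password, undoes the common character substitutions, and asks whether what is left is a listed root. The root list and the substitution table are constructed stand-ins for the much longer lists a cracker carries; treating a single digit as an appendage is my own assumption, made so that the article's pigl3t9! example is caught.

```python
import re
from typing import Tuple

# Constructed stand-in for the linked list of common "root" passwords.
# The real list the article refers to is far longer; this is just enough
# to exercise the check.
COMMON_ROOTS = {
    "password", "qwerty", "letmein", "welcome", "monkey", "dragon",
    "piglet", "baseball", "football", "sunshine", "princess", "master",
}

# A handful of the "hacker-speak" substitutions crackers undo (constructed;
# a real table is larger and maps some characters to several letters).
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "0": "o",
                      "$": "s", "5": "s", "7": "t"})

# One appendage as the article describes it: a short run of digits
# (two- and three-digit combinations, four-digit years; single digits are
# treated the same way here, an assumption) or one non-alphanumeric symbol.
HEAD_APPENDAGE = re.compile(r"^(?:\d{1,4}|[^A-Za-z0-9])")
TAIL_APPENDAGE = re.compile(r"(?:\d{1,4}|[^A-Za-z0-9])$")


def strip_appendages(password: str, max_per_end: int = 2) -> str:
    """Peel up to max_per_end appendages off each end and return the root.

    Appendages placed in the middle of the root are deliberately left alone:
    that is exactly the placement the article recommends.
    """
    core = password
    for _ in range(max_per_end):
        m = TAIL_APPENDAGE.search(core)
        if m and m.start() > 0:          # never strip the whole string
            core = core[:m.start()]
    for _ in range(max_per_end):
        m = HEAD_APPENDAGE.search(core)
        if m and m.end() < len(core):
            core = core[m.end():]
    return core


def normalize_leet(root: str) -> str:
    """Undo common substitutions so 'P@ssw0rd' compares as 'password'."""
    return root.lower().translate(LEET)


def assess(password: str) -> Tuple[bool, str]:
    """Return (matches_cracker_pattern, recovered_root).

    True means the password is a listed root, possibly disguised by leet
    substitutions, with appendages only at the ends: the shape the article
    says a modern dictionary cracker tries first.
    """
    root = normalize_leet(strip_appendages(password))
    return root in COMMON_ROOTS, root


if __name__ == "__main__":
    # Constructed samples: the article's weak example, a classic "clever"
    # password, and Schneier's three suggestions.
    samples = ["pigl3t9!", "P@ssw0rd2007", "qwerty!",
               "arm9!9war", "1066pitchsure6601", "bay1776sball"]
    for pw in samples:
        weak, root = assess(pw)
        print(f"{pw:20} root={root!r:18} {'WEAK' if weak else 'ok'}")
```

Run as a script it prints one line per sample: the first three come back WEAK because stripping the appendages and undoing the substitutions recovers "piglet", "password" and "qwerty", while Schneier's three survive because the recovered root is either misspelled (pitchsure) or still has the appendage lodged in its middle. The checker only knows about the attack the article describes; a password that passes it is merely not in the cheapest tier of guesses.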

See also:
How Pathetic Is Your Password?
Frequent Password Change Policy: A Bad Idea
10 Myths About Windows Passwords

Comments on How to Pick a Genuinely Secure Password


  • 147 Posted by mo2land on Thu Sep 3, 2009 7:24PM EDT

    I would like to appreciate the work.

  • 148 Posted by shelby_keeler on Thu Sep 3, 2009 9:18PM EDT

    Thanks for this. Even though I have had this password for a year, my MySpace got hacked into and they changed everything. I probably have the longest password in the world. To #124: I totally agree with you.

  • 150 Posted by z_apps_37 on Thu Sep 3, 2009 11:02PM EDT

    If you know anybody with SCO (Caldera) Unix, try this: in the command shell you can get the passwd program to give you suggestions for passwords. It gives you phonetic ways to remember them. If you keep pressing, it will come up with thousands of 8 to 10 character suggestions like "YiHaMy1nOg" or "TykSv1y3tZ". It depends on the security setting of the system you can test. I have a system to do this on and always use this for my passwords.

  • 151 Posted by wolkid1 on Thu Sep 3, 2009 10:49PM EDT

    So, Mr. Null guy, I am assuming that you know this because you brute-force hack? If so, then won't you be wanted by the government? Honestly, how do I know that you won't use your password sense against me after I post this?

  • 152 Posted by raw.lobby on Thu Sep 3, 2009 8:29PM EDT

    OK, I like his ideas... but sorry to tell you, no hackers use dictionary guessers these days. It's called a keylogger. People use them; it monitors every keystroke you touch. There's no way to get past that unless you don't open up stupid files.

  • 153 Posted by sonu.padal on Thu Sep 3, 2009 9:33PM EDT

    Hey, it's a great idea. I will follow this method. The length of the password matters to the strength of the password.

  • 154 Posted by grigorem on Thu Sep 3, 2009 4:13PM EDT

    Are you stupid to write something like this?? Stop dreaming about finding the perfect password, people. Your password may be the best choice, but most of the time websites are hacked using security flaws in the website scripts or server, NOT by hacking your password. A lot of people over here mention that almost any website today locks your account after 3-5 attempts to log in if the password is wrong. The dictionary attacks are not for websites, and this article is stupid enough to consider that the only threat... Instead of password attacks, in real life I am confronting every day attacks based on server flaws, attacks based on script flaws, on upload flaws, based on stupid settings on the servers, or devil keyloggers recording the password as you type it... no matter if it's 66 characters long. I am a web programmer and in almost 10 years of dealing with different attacks on my websites I can tell you only 1% was related to successful password attacks. This is the real life. Very different from the stories security experts write for you. Chinese discovering collisions in algorithms like MD5 (in use all over here), hackers gaining access rights on the servers. Your password?? Who cares about that if there are so many other ways to get inside...

  • 155 Posted by omer_metin2007 on Thu Sep 3, 2009 7:45PM EDT

    Please send me the password of this messenger ID, andreeea_anny_deea; it's mine, and I can't remember my password. Please send it to my mail omer_metin2007@yahoo.com, please very much. Thank you.

  • 156 Posted by binargs on Thu Sep 3, 2009 3:08PM EDT

    This is a better way to do security: http://cirlare.com/htmls/resources/passphrases.html
