Wed Jan 17, 2007 3:24AM EST
See Comments (157)
When it comes to security, Bruce Schneier is a god among us mere mortals. He has written some of the most influential books on computer security and cryptography ever printed, and his blog is essential reading for anyone on the Internet.
So when Bruce says here's how to create a secure password (and how he creates his own passwords), I listen. His post on the topic is extensive, so I'll try to boil it down to the essentials. If you have the time, I encourage you to read the whole thing, though.
First question: How are passwords cracked, anyway? Primarily through dictionary attacks, where software guesses a password by running through lists of common words and phrases and systematic variations of them, rather than trying every possible string. (These guesses are normally made offline, against a captured password hash or encrypted file, not by typing them into a login form, which is why a three-strikes lockout does nothing to slow them down.) Sure, we know that "password" and "qwerty" are easy to crack, but password crackers have gotten much more sophisticated. Now they check hundreds of these common "root" passwords (here's a list) in combination with various "appendages," including all two- and three-digit combinations, single symbols (like ! and ?), dates from 1900 on, and a few others. The crackers also substitute characters like "3" for "E" and other typical hacker-speak substitutions.
What's that mean? Basically, if you thought the safe-looking pigl3t9! was a secure password, you're sadly mistaken: it is just the common root "piglet" with one substitution and a short appendage on the end, exactly the pattern these tools enumerate first. Any modern password cracker will suss it out in a matter of minutes.
Before you begin to despair, Schneier offers simple rules for creating a password that such methods won't find easily. (Mind you, given enough time, any password can be guessed; the point is to push yours outside the root-plus-appendage patterns the crackers try first, so that finding it takes far longer.)
The trick is to use a "root" that is not in the list linked above, and to put your "appendage" (or two of them) in an unusual place: either in the middle of the root or at both the beginning and the end.
Schneier's example is to use a word you can pronounce but that is spelled "wrong": armwar, pitchsure, or baysball. Then attach your appendage(s): arm9!9war, 1066pitchsure6601, or bay1776sball. It shouldn't take much effort to commit any of these to memory.
See also:
How Pathetic Is Your Password?
Frequent Password Change Policy: A Bad Idea
10 Myths About Windows Passwords
Man, Mr. Null, how the heck do you handle these comments?
You would think that a large corporation such as Yahoo would hire a credentialed technical writer to create its columns, but once again, it looks like a m_npower temp got made full time without doing the old background check. What am I talking about? Christopher Null's lack of command of the written English word. No Chris, not English beer, like a pint of Courage. English language, like the grammar, composition, and spelling you skipped classes on. How insensitive to your readers' faith; how politically incorrect; to have the lack of concern or an editing staff that reads the drivel you're allowed to post. It's one thing to quip humor about a god among us mere mortals, but another when your ignorance has you taking the name of the creator (G_d) out of context. I seriously doubt Mr. Bruce Schneier's book editor would have allowed that slip. Shame on all of you. Go read the NY Times, where Null and Void isn't the name of a discount law firm.
I am having trouble understanding the scope of this article. The substance here is strong on changing the common spelling of words such as baseball, which could have been expressed in a few short lines. My concerns are now enhanced by trying to understand more on how hacker software works, especially brute force software. I for one see little information on this subject. If we knew more about what it searches for, one would have a much greater understanding of what type and category of words to avoid. (For example, a younger person may choose a sports figure password - VINCEYOUNG, who is a rookie quarterback for Tennessee - but someone older may pick BABERUTH for their password.) How does this software react with the, say, higher security areas? Does anything have the ability to override a two- or three-try limit before the secure area shuts down? What are the guidelines in writing such software? Surely we need expressed a clear concept of what is targeted and what is and is not possible. The article was too weak to support much good in that respect.
I keep hearing about hackers' feats at cracking passwords. Most programs or sites with password access limit the number of tries to a few before locking up. Three strikes (or five) and you are out. How then can hackers run thousands (or a zillion) trial passwords before hitting the right one?
fab4u4lust, especially for those who are new at this.
This article didn't mention server sites that now require you to ALSO enter the security word that is displayed as an image. Doesn't this prevent these programs from automatically running multiple attempts at trying to hack a password?
The U.S. Department of Defense has recognized the need to educate its users on Information Assurance (IA) issues. All of the web-based IA training is freely available to U.S. residents. One such training course is a product designed to help people develop more secure passwords. The online training takes about 15 minutes to complete and provides some valuable guidelines on how to secure your password. There are several other free training products available on CD. They even pay for shipping and handling if the address is in the U.S. For a complete description of all the IA training products available for free, please visit: http://iase.disa.mil/eta/ProductDes.pdf
At this time in age, if someone wants your password that badly they aren't going to brute you.. and if they do, they can have a multi-system with multiple proxies going to brute it in a few hours.. regardless of the size of a password. They truly don't give enough credit to a person who, if they are that interested in hacking something of useless or NO value, will be willing to spend a few 100 dollars extra to set up a few good computers to brute.. Nobody is truly safe from hackers.. Look at the government computers.. A few years ago they admitted to having over 5,000,000+ hacker attacks on government protected computers, and they also stated that they only catch about 1 out of every 50,000 hacker attacks. Even at that, they would rather hire the hacker than punish them.. In all respect, this column is useless because if government computers with 50+ character passwords and encryptions are not safe from "simple commoners" that can connect from anywhere, then what's the chance that some random person can be protected? That's right, there isn't any way in the world that you're ever safe. Hackers get smarter every day and the only true way you can be safe is to have a 15+ character pass and change it daily. Which, if the hacker is that determined, they will just keylog you rather than brute a constantly changing pass. --Thanks for your time.
Wow!! Not only is Christopher Nulls (if I put an apostrophe in, Yahoo substitutes the phrase #39 for it) biography written by him, its all about him, with plenty of shameless self promotion. The nerve to call himself a writer. By whose credentials?? His own?? A biography is written by another person, who omits any injection of ego from the information. Its also a list of tenure chronologically written so that we may appreciate the contributions made through various publications. Its not a place for wow wee let me toot my own horn a dozen times. I haven't seen such self absorbed narcissistic pandering since the Clinton era. No, Im not jealous. Im embarrassed and offended. Yahoo must be so desperate to cut corners, they allow content creators to simply roll their own columns, including FTP right onto the final publishing server.
Masotil, they can run multiple proxies, which when the site reads it, it sees a totally different person on a different computer from what it understands. So they can have BILLIONS of guesses every hour just because the computer thinks it's a new person after every 2 or 3 tries..
How to make a 'genuinely secure' password, eh? LoL, what planet are you from to say this? NOTHING IS SAFE, you say so yourself.. you are a fool to lead people to believe your flashy headline will pull the readers in; give up the subject matter. People- I assure you this clown knows something, but won't reveal the core of the issue- HACKERS ARE REAL, THEY WILL FIND A WAY, THAT'S WHAT THEY DO!!!!! YOU ARE NEVER SAFE!
I have a simple way to create a password that is not based on any word or number substitution. Pick a phrase that you can remember, like "wouldn't it be nice to have some eggs for breakfast", then take the first letter of each word, wibnthsefb, then you can do a substitution, w1bnths3fb. You can pick a short or long phrase, but you have to admit phrases are easy to remember, and how hard would "w1bnths3fb" be to crack....
When I clicked on 'here's a list', I got the familiar 'this page cannot be displayed'. Did anyone else have this problem? Very informative article. Thanks!
Most people need not worry about having a truly "ultimate" password; hackers have a high goal, and usually it doesn't concern the average person.
An easier way is to use an abbreviation of a phrase you know. For example: "yamtssfa" is an abbreviation of a line from the Beatles song "Yesterday", and stands for: "Yesterday All My Troubles Seemed So Far Away". This password looks totally random, yet easy to remember for the one who knows the phrase (all you have to do is remember the phrase).
The only thing I can really think that hackers would try to steal would be eBay, PayPal, or the saddest one.. gamer accounts for games where items have value to be sold over the internet, or maybe the hacker just wants the items for themselves.. All in all, change your pass daily and you're safe.
how dare you call a mere man God? Do you really have an idea who God is?
I know only the surface of this tech-talk but have a basic understanding of what they're talking about. Reading all these comments has been so funny, there should be a panel-comedy show with this stuff as the topic. I'm laughing my head off. That's how you save your password.
Their link to the common words doesn't work!!! That sure is helpful, huh?
26 Posted by dmsteph6577 on Thu Sep 3, 2009 3:45PM EDT Report Abuse
With most Windows XP Pro admin system setups, if your hacker penetrates one login, he can use that particular one for many other things. Attempting to get the cracked account admin rights is one way... another is simply using that one account to bypass the 3-failed-try method. 2 attempts, then a correct login with another user... rinse, repeat. This is also very painful if you have a fox in the henhouse.