How to Pick a Genuinely Secure Password

Wed Jan 17, 2007 3:24AM EST

When it comes to security, Bruce Schneier is a god among us mere mortals. He has written some of the most influential books on computer security and cryptography ever printed, and his blog is essential reading for anyone on the Internet.

So when Bruce says here's how to create a secure password (and how he creates his own passwords), I listen. His post on the topic is extensive, so I'll try to boil it down to the essentials. If you have the time, I encourage you to read the whole thing, though.

First question: How are passwords cracked, anyway? Mostly by guessing in bulk. Cracking tools of the kind Schneier describes work offline, against a captured copy of the stored (hashed) passwords, not by typing guesses into a login form, so the handful of attempts a website allows before locking you out is no obstacle to them. The tools don't try every possible string, either; they run through a "dictionary" of common words and phrases in various combinations. Sure, we know that "password" and "qwerty" are easy to crack, but password crackers have gotten much more sophisticated. They now check hundreds of these common "root" passwords (here's a list) in combination with various "appendages": all two- and three-digit combinations, single symbols (like ! and ?), dates from 1900 on, and a few others. The crackers also substitute common characters like "3" for "E" and other typical hacker-speak swaps.

What's that mean? Basically, if you thought the safe-looking pigl3t9! was a secure password, you're sadly mistaken: it is just the common root "piglet" with a 3 swapped in for the e and a digit-plus-symbol appendage tacked onto the end. Any modern password cracker will suss it out in a matter of minutes.

Before you begin to despair, Schneier offers simple rules for creating a password that these methods can't easily crack. (Mind you, given enough time any password can be cracked; the goal is to make it take far longer than an attacker cares to spend.)

The trick is to use a "root" that is not in the list linked above, and to put your "appendage" (or two of them) in an unusual place: either in the middle of the root or at both the beginning and the end, rather than tacked onto the end where the crackers expect it.

Schneier's example is to use a word that you can pronounce but which is spelled "wrong": armwar, pitchsure or baysball. Then attach your appendage(s): arm9!9war, 1066pitchsure6601 or bay1776sball. None of those roots appears in any wordlist, so the cracker's root-plus-appendage rules never generate them, yet it shouldn't take much effort to commit any of them to memory.
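
To make the root-plus-appendage attack concrete, here is a small Python model of the cracking rules described above, and of why Schneier's construction stays outside them. It is an added example, not code from this article, from Schneier's post, or from the cracking tool he tested. The root list is a constructed stand-in for the list the article links to; the leet pairs beyond "3" for "E", the symbol set, the cut-off year, and a digit-followed-by-symbol appendage (assumed here to be one of the "few others") are this example's assumptions.

```python
import itertools

# Constructed stand-in for the "root" wordlist the article refers to.
# Real cracker wordlists hold hundreds or thousands of such entries.
ROOT_WORDS = ["password", "qwerty", "letmein", "monkey", "dragon", "piglet"]

# Hacker-speak substitutions. The article names "3" for "E"; the other
# pairs are the usual ones and are an assumption of this example.
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "$", "t": "7"}

# Single symbols tried as appendages (assumed set).
SYMBOLS = "!?@#$%&*"


def leet_variants(word):
    """Yield `word` with every subset of the LEET substitutions applied,
    starting with the unmodified word."""
    spots = [i for i, ch in enumerate(word) if ch in LEET]
    for k in range(len(spots) + 1):
        for chosen in itertools.combinations(spots, k):
            chars = list(word)
            for i in chosen:
                chars[i] = LEET[chars[i]]
            yield "".join(chars)


def appendages(last_year=2009):
    """Appendages named in the article: nothing at all, every two- and
    three-digit number, a single symbol, a year from 1900 on, plus (assumed
    to be among the 'few others') a single digit followed by a symbol."""
    yield ""
    for n in range(100):
        yield f"{n:02d}"
    for n in range(1000):
        yield f"{n:03d}"
    for sym in SYMBOLS:
        yield sym
    for year in range(1900, last_year + 1):
        yield str(year)
    for digit in "0123456789":
        for sym in SYMBOLS:
            yield digit + sym


def candidates(roots=ROOT_WORDS):
    """Enumerate guesses the way the rule set does: every leet spelling of
    every root, with each appendage tried as a suffix and then as a prefix.
    Appendages in the middle of the root are never tried."""
    for root in roots:
        for spelled in leet_variants(root):
            for app in appendages():
                yield spelled + app
                if app:
                    yield app + spelled


def guesses_to_crack(password, roots=ROOT_WORDS):
    """Return the number of guesses the rule set needs before it hits
    `password`, or None if the rules never produce it."""
    for n, guess in enumerate(candidates(roots), start=1):
        if guess == password:
            return n
    return None


if __name__ == "__main__":
    samples = ["pigl3t9!", "qwerty1999", "2001dragon",
               "arm9!9war", "1066pitchsure6601", "bay1776sball"]
    for pw in samples:
        n = guesses_to_crack(pw)
        verdict = f"found after {n} guesses" if n else "not produced by these rules"
        print(f"{pw:20s} {verdict}")
```

With this tiny root list the whole rule set is only a few hundred thousand guesses, and pigl3t9!, qwerty1999 and 2001dragon all fall to it, while arm9!9war, 1066pitchsure6601 and bay1776sball are never generated: their roots are not in the list, and their appendages sit in positions (the middle, both ends) and ranges (years before 1900) the rules do not cover. Real tools use far larger root lists and rule sets and run them offline against a copy of the password hashes, which is why the defence is to stay outside the rules rather than to count on a website's lockout.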

See also:
How Pathetic Is Your Password?
Frequent Password Change Policy: A Bad Idea
10 Myths About Windows Passwords

Comments on How to Pick a Genuinely Secure Password

  • 47 Posted by brozenec on Thu Sep 3, 2009 3:14PM EDT

    I get locked out of my online bank accounts, credit cards etc. if my password attempt fails after 3-4 times. This article implies the hackers have an infinite number of tries. How do they get around the limit?

  • 48 Posted by pbouscaren on Thu Sep 3, 2009 8:04PM EDT

    How about fixing the link to the list of common root words? There's little more frustrating than to read an article with broken links. C'mon, let's class it up a little... especially when the main Yahoo page links to the article! While the flame is on, what is up with all those links I keep seeing to 'closed to replies' topics? Flame off... Any replies? If the topic is still open, that is... Ugh!

  • 49 Posted by btrfli1172 on Thu Sep 3, 2009 3:14PM EDT

    God? I think you mean god. Does Yahoo! have editors???

  • 50 Posted by masotil on Thu Sep 3, 2009 7:10PM EDT

    deathtolivinglifetodead - (Re: 44 and 50) Thank you for the explanation. I know that somehow it is done, but I am trying to figure out the logistics involved. Would not the first login session (on PC or terminal 1) have to disconnect before attempting a second guess? The hackers must enlist hundreds of hacked computers to run such assaults. The prize must be worth the effort. Like you say, a PayPal account, a bank account or valuable information. It is probably easiest to hack into a government computer. Most government agencies have primitive websites with probably primitive security provisions.

  • 51 Posted by rrg5401 on Thu Sep 3, 2009 8:53PM EDT

    Thanks for the insight. You're doing a great job!

  • 53 Posted by patthurbon on Thu Sep 3, 2009 8:01PM EDT

    Only the one and only real God is capitalized; any other time you make up a god or refer to a god, it should not be capitalized. How can you be a writer and not know that?

  • 54 Posted by laurenstoll on Thu Sep 3, 2009 4:57PM EDT

    I don't know about the password security thing. My obsessive husband always seems to be able to get into my e-mails. I have changed my password many times and deleted e-mails I think he should not see, but he keeps printing out e-mails I deleted recently or have sent. Any thoughts on how this may be possible?

  • 57 Posted by chaudharys5 on Thu Sep 3, 2009 3:22PM EDT

    Hi Myth Buster, none of your lists are available, as someone has hacked into this site too..... Now what? P

  • 58 Posted by rockgirl232001 on Thu Sep 3, 2009 8:47PM EDT

    I believe there are passwords that can be broken, but now, by reading this article, I can choose my passwords more wisely.

  • 59 Posted by mikeyk255 on Thu Sep 3, 2009 7:20PM EDT

    This article is tripe. Most passwords are found using trojans and other methods far better than a brute force attack; apart from taking a very long time to do, even with several modern computers, most secure sites will not allow more than 3-5 separate attempts at entry without freezing your access. Another internet scare... Just what we need.

  • 60 Posted by tiendacaribe on Thu Sep 3, 2009 10:08PM EDT

    Hello, I must admit, nice article, full of information and very well detailed. I will get down to the point: when I make passwords I use Spanish words and combine them with English words; for the moment this has worked out just fine and no problems.

  • 61 Posted by legage7159 on Thu Sep 3, 2009 6:48PM EDT

    Just keep changing your password every time you get on, like I do, because I can never remember the password I last used. I have a different password for every site I want to visit, that changes constantly.

  • 62 Posted by leerhok on Thu Sep 3, 2009 6:48PM EDT

    When it's that easy to crack passwords - how come so very few bank accounts are emptied by hackers???

  • 63 Posted by amzil9 on Thu Sep 3, 2009 2:53PM EDT

    I just wonder why a hacker would spend so long brute-forcing someone when there are so many easy ways to get people's passwords, I mean all their passwords...! You can just send someone a link calling his attention to some website on a certain server, and when the victim clicks on that link, you can trigger an installing process in the background of the victim's system (which means the victim does not see anything)... even if the victim closes that web page, the installing process goes on until it finishes... but install WHAT? That process installs a very small program, something like 100kb, and that program cannot be detected as malware or a trojan, for it does not contain any information that can harm the system, no suspicious scripts... that program only detects login and password inputs on any active page, takes those passwords, and simply sends them to some given e-mail address... MOREOVER, that program can be destroyed from a distance after having stolen ALL YOUR PASSWORDS...! So watch out, and make sure that a beautiful postcard you get next time can very simply be set up as a program to steal your password WITHOUT ANY HARM TO YOUR SYSTEM.... Why try to get in from the window when you can get in from the door...!

  • 64 Posted by charlotterob on Thu Sep 3, 2009 3:22PM EDT

    It's not only the password that you need to worry about, but also the number of characters that the software or realm will actually use to process the handshake. For example, let's say you create a password containing 13 characters, 1234567890abc, but the system or software will only use 10 characters from the 13 that you have created; now your secure password is not secure anymore. Meaning that when you input your password into the realm or login credential screen fields, the system or software will only use 1234567890 and will ignore the abc characters. Now the question is, will a "secure" password help you? We think that the way to fix this problem is to start teaching a little bit of system security and social skills, starting from the head IT person at a business, and from the ROOT USER at a home. Cesar F, Security Expert @ www.hackersatwork.com
