Wed Jan 17, 2007 3:24AM EST
When it comes to security, Bruce Schneier is a god among us mere mortals. He has written some of the most influential books on computer security and cryptography ever printed, and his blog is essential reading for anyone on the Internet.
So when Bruce says here's how to create a secure password (and how he creates his own passwords), I listen. His post on the topic is extensive, so I'll try to boil it down to the essentials. If you have the time, I encourage you to read the whole thing, though.
First question: How are passwords cracked, anyway? Primarily through brute-force "dictionary" attacks, in which software guesses the password by running through a series of common words and phrases in various combinations. Sure, we know that "password" and "qwerty" are easy to crack, but password crackers have gotten much more sophisticated. Now they check hundreds of these common "root" passwords (here's a list) in combination with various "appendages": all two- and three-digit combinations, single symbols (like ! and ?), dates from 1900 on, and a few others. The crackers also substitute common characters like "3" for "E" and other typical hacker-speak substitutions.
What does that mean? Basically, if you thought the safe-looking pigl3t9! was a secure password, you're sadly mistaken: it is just the root "piglet" with one common substitution and a short appendage, and any modern password cracker will suss it out in a matter of minutes.
Before you begin to despair, Schneier offers simple rules for creating a password that cannot be easily cracked by such methods. (Mind you, given enough time, any password can be cracked; these rules just make it much harder.)
The trick is to use a "root" that is not in the list I linked above, and to put your "appendage" (or two of them) in an unusual place: either in the middle of the root or at both the beginning and the end.
Schneier's example is to use a word that you can pronounce but which is spelled "wrong": armwar, pitchsure, or baysball, for example. Then attach your appendage(s): arm9!9war, 1066pitchsure6601, or bay1776sball. It shouldn't take much effort to commit any of these to memory.
See also:
How Pathetic Is Your Password?
Frequent Password Change Policy: A Bad Idea
10 Myths About Windows Passwords
Join in the discussion. Here you'll see the comments in the order they were posted.
Yeah, this is fine and dandy, but he is far from up on the times. Brute force hacking is a thing of yesterday and simple keylogging cookies are what real hackers are using. I would like to see an article or two on that! There are cookies getting embedded inside your antivirus files, Windows, and Internet Explorer files that cannot be found and will send their packets of info every time the user logs into the internet. This article is junk to me, as making a password is rather easy to do. But to keep someone else from getting into your hard drive... a little more to the point if you ask me!
Thanks for the new idea.
I grew up in a family that spoke a foreign language... my passwords are mostly badly misspelled foreign words.
Thank you for the advice, but still, how can people actually remember their password without someone cracking it?
Dear Christopher (sounds better than Mister Null), a couple of your links don't work, such as the one to root passwords: http://us.lrd.yahoo.com/_ylt=AsV6UXda7vupmw2sTF5YhXAsLpA5/SIG=11ihpp9cl/**http%3a//geodsoft.com/howto/password/common.htm The original article was good. I suggest you keep your comments shorter and the links fresher. Thanks for your info in any case. With respect, Hanan
The information is very useful right now, but it will probably be useless within a year. Thanks for the help, in any case!
Yes, the man has a good idea, and when I next take a password I will drop a letter out of the words I use.
With Windows Vista here in a few days, the new hard drive lock feature will make it difficult for intruders to exploit. It's even voice activated to the pitch of your voice!! XP is still here for a while but not for long. It will take a few years for it to fade out like the past OSes. Keep an email address private for yourself that is only used for business, like one for your friends and another for your banking. Doing this will lessen your chances of being victimized. We have to remember that the email addresses we "think" we own are not ours, which means the obvious. An administrator always knows your password. So when you keep personal info in your browser's database, such as email, it is there for someone to see.
This article is stupid. Any admin with half a brain locks out a password after 3 failed attempts. Was this written in 1980?
Well, that's a great article, but you can't do much when your password gets phished. People fall for that so easily.
I couldn't get your (here's a list) link for common "root" passwords to work. Could you please post a URL for this?
Nice article. http://www.crimsonsock.com
Maybe if we truly made the crime of hacking someone's password or company, for monetary gain or whatever reason, like 20 yrs in jail, this practice would stop!!!! Big Jerry in Bullhead, AZ
It is the best article I've read.. Having a misspelled word is a great idea. But is it OK to use 6-11 numbers as a password???
How the heck are we ever gonna remember our passwords any more? Write it down and take it with us everywhere? That is so stupid..... gosh, I feel a bit smart now..... never thought people would take this rubbish seriously..... tssk tssk....
I'm surprised that using a foreign or obscure language has never come up. Imagine trying to hack into an "American" computer but the root is in a phonetically spelled version of a Swahili word. It's not likely that the hacker has spent as much time learning multiple languages as he has spent learning his "craft"--all things computers.
Why not use passwords that even you can't remember, using as many symbols and uppercase/lowercase combos as possible, and write them down. DON'T LOSE THEM!!! Then spend $40 on a Microsoft fingerprint reader. The only way someone could figure out your passwords is if they break into your house. Good thing we live in America and not France. We still can shoot ppl who trespass in our homes. California courts may just say that the burglar really didn't wanna kill you, he just wanted to steal your identity, and they send you to jail anyway. :(
what can said? the best security before crack to attack soft and break password can will one option two systems operatin which one keep keys second system and every try on or join to files with other commands how normal itself computer doing is delete, and crack can not see how command use for open system second thanks keys security in first system operation, trying work crack is nonsens because all key keep in system first what can not give possible work how normal crack how in game which orgynal file change for crack, or other idea, and crack dont have option for search keys in first system. so good luck.
Posted by peitzza on Thu Sep 3, 2009 8:05PM EDT
Sorry to rain on this parade, but at least for many Windows XP users (including myself) programs like Ophcrack will crack a password using rainbow tables within about 5 minutes. This includes all alphanumeric passwords up to 14 characters, and slightly longer for passwords containing special characters. I didn't believe it until I downloaded the program and tables and tried it out on my trusty 13-character alphanumeric password. It nailed it in under 3 minutes. I guess I need to look around and see if there's a more secure way to store the passwords in XP, but this is what's default for all of us who use it.
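The comment above is about password storage rather than password choice: a precomputed (rainbow) table works because the stored hash depends on nothing but the password, so one table serves every account. Here is an added example (my own code, not the commenter's and not Ophcrack's) contrasting a table lookup against an unsalted fast hash with a per-user salted, stretched hash; the candidate list, the choice of SHA-1 and PBKDF2-SHA256, the salt length, and the iteration count are all constructed for the demonstration.

```python
"""Added example: precomputed-table lookup vs. salted, stretched storage."""
import hashlib
import hmac
import os

# Constructed candidate list; a real precomputed table covers a whole
# character space (the commenter's "all alphanumeric up to 14 characters").
CANDIDATES = ["password", "qwerty", "letmein", "pigl3t9!", "baseball1"]


def unsalted_digest(password: str) -> str:
    """Fast, unsalted hash: the same input gives the same output for every user."""
    return hashlib.sha1(password.encode()).hexdigest()


def build_table(words) -> dict:
    """Precompute digest -> plaintext once; reusable against any unsalted store."""
    return {unsalted_digest(w): w for w in words}


def lookup(table: dict, digest: str):
    """Recover a plaintext by table lookup, with no hashing at attack time."""
    return table.get(digest)


def salted_digest(password: str, salt: bytes, iterations: int = 50_000) -> str:
    """Per-user salt plus PBKDF2 stretching; algorithm and count are example choices."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def new_salt() -> bytes:
    """16 random bytes per account; stored next to the digest, not secret."""
    return os.urandom(16)


def verify_salted(password: str, salt: bytes, stored: str) -> bool:
    """Constant-time comparison of a recomputed digest with the stored one."""
    return hmac.compare_digest(salted_digest(password, salt), stored)


def demo() -> dict:
    """Show the same password surviving the table once it is salted and stretched."""
    table = build_table(CANDIDATES)
    victim = "pigl3t9!"
    salt_a, salt_b = new_salt(), new_salt()
    return {
        # The attacker's table recovers the unsalted hash directly.
        "unsalted_recovered": lookup(table, unsalted_digest(victim)),
        # The same table finds nothing once a salt is mixed in.
        "salted_recovered": lookup(table, salted_digest(victim, salt_a)),
        # Two users with the same password get different stored values.
        "salts_give_distinct_hashes":
            salted_digest(victim, salt_a) != salted_digest(victim, salt_b),
        # Legitimate login still works because the salt is stored alongside.
        "salted_login_still_works":
            verify_salted(victim, salt_a, salted_digest(victim, salt_a)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With a 16-byte salt the attacker would need a separate table per salt value, which removes the precomputation advantage, and the iteration count makes each remaining guess cost thousands of hash operations instead of one. Windows XP's LM and NTLM hashes are unsalted, which is what makes the table attack the commenter describes practical against that default; the fix belongs on the storage side, which is why applications should use a per-user random salt with a slow derivation rather than relying on users to pick longer passwords.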