How to Pick a Genuinely Secure Password

Wed Jan 17, 2007 3:24AM EST


When it comes to security, Bruce Schneier is a god among us mere mortals. He has written some of the most influential books on computer security and cryptography ever printed, and his blog is essential reading for anyone on the Internet.

So when Bruce says here's how to create a secure password (and how he creates his own passwords), I listen. His post on the topic is extensive, so I'll try to boil it down to the essentials. If you have the time, I encourage you to read the whole thing, though.

First question: How are passwords cracked, anyway? Primarily through brute force "dictionary" attacks, where software tries to guess a password by running through a series of common phrases or words in various combinations. Sure, we know that "password" and "qwerty" are easy to crack, but password crackers have gotten much more sophisticated these days. Now, they check hundreds of these common "root" passwords (here's a list)... in combination with various "appendages," including all two- and three-digit combinations, single symbols (like ! and ?), dates from 1900 on, and a few others. The crackers also sub in common characters like "3" for "E" and other typical hacker-speak substitutions.

What's that mean? Basically, if you thought the safe-looking pigl3t9! was a secure password, you're sadly mistaken. Any modern password cracker will suss it out in a matter of minutes.

Before you begin to despair, Schneier offers simple rules for creating a password that cannot be easily cracked by such methods. (Mind you, given enough time, any password can be cracked; these rules just make it much harder.)

The trick is to use a "root" that is not in the list I linked above, and to put your "appendage" (or two of them) in an unusual place: either in the middle of the root or at both the beginning and the end.

Schneier's example is to use a word that you can pronounce but which is spelled "wrong": armwar or pitchsure or baysball are all examples. Then attach your appendage(s): arm9!9war or 1066pitchsure6601 or bay1776sball. It shouldn't take much effort to commit any of these to memory.
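To make the attack model concrete, here is an added example (not from the article or from Schneier) that checks a candidate password against the root-plus-appendage pattern described above; the root list is a constructed six-word stand-in for the hundreds a real cracker uses.

```python
import re

# Constructed stand-in for the "common roots" list the article links to; a real
# cracker's list has hundreds of entries. (Hypothetical sample, not the linked list.)
COMMON_ROOTS = {"password", "qwerty", "piglet", "letmein", "monkey", "dragon"}

# Typical character substitutions the crackers undo ("3" for "E", etc.).
LEET = {"3": "e", "1": "i", "0": "o", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"}

# Appendages the article lists: one to three digits ("two- and three-digit
# combinations ... and a few others"), a single symbol, or a year from 1900 on.
# The empty string is allowed so that a bare root also matches.
APPENDAGE = re.compile(r"(?:\d{1,3}|19\d\d|20\d\d)?[!?#$%*&]?")


def unleet(s: str) -> str:
    """Normalise case and reverse the common substitutions."""
    return "".join(LEET.get(c, c) for c in s.lower())


def dictionary_attack_matches(password: str):
    """Simulate the attack the article describes: root (with leet substitutions)
    plus one appendage at ONE end. Returns (root, appendage) on a hit, else None."""
    n = len(password)
    for i in range(n + 1):
        for j in range(i, n + 1):
            prefix, core, suffix = password[:i], password[i:j], password[j:]
            if prefix and suffix:
                continue  # appendages at both ends are outside this attack model
            appendage = prefix or suffix
            if unleet(core) in COMMON_ROOTS and APPENDAGE.fullmatch(appendage):
                return unleet(core), appendage
    return None


if __name__ == "__main__":
    # pigl3t9! falls; moving the appendage into the middle or to both ends does not.
    for pw in ["pigl3t9!", "P@ssword2006", "pig9!9let", "99piglet!", "arm9!9war"]:
        hit = dictionary_attack_matches(pw)
        print(f"{pw:15} -> {'cracked as root=%r appendage=%r' % hit if hit else 'survives'}")
```

Note that "pig9!9let" survives only because the simulated attack never looks for a split root; a password policy check built on this should treat it as a check against this one attack class, not as proof of strength.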

See also:
How Pathetic Is Your Password?
Frequent Password Change Policy: A Bad Idea
10 Myths About Windows Passwords

Comments on How to Pick a Genuinely Secure Password


  • 66 Posted by louzyboyz on Thu Sep 3, 2009 6:57PM EDT

    This way of making "secure" types of passwords is obsolete here in my country...

  • 67 Posted by cheverejd on Thu Sep 3, 2009 3:23PM EDT

    To #57, your husband must be finding or figuring out your passwords because he knows you well, and probably guesses. And your deleted e-mails are kept in the "deleted items" folder, or "trash bin"; you would have to delete them from there as well.

  • 68 Posted by jflagg1 on Thu Sep 3, 2009 4:34PM EDT

    Shoot. I keep my passwords simple so I don't forget them, but I don't keep *any* sensitive info on a machine connected to the net all the time. IMNSHO, that's the best policy.

  • 69 Posted by alb4ever20022002 on Thu Sep 3, 2009 2:49PM EDT

    Someone hacked on my name last night and I got a change-of-password email and I was like... who did that? Then I got kicked off my name and I changed the password fast to something harder, and someone did the same to my bf's name. I don't know how they did it 'cause my passwords are hard.

  • 70 Posted by tromboner950 on Thu Sep 3, 2009 10:21PM EDT

    This would be a great and informative article... if this were still the 1990s. Not that many hackers even use brute force software anymore, it's all about phishing now.

  • 73 Posted by rocklady49 on Thu Sep 3, 2009 8:47PM EDT

    The link to the list did not load for me. IE said it could not be found, twice.

  • 74 Posted by x_cybernet_x on Thu Sep 3, 2009 10:54PM EDT

    Keylogging is so easy for hackers now it's practically scary. All they need is to make you open a website, email address, text link or exe file to get you. The most common danger zones are forums, mail boxes, websites, downloaded files and mp3s. Even a 6 year old can keylog you once they get the program. Total blasphemy.

  • 75 Posted by griffdog1996 on Sun Jan 21, 2007 10:32AM EST

    Another idea would be to take your password idea and spell it backwards. You might not want to put your name in your password, because if anyone knows you then good luck!

  • 76 Posted by smilingcoolman321 on Thu Sep 3, 2009 9:28PM EDT

    Yeah, it seems the site doesn't work... and I agree, no one should place themselves as God.

  • 77 Posted by amzil9 on Thu Sep 3, 2009 2:53PM EDT

    Simple tricks to protect your password: 1- Never leave your machine connected to the internet when you are not online; finish your online work and shut down your Internet connection when you don't need it. 2- Never ever open any file from an e-mail address you do not know or you are not sure of. 3- Watch out with zip files and file attachments of all kinds unless you are sure of the sender or were expecting those files to be sent to you. 4- Watch out with clicking on links in emails you get redirecting you to some other sites; these links open new windows but do some other stuff you are not seeing. 5- Some people who may know you may use your personal interests against you to get you: if they know for example that you love some actor, singer, food, writer, whatever, they may send you some fictitious information on that subject of interest, and you may then take a big bite of a poisoned cake....! DO NOT OPEN THOSE FILES! 6- Anyone with physical access to your machine is capable of getting your passwords so easily, so watch out who is touching your machine, a colleague at work, a friend... if they ask to access your machine for whatever reason, there is NO PROBLEM in standing by them and keeping an eye on them: you never know where trust is these days..! 7- Delete whatever emails you get without opening them if you're not sure of them. 8- If ever the Yahoo login page, or Hotmail or any other e-mail provider, asks you to log in again when you just logged in.. or when you just opened an e-mail! Close the window and start from the beginning; that's more secure, because those pages asking you to log in again may be made-up exact copies of the Yahoo login pages or Hotmail or other, and when logging in to those pages, you in fact give your user name and pass and click "send"... to someone somewhere!
    9- Change your password periodically; once a week is good, pick a day ("Monday") and change your pass every that day of the week, but be careful, if you do not really trust your memory (the one in your head, not DDRAM!) make a note of your password where it cannot be accessible, something like a small sticky note on your credit card (without the login name!), and if you would allow someone to take your credit card for a while, then give them your passwords too! 11- Make sure that apart from all the techniques related in these posts, brute attacks, keyloggers, etc., without all these complications, ONE WRONG CLICK WOULD SEND ALL YOUR PASSWORDS TO SOMEONE... it takes just one click from you! So LOOK BEFORE YOU CLICK! 10- Just be careful and do not be soooooo obsessed with people working out there just to get your passwords; did you not read in the article of Mr. NULL, "you're just a mere mortal": that may be the only truth in that article..!

  • 78 Posted by cliciulina on Thu Sep 3, 2009 3:26PM EDT

    It's a very good idea indeed!! I think that I'll use those kinds of tricks on my password! Thanks

  • 79 Posted by ystilo_ipis on Thu Sep 3, 2009 10:58PM EDT

    Great idea, but somehow from doing a wrong spelling you often forget your password.

  • 80 Posted by oricus12843 on Thu Sep 3, 2009 7:46PM EDT

    First of all, substituting "3" for "E" is not hacker speak, it's just an internet thing. Not that it matters, but it kind of offended me. Second of all, if this guy's blog is readily available to all internet users, it's only a matter of months before hacker programs are changed to fit these new guidelines.

  • 82 Posted by baskate_2000 on Thu Sep 3, 2009 3:02PM EDT

    Interesting, would have been better if I'd been able to access the list of root words, but after four tries, I gave up. Any comment?

  • 83 Posted by nimiq915 on Thu Sep 3, 2009 7:39PM EDT

    If you're going to have a link in a post be kind enough to make sure it works. passwords (here's a list)... is a dead link. If you were in school I'd grade this an "F". Thanks for wasting my time.

  • 84 Posted by gloxbox on Thu Sep 3, 2009 4:10PM EDT

    RSA SecurID changes your password every 60 seconds. Even cookies and keystroke copycats wouldn't work. Unless of course they copy and enter within 60 seconds. To the lady w/ the nosy husband... sounds like you need a new husband if you have to hide stuff from him.
