How to Pick a Genuinely Secure Password

Wed Jan 17, 2007 3:24AM EST

See Comments (157)

When it comes to security, Bruce Schneier is a god among us mere mortals. He has written some of the most influential books on computer security and cryptography ever printed, and his blog is essential reading for anyone on the Internet.

So when Bruce says here's how to create a secure password (and how he creates his own passwords), I listen. His post on the topic is extensive, so I'll try to boil it down to the essentials. If you have the time, I encourage you to read the whole thing, though.

First question: How are passwords cracked, anyway? Primarily through brute force "dictionary" attacks, where software tries to guess a password by running through a series of common phrases or words in various combinations. Sure, we know that "password" and "qwerty" are easy to crack, but password crackers have gotten much more sophisticated these days. Now, they check hundreds of these common "root" passwords (here's a list)... in combination with various "appendages," including all two- and three-digit combinations, single symbols (like ! and ?), dates from 1900 on, and a few others. The crackers also sub in common characters like "3" for "E" and other typical hacker-speak substitutions.

What's that mean? Basically, if you thought the safe-looking pigl3t9! was a secure password, you're sadly mistaken. Any modern password cracker will suss it out in a matter of minutes.

Before you begin to despair, Schneier offers simple rules on how to create a password that cannot be easily cracked by such methods. (Mind you, given enough time, any password can be cracked, though. But this will make it much harder.)

The trick is to use a "root" that is not in that list that I linked above, and to put your "appendage" (or two of them) in an unusual place: Either in the middle of the root or at both the beginning and the end.

Schneier's example is to use a word that you can pronounce but which is spelled "wrong": armwar or pitchsure or baysball are all examples. Then attach your appendage(s): arm9!9war or 1066pitchsure6601 or bay1776sball. It shouldn't take much effort to commit any of these to memory.

See also:
How Pathetic Is Your Password?
Frequent Password Change Policy: A Bad Idea
10 Myths About Windows Passwords

Comments on How to Pick a Genuinely Secure Password

Post a Comment

Join in the discussion. Here you'll see the comments in the order they were posted.

  • 1 Posted by usangel1on1 on Thu Sep 3, 2009 10:28PM EDT Report Abuse

    Great idea simple yet brilliant.. I am presuming that most software will use a dictionary so if a word is miss spelled it will be more dificult to figure it out! I will definitly use this method of password creation. thanks Keith

  • 3 Posted by yasoumalaka2004 on Thu Sep 3, 2009 10:55PM EDT Report Abuse

    Well I just got a program to brute force a rar file using my password. I set the range from 4 - 14 in length using upper case and lower case with numbers which I use and it wont complete length 4 for 8 days. If I use this password for things on the net then how they going to run a brute force of this magnitude? Don't they only get around 5 tries? I think its possible that the advice in this article is a bit of overkill.

  • 4 Posted by yasoumalaka2004 on Thu Sep 3, 2009 10:55PM EDT Report Abuse

    Ok here is an example of a password that takes my opteron @ 2.9Ghz to crack in 276 days with a brute force attack: V9hyX

  • 5 Posted by anrobr on Thu Sep 3, 2009 2:56PM EDT Report Abuse

    Length is important too. As an example, while testing security against a network computer that stored hashes of users from an active directory, an old Athlon 3200+ was able to try EVERY 7 digit combination of uppercase/lowercase letters and numbers in under 21 hours. With 8 digits it went up to 30+ days and at 9 digits, it was basically useless. However, there are newer faster ways as well. (ie rainbow). Of course, as the gents blog states, depending on the app or what is being broken, your mileage will vary.

  • 6 Posted by peitzza on Thu Sep 3, 2009 8:05PM EDT Report Abuse

    Sorry to rain on this parade, but at least for many Wndows XP users (including myself) programs like Ophcrack will crack a password using Rainbow tables within about 5 minutes. This includes all alpha-numeric up to 14 characters. And slightly longer for passwords containing special characters. I didn't believe it until I downloaded the program and tables, and it tried it out on my trusty 13-character alpha-numeric password. It nailed it in under 3 minutes. I guess I need to look around and see if there's a more secure way to store the passwords in XP, but this is what's default for all of us who use it.

  • 7 Posted by stephencshrum on Thu Sep 3, 2009 9:41PM EDT Report Abuse

    Yea this is fine and dandy but he is far from up on the times. Brute force hacking is a thing of yesturday and simple keylogging cookies are what real hackers are using. I would like to see an article or two on that! There are cookies getting embedded inside your antivirus files, windows, and Iexplorer files that cannot be found and will send their packets of info every time the user logs into the internet. This article is junk to me as making a password is rather easy to do. But to keep someone else from getting into your hard drive....alittle more to the point if you ask me!

  • 9 Posted by jdaukulis on Thu Sep 3, 2009 4:31PM EDT Report Abuse

    I grew up in a family that spoke a foriegn language...my passwords are mostly badly misspelled foriegn words.

  • 10 Posted by backstreetangel20 on Thu Sep 3, 2009 3:01PM EDT Report Abuse

    thank you for the advice, but still how actually people can Remember the password without that someone will cracked their password ?

More Posts: First Prev 1 2 3 4 5 Next Last

Post a Comment

Sign In to Post a Comment