March 1, 2003

Choosing Strong Passwords

- By Raj Shekhar -

Passwords are the most common approach for identifying a user's
identity. We use passwords to secure our computers, to send or receive
emails or to access special resources. Password guessing has always been
the favourite method of cracking into computers or circumventing
security measures.

Two methods of guessing a password are in common use:

  • The cracker has some personal information about the user. Frequently
    people use the names of their cats, dogs or spouses as their passwords.

  • A brute force attack is one in which all possible words of a
    certain length are attempted until the correct one is found. Crack
    dictionaries, which contain lists of common words and phrases, can
    easily be found on the Internet. Good crack dictionaries contain the
    entire scripts of popular movies and entire sets of song lyrics.

There are a number of suggestions on what you should not choose
as your password but very few suggestions for choosing good
passwords. The best password is obtained when the characters of the
password are chosen completely at random. This password can be a little difficult
to remember. Here are a few guidelines which can help you in choosing
strong, almost random, but easy to remember passwords.

Use Long Passwords

Choose passwords that are as long as allowed by the software. Make your
passwords at least 10 or 12 characters long. Short passwords do
not leave enough choices to prevent their being guessed by repeated
trials. Ideally your password should contain at least one character from
each of the following categories:

  • upper case letters (ABC)
  • lower case letters (abc)
  • digits (123)
  • punctuation and other symbols (!$%)

For example:

`Rash1978BRuno!blaCk'
may seem absolutely random but will be quite easy to
remember for someone whose name is Raj
Shekhar, who was born in 1978, who had a dog
named Bruno (notice how the upper case and lower case
letters have been mixed), and whose favourite colour is
black (again, notice the mix of upper and lower case).

If you had used only one of these as your password, crackers with some
personal knowledge about you would have compromised it. However, if these
are mixed in with other characters and words, they can increase the
length of your password without compromising its security -- while
keeping it easy to remember.
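The following script is an added illustration of the two points above (the brute force search space grows with length and character mix, while a single personal word is found by a dictionary lookup); it is not code from the original article. The crack dictionary, the guess rate and the per-class alphabet sizes are constructed assumptions for the example.

```python
import math
import string

# Constructed toy "crack dictionary" for this example; a real one holds
# millions of entries (common words, lyrics, movie scripts).
CRACK_DICTIONARY = {"bruno", "black", "raj", "shekhar", "password", "1978", "letmein"}

# Assumed alphabet size contributed by each character class
# (32 is the usual count of printable ASCII punctuation/symbol characters).
ALPHABET_SIZE = {"upper": 26, "lower": 26, "digit": 10, "symbol": 32}


def character_classes(password):
    """Return the set of character classes the password draws from."""
    classes = set()
    for ch in password:
        if ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.digits:
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


def brute_force_bits(password):
    """log2 of the number of candidates an attacker must try to exhaust
    every password of this length built from the same character classes."""
    alphabet = sum(ALPHABET_SIZE[c] for c in character_classes(password))
    return len(password) * math.log2(alphabet)


def years_to_exhaust(password, guesses_per_second=1e9):
    """Worst-case time for an exhaustive search at an assumed guess rate."""
    seconds = 2 ** brute_force_bits(password) / guesses_per_second
    return seconds / (365 * 24 * 3600)


def dictionary_hits(password, dictionary=CRACK_DICTIONARY):
    """Dictionary entries that appear inside the password, case-insensitively.
    These are what a cracker with personal knowledge of the user tries first."""
    lowered = password.lower()
    return sorted(entry for entry in dictionary if entry in lowered)


def assess(password):
    """Summarise a password against the guidelines in the article."""
    classes = character_classes(password)
    return {
        "length": len(password),
        "long_enough": len(password) >= 12,
        "all_four_classes": classes == {"upper", "lower", "digit", "symbol"},
        "brute_force_bits": round(brute_force_bits(password), 1),
        "dictionary_hits": dictionary_hits(password),
        # A password that *is* a single dictionary entry is as good as known.
        "is_single_dictionary_word": password.lower() in CRACK_DICTIONARY,
    }


if __name__ == "__main__":
    for candidate in ("Bruno", "Rash1978BRuno!blaCk"):
        print(candidate, assess(candidate))
```

Run on the article's own example, the combined password still reports the dictionary hits `1978', `black' and `bruno', yet its 19 characters drawn from all four classes put the exhaustive search well beyond 120 bits, whereas `Bruno' alone is both a direct dictionary match and under 30 bits.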

Use Shocking Nonsense

Q: How do I choose a good password or phrase?

A: Shocking nonsense makes the most sense

Shocking nonsense means making up a short phrase or sentence that
is both nonsensical and shocking; that is, it
contains a grossly obscene, racist, impossible or otherwise extreme
mix of ideas. This technique is permissible because the
password is never (ideally) revealed to anyone with
sensibilities to be offended.

A very weak example is
`Bart Simpson beats up Einstein'.
or with some mixing of upper and lower case characters,
`bartSimpsonBeatsUpEinstein'.
Making up many far more shocking or entertaining examples
is left as an exercise for the reader.

Because shocking nonsense passwords are quite long, they cannot be easily
cracked by a brute force attack.

Use the First Letter of Each Word

Another technique for creating strong passwords is to use the first
letter of each word of an easily remembered phrase. For example,
`Mhall'
is formed by taking the first character of each word in the sentence
`Mary had a little lamb'.

This technique can be further strengthened by mixing the password with
some digits and punctuation. For example,
`M!hal%l'.

An even stronger password can be obtained by replacing each letter with
the key one position to its left on a standard QWERTY keyboard. The
above password after applying this technique becomes
`N!gpk%k'.
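The three steps of this section (first letters, mixing in symbols, and the keyboard shift) carried through in code, as an added example that is not part of the original article. The row layout is the standard US QWERTY letter rows; treating a letter at the left edge of a row (q, a, z) as wrapping to the right edge of that row is this example's own assumption, so `a' becomes `l' here, whereas the article's worked example maps it differently.

```python
# Letter rows of a standard US QWERTY keyboard, left to right.
QWERTY_LETTER_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")


def acronym(phrase):
    """First letter of each word of the phrase, with case preserved."""
    return "".join(word[0] for word in phrase.split())


def intersperse(base, inserts):
    """Place digits or punctuation before the given 0-based positions of base.
    inserts maps position -> string, e.g. {1: "!", 4: "%"}."""
    out = []
    for i, ch in enumerate(base):
        out.append(inserts.get(i, ""))
        out.append(ch)
    return "".join(out)


def key_to_the_left(ch):
    """Replace a letter by the key one position to its left in its QWERTY row.
    Assumption (not from the article): a letter at the left edge of a row
    wraps to the right edge (index -1). Non-letters are returned unchanged."""
    for row in QWERTY_LETTER_ROWS:
        idx = row.find(ch.lower())
        if idx != -1:
            shifted = row[idx - 1]  # idx 0 gives row[-1]: the wrap-around
            return shifted.upper() if ch.isupper() else shifted
    return ch


def shift_left(password):
    """Apply the keyboard shift to every character of the password."""
    return "".join(key_to_the_left(ch) for ch in password)


def build(phrase, inserts=None):
    """Full pipeline: acronym, optional symbol mixing, then the keyboard shift."""
    base = intersperse(acronym(phrase), inserts or {})
    return shift_left(base)


if __name__ == "__main__":
    phrase = "Mary had a little lamb"
    print(acronym(phrase))                        # Mhall
    print(intersperse(acronym(phrase), {1: "!", 4: "%"}))  # M!hal%l
    print(build(phrase, {1: "!", 4: "%"}))
```

The symbols and their positions are the user's own choice; the point of the last step is that the phrase the user remembers is no longer a substring of what is typed, so a dictionary of phrases or lyrics does not contain the password.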

Conclusions

Choosing a strong password is just a small step in securing your
resources. Using the guidelines above will help you choose
passwords that are easy to remember, and at the same time strong.

If you have any suggestions for this article please let me know at
lunatech3007 at yahoo dot com.
