How to Pick a Genuinely Secure Password

21 01 2007

When it comes to security, Bruce Schneier is a God among us mere mortals. He has written some of the most influential books on computer security and cryptography ever printed, and his blog is essential reading for anyone on the Internet.So when Bruce says here’s how to create a secure password (and how he creates his own passwords), I listen. His post on the topic is extensive, so I’ll try to boil it down to the essentials. If you have the time, I encourage you to read the whole thing, though.

First question: How are passwords cracked, anyway? Primarily through brute force “dictionary” attacks, where software tries to guess a password by running through a series of common phrases or words in various combinations. Sure, we know that “password” and “qwerty” are easy to crack, but password crackers have gotten much more sophisticated these days. Now, they check hundreds of these common “root” passwords (here’s a list)… in combination with various “appendages,” including all two- and three-digit combinations, single symbols (like ! and ?), dates from 1900 on, and a few others. The crackers also sub in common characters like “3” for “E” and other typical hacker-speak substitutions.

What’s that mean? Basically, if you thought the safe-looking pigl3t9! was a secure password, you’re sadly mistaken. Any modern password cracker will suss it out in a matter of minutes.

Before you begin to despair, Schneier offers simple rules on how to create a password that cannot be easily cracked by such methods. (Mind you, given enough time, any password can be cracked, though. But this will make it much harder.)

The trick is to use a “root” that is not in that list that I linked above, and to put your “appendage” (or two of them) in an unusual place: Either in the middle of the root or at both the beginning and the end.

Schneier’s example is to use a word that you can pronounce but which is spelled “wrong”: armwar or pitchsure or baysball are all examples. Then attach your appendage(s): arm9!9war or 1066pitchsure6601 or bay1776sball. It shouldn’t take much effort to commit any of these to memory.


Actions

Information

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s




%d bloggers like this: