A realistic approach to creating ...

Village Elder

A realistic approach to creating very strong passwords Tue, Feb 20. 2007

The challenge with using strong passwords is that strong passwords are difficult to remember. They often get written down defeating the security benefits of the passwords strength. On the other side of the problem, easy to remember passwords are almost always easy to crack or out right guess.

Most security engineers will strike a compromise and go for passwords that contain words or partial words with some character substitution.

The fundamental issue here is that humans remember words well. It’s the foundation of our use of language. But we can use another approach to create very strong passwords that are also easy to remember.

The trick? Derive passwords from something as easy to remember as words; phrases. Easy to remember phrases can be used to generate very strong passwords.

Let’s take a sample phrase to use as our seed. I tend to prefer obscure quotes from movies or literature. I look for quotes that I find myself remembering but that aren’t popular. Lets take a quote from the Sam Raimi movie “Evil Dead II”:

“I got you didn’t I you little sucker!”

We can take an acronym approach to generate:
igydiyls!

We could also take a syllable approach to generate:
igydniylsk!

We could take a last letter approach to get:
itutiuer!

Next we want to strengthen the password without losing its mnemonic properties. We can accomplish this with some character replacement. I’ll use our first example and extend it. I try to use characters in the replacement that aren’t common. For example, I wouldn’t swap an e for a 3, or an i for a 1 or an a for an @. Those are too predictable.

In this case I’ll swap:

“.” For the letter “d” d stands for dot.
“6” for the letter “G” similar shape but not very common
“b” for the character “!” often called a ‘bang’.

And lastly I’ll substitute the character “s” for a shift on the keyboard so the very next character will be shifted to uppercase.

Now I get:

i6y.iylB

Ok now that’s a pretty good password! If your administrator handed you this password you would probably cringe, knowing you would have a hell of a time trying to remember it. Now when I type it I recite the quote. In my head of course 

I (type i) got (6) you (y) didn’t (.) I (i) you (y) little (l) sucker (SHIFT) ! (B)

I hope this helps. Please post comments if you have any nifty password tricks.
Posted by John Curry in Security Comments: (4) Trackbacks: (2)

Trackbacks
Trackback specific URI for this entry

The Village Elder - Security Samurai
There is a new StillSecure blog. No, its not Martin McKeay's blog. John Curry, our director of customer security at StillSecure has started a blog called the Village Elder. John is a great engineer and a very technical dude. We
Weblog: StillSecure, After All These Years
Tracked: Feb 27, 22:39
Easy to Remember, Difficult to Guess Passwords.
Alan Shimel has a link to a new blog, a co-worker of his, in his latest blog post. The blog is advertised by Alan as ‘a little more technical than most, but if you are into the nuts and bolts of security and networking and general IT wizardry, Th...
Weblog: .:Computer Defense:.
Tracked: Feb 28, 06:53

Comments
Display comments as (Linear | Threaded)

#1 - Brian said:
2007-02-21 09:16 -

Check out "rainbow table attacks", which have effectively made your 8-character password obsolete (save for in systems that salt their hashes, such as Unixes). Now I take the type of passwords you talk about, and string two together separated with punctuation. Thus, I would use
What the f is your problem
(W7f1urPr0b)
with
This ain't my momma's cookin'
(T8ntMm'scKn)
and turn it into
W7f1urPr0b#T8ntMm'scKn

(hypothetically...)

#2 - Wilbur 2007-02-28 07:22 -

Have you performed any analysis of the passwords, perhaps with common phrases? It's easy to suggest that they are strong but I think that there are a lot of letters that are not as commonly the first letter of a word in a phrase. Some simple analysis could show the distribution.

There are already password attackers that factor all the "elite" speak letters and numbers in, they don't increase the distribution nearly as much as you might think.

#3 - John Curry said:
2007-02-28 08:45 -

Thats a good point Wilbur! Perhaps it's too much to say this method will create 'very strong' passwords. I know that I have seen some pretty ugly passwords in the field. Often terrible things like:

baseb@ll
r1234
mypass

Eeeks, keeps me up at night! I think compared to passwords of that level the technique I propose would fair pretty well.

I certainly wouldn't suggest any of the standard 3l173or 'elite' character replacements, they are just to common now, and I always feel dirty when I think about using them.

If anyone can use this technique to beef up their passwords a few notches in the right direction, then I think my work is done.

Perhaps I'll do a follow up post on how to create 64 character passwords for the non mensa member :-)

That gives me another idea. password olympics! I think I'll see about setting up some cracking tools to test who's 8 character password hold out the longest. hrm.. let me look into that!

#4 - John Curry - on behalf of Jordan said:
2007-03-01 17:50 -

The comment below was valiantly attempted to be posted here only to fail because I haven't worked out all my blogging mojo yet. Jordan sent this in with another great link on password policy. Thanks Jordan, I think I have this sorted now :-) -john
---
That's a great writeup. We recommend something similar, though without
quite as much detail on our password page at the University of Florida:

http://infosec.ufl.edu/athome/passwords.shtml

Thanks for the explanation.


The author does not allow comments to this entry