Strong, memorable passwords

Posted by Madfish on 1307419123
There's a good podcast by Steve Gibson looking at password strength and brute force attacks (MP3, 44MB), which is well worth a listen. He has an interesting take on what makes a password 'cracking resistant'.

He says that the difficulty of a password *doesn't* come from the amount of randomness in it, as is usually stated. The strength is actually a factor of the search space size (note that this assumes you have eliminated dictionary attacks).

If your password is all lower case, then each additional letter you add makes it 26 times harder to brute force. But if you have *just one* each of lowercase, number, capital and symbol in your password, then each additional character makes the password 95 times harder to crack, because you've increased the per-character search space that the attacker must investigate.

The upshot of all this is that you don't need to have random passwords that you can't remember. So long as you have included at least one of each class of character, then you can 'pad' the password with a private but memorable pattern of characters (effectively a salt) to make it long. Length is the most important thing in increasing the difficulty of brute force attacks.

So in summary, to have a very strong yet memorable password, he suggests:

1. Use at least one lowercase, capital, number and symbol.
2. Then pad the password out with your own private but memorable 'pattern' to make it long.

For more info, see his 'Password haystacks' page, which has a cool meter that gives you the actual search space size. Of course, reusing passwords across multiple sites is still a very, very bad idea.

This Post was from: https://www.impresscms.org/iforum/viewtopic.php?topic_id=4810&post_id=43248
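The search-space arithmetic described in the post, as an added worked example (not part of the original post or of Steve Gibson's page): the alphabet size is the sum of the character classes actually present (26 + 26 + 10 + 33 = 95 when all four are used), and the "haystack" size counts every string up to the password's length over that alphabet. The class definitions and the 100-billion-guesses-per-second rate are assumptions used for illustration.

```python
import string

# Character classes assumed for this example. The symbol class is the 32
# ASCII punctuation characters plus the space, giving 33, so that all four
# classes together form the 95-character printable ASCII alphabet.
CLASSES = {
    "lower": string.ascii_lowercase,      # 26
    "upper": string.ascii_uppercase,      # 26
    "digit": string.digits,               # 10
    "symbol": string.punctuation + " ",   # 33
}


def alphabet_size(password: str) -> int:
    """Per-character search space: sizes of the classes the password uses.

    A character outside every class (e.g. non-ASCII) is rejected, since the
    model only defines the four printable ASCII classes.
    """
    for ch in password:
        if not any(ch in chars for chars in CLASSES.values()):
            raise ValueError(f"character {ch!r} is outside the modelled classes")
    return sum(len(chars) for chars in CLASSES.values()
               if any(ch in chars for ch in password))


def search_space(password: str) -> int:
    """Haystack-style count: all strings of length 1..len(password)
    over the alphabet the password draws from.

    This is brute-force cost only; like the post's model it assumes the
    password is not in any dictionary or pattern list an attacker tries first.
    """
    size = alphabet_size(password)
    return sum(size ** k for k in range(1, len(password) + 1))


def exhaustive_search_seconds(password: str,
                              guesses_per_second: int = 100_000_000_000) -> float:
    """Worst-case time to exhaust the space at an assumed offline guess rate."""
    return search_space(password) / guesses_per_second


def padding_gain(base: str, padded: str) -> float:
    """Factor by which padding a password enlarges its search space."""
    return search_space(padded) / search_space(base)


if __name__ == "__main__":
    # Constructed sample passwords: an all-lowercase word versus a short
    # password with one of each class that is then padded with a pattern.
    for pw in ["password", "aB3!", "aB3!....----....----"]:
        print(f"{pw!r}: alphabet={alphabet_size(pw)}, space={search_space(pw):.3e}, "
              f"exhaust={exhaustive_search_seconds(pw):.3e} s")
```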