2011/6/6 20:58:43
#1
Home away from home

Strong, memorable passwords

There's a good podcast by Steve Gibson looking at password strength and brute force attacks (MP3, 44MB), which is well worth a listen. He has an interesting take on what makes a password 'cracking resistant'.

He says that the difficulty of a password *doesn't* come from the amount of randomness in it, as is usually stated. The strength is actually a factor of the search space size (note that this assumes you have eliminated dictionary attacks).

If your password is all lower case, then each additional letter you add makes it 26 times harder to brute force. But if you have *just one* each of lowercase, number, capital and symbol in your password, then each additional character makes the password 95 times harder to crack, because you've increased the per-character search space that the attacker must investigate.

The upshot of all this is that you don't need to have random passwords that you can't remember. So long as you have included at least one of each class of character, then you can 'pad' the password with a private but memorable pattern of characters (effectively a salt) to make it long. Length is the most important thing in increasing the difficulty of brute force attacks.

So in summary, to have a very strong yet memorable password, he suggests:

1. Use at least one lowercase, capital, number and symbol.
2. Then pad the password out with your own private but memorable 'pattern' to make it long.

For more info, see his 'Password haystacks' page, which has a cool meter that gives you the actual search space size. Of course, reusing passwords across multiple sites is still a very, very bad idea.


2011/6/7 1:17:58
#2
Webmaster

Re: Strong, memorable passwords

This is a good idea! From an ImpressCMS standpoint, it could be hard to invent something that pushes people to do this. I could imagine a warning when the password is too short or does not have numbers or uppercase or symbols, but it still remains the responsibility of the user to have a decent password.

The warning might be possible though. Any ideas on this?

_________________

Me on OpenHub

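To see the arithmetic of the first post and the kind of warning the webmaster describes in one place, here is an added example in Python. It is not code from this thread or from ImpressCMS. It counts the character classes present in a password, treats the per-character alphabet as the sum of the sizes of those classes (26 + 26 + 10 + 33 = 95 when all four appear), and sums the guesses for every length up to the password's length, which is the blind brute-force model the first post describes. The 33-symbol class (ASCII punctuation plus the space), the 12-character minimum and the function names are assumptions; characters outside ASCII are simply ignored. As the first post itself notes, the number says nothing about dictionary or pattern attacks.

```python
"""Search-space size and character-class warnings for candidate passwords."""
from __future__ import annotations

import string

# The four classes the first post counts: 26 + 26 + 10 + 33 = 95.
# The symbol class is assumed to be the 32 ASCII punctuation characters plus space.
CLASSES = {
    "lowercase": frozenset(string.ascii_lowercase),
    "uppercase": frozenset(string.ascii_uppercase),
    "digit": frozenset(string.digits),
    "symbol": frozenset(string.punctuation + " "),
}


def classes_present(password: str) -> set[str]:
    """Names of the character classes that occur at least once in password."""
    return {name for name, chars in CLASSES.items()
            if any(c in chars for c in password)}


def alphabet_size(password: str) -> int:
    """Per-character search space: the attacker must assume a whole class is in use
    as soon as one member of it appears (26 for lowercase only, 95 for all four)."""
    return sum(len(CLASSES[name]) for name in classes_present(password))


def search_space(password: str) -> int:
    """Guesses an exhaustive search has to cover for every length up to len(password):
    alphabet**1 + alphabet**2 + ... + alphabet**L.  Blind brute force only."""
    a = alphabet_size(password)
    return sum(a ** n for n in range(1, len(password) + 1))


def seconds_to_exhaust(password: str, guesses_per_second: float) -> float:
    """Worst-case time for an attacker guessing at the given rate."""
    return search_space(password) / guesses_per_second


def password_warnings(password: str, min_length: int = 12) -> list[str]:
    """Warnings of the kind the webmaster suggests: too short, or a class missing.
    The 12-character minimum is an assumed policy value, not something from the thread."""
    found = classes_present(password)
    warnings = []
    if len(password) < min_length:
        warnings.append(f"shorter than {min_length} characters")
    for name in CLASSES:  # insertion order: lowercase, uppercase, digit, symbol
        if name not in found:
            warnings.append(f"no {name} character")
    return warnings


if __name__ == "__main__":
    # Constructed sample: the two passwords quoted later in the thread and a padded one.
    for pw in ("password", "1Rthg&6FW", "199BdStSyCdDeUdKm@123456.com"):
        print(f"{pw!r}: alphabet {alphabet_size(pw)}, "
              f"search space {search_space(pw):.3e}, "
              f"{seconds_to_exhaust(pw, 1e11) / 86400:.3g} days at 1e11 guesses/s, "
              f"warnings {password_warnings(pw)}")
```

Adding one character to an all-lowercase password multiplies `search_space` by roughly 26; adding one to a password that already contains all four classes multiplies it by roughly 95, which is the point the first post makes about padding with a long memorable pattern.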

2011/6/7 1:40:02
#3
Home away from home

Re: Strong, memorable passwords

How about a simple link to some password tips on the Wiki?


2011/6/7 2:51:37
#4
Home away from home

Re: Strong, memorable passwords

People choose easy passwords for mainly two reasons:

1. They don't understand the impact of security, how easily passwords can be cracked or guessed, or the tricks crackers use to gain access.
2. Because an easy password is easy to remember:

password is easier to remember than 1Rthg&6FW

But why should a password be hard to remember? Because people over-think them, and because of reason 1 above.

So how would you go about making a password that seems random, but is easy to remember and contains all the necessary requirements?

Think about it logically. Here is one way of producing a memorable random password that contains no words and makes no sense whatsoever, but is easy for you to remember.

Take your address, for example:

199 Bond Street,
Staveley
Chesterfield
Derbyshire
United Kingdom

Everyone knows their own address and phone number.

So here is a password derived from your address that is easy to remember:

199BdStSyCdDeUdKm

Strengthen that by turning it into an email-like address:

199BdStSyCdDeUdKm@123456.com

where 123456 is your phone number.

And there you have a very long password, easy for you to remember. I took the first and last letter of each word of the address.

It could be your mother's address or a friend's work address. The point is, you derived your password from something that you can easily remember and turned it into a phrase that can be easily recounted by yourself.

That is one way of producing a good strong password. It doesn't need to be random, but it does need to be remembered.

[edit]
The above address is fictional, by the way. It does not exist; I'm not that dumb. (For those spammers that think I might be.) Just thought I'd mention that!


Edited by Vaughan on 2011/6/8 12:07:35
Edited by Vaughan on 2011/6/8 12:08:14
_________________
Live as if you were to die tomorrow, Learn as if you were to live forever

The beauty of a living thing is not the atoms that go into it, but the way those atoms are put together!

2011/6/7 4:41:00
#5
Home away from home

Re: Strong, memorable passwords

A very nice idea! You should write a blog about it.

_________________
http://on.fb.me/x5lEdX

2011/6/7 8:25:57
#6
Home away from home

Re: Strong, memorable passwords

Creating a pass phrase instead of a pass word is a very good practice. Another level of complexity to add is something unique to each instance of the passphrase - don't just use the same passphrase on every site.

Add part of the URL or site name to your passphrase and now you've got a unique passphrase for every website, but it's still easy to remember.

iCmS/50BdStSyCdDeUdKm@123456.com
or 50BdStSyCdDeUdKm@123456.com[impresscms]

and there you have it!

_________________
Christian Web Resources
Facebook

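The first-and-last-letter rule from post #4, together with the per-site prefix and suffix forms from post #6, as an added example in Python that is not part of the thread. The address and phone number are the fictional ones from post #4; the function names, the stripping of punctuation, and the handling of single-letter words are assumptions the posts do not cover. The rule is deterministic, so a password made this way is only as strong as the attacker's ignorance of the source phrase and of the rule itself, which is the same caveat the first post attaches to its search-space figures.

```python
"""Derive a long, memorable password from a phrase you already know."""
from __future__ import annotations

import re


def abbreviate(phrase: str) -> str:
    """Keep the first and last letter of every word; purely numeric tokens stay whole.
    Commas and other punctuation are dropped before splitting, and single-letter
    words are kept as they are (an assumption; the post does not cover that case)."""
    parts = []
    for word in re.findall(r"[A-Za-z0-9]+", phrase):
        if word.isdigit() or len(word) == 1:
            parts.append(word)
        else:
            parts.append(word[0] + word[-1])
    return "".join(parts)


def as_email(core: str, phone: str) -> str:
    """Post #4's email-like form: <core>@<phone>.com.  Spaces and dashes in the
    phone number are tolerated and removed."""
    digits = re.sub(r"\D", "", phone)
    return f"{core}@{digits}.com"


def per_site(password: str, site_tag: str, position: str = "prefix") -> str:
    """Post #6's per-site variant: the tag in front with a slash, or in square
    brackets at the end, so every site gets a different password from one phrase."""
    if position == "prefix":
        return f"{site_tag}/{password}"
    if position == "suffix":
        return f"{password}[{site_tag}]"
    raise ValueError("position must be 'prefix' or 'suffix'")


# Constructed input: the fictional address and phone number quoted in post #4.
ADDRESS = "199 Bond Street, Staveley Chesterfield Derbyshire United Kingdom"
PHONE = "123456"


def example() -> dict[str, str]:
    """Run the whole derivation on the constructed input and return each stage."""
    core = abbreviate(ADDRESS)
    base = as_email(core, PHONE)
    return {
        "core": core,
        "base": base,
        "impresscms_prefix": per_site(base, "iCmS"),
        "impresscms_suffix": per_site(base, "impresscms", "suffix"),
    }


if __name__ == "__main__":
    for stage, value in example().items():
        print(f"{stage:18} {value}")
```

`abbreviate` accepts any phrase, so the same function serves a friend's work address or any other line you can recite; the site tag passed to `per_site` is whatever short token you choose for that site.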