Infrastructure
Commentary
6/15/2005
03:14 PM
Fred Langa

Langa Letter: How To Build Better Passwords

Stronger passwords don't have to be hard to create or use, Fred Langa says. Here are tools and tips that can help.

Passphrases And "Shocking Nonsense"
In the past, we've described several ways to generate passwords that are both hard for someone else to guess, and yet easy for you to remember. For example, back in 2003 we discussed a "passphrase" idea. While the specific examples in that article are now outmoded, the idea of using a passphrase was, and is, sound. In fact, passphrases have really caught on as a way to produce long, secure, and memorable passwords.

For one thing, passphrases can be of any arbitrary length -- even out to 20, 40, 60 characters, or more, without a lot of trouble. But, because they're made of a series of words rather than totally random characters, they're much easier to remember than conventional passwords of similar length.

But not all passphrases are created equal: As we saw earlier, phrases that are found in dictionaries and collections of quotations are particularly bad -- even a long passphrase, if based on a well-known quote, may be very easy to guess.

Likewise, passphrases that follow conventional rules of grammar provide a pattern that a clever program can exploit. So, the best passphrases do not follow normal grammar rules.

The excellent passphrase FAQ, How To Choose A Passphrase, suggests a technique called "shocking nonsense."

"Shocking nonsense" means to make up a short phrase or sentence that is both nonsensical and shocking in the culture of the user, that is, it contains grossly obscene, racist, impossible or other extreme juxtaposition of ideas. This technique is permissible because the passphrase, by its nature, is never revealed to anyone with sensibilities to be offended.

In a corporate environment, of course, "shocking nonsense" would have to be employed with great care, and only under the aegis of an official, clearly outlined policy that explained the "shocking nonsense" for what it is: an attempt to circumvent dictionary-based and grammatical attacks by using words and linguistic constructs that will never be found in normal speech or references. Still, this approach may be inappropriate in today's litigious environment.

Fortunately, there are other ways to generate highly secure passphrases. Perhaps the best-known tool is the freely available Diceware created by A. G. Reinhold. His approach employs one or more many-sided dice to generate truly random number sequences; you use the random number sequences to look up words from a list of some 8,000 short, easy-to-remember words and character strings. By rolling the dice and combining the resulting random words, you can easily construct a reasonably long passphrase that will be hard to crack or guess in its own right, and which can be made harder still by editing the final passphrase to include capitalization, numbers, and punctuation.

There are also several software tools listed on Reinhold's site, above, that can further automate the process, although at some cost in true randomness: most passphrase software relies on a computer's pseudo-random number generator, which isn't truly random.

What If Long Passwords/Phrases Aren't Allowed?
Passphrases are a great way to achieve a high level of password strength, but amazingly, some hardware and software systems still limit you to very short passwords, perhaps as few as six or eight characters. In this case, a passphrase isn't terribly useful, so it's probably best to revert to a true, totally random password using uppercase, lowercase, numbers, and punctuation.
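The two procedures above, the Diceware roll-and-look-up passphrase and the fully random short password for length-limited systems, as an added example that is not from Fred Langa's column or Reinhold's Diceware site. It draws randomness from the operating system's cryptographic generator via Python's secrets module rather than physical dice or a plain PRNG, and the 7,776-entry word list is a constructed stand-in for a real Diceware list.

```python
# Added example: Diceware-style passphrase and random-password generation,
# plus the entropy arithmetic that says how much guessing work each implies.
import math
import secrets
import string

# Diceware uses five six-sided dice per word, so a list has 6**5 == 7776 entries.
DICE_PER_WORD = 5
LIST_SIZE = 6 ** DICE_PER_WORD

# Constructed stand-in for a real Diceware word list (assumption, not the real list).
SAMPLE_WORD_LIST = [f"w{i:04d}" for i in range(LIST_SIZE)]

# Uppercase, lowercase, digits and punctuation: 26 + 26 + 10 + 32 = 94 symbols.
FULL_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def roll_dice(n=DICE_PER_WORD):
    """Return n dice rolls as a string of digits 1-6, e.g. '36124'.
    secrets.randbelow is a CSPRNG; random.randint would be the weak choice."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(n))


def roll_to_index(roll):
    """Map a five-digit Diceware roll to a 0-based word-list index (base-6 digits)."""
    if len(roll) != DICE_PER_WORD or any(c not in "123456" for c in roll):
        raise ValueError(f"bad roll: {roll!r}")
    index = 0
    for c in roll:
        index = index * 6 + (int(c) - 1)
    return index


def diceware_passphrase(word_list, num_words=6, sep=" "):
    """Roll the dice num_words times and join the looked-up words."""
    if len(word_list) != LIST_SIZE:
        raise ValueError("a Diceware list must have exactly 7776 entries")
    return sep.join(word_list[roll_to_index(roll_dice())] for _ in range(num_words))


def random_password(length=20, alphabet=FULL_ALPHABET):
    """Fully random password for systems that cap password length."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(choices_per_symbol, symbols):
    """Bits of entropy for `symbols` independent uniform picks from a set."""
    return symbols * math.log2(choices_per_symbol)
```

Six Diceware words give about 77.5 bits; a 20-character password over 94 symbols gives about 131 bits, and an 8-character one only about 52, which is why the column falls back to full randomness only when a system forbids anything longer.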

"PassGen2" is a free, online password-generating Java applet that's good for creating login passwords, WEP encryption keys, one-time-use pads, and many other uses.

If you'd rather keep your password-generation local and offline, the open source "PWGen for Windows" will help.

I prefer to use Roboform because it not only can generate good passwords but also can remember them for me: For example, to prevent a wireless hacker from easily accessing and changing my Wireless Access Point's security settings, I've protected the WAP-management software with a totally random 20-character password, using uppercase and lowercase letters, plus numbers and punctuation. An example of such a password (I just asked Roboform to generate a new one to show you) is: "mKz!3@$NyY$Pr*u&%#rp". The odds of anyone guessing a password like that in any reasonable length of time are tiny. Of course, the odds of me remembering that also are tiny, which is why I just let Roboform remember and store the password internally, protected by the tool's built-in triple-DES encryption. I only have to remember one password -- the master password for Roboform itself -- and it handles all the rest. It can remember a huge number of passwords, and can generate password strings up to an insanely difficult 512 random characters in length.

The downside of Roboform is that, although there's a limited-use free mode, it's really a commercial product. Because it's proprietary, copyrighted code, not all the workings of its encryption and password generation are fully revealed. That's not a problem in my own use, but in situations requiring the very highest levels of security, an open-source password tool, like PWGen (above), may be a better choice. If you go that route, two additional open source tools, Password Safe and KeePass, will help you manage and use your passwords with minimal hassle and confusion.

Page 2 of 3