How to Build Better Passwords

Passphrases And "Shocking Nonsense"
In the past, we've described several ways to generate passwords that are both hard for someone else to guess, and yet easy for you to remember. For example, back in 2003 we discussed a "passphrase" idea. While the specific examples in that article are now outmoded, the idea of using a passphrase was, and is, sound. In fact, passphrases have really caught on as a way to produce long, secure, and memorable passwords.

For one thing, passphrases can be of any arbitrary length -- even out to 20, 40, 60 characters, or more, without a lot of trouble. But, because they're made of a series of words rather than totally random characters, they're much easier to remember than conventional passwords of similar length.

But not all passphrases are created equal: As we saw earlier, phrases that are found in dictionaries and collections of quotations are particularly bad -- even a long passphrase, if based on a well-known quote, may be very easy to guess.

Likewise, passphrases that follow conventional rules of grammar provide a pattern that a clever program can exploit. So, the best passphrases do not follow normal grammar rules.

The excellent passphrase FAQ, How To Choose A Passphrase suggests a technique called "shocking nonsense."

In a corporate environment, of course, "shocking nonsense" would have to be employed with great care, and only under the aegis of an official, clearly outlined policy that explained the "shocking nonsense" for what it is: an attempt to circumvent dictionary-based and grammatical attacks by using words and linguistic constructs that will never be found in normal speech or references. Still, this approach may be inappropriate in today's litigious environment.

Fortunately, there are other ways to generate highly secure passphrases. Perhaps the best-known tool is the freely available Diceware created by A. G. Reinhold. His approach employs one or more many-sided die to generate truly random number sequences; you use the random number sequences to look up words from a list of some 8,000 short, easy-to-remember words and character strings. By rolling the dice and combining the resulting random words, you easily can construct a reasonably long passphrase that will be hard to crack or guess in its own right; and which can be made harder still by editing the final passphrase to include capitalization, numbers, and punctuation.

There also are several software tools listed on Reinhold's site, above, that can further automate the process; although at a cost of true randomness. For example, most passphrase software relies on a computer's pseudo-random number generator, which isn't truly random.

What If Long Passwords/Phrases Aren't Allowed?
Passphrases are a great way to achieve a high level of password strength, but amazingly, some hardware and software systems still limit you to very short passwords, perhaps as few as six or eight characters. In this case, a passphrase isn't terribly useful, so it's probably best to revert to a true, totally random password using uppercase, lowercase, numbers, and punctuation.

"PassGen2" is a free, online password-generating Java applet that's good for creating login passwords, WEP encryption keys, one-time-use pads, and many other uses.

If you'd rather keep your password-generation local and offline, the open source "PWGen for Windows" will help.

I prefer to use Roboform because it not only can generate good passwords but also can remember them for me: For example, to prevent a wireless hacker from easily accessing and changing my Wireless Access Point's security settings, I've protected the WAP-management software with a totally random 20-character password, using uppercase and lowercase letters, plus numbers and punctuation. An example of such a password (I just asked Roboform to generate a new one to show you) is: "mKz!3@$NyY$Pr*u&%#rp" The odds of anyone guessing a password like that in any reasonable length of time are tiny. Of course, the odds of me remembering that also are tiny, which is why I just let Roboform remember and store the password internally, protected by the tool's built-in triple-DES encryption. I only have to remember one password -- the master password for Roboform itself -- and it handles all the rest. It can remember a huge number of passwords, and can generate password strings up to an insanely difficult 512 random characters in length.

The downside of Roboform is that, although there's a limited-use free mode, it's really a commercial product. Because it's proprietary, copyrighted code, not all the workings of its encryption and password generation are fully revealed. That's not a problem in my own use, but in situations requiring the very highest levels of security, an open-source password tool, like PWGen (above), may be a better choice. If you go that route, two additional open source tools, Password Safe and KeePass, will help you manage and use your password with minimal hassle and confusion.

Short, Long, And Medium
As a general rule of thumb, in any situation where security really matters, I've abandoned passwords shorter than eight characters. All my passwords ranging from eight to about 20 characters are generated as random mixes of uppercase, lowercase, numbers, symbols and punctuation. The more sensitive the application, the longer and more complex the password I use.

In special cases where I need the very highest levels of security, and/or passwords longer than about 20 characters, and/or portability (where I need to be able to remember a long password on my own, without software assistance), I'll use a passphrase.

Of course, you can do things differently; I offer the above only as an example.

But the important thing is to realize that short passwords, and easily guessed longer passwords, are next to useless. If you haven't changed your approach to passwords in the last few years, this might be a good time to do just that -- and to look at the tools that make generating and using even very long, highly-secure passwords much easier.

- Fred Langa, InformationWeek