Langa Letter: How To Build Better Passwords - InformationWeek


03:14 PM
Fred Langa

Langa Letter: How To Build Better Passwords

Stronger passwords don't have to be hard to create or use, Fred Langa says. Here are tools and tips that can help.

Passphrases And "Shocking Nonsense"
In the past, we've described several ways to generate passwords that are both hard for someone else to guess, and yet easy for you to remember. For example, back in 2003 we discussed a "passphrase" idea. While the specific examples in that article are now outmoded, the idea of using a passphrase was, and is, sound. In fact, passphrases have really caught on as a way to produce long, secure, and memorable passwords.

For one thing, passphrases can be of any arbitrary length -- even out to 20, 40, 60 characters, or more, without a lot of trouble. But, because they're made of a series of words rather than totally random characters, they're much easier to remember than conventional passwords of similar length.

But not all passphrases are created equal: As we saw earlier, phrases that are found in dictionaries and collections of quotations are particularly bad -- even a long passphrase, if based on a well-known quote, may be very easy to guess.

Likewise, passphrases that follow conventional rules of grammar provide a pattern that a clever program can exploit. So, the best passphrases do not follow normal grammar rules.

The excellent passphrase FAQ, "How To Choose A Passphrase," suggests a technique called "shocking nonsense."

"Shocking nonsense" means to make up a short phrase or sentence that is both nonsensical and shocking in the culture of the user, that is, it contains grossly obscene, racist, impossible or other extreme juxtaposition of ideas. This technique is permissible because the passphrase, by its nature, is never revealed to anyone with sensibilities to be offended.

In a corporate environment, of course, "shocking nonsense" would have to be employed with great care, and only under the aegis of an official, clearly outlined policy that explained the "shocking nonsense" for what it is: an attempt to circumvent dictionary-based and grammatical attacks by using words and linguistic constructs that will never be found in normal speech or references. Still, this approach may be inappropriate in today's litigious environment.

Fortunately, there are other ways to generate highly secure passphrases. Perhaps the best-known tool is the freely available Diceware, created by A. G. Reinhold. His approach uses one or more many-sided dice to generate truly random number sequences, which you then use to look up words from a list of some 8,000 short, easy-to-remember words and character strings. By rolling the dice and combining the resulting random words, you can easily construct a reasonably long passphrase that is hard to crack or guess in its own right, and which can be made harder still by editing the final passphrase to include capitalization, numbers, and punctuation.

There are also several software tools listed on Reinhold's site that can further automate the process, although at the cost of true randomness: most passphrase software relies on a computer's pseudo-random number generator, which isn't truly random.
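To make the Diceware procedure concrete, here is an added example (it is not Reinhold's code and not part of the original article) that rolls dice, looks the rolls up in a word list, and reports how much entropy the resulting passphrase carries. The word list below is a constructed toy: a real Diceware list keys one word to each of the 6^5 = 7776 five-dice outcomes, whereas this table keys a word to each of the 36 two-dice outcomes so the block runs offline. The dice are rolled with Python's `secrets` module (the operating system's cryptographic random source) rather than the ordinary `random` module, which is the "pseudo-random" trade-off the text warns about when software replaces physical dice.

```python
import itertools
import math
import secrets

# Constructed toy word list (NOT the real Diceware list). Every two-dice outcome
# "11" .. "66" maps to a word, so the table covers its whole key space and no
# roll is ever wasted. A real list does the same for five dice (7776 entries).
_TOY_WORDS = (
    "apple banana cabin delta eagle fable giant hazel igloo jolly kayak lemon "
    "mango noble ocean piano quilt river salsa tiger ultra vivid wagon xenon "
    "yacht zebra amber bison cedar dusty ember frost grove honey ivory jumbo"
).split()
TOY_WORDLIST = {
    "".join(key): word
    for key, word in zip(itertools.product("123456", repeat=2), _TOY_WORDS)
}


def roll_dice(n_dice, sides=6):
    """Roll n_dice dice with the OS CSPRNG (secrets), not the PRNG in random."""
    return [secrets.randbelow(sides) + 1 for _ in range(n_dice)]


def wordlist_is_complete(wordlist, dice_per_word, sides=6):
    """Check that every possible dice outcome maps to a word.

    A list with holes would force re-rolls (or, worse, tempt a tool to pick a
    'nearby' word, which skews the distribution)."""
    faces = "".join(str(d) for d in range(1, sides + 1))
    keys = {"".join(p) for p in itertools.product(faces, repeat=dice_per_word)}
    return len(wordlist) == sides ** dice_per_word and keys <= set(wordlist)


def diceware_passphrase(wordlist, n_words, dice_per_word, sides=6):
    """Roll dice_per_word dice for each word, look each roll up, join with spaces."""
    words = []
    for _ in range(n_words):
        key = "".join(str(d) for d in roll_dice(dice_per_word, sides))
        words.append(wordlist[key])
    return " ".join(words)


def entropy_bits(list_size, n_words):
    """Entropy of n_words chosen uniformly and independently from list_size words."""
    return n_words * math.log2(list_size)


def words_needed(list_size, target_bits):
    """Smallest word count whose entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(list_size))


if __name__ == "__main__":
    assert wordlist_is_complete(TOY_WORDLIST, dice_per_word=2)
    phrase = diceware_passphrase(TOY_WORDLIST, n_words=6, dice_per_word=2)
    print("toy passphrase:", phrase)
    print("toy entropy:   %.1f bits" % entropy_bits(len(TOY_WORDLIST), 6))
    # The same six words drawn from a full 7776-word list are far stronger.
    print("Diceware (7776 words), 6 words: %.1f bits" % entropy_bits(7776, 6))
    print("words needed for 80 bits:", words_needed(7776, 80))
```

The entropy figure depends only on the list size and the word count, not on the words themselves, which is why editing the final phrase to add capitals or punctuation adds strength only to the extent the edit is itself unpredictable.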

What If Long Passwords/Phrases Aren't Allowed?
Passphrases are a great way to achieve a high level of password strength, but, amazingly, some hardware and software systems still limit you to very short passwords, perhaps as few as six or eight characters. In that case a passphrase isn't terribly useful, so it's probably best to fall back on a truly random password that mixes uppercase, lowercase, numbers, and punctuation.
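The following is an added example, not code from the article or from any of the tools it names, showing how to build the kind of short, fully random, four-class password the paragraph recommends when a system caps the length. It draws each character from the OS cryptographic random source and uses rejection sampling (redraw the whole password until every class is present) instead of forcing one character of each class into fixed positions, which would bias the output. It also computes the entropy for a given length so you can compare an eight-character limit with the 20-character password described later in the article.

```python
import math
import secrets
import string

# The four character classes the article recommends for fully random passwords.
CHAR_CLASSES = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digit": string.digits,
    "punct": string.punctuation,
}
ALPHABET = "".join(CHAR_CLASSES.values())  # 26 + 26 + 10 + 32 = 94 symbols


def has_all_classes(password, classes=CHAR_CLASSES):
    """True if at least one character from every class appears in password."""
    return all(any(ch in members for ch in password) for members in classes.values())


def random_password(length, alphabet=ALPHABET, classes=CHAR_CLASSES):
    """Uniformly random password of the given length containing every class.

    Each position is drawn independently from the OS CSPRNG via secrets.choice.
    If a class is missing, the whole candidate is discarded and redrawn; this
    keeps every accepted password equally likely, unlike schemes that place one
    mandatory character per class in predictable slots."""
    if length < len(classes):
        raise ValueError("length too short to hold one character of every class")
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if has_all_classes(candidate, classes):
            return candidate


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Entropy of length independent uniform draws from alphabet_size symbols."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    for n in (8, 20):
        print("%2d chars: %s  (%.1f bits)" % (n, random_password(n), entropy_bits(n)))
```

Rejection sampling discards only the small fraction of candidates that happen to miss a class, so the entropy loss relative to the unconstrained figure reported by `entropy_bits` is negligible for lengths of eight and above.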

"PassGen2" is a free, online password-generating Java applet that's good for creating login passwords, WEP encryption keys, one-time-use pads, and many other uses.

If you'd rather keep your password-generation local and offline, the open source "PWGen for Windows" will help.

I prefer to use Roboform because it not only can generate good passwords but also can remember them for me: For example, to prevent a wireless hacker from easily accessing and changing my Wireless Access Point's security settings, I've protected the WAP-management software with a totally random 20-character password, using uppercase and lowercase letters, plus numbers and punctuation. An example of such a password (I just asked Roboform to generate a new one to show you) is: "[email protected]$NyY$Pr*u&%#rp" The odds of anyone guessing a password like that in any reasonable length of time are tiny. Of course, the odds of me remembering that also are tiny, which is why I just let Roboform remember and store the password internally, protected by the tool's built-in triple-DES encryption. I only have to remember one password -- the master password for Roboform itself -- and it handles all the rest. It can remember a huge number of passwords, and can generate password strings up to an insanely difficult 512 random characters in length.

The downside of Roboform is that, although there's a limited-use free mode, it's really a commercial product. Because it's proprietary, copyrighted code, not all the workings of its encryption and password generation are fully revealed. That's not a problem in my own use, but in situations requiring the very highest levels of security, an open-source password tool, like PWGen (above), may be a better choice. If you go that route, two additional open-source tools, Password Safe and KeePass, will help you manage and use your passwords with minimal hassle and confusion.
