Commentary
6/15/2005
03:14 PM
Fred Langa
Fred Langa
Commentary

Langa Letter: How To Build Better Passwords

Stronger passwords don't have to be hard to create or use, Fred Langa says. Here are tools and tips that can help.



Good passwords are essential for PC security. Even the world's strongest encryption algorithms or logon procedures won't protect you if you use the wrong kind of password.

And even if you once were safe, you may not be today: Passwords that were fine even just a few years ago may now be vulnerable to attack because of huge advances in hardware and software: Malicious hackers have tools that can make hundreds to thousands of guesses in seconds. Passwords that might once have taken months or years to crack can now be cracked in minutes or hours.

It takes very little skill to mount a password attack. The simplest form of attack is based on dictionary lists: The cracking software simply tries every possible word listed in an online dictionary. Any password found in the dictionary will thus soon be discovered. This type of software is extremely simple to create because no deep analysis or cryptographic skill is needed. It's high-school level stuff, and yet it can defeat many passwords!

Similarly, passwords based on common phrases are very weak. A malicious hacker can use a dictionary of famous quotations in much the same way as using a dictionary of individual words: Any password based on familiar quotes is likewise easily discovered.

It's only a little more complicated for a malicious hacker also to cover the most common permutations of words and phrases. For example, some people choose a password or phrase, and then touch-type that word or phrase, but shift their hands one character to the right, left, up, or down from the normal typing position. The resulting output looks like gibberish, but really isn't: It retains a regular pattern that a computer easily can sniff out.

So-called "elite" or "l33t" speak was once a useful way of increasing a password's complexity, but the rules of "l33t" substitution are now well known. Similarly, taking a common word or phrase and trying to make it more complex through random capitalization and by appending numbers does little to add real security: For example, a lowly P3 PC running a widely available cracking tool at just 500 MHz was able to guess the password "ChEcK12" in only 26 seconds; and today's top-of-the-line PCs could perform the same crack almost instantly. (For more examples of just how quickly simple password techniques like this can be bypassed, see this page from McMaster University). It's scary stuff.

What Makes A Good Password?
So, what makes a better password? There are three major factors: length, complexity, and randomness. We've already touched on randomness. A good password will be a truly unique combination of characters, and that means that the password should not appear in any form in any dictionary, book of quotations, and so on. The password also should not be based on simple substitutions or transpositions of common words or phrases: If any underlying pattern remains -- the less truly random a password is -- the easier it is to be cracked.

Complexity also is easy to understand. For example, if you limit yourself to the lower-case letters of the English alphabet, each character in your password will have only 26 possible values. Simply allowing uppercase and lowercase letters means that each character in the password can have 52 different values. Add in numbers (0-9) and you have 62 possible values; add the punctuation and symbol characters commonly found on a US-English computer keyboard, and you have a total of about 92 unique (non-repeating) possible values. Clearly, using all the kinds of characters available to you significantly increases the complexity of a password.

Length also is hugely important: A two-character password, where each character could be any of 92 possible values, affords just 8464 unique combinations. Three characters allow 778,688 possibilities; four yields 71,639,296, and so on. So clearly, longer passwords are better because the number of possible character combinations increases exponentially with length.

But note that while something like "71,639,296" password possibilities would be daunting in human terms, it's nothing to the brute strength of a PC. This online calculator lets you play with variables to see how long a "brute force" password-cracking program would have to run to defeat passwords of varying lengths and complexities. Note that the "speed -- thousands of passwords per second" figure depends not only on the speed of a given PC, but also on the efficiency of the cracking software, which is hugely variable in itself. But the calculator is seeded with an exceedingly low number, which significantly under-represents the power of today's PC's and software. For a more realistic view of contemporary threat levels, crank up the "speed" variable by several orders of magnitude. (For a hardware-based starting point, you may wish to note that the common Intel P6 is capable of processing hundreds of millions of instructions per second. Note also the real-life cracking results reported earlier by McMaster University.

Passphrases And "Shocking Nonsense"
In the past, we've described several ways to generate passwords that are both hard for someone else to guess, and yet easy for you to remember. For example, back in 2003 we discussed a "passphrase" idea. While the specific examples in that article are now outmoded, the idea of using a passphrase was, and is, sound. In fact, passphrases have really caught on as a way to produce long, secure, and memorable passwords.

For one thing, passphrases can be of any arbitrary length -- even out to 20, 40, 60 characters, or more, without a lot of trouble. But, because they're made of a series of words rather than totally random characters, they're much easier to remember than conventional passwords of similar length.

But not all passphrases are created equal: As we saw earlier, phrases that are found in dictionaries and collections of quotations are particularly bad -- even a long passphrase, if based on a well-known quote, may be very easy to guess.

Likewise, passphrases that follow conventional rules of grammar provide a pattern that a clever program can exploit. So, the best passphrases do not follow normal grammar rules.

The excellent passphrase FAQ, How To Choose A Passphrase suggests a technique called "shocking nonsense."

"Shocking nonsense" means to make up a short phrase or sentence that is both nonsensical and shocking in the culture of the user, that is, it contains grossly obscene, racist, impossible or other extreme juxtaposition of ideas. This technique is permissible because the passphrase, by its nature, is never revealed to anyone with sensibilities to be offended.

In a corporate environment, of course, "shocking nonsense" would have to be employed with great care, and only under the aegis of an official, clearly outlined policy that explained the "shocking nonsense" for what it is: an attempt to circumvent dictionary-based and grammatical attacks by using words and linguistic constructs that will never be found in normal speech or references. Still, this approach may be inappropriate in today's litigious environment.

Fortunately, there are other ways to generate highly secure passphrases. Perhaps the best-known tool is the freely available Diceware created by A. G. Reinhold. His approach employs one or more many-sided die to generate truly random number sequences; you use the random number sequences to look up words from a list of some 8,000 short, easy-to-remember words and character strings. By rolling the dice and combining the resulting random words, you easily can construct a reasonably long passphrase that will be hard to crack or guess in its own right; and which can be made harder still by editing the final passphrase to include capitalization, numbers, and punctuation.

There also are several software tools listed on Reinhold's site, above, that can further automate the process; although at a cost of true randomness. For example, most passphrase software relies on a computer's pseudo-random number generator, which isn't truly random.

What If Long Passwords/Phrases Aren't Allowed?
Passphrases are a great way to achieve a high level of password strength, but amazingly, some hardware and software systems still limit you to very short passwords, perhaps as few as six or eight characters. In this case, a passphrase isn't terribly useful, so it's probably best to revert to a true, totally random password using uppercase, lowercase, numbers, and punctuation.

"PassGen2" is a free, online password-generating Java applet that's good for creating login passwords, WEP encryption keys, one-time-use pads, and many other uses.

If you'd rather keep your password-generation local and offline, the open source "PWGen for Windows" will help.

I prefer to use Roboform because it not only can generate good passwords but also can remember them for me: For example, to prevent a wireless hacker from easily accessing and changing my Wireless Access Point's security settings, I've protected the WAP-management software with a totally random 20-character password, using uppercase and lowercase letters, plus numbers and punctuation. An example of such a password (I just asked Roboform to generate a new one to show you) is: "[email protected]$NyY$Pr*u&%#rp" The odds of anyone guessing a password like that in any reasonable length of time are tiny. Of course, the odds of me remembering that also are tiny, which is why I just let Roboform remember and store the password internally, protected by the tool's built-in triple-DES encryption. I only have to remember one password -- the master password for Roboform itself -- and it handles all the rest. It can remember a huge number of passwords, and can generate password strings up to an insanely difficult 512 random characters in length.

The downside of Roboform is that, although there's a limited-use free mode, it's really a commercial product. Because it's proprietary, copyrighted code, not all the workings of its encryption and password generation are fully revealed. That's not a problem in my own use, but in situations requiring the very highest levels of security, an open-source password tool, like PWGen (above), may be a better choice. If you go that route, two additional open source tools, Password Safe and KeePass, will help you manage and use your password with minimal hassle and confusion.

Short, Long, And Medium
As a general rule of thumb, in any situation where security really matters, I've abandoned passwords shorter than eight characters. All my passwords ranging from eight to about 20 characters are generated as random mixes of uppercase, lowercase, numbers, symbols and punctuation. The more sensitive the application, the longer and more complex the password I use.

In special cases where I need the very highest levels of security, and/or passwords longer than about 20 characters, and/or portability (where I need to be able to remember a long password on my own, without software assistance), I'll use a passphrase.

Of course, you can do things differently; I offer the above only as an example.

But the important thing is to realize that short passwords, and easily guessed longer passwords, are next to useless. If you haven't changed your approach to passwords in the last few years, this might be a good time to do just that -- and to look at the tools that make generating and using even very long, highly-secure passwords much easier.

What password tools do you use? What do you consider to be a reasonable minimum and maximum length? Do you "recycle" passwords, using the same passwords in different situations; or do you insist on one-use, non-repeating passwords? Share your tips, trick, and opinions, in the discussion area!


To discuss this column with other readers, please visit Fred Langa's forum on the Listening Post.

To find out more about Fred Langa, please visit his page on the Listening Post

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Email This  | 
Print  | 
RSS
More Insights
Copyright © 2021 UBM Electronics, A UBM company, All rights reserved. Privacy Policy | Terms of Service