The Secret Password Is...

If your password is as easy as 123, we need to talk.

The first password I ever remember using when I started in system administration was ".redruM" (no quotes). It was by far the craftiest, most-impossible-to-guess password ever conceived by a sentient being. Sadly, a mere 17 years later (wow, it's been a long time!) that password probably could be brute-force compromised in ten minutes—with a cell phone.

Since retinal scans still mainly are used in the movies to set the scene for gruesome eyeball-stealing, for the foreseeable future (pun intended), we're stuck with passwords. In this article, I want to take some time to discuss best practices and give some thoughts on cool software designed to help you keep your private affairs private. Before getting into the how-to section, let me openly discuss the how-not-to.

The Things You Shall Not Do

It's a bad idea to write your password on a sticky note and affix it to your monitor.

Yes, it sounds like a joke, but this happens every day—in almost every business. In fact, sometimes tech folks are guilty of this cardinal sin because they've changed passwords for users and need to let them know their new passwords. Seeing your password written or typed out should cause you physical pain and distress. Displaying it on your monitor is just wrong.

It's a bad idea to use any of the following as your password, or at least as your entire password:

  • Your pet's name, current or past.

  • Your child's name or nickname.

  • Your car's name, model or a car you want.

  • Birth dates of any people you know.

  • Name of your college/high-school mascot.

  • Anything related to your hobbies.

  • Your address in any form.

  • Your telephone number, past or present.

  • Your mother's maiden name (this is less secure than .redruM).

  • Any of the following: password, 123456, abc123, letmein, love, iloveyou, sex, god, trustno1, master, asdfjkl;, qwerty, password123, secret, jesus or ninja.

If I've just described your password or, heaven forbid, actually listed it in the last bullet point (some of the most common passwords), you need to keep reading. Don't change your password yet though, as I'm going to discuss best practices next, but even if you don't read another word, you can't leave your password like it is—really.

The Things You Shall Try to Do

When it comes to passwords, the longer and more complex, the better. Unfortunately, there is an inverse relationship between the quality of a password and a person's ability to remember it. Logically, one would find the balance between easy to remember and sufficiently complex, but because some people forget how to spell their own names, using some tricks of the trade is necessary—preferably, combining the tricks.

The Sentence-Mnemonic Method

If I were to tell you my password is "sipmnwnoilbinetb" and that I can remember it every time, you'd probably be impressed. Watch, I'll type it again without looking back: sipmnwnoilbinetb.

Am I really a cyborg with an eidetic memory? Maybe, but in this case, I've just used the sentence-mnemonic method to remember my password. In reality, when I type that password, I'm saying in my head, "Sometimes I pick my nose when no one is looking, but I never eat the boogers."

This particular mnemonic is good for a couple reasons. One, it's easy to remember. Two, it's a horrible lie, so no one would ever guess that's what I'm typing. And three, because it's embarrassing, it's unlikely that I'd say it out loud while typing. For most people, just using this method for passwords would be an improvement over their current practice. For the best security, however, it's important to add other complexity.
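The method above, worked through in code as an added example (not the author's code): it derives the initial-letter password from the sentence, optionally keeps the sentence's capitals and punctuation as the extra complexity the article calls for, and checks the result against the article's own list of common passwords. The 12-character floor is an assumption.

```python
"""Sentence-mnemonic password helper.  Added example for this article, not the
author's code; the 12-character floor used below is an assumption."""

# The article's own list of common passwords, reused here as a blocklist.
COMMON_PASSWORDS = {
    "password", "123456", "abc123", "letmein", "love", "iloveyou", "sex",
    "god", "trustno1", "master", "asdfjkl;", "qwerty", "password123",
    "secret", "jesus", "ninja",
}
PUNCT = ".,;:!?"


def mnemonic(sentence, keep_case=False, keep_punct=False):
    """Reduce a sentence to the first letter of each word.

    keep_case  - preserve the sentence's capitalisation (adds an upper-case class)
    keep_punct - carry each word's trailing punctuation along (adds symbols)
    Both are the "other complexity" the article says to layer on top.
    """
    out = []
    for token in sentence.split():
        word = token.strip(PUNCT + "\"'")
        if not word:
            continue
        out.append(word[0] if keep_case else word[0].lower())
        if keep_punct and token[-1] in PUNCT:
            out.append(token[-1])
    return "".join(out)


def character_classes(password):
    """How many of lower/upper/digit/other appear (a coarse complexity gauge)."""
    tests = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    return sum(1 for test in tests if any(test(c) for c in password))


def problems(password, min_len=12):
    """Reasons a candidate fails the article's 'shall not' rules plus the
    assumed minimum length; an empty list means no objection."""
    found = []
    if password.lower() in COMMON_PASSWORDS:
        found.append("appears on the common-password list")
    if len(password) < min_len:
        found.append(f"shorter than {min_len} characters")
    if character_classes(password) < 2:
        found.append("uses a single character class")
    return found


if __name__ == "__main__":
    s = "Sometimes I pick my nose when no one is looking, but I never eat the boogers."
    for pw in (mnemonic(s), mnemonic(s, keep_case=True, keep_punct=True), "password123"):
        print(f"{pw!r}: {', '.join(problems(pw)) or 'ok'}")
```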

______________________

Shawn Powers is an Associate Editor for Linux Journal. You might find him chatting on the IRC channel, or Twitter

Comments


The best passwords are phrases and alt codes

Richard_T

What do you guys think about using ALT codes in your password, such as ☺ ☻ ♥ ♦, ╡, etc.?


Favorite (and easily brute-forced) pw's

jobuntu

NCC-1701-D
Kahn!
pa55w0rd
sl@ck3r


Password must not be from the

Bobby Perez

A password must not be a word you utter every time or one of the things you use. It must be a very unusual and strong one.


Other problems with passwords

dravey

First of all, I completely agree with Jake548 about so many sites restricting passwords to 8, 10 or 12 characters, as well as with Anonymous (BAD, BAD, BAD) about the complexity of passwords not being the problem anymore, with the use of keyloggers. But I have yet another issue: there are so many websites that require a login password, that are really not sensitive sites with your personal data stored on them. This places a burden on all of us to maintain access to dozens (hundreds?) of sites that aren't that critical. Yes, of COURSE we should be VERY concerned about our banking and credit card sites and all sites that we send financial data to, such as shopping sites and political and charitable sites! But what is the risk that we will suffer bad things if one of our forum sites is hacked? It would be irritating, but probably no serious trouble would be caused. Of course the forum administrator doesn't want irresponsible people to post crap in the forum (I recently had a problem with that on one site), but that's hardly a true security catastrophe. I think we need to come up with a whole new paradigm that distinguishes between potentially devastating security breaches and just annoying behavior and have different kinds of security for each.

How long?

Spike

Many systems only 'use' the first 'n' characters or only allow a certain length. The system rules often make a memorable passwd very hard to create. "Min 6 chars, max 8 chars, must have ....". At the end of the day a passwd like 'rover' or 'mypassword' will always be more secure in your head than '$)%kuT&e227' will be on a scrap of paper in your top drawer.

I'm so clever

cleverguy@outlook.com

I've been using "TanSbkttSeg." (There are no secrets better kept than the secrets everybody guesses.) for years now for almost every single login, and nobody ever guessed it. :D

[Can you spot the irony?]

Password Haystacks

adsus

Steve Gibson (www.grc.com) had some interesting comments to make about passwords and includes a password 'brute-force' calculator. See here:

https://www.grc.com/haystack.htm

The site also explains how he arrives at the figures generated and you can test your passwords online.

He also explains how "D0g....................." can be more secure than "PrXyc.N(n4k77#L!eVdAfp9" - both passwords sans the quotes of course.

Worth a look


Selecting a strong password

awoodhcl

Selecting a strong password has always been an issue. I remember reading in one article that when creating a password it shouldn't be anything related to you. However, most people tend to create passwords that are related to them, mainly because they are easy to remember. On the other hand, I got interested in what the mnemonic method can do. I think knowing the mnemonic method might help to secure any account.


What drives me nuts is the

Jake548

What drives me nuts is the sites that restrict password length - most of my passwords are far shorter than they should be because the site won't take anything longer than 12 characters. Throw in the standard "8 characters minimum, one capital, and one number or special character" rule and you've given anyone trying to brute-force a password a nice set of parameters to drastically reduce the number of combinations they need to try.
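The search-space arithmetic behind the haystack comparison in adsus's comment above and behind Jake548's point about length caps, as an added example (not from the article, the commenters or GRC). It assumes GRC's model: four character classes with 33 symbols, any class used dragging in its whole class, and an attacker who must try every length up to the password's; the two GRC strings are assumed to be 24 and 23 characters, the first reconstructed as "D0g" plus 21 dots.

```python
"""Search-space arithmetic behind the haystack comparison and a site's length
cap.  Added example; not from the article, GRC or the commenters."""
import string

# Character classes as the haystack page models them: 26 + 26 + 10 + 33
# (32 ASCII punctuation marks plus the space).  Assumed here for the estimate.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation + " ")


def alphabet_size(password):
    """Alphabet an exhaustive search must cover: the union of every character
    class the password touches (one symbol used drags in all 33 symbols)."""
    return sum(len(cls) for cls in CLASSES if any(c in cls for c in password))


def search_space(password):
    """Candidates for an attacker who knows the alphabet but not the length:
    every string of length 1 .. len(password) over that alphabet."""
    n = alphabet_size(password)
    return sum(n ** k for k in range(1, len(password) + 1))


def policy_ceiling(max_len, alphabet=95):
    """The best any password can do on a site that caps length at max_len,
    even with all 95 printable ASCII characters allowed."""
    return sum(alphabet ** k for k in range(1, max_len + 1))


if __name__ == "__main__":
    haystack_dog = "D0g" + "." * 21           # GRC's 24-character example (assumed length)
    haystack_prx = "PrXyc.N(n4k77#L!eVdAfp9"  # GRC's 23-character one
    sentence = "when I visit Linux Journal dot com, I always pick my nose."
    for pw in (haystack_dog, haystack_prx, "rover", "wIvljdc_Iapmn", sentence):
        print(f"{len(pw):3d} chars, alphabet {alphabet_size(pw):2d}: "
              f"{search_space(pw):.3e}  {pw!r}")
    # A 12-character cap with the full character set loses to a plain sentence.
    print(f"12-char cap ceiling: {policy_ceiling(12):.3e}")
```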

Good article

AWippler

I am a sys admin for a church and we encourage our users to choose a short phrase or a great scriptural truth for their password. We also encourage the method described in this article.


Password/s

Nickh

Password card anyone?

http://passwordcard.org


Obligatory XKCD reference

bolt


BAD BAD BAD

Anonymous

Come on! You really should know better than to put out this BS. NOBODY guesses your password, except perhaps your mom. It does not matter one bit how complex your password is, and implying to people that making their passwords more complex is going to make them safer is just giving them a (very) false sense of security. Passwords are stolen with keyloggers, not guesses. A five-million-character-long password cannot and will not stop a hacker.

i agree, key-loggers and

eMBee

i agree, key-loggers and brute force. for key-loggers no kind of password helps, and for brute force only length matters. XKCD got it right.

using "Sometimes I pick my nose when no one is looking, but I never eat the boogers." as a password should be much better than "sipmnwnoilbinetb" (btw: if that sentence is a lie, then you do eat the boogers? ;-)

likewise, "when I visit Linux Journal dot com, I always pick my nose." is probably a good password right there. no need to reduce it to "wIvljdc_Iapmn"

sure, it's a lot of typing, but that's the only cost here...

greetings, eMBee.

Actually, a full sentence is

Ruben

Actually, a full sentence is less secure than the first letters of every sentence to a certain extent. Good keylogging programs go through an entire dictionary before doing anything else.

In the following sentence, all words appear in a dictionary:
"Sometimes I pick my nose when no one is looking, but I never eat the boogers."

"sipmnwnoilbinetb" appears in no single dictionary, and is therefore inherently safer. Sure, the full sentence password has the advantage of length, but the degree of "randomness" is much, much lower. And randomness in passwords is incredibly important.

why would a keylogging

eMBee

why would a keylogging program need to do that? it already logged all the keys, and it doesn't make sense to apply spelling correction either, so what's the point?

and for brute force crackers, the number of possible combinations of words is a few magnitudes larger than the combinations of the same number of characters. so i believe that it really doesn't matter if every word in that password is in a dictionary, because the whole sentence isn't.

you are comparing one word which is not in the dictionary with 16 words which are. that's like saying: oh, the characters you use in your password are all listed in that ascii table...

and as for randomness, that sentence is not random to a human, but the same is true for "sipmnwnoilbinetb". that's also not random. but a computer doesn't know that. it can't tell the difference. oh, yes it could generate grammatically correct sentences, but it would still have to go through many more combinations than a combination of bytes would provide.

greetings, eMBee.
