The Secret Password Is...

Substitutionary Complexication

Anyone who was a geek in the 1990s knows that all the cool kids would use numbers in their user names. Whether it was l33th@ck3r or z3r0c00l (or shawnp0wers), substituting numbers and characters for letters does add a layer of complexity. It's certainly not enough on its own—don't think the crafty use of an @ symbol or a few "3"s for "e"s will keep you safe—but if you add that to the mnemonic method, it certainly will help. "sIpmnwn1il,bInetb" looks similar to the eye to my password above, but it is much more resistant to a brute-force attack.

Compound Words

In addition to the above-mentioned methods for increasing complexity, a great way to make your password even more secure is to join two passwords with a string of numbers or characters. Continuing with our booger-picking example above, what if instead of using a comma to separate the phrases, I used a short string of numbers? On its own, something like 6229 is horribly insecure, but if you do something like "sIpmnwn1il6229bInetb", it becomes a really impressive password that is simple to remember. Because I'm talking about the middle of a character string, using an easy-to-remember number is acceptable here.

Based on just a few tricks, I've managed to come up with an excellent password that is easy to remember and not terribly difficult to type. Yay! I'm done! Well, yes and no.
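To make the three steps above concrete, here is an added example (not code from the article) that builds the mnemonic from the article's own sentence, applies the "one" to "1" substitution, swaps the comma for the 6229 separator, and estimates how many bits of brute-force search space each variant forces on an attacker who knows only the length and which character classes are present. The word-substitution table and the character-class model are assumptions made for this example.

```python
import math
import string

# Constructed input: the article's own example sentence.
PHRASE = "Sometimes I pick my nose when no one is looking, but I never eat the boogers."

# Word-level substitutions in the article's spirit ("one" becomes "1").
# The mapping itself is an assumption made for this example.
WORD_SUBS = {"one": "1", "to": "2", "for": "4"}

# Character classes an attacker must cover once they know which ones appear.
CHAR_CLASSES = (
    (string.ascii_lowercase, 26),
    (string.ascii_uppercase, 26),
    (string.digits, 10),
    (string.punctuation, 32),
)


def mnemonic(phrase, subs=None):
    """First letter of each word; 'I' keeps its case; a trailing comma stays."""
    out = []
    for word in phrase.split():
        trailing = "," if word.endswith(",") else ""
        core = word.rstrip(string.punctuation)
        if not core:
            continue
        if subs and core.lower() in subs:
            out.append(subs[core.lower()] + trailing)
        else:
            first = core[0] if core == "I" else core[0].lower()
            out.append(first + trailing)
    return "".join(out)


def compound(phrase, separator, subs=WORD_SUBS):
    """The article's compound form: the comma becomes a short number string."""
    return mnemonic(phrase, subs).replace(",", separator)


def brute_force_bits(password):
    """log2 of the search space for an attacker who knows only the length and
    which character classes are present (a standard, deliberately generous model)."""
    alphabet = sum(size for chars, size in CHAR_CLASSES
                   if any(c in chars for c in password))
    return len(password) * math.log2(alphabet)


def report(phrase=PHRASE, separator="6229"):
    """Each step the article describes, with the resulting brute-force size."""
    variants = [
        ("all lowercase, no punctuation",
         mnemonic(phrase).replace(",", "").lower()),
        ("mnemonic with case and comma", mnemonic(phrase)),
        ("plus number substitution", mnemonic(phrase, WORD_SUBS)),
        ("compound with " + separator, compound(phrase, separator)),
    ]
    return [(label, pw, round(brute_force_bits(pw), 1)) for label, pw in variants]


if __name__ == "__main__":
    for label, pw, bits in report():
        print(f"{bits:6.1f} bits  {pw:<22} {label}")
```

Running it shows the search space climbing from about 75 bits for the 16 lowercase letters to roughly 119 bits for the 20-character compound form; the extra length from the separator contributes more than the single substituted digit does, which is why the article's compound trick is worth the small typing cost.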

Hey, That's My Luggage Combination!

The problem is that most people log in to more than one computer system or Web site. Some Web site designers have started to adopt an OpenID sort of authentication system, which allows authentication without actually using a separate password, but that isn't the case everywhere. At least in the near future, we'll be stuck with logins and passwords for multiple Web sites. In a perfect world where Web sites store only well-encrypted passwords, and bad guys never steal password databases, a single well-made password would suffice. That is not the world we live in.

It seems every day there's a company whose Web site has been compromised, and passwords have been leaked. Granted, it's often fun to see what sorts of passwords other people use, but it's a sinking feeling to find your password on the list of compromised accounts—especially if it's the same password you use everywhere. The problem is, coming up with a new password for every Web site is difficult to manage.

If you're consistent and sneaky enough, you might be able to have a "pattern" that only you know. For example:

  • wIvljdc_Iapmn = when I visit Linux Journal dot com, I always pick my nose.

  • wIvadc_Iapmn = when I visit Apple dot com, I always pick my nose.

  • wIvwpdo_Iapmn = when I visit Wikipedia dot org, I always pick my nose.

Yes, looking at them side by side, it's easy to tell what the pattern is, but if only one is compromised, it's not terribly clear. Also, in the above examples, I used what letters made sense to me; they don't line up with syllables but rather with how the words separate in my head.

One Ring to Rule Them All

For many security-conscious readers, possibly even you, these lessons in good password practice may make you angry. For you, if a password isn't 128-characters long, with a combination of letters, symbols, numbers and fairy spells, it's not good enough. I understand—really, I do. Sadly, I also understand that most of the world still thinks "abc123" is a perfectly cromulent password. For you, my cyborg friend, there are password management tools.

When every site has a password like "af&6fw^faew^@f88*hlDSLjfe8wlsfyy&&8s0##~", it goes beyond simple mnemonics to remember. Thankfully, there are tools like KeePassX, which is an excellent password manager for Linux, discussed at length by Anthony Dean in the May 2010 issue (http://www.linuxjournal.com/content/keepassx-keeping-your-passwords-safe).

The idea behind programs like KeePassX, or the popular browser-based LastPass, is that you can keep your passwords as complex, and even as random, as you like. The programs keep your passwords encrypted and require a master password to unlock them. (When creating a master password, it's very important to follow some sort of complexity strategy, like I outlined earlier in this article.)

With a password manager, you can let your brain keep track of a single password, knowing you can retrieve whatever ultra-safe password you need for a site or computer at any time. Granted, this means relying on a program to keep track of your information, so you'll have to use the program to retrieve it, but with programs like LastPass, there are applications for pretty much every operating system, browser and smartphone in existence. It is usually the only practical way to keep truly random passwords in order. If you can train yourself to use a program or service to manage passwords, it can change the way you think of security. It also can keep you safe if a particular account is hacked. The system is only as secure as the master password, however, so be sure that's a good one!

Not Quite a Retina Scan...

Thankfully, some companies are taking an honest look at users and realizing password security isn't something they can force-feed. Regardless of articles like this, people still will use the names of their dogs to secure their bank accounts. Some companies have begun to use two-step authentication, which adds a physical response to a password challenge.

Someone certainly can steal your password, but what if in order to log in to your e-mail account, you not only had to enter your password correctly, but also had to respond to a text message sent to your phone? It certainly would eliminate the long-distance hacks, because it's unlikely hackers even would know your cell-phone number, much less be able to respond to a text message sent to it.

Two-step, or two-factor, authentication isn't terribly popular yet, but the concept is powerful. If we can continue to come up with complex, yet convenient methods for proving authentication, we will make the world safer and safer. That doesn't mean we can become lax on how we create our passwords, however. Because at least for the near future, secure passwords are the only way to keep our data private.
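The article describes the second step as answering a text message, but the same idea (something you know plus something you hold) is what authenticator apps and hardware tokens implement with a counter-based one-time code. As an added example, not from the article, here is HOTP (RFC 4226) in Python with a small server-side verifier: the password check comes first, a code is accepted only inside a short look-ahead window, and every code is burned after use so a captured one cannot be replayed. The demo secret is the RFC's published test-vector key; the verifier class, the window size and the "password before code" ordering are assumptions of this example, not anything the article or a particular vendor specifies.

```python
import hashlib
import hmac
import struct

# Constructed demo secret: the RFC 4226 test-vector key. A real deployment
# generates a random per-user secret and keeps it only on the server and token.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6):
    """HMAC-based one-time password (RFC 4226) with dynamic truncation."""
    msg = struct.pack(">Q", counter)                     # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                              # low nibble picks the window
    code = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    ) % (10 ** digits)
    return str(code).zfill(digits)


class SecondFactorVerifier:
    """Server side of the second step: checks a submitted code against the
    user's counter, tolerates a few codes generated but never sent (look-ahead),
    and advances the counter so a used code is never accepted again."""

    def __init__(self, secret, look_ahead=3):
        self.secret = secret
        self.counter = 0
        self.look_ahead = look_ahead

    def verify(self, submitted):
        for candidate in range(self.counter, self.counter + self.look_ahead + 1):
            expected = hotp(self.secret, candidate)
            # Constant-time comparison: do not leak which digits matched.
            if hmac.compare_digest(expected.encode(), submitted.encode()):
                self.counter = candidate + 1             # burn this and skipped codes
                return True
        return False


def login(password_ok, verifier, code):
    """Both factors must pass. The code is only examined once the password is
    right, so a stolen password alone never gets a code accepted (assumed policy)."""
    if not password_ok:
        return False
    return verifier.verify(code)


if __name__ == "__main__":
    v = SecondFactorVerifier(DEMO_SECRET)
    print("first code:", hotp(DEMO_SECRET, 0))         # 755224 per RFC 4226
    print("login with password + fresh code:", login(True, v, hotp(DEMO_SECRET, 0)))
    print("replay of the same code:", login(True, v, hotp(DEMO_SECRET, 0)))
```

The point the article makes is visible in `login`: someone holding only the password supplies no code, and someone who captured one code finds it already consumed. Note that counter drift between token and server is why the look-ahead window exists; a window of zero locks out a user whose token was pressed once without submitting.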

So Class, What Did You Learn?

You all learned that Shawn apparently picks his nose—at every Web site he visits. Seriously though, hopefully this article has helped you figure out your own method for creating passwords. Please don't use my exact method, but rather use it to come up with your own. Until we can have retinal scanners on every laptop, we're going to have to secure our passwords the old-fashioned way, like barbarians. So remember, "Sdrphn,iwoae!" (Shawn doesn't really pick his nose, it was only an example.)

Password image via Shutterstock.com.

______________________

Shawn Powers is an Associate Editor for Linux Journal. You might find him chatting on the IRC channel, or Twitter

Comments




The best passwords are phrases and alt codes

Posted by Richard_T

What do you guys think about using ALT codes in your password, such as ☺ ☻ ♥ ♦, ╡, etc.?


Favorite (and easily brute-forced) pw's

Posted by jobuntu

NCC-1701-D
Kahn!
pa55w0rd
sl@ck3r


Password must not be from the

Posted by Bobby Perez

The password must not be from a word you utter every time or from the things you use. It must be a very unusual and strong one.


Other problems with passwords

Posted by dravey

First of all, I completely agree with Jake548 about so many sites restricting passwords to 8, 10 or 12 characters, as well as with Anonymous (BAD, BAD, BAD) about the complexity of passwords not being the problem anymore, with the use of keyloggers. But I have yet another issue: there are so many websites that require a login password, that are really not sensitive sites with your personal data stored on them. This places a burden on all of us to maintain access to dozens (hundreds?) of sites that aren't that critical. Yes, of COURSE we should be VERY concerned about our banking and credit card sites and all sites that we send financial data to, such as shopping sites and political and charitable sites! But what is the risk that we will suffer bad things if one of our forum sites is hacked? It would be irritating, but probably no serious trouble would be caused. Of course the forum administrator doesn't want irresponsible people to post crap in the forum (I recently had a problem with that on one site), but that's hardly a true security catastrophe. I think we need to come up with a whole new paradigm that distinguishes between potentially devastating security breaches and just annoying behavior and have different kinds of security for each.

How long?

Posted by Spike

Many systems only 'use' the first 'n' characters or only allow a certain length. The system rules often make a memorable passwd very hard to create: "Min 6 chars, max 8 chars, must have ....". At the end of the day a passwd like 'rover' or 'mypassword' will always be more secure in your head than '$)%kuT&e227' will be on a scrap of paper in your top drawer.

I'm so clever

Posted by cleverguy@outlook.com

I've been using "TanSbkttSeg." (There are no secrets better kept than the secrets everybody guesses.) for years now for almost every single login, and nobody ever guessed it. :D

[Can you spot the irony?]

Password Haystacks

Posted by adsus

Steve Gibson (www.grc.com) had some interesting comments to make about passwords and includes a password 'brute-force' calculator. See here:

https://www.grc.com/haystack.htm

The site also explains how he arrives at the figures generated and you can test your passwords online.

He also explains how "D0g....................." can be more secure than "PrXyc.N(n4k77#L!eVdAfp9" - both passwords sans the quotes of course.

Worth a look


Selecting a strong password

Posted by awoodhcl

Selecting a strong password has always been an issue. I remember reading in one article that when creating a password it shouldn't have anything related to you. However, most people tend to create passwords that are related to them, mainly because they are easy to remember. On the other hand, I got interested in what the mnemonic method can do. I think knowing the mnemonic method might help to secure any account.


What drives me nuts is the

Posted by Jake548

What drives me nuts is the sites that restrict password length - most of my passwords are far shorter than they should be because the site won't take anything longer than 12 characters. Throw in the standard "8 characters minimum, one capital, and one number or special character" rule and you've given anyone trying to brute-force a password a nice set of parameters to drastically reduce the number of combinations they need to try.

Good article

Posted by AWippler

I am a sys admin for a church and we encourage our users to choose a short phrase or a great scriptural truth for their password. We also encourage the method described in this article.


Password/s

Posted by Nickh

Password card anyone?

http://passwordcard.org


Obligatory XKCD reference

Posted by bolt


BAD BAD BAD

Posted by Anonymous

Come on! You really should know better than to put out this BS. NOBODY guesses your password, except perhaps your mom. It does not matter one bit how complex your password is, and implying to people that making their passwords more complex is going to make them safer is just giving them a (very) false sense of security. Passwords are stolen with keyloggers, not guesses. A five-million-character-long password can not and will not stop a hacker.

i agree, key-loggers and

Posted by eMBee

i agree, key-loggers and brute force. for key-loggers no kind of password helps, and for brute force only length matters. XKCD got it right.

using "Sometimes I pick my nose when no one is looking, but I never eat the boogers." as a password should be much better than "sipmnwnoilbinetb" (btw: if that sentence is a lie, then you do eat the boogers? ;-)

likewise, "when I visit Linux Journal dot com, I always pick my nose." is probably a good password right there. no need to reduce it to "wIvljdc_Iapmn"

sure, it's a lot of typing, but that's the only cost here...

greetings, eMBee.

Actually, a full sentence is

Posted by Ruben

Actually, a full sentence is less secure than the first letters of every sentence to a certain extent. Good keylogging programs go through an entire dictionary before doing anything else.

In the following sentence, all words appear in a dictionary:
"Sometimes I pick my nose when no one is looking, but I never eat the boogers."

"sipmnwnoilbinetb" appears in no single dictionary, and is therefore inherently safer. Sure, the full sentence password has the advantage of length, but the degree of "randomness" is much, much lower. And randomness in passwords is incredibly important.


why would a keylogging

Posted by eMBee

why would a keylogging program need to do that? it already logged all the keys, and it doesn't make sense to apply spelling correction either, so what's the point?

and for brute force crackers, the number of possible combinations of words is a few magnitudes larger than the combinations of the same number of characters. so i believe that it really doesn't matter if every word in that password is in a dictionary, because the whole sentence isn't.

you are comparing one word which is not in the dictionary with 16 words which are. that's like saying: oh, the characters you use in your password are all listed in that ascii table...

and as for randomness, that sentence is not random to a human, but the same is true for "sipmnwnoilbinetb". that's also not random. but a computer doesn't know that. it can't tell the difference. oh, yes it could generate grammatically correct sentences, but it would still have to go through many more combinations than a combination of bytes would provide.

greetings, eMBee.
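The exchange between Ruben and eMBee, and adsus's Password Haystacks comment above, both turn on how large the search space actually is under different attacker models. This added example (not code from any commenter or from grc.com) puts numbers on it: a character-by-character search over the classes present, and the more attacker-friendly model in which the full sentence is known to be 16 common words and the attacker tries every word sequence from a wordlist. The 20,000-word dictionary size and the 21 dots in the padded "D0g" example are assumptions made here; grammar would cut the word-model figure further, but not by the roughly 150 bits that separate it from the 16-letter acronym.

```python
import math
import string

# Constructed comparison inputs, all quoted from the thread above.
SENTENCE = "Sometimes I pick my nose when no one is looking, but I never eat the boogers."
ACRONYM = "sipmnwnoilbinetb"
PADDED = "D0g" + "." * 21             # the "D0g......" example, taken as 24 characters
RANDOM = "PrXyc.N(n4k77#L!eVdAfp9"    # 23 characters, four character classes

# Character classes and their sizes; a space counts as its own one-symbol class.
CHAR_CLASSES = (
    (string.ascii_lowercase, 26),
    (string.ascii_uppercase, 26),
    (string.digits, 10),
    (string.punctuation, 32),
    (" ", 1),
)


def char_bits(password):
    """Search-space bits when the attacker tries every string of this length
    over the character classes that actually occur in it."""
    alphabet = sum(size for chars, size in CHAR_CLASSES
                   if any(c in chars for c in password))
    return len(password) * math.log2(alphabet)


def word_bits(sentence, dictionary_size):
    """Search-space bits when the attacker instead knows it is a sentence of
    common words and tries every sequence of that many words from a wordlist.
    Grammar is ignored, which favours the attacker even more."""
    words = [w.strip(string.punctuation) for w in sentence.split()]
    return len(words) * math.log2(dictionary_size)


def compare(dictionary_size=20000):
    """Rounded bit counts for each way of attacking the examples in the thread."""
    return {
        "acronym, character search": round(char_bits(ACRONYM), 1),
        "sentence, character search": round(char_bits(SENTENCE), 1),
        "sentence, word search": round(word_bits(SENTENCE, dictionary_size), 1),
        "D0g with padding, character search": round(char_bits(PADDED), 1),
        "random 23 chars, character search": round(char_bits(RANDOM), 1),
    }


if __name__ == "__main__":
    for label, bits in compare().items():
        print(f"{bits:7.1f} bits  {label}")
```

Two things stand out. Even when the attacker is handed the fact that the password is a sentence of dictionary words, 16 words from a 20,000-word list is still far above the 16-letter acronym, which is eMBee's point; and the padded "D0g" string edges out the 23 random characters simply by being one character longer over the same four classes, which is the haystack argument. None of this helps against a keylogger, as Anonymous and eMBee note: the numbers describe guessing, not capture.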
