Crackin’ Passwords

Before you get too excited or concerned, don’t worry, I’m going to tell you how to make really good (crackin’) passwords, not how to go about cracking passwords.

A client in South Perth (Hi Sharman) was asking me today if it was possible to make different passwords for each of her accounts that were still complex enough to be secure but easy enough for her to remember.

Private and not so private

Just about every organisation you deal with these days, whether government or commercial, wants you to set up an account via the internet. Most people are pretty vigilant when it comes to keeping their health and financial details safe and secure, so they usually pay a bit of attention to making a good password for these accounts. These passwords will be relatively complicated and certainly won’t use family members’ names or birth dates (I mean, who would do that, right?).

Complex passwords are usually difficult to remember, though, and to make it even harder, we’re told not to use the same password for each account. Consequently, accounts that we don’t think of as important don’t get passwords any more complicated than “password123” or “buster” (the dog’s name).

Hacking 101

But that’s a problem because, while we may not think the account is important, it is still likely to hold some information a hacker will find valuable. Hackers deliberately target accounts that are perceived as unimportant because they know those accounts will have pathetic passwords (let’s not beat around the bush here).

They may only know your name to begin with, but once they crack into a poorly secured account, they may then know your email address. Armed with this information, it is a little bit easier to get into another relatively poorly secured account and get even more information about you. From here they continue on gathering more and more information until, eventually, they may be able to log into your webmail account.

Remember that feature that most websites offer if you’ve forgotten your password? That’s right, they’ll send the password (or a way to reset it) to your email address. So, now that the hacker has access to your email account, they can go wild on all your other accounts!

Lockdown

I’ve seen some incredibly secure but totally impractical passwords. One of my clients was using a WiFi password that looked something like this (41 hexadecimal characters):

9D3C8702A9197CBB2A638ED4B626586CC875D150F

Very secure – no-one is cracking that one… but who wants to type that in every time a friend asks if they can connect their laptop to your WiFi? And you can’t memorise it, so you have to write it down which then lessens its security anyway.

But passwords needn’t be that extreme.

Is it always about length?

First of all, here are some tips for making a password secure. On their own they won’t make a password any easier to remember, but they will give you some ideas of what to include so that your easy-to-memorise password is hard to crack.

1. Length

The longer the password, the longer it takes to crack, and every extra character multiplies the attacker’s work rather than adding to it. Computers get more powerful every year, so keep in mind that the table below dates from some time in 2009. An 8 character password was about the minimum even then, and some more security-conscious organisations were already moving to 10 character passwords. The table shows how long a password cracking tool would take to try every possible password of a given length. Two caveats: the figures assume an exhaustive search, whereas real attacks start from word lists and find weak passwords far faster than the table suggests; and the speed depends enormously on how the site stores the password (a deliberately slow hash such as bcrypt costs an attacker many thousands of times more per guess than an old fast hash), which a table like this cannot know.

(By the way, I don’t know where I got this image from so if you know the original author, can you let me know so I can give due credit?)

[Image: How Fast to Hack Passwords. A table from circa 2009 showing how long it takes to crack passwords of different lengths when they use only lowercase letters vs all characters.]
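
The arithmetic behind any such table is simple enough to redo for yourself, which matters because the 2009 figures are only a snapshot. The script below is an added example (not from the original post): it computes the number of possible passwords for a given length and character set and converts that to a worst-case search time. The guess rate of one billion per second is an assumption chosen for illustration; a real figure depends on the attacker’s hardware and, above all, on the hash the site uses.

```python
import math

# Added example, not from the original post: the arithmetic behind a
# "time to crack" table. The 2009 figure in the post is a snapshot; plug in
# a guess rate for the hardware and hash you care about.
GUESSES_PER_SECOND = 1e9  # ASSUMPTION for illustration: 10^9 guesses/s

# Alphabet sizes for the character classes a password may draw on.
CHARSETS = {
    "lowercase": 26,
    "lower+upper": 52,
    "lower+upper+digits": 62,
    "all printable ASCII": 95,
}


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return charset_size ** length


def seconds_to_exhaust(charset_size: int, length: int,
                       rate: float = GUESSES_PER_SECOND) -> float:
    """Worst case for the attacker: every candidate of this length is tried.
    On average a password falls at about half this time."""
    return keyspace(charset_size, length) / rate


def bits(charset_size: int, length: int) -> float:
    """Entropy of a uniformly random password: log2 of the keyspace."""
    return length * math.log2(charset_size)


def human(seconds: float) -> str:
    """Render seconds in the largest convenient unit, one decimal place."""
    for name, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3f} seconds"


def crack_table(lengths=range(6, 13), rate: float = GUESSES_PER_SECOND):
    """Rows of (length, {charset name: seconds}) for the lengths given."""
    return [(n, {name: seconds_to_exhaust(size, n, rate)
                 for name, size in CHARSETS.items()})
            for n in lengths]


if __name__ == "__main__":
    print(f"exhaustive search at {GUESSES_PER_SECOND:.0e} guesses/s")
    print(f"{'len':>3} " + " ".join(f"{name:>20}" for name in CHARSETS))
    for n, row in crack_table():
        print(f"{n:>3} " + " ".join(f"{human(row[name]):>20}"
                                    for name in CHARSETS))
```

Run it and one thing stands out: 12 lowercase letters (26^12, roughly 9.5 × 10^16 possibilities) give a bigger search space than 8 characters drawn from all 95 printable ASCII characters (95^8, roughly 6.6 × 10^15). Length wins over symbol-hunting, which is the whole basis of the phrase-based method later in this post.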


2. Mixed Case

Password cracking tools start from dictionaries: lists of words that look daunting to a person but are nothing to a computer. Most passwords are case-sensitive these days, which means that an uppercase “A” is treated as a different character from a lowercase “a”. So, if you mix uppercase and lowercase letters in your password, the attacker can no longer simply run down a list of dictionary words; the tool has to try case variations of each word as well. One caveat: the tools already do this cheaply for the obvious variations (first letter capitalised, whole word capitalised), so a capital in an unexpected place, in the middle of a word, costs an attacker far more than a capital at the start.

3. Numbers

Including numbers in a password adds more characters the tool has to cover, which means more combinations and more time to crack. Where you put them matters, though: a number tacked on the end, especially a year or “123”, is one of the first variations a cracking tool tries, while digits buried inside a word are not.

4. Non-Dictionary Words

Because cracking tools go through a list of dictionary words first, making up a word, mixing numbers into the middle of one, or even just misspelling it makes the password harder to crack. Note that the standard substitutions (0 for o, 3 for e, @ for a) are so common that the tools try them automatically; a genuine misspelling or an invented word works better.

Remember your Greek mythology?

Mnemosyne (pronounced with a silent M) is the name of the goddess of memory in Greek mythology. From her name is derived the word “mnemonics” which are special strategies used to help make the task of memorisation easier. One of the commonest mnemonic devices is to imagine crazy images or whacky stories about something you wish to memorise in order to help it stick in your mind.

For example, imagine I’m going to the grocery store and I need to pick up a French loaf, a bunch of celery and a pack of cereal (that’s a normal shopping list, right?). I could imagine holding the French loaf in one hand, the bunch of celery in the other and using them as drumsticks to beat a rhythm on the box of cereal. As the “drumsticks” are hitting the box of cereal, the contents are shaking around and making a sound like maracas. By the time I get to the grocery store, there is no way I’ve forgotten that bizarre image, so I have no problem remembering the three items.

Putting it all together.

Now that you have all the information about what you need to make a secure password and how to help remember it, let’s put it all together to make a hypothetical password for a Facebook account.

  1. Mnemonic: Let’s make a crazy phrase related to Facebook. How about, “My face likes to friend books”. You then have to form a weird image of this in your mind. Let’s imagine your face searching for books in a library and then rubbing its nose on them in order to make friends.
  2. Length: Now, remove the spaces (you can’t usually use them in passwords, anyway) and you already have a good password length to start with: “Myfacelikestofriendbooks”.
  3. Mixed Case: Add some capital letters. For memory purposes, it helps if you use the same pattern all the time. For example, only capitalise the first letter of the words related to the website (Facebook): “myFacelikestofriendBooks”
  4. Non-dictionary Words: Spell some words incorrectly or use some shorthand (R for “are”, 2 for “to”, etc): “miFacelykes2frendBooks”
  5. Numbers: Add some extra numbers. In this case, I’ve used the year the password was created: “miFacelykes2frendBooks12”. (A year on the end is a guessable choice; here it mainly adds two characters and a third character class. Digits inside the phrase would cost an attacker more.)

One caution about this method: if you always build passwords from the same template and only swap the site-related words, then anyone who obtains one of your passwords (from a breached site that stored it badly, say) can see the pattern and has a head start on all the others. The template is a convenience for you, not a secret, so vary the phrase itself and the spelling tricks between the accounts that matter.
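
To see what the five steps actually buy you, here is the recipe carried through in code, as an added example (not a tool from the original post). It builds the password from the phrase exactly as above, then estimates its strength two ways: the naive brute-force figure most online checkers report, and a simplified dictionary-aware estimate in the spirit of tools such as zxcvbn, which charges a whole dictionary word far less than the same letters chosen at random. The shorthand table reproduces the post’s own choices; the small word list, the dictionary size of 100,000 and the greedy tokeniser are assumptions for illustration only.

```python
import math

# Added example, not the post's own tool. It carries the five-step recipe
# from "Putting it all together" through in code and then estimates the
# result's strength two ways. The shorthand table, the small word list,
# DICT_SIZE and the tokeniser are ASSUMPTIONS for illustration.

# Step 4 as the post applied it: misspellings and shorthand for the words
# that are not tied to the site.
SHORTHAND = {"my": "mi", "likes": "lykes", "to": "2", "friend": "frend"}


def build_password(phrase: str, site_words: set, suffix: str,
                   shorthand: dict = SHORTHAND) -> str:
    """Steps 2-5: drop spaces, capitalise only the site-related words,
    apply shorthand to the rest, append the chosen number."""
    parts = []
    for word in phrase.split():
        w = word.lower()
        if w in site_words:
            w = w.capitalize()          # step 3: site words get the capital
        else:
            w = shorthand.get(w, w)     # step 4: misspell / shorthand the others
        parts.append(w)
    return "".join(parts) + suffix      # step 2 (no spaces) + step 5 (numbers)


def charset_size(pw: str) -> int:
    """Alphabet an attacker must cover to brute-force this password."""
    size = 0
    if any(c.islower() for c in pw): size += 26
    if any(c.isupper() for c in pw): size += 26
    if any(c.isdigit() for c in pw): size += 10
    if any(not c.isalnum() for c in pw): size += 33   # printable ASCII symbols
    return size


def brute_force_bits(pw: str) -> float:
    """Naive estimate: every character is as hard as a random one."""
    return len(pw) * math.log2(charset_size(pw))


# Constructed mini word list; a real cracker's list has ~10^5 or more
# entries, which is what DICT_SIZE charges per matched word.
WORDS = {"my", "face", "like", "likes", "to", "friend", "friends",
         "book", "books", "password"}
DICT_SIZE = 100_000


def dictionary_aware_bits(pw: str, words=WORDS, dict_size=DICT_SIZE):
    """Greedy longest-match tokeniser, case-insensitive. Each dictionary word
    costs log2(dict_size) + 1 bits (the +1 covers first-letter capitalisation);
    anything the list does not explain costs a full brute-force character.
    Returns (bits, matched_words)."""
    lower = pw.lower()
    per_char = math.log2(charset_size(pw))
    longest = max(len(w) for w in words)
    i, total, matched = 0, 0.0, []
    while i < len(lower):
        hit = next((lower[i:i + n]
                    for n in range(min(longest, len(lower) - i), 0, -1)
                    if lower[i:i + n] in words), None)
        if hit:
            total += math.log2(dict_size) + 1
            matched.append(hit)
            i += len(hit)
        else:
            total += per_char
            i += 1
    return total, matched


if __name__ == "__main__":
    plain = "Myfacelikestofriendbooks"
    final = build_password("My face likes to friend books", {"face", "books"}, "12")
    for pw in (plain, final):
        est, found = dictionary_aware_bits(pw)
        print(f"{pw:26} brute-force {brute_force_bits(pw):6.1f} bits, "
              f"dictionary-aware {est:6.1f} bits, words matched {found}")
```

Against the word list, the unmodified phrase “Myfacelikestofriendbooks” decomposes entirely into six dictionary words and is charged about 106 bits, well under the 137 bits a naive checker would report. After the misspellings only “face” and “books” are still recognisable, and the estimate rises to about 125 bits. That is the post’s point about non-dictionary words made measurable. The estimator is deliberately simple: it knows nothing about leet substitutions or the mangling rules real crackers apply, so treat the numbers as relative, not absolute.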

Test your strength

When you’ve finished making your password, test its strength with a checker such as Microsoft’s Safety and Security Center. One caution: never type a real password into a website you don’t control. Test a throwaway password built the same way instead; it tells you just as much about the method.


Let us know

We’d love to hear what you think. Please offer us your thoughts, opinions and suggestions below in the “Speak your mind” section.

10 Comments

  1. Cool, thanks Nathan. I am starting to get a huge collection of passwords, as are the kids, and it’s getting hard to keep track. Your explanation was easy to understand and very helpful, although your shopping list was rather dubious….

    I often find it easier to remember a password or bank account has a pattern or a “rhythm” when you say it (to yourself, of course!), so that may help some people also.

  2. Thanks Sandi. Good suggestion – I know what you mean by the rhythm (not the same rhythm made by the celery and the French loaf though, right? 🙂 ).

  3. Hi Nathan,

    Thanks for the article. I spend a fair amount of time in IT security circles as InfoSec (I hate the term “Cyber Security”) is a passion of mine. I have a particular interest in trying to help non-technical users to be more secure, which I believe ultimately benefits everyone. Passwords continue to be the #1 headache for end users and IT departments alike.

    The key problem being that users either pick a simple password they can remember or they write the password down in an insecure place, such as a post-it note. So I found a hybrid solution that seems to work well.

    What I’ve been doing with users is to encourage them to write down their difficult to remember passwords and keep them in a secure place such as in their wallet with their credit cards. This way they have a password that’s difficult to crack, but is still vulnerable to theft. So the next step is to assign the user with a 4 digit pin number. I have noticed that many ATM users seem to have no difficulty with this (and I got this idea while waiting in line for an ATM).

    The 4-digit pin is then added to the end of the user’s password. So if the password written down by the user was 8HoZtGqGDf and their pin number is 0743 the two are combined to make their account password 8HoZtGqGDf0743

    Except the user does not write their pin number down as they did with the password, instead they memorise it because it’s short and simple. Unlike the first 10 characters of their password which had to be written down.

    Now the user has a complex password that’s difficult to crack, but if they lose the password that’s written down or it gets stolen, the 4 digit pin remains unknown to the thief, who can then be locked out after a set number of failed login attempts.

    It might not be a perfect solution but I’ve found it works well and most users are willing to partake as it helps keep them secure without adding too much burden.

    • Thanks for your alternative idea, Dan. I can see that this would be a very convenient and easy to use method.

      I guess after a theft, when the thief tried to use the password and it didn’t work, they would assume that the password had already been changed rather than guessing that it was a 2 part password and they were missing one part.

      The only issue I see is if everyone in a workplace (or home) is aware that that is what everyone does to create their passwords. In that scenario, if someone wanted to do some hacking, and is aware of where you keep the first part of your password, it effectively reduces your password to nothing more than a 4 digit code.

    • I enjoyed reading Dan Buzzard’s tip – great idea mate! Also the password length table, Nathan, is a good one, though if it’s from 2009 I wonder how much faster it is to crack passwords these days with modern technology.

      Hope you are well mate!

      • Hi Paul, glad you enjoyed it. Yes, I’m sure that the table from 2009 is no longer applicable with today’s much faster computers – I guess the ease of password cracking is the main reason we don’t use WEP security for WiFi any more.

  4. Yes, I believe my method of splitting the password in two would fail quickly against an offline attack. An encrypted hard drive in the hands of an attacker would be very fast to crack if the attacker had both the written password and knowledge of the pin.

    The two scenarios in which I deployed my password scheme were for Active Directory users, whereby the number of failed logins before getting locked out can be set by group policy. Only 3 troublesome users (post-it notes under the keyboard) were put onto the scheme to add a layer of security to their otherwise poor practices.

    Another use was in an old folks home to help residents with their Skype and email logins.

    The 4 digit pin could be replaced by a password of any length or complexity, so long as the user can remember it. I use a similar scheme for hard drive encryption whereby I memorize a unique 20 char alphanumeric key for each of my 4 drives then add a universal 12 char key to the end of each. Although the 12 char key is the same for each drive it serves to add a tremendous computational burden to the already complex and unique keys on each drive.

Comments are closed.