Unbreakable crypto: ...

Unbreakable crypto: Store a 30-character password in your brain’s subconscious memory.

-- Tom

 

Computer game secures crypto systems from rubber hose attacks.

-- Tom

 

The easiest way to create a long, secure password is to pick a quote from your favorite author/musician/actor/politician/whatever and use the first letter of each word.

Example:

Quote: "We hold these truths to be self-evident, that all men are created equal"

Turns into: whtttbsetamace

Then maybe throw an exclamation point at the end and you'll be set.

 

Sounds good -- but don't forget that way too many sites won't accept special characters in passwords (despite their inclusion being recommended practice), and a great many do require including at least one numeric character.

(edit) Also, many sites have a relatively narrow "window" of acceptable password length (e.g., 8-12). Might be a trick coming up with a good phrase that would generate the right length of initials.

 

I use a similar method. My password based on that sentence would be:

Wh777653974m4c3

But I wouldn't use such a famous quote For LUKS passphrases, I concatenate multiple such blocks, from different sources, that tell a story. In multiple languages. Remembering 50-100 characters is easy. Each machine has an identity that changes the story slightly.

 

I'm sure eventually, if not already, rainbow tables will be around for common sayings.

It's trivial to check for the numeric reprsentations for letters too. For a website that you can't hit over and over it should be fine. But something that can be hit like a keepass database, I dunno..

 

I don't start with common sayings. I use a few sentences, from multiple books.

 

Common phrases should be avoided for obvious reasons. Instead, use a nonsense phrase that you construct to be memorable.

I also find it aggravating that websites have such crazy and seemingly random password rules. Some require alphanumeric only, some allow special characters but only a special subset. Most cap the number of characters to 12 and almost none allow 20+
There has got to be some way to require all web developers to read this cartoon:
http://xkcd.com/936/

 

Well, I recently switched from LastPass to KeePass and decided to change all of my passwords I had stored there. There were over 120 of them and I did this within a few days, so it gave me a look at the different password rules.

Many of them actually allowed 20 or more characters, but some had varying rules as you know. The biggest short password offender was Netflix (with only 10), and I'm pretty sure that was the only one under 14. A utility billing site capped it at 14, and that really should be longer. EA's Origin had a stated limit of 16, but only 15 worked for me. But, most of the others could go to 20 or more.

 

SirDrexl,
thanks for checking on specific sites.
Most of the worst offenders for me have been banks. I did a bit of checking myself and was pleased to find a couple of banks that fixed their password policies. AMEX was the worst offender. The previous policy was 6-8 characters with a long list of invalid combinations plus zero special characters. They recently changed it to 8-20 characters but still ban special characters. The "not case sensitive" part is really very strange though.