What really is a strong password?

Strong Password:

@N*RM&LM7DmMDq!Z@^s^7esu0Pjki9R8iroL6FlRghlaXP%c*l%0

Randomly generated.

Another one:

Ya!yG$jEcblxbMJUU5liy9ILlCnqXEH52fvvQytd9lOhanIk#IUn

 

How do I use Norton Identity Safe (That fills my logins and automatically synchronize between my computers), KeePass (which generates and stores all the passwords) and KeySrambler (That leaves no keylogger to steal my passwords) I use strong passwords as well as: fFs3E@zDf$cl8f'!.$;,

 

There are two forms of strong passwords:

1) The completely random high entropy (and hard to remember ones):

CnD9oxO80UiXiAr8E&xT



2)The not-so random but still uncrackable kind (and easy to remember)

W1lD3rS//S3cUr1Ty

This password is still strong and would take 1.34 billion trillion centuries to crack.

That said obviously don't use a simple trick like that. Basically remember that all you need to do is force an attacker to have to brute force your password. Once you do that all you need to do is make it impractical to do so. This example does that.

If you are going to use a haystacks method I recommend no using easy substitutions like "1" for "i" and so on. Every brute forcer since... well ever.. does these substitutions so be sure to make your own pattern based off of each website.

Check out the GRC's Haystack page Steve Gibson explains it alot better than I can.


*Recommended length is 20+ characters these days as supper computers can crack 13-14 characters in a relatively fast amount of time (a few years). and personal computers are catching up fast.

 

When I suggest someone uses a password I never tell them "use random numbers and letters" because it just frustrates them, they end up writing it down, and they often forget it and then have to rely on those recovery questions, which are horrible.

Instead I usually have them take two unrelated words that they can remember ~6letters each and put them together.

DonutAlgebra

Then I tell them to pick 5 letters that aren't their birthday. Maybe their friends birthday or whatever.

DonutAlgebra51972

Then it's up to them. Question mark or exclamation point.

DonutAlgebra51972?

Could it be more secure? Absolutely. Is it fairly easy to remember? Yep.

I think a password like DonutAlgebra51972? would take a significant time for a desktop computer to bruteforce. It uses two unrelated dictionary words, 5 random numbers, and a symbol.

If someone wanted a harder password I might suggest (based on the above example) 519Don?utAlg!ebra72 to break the dictionary words apart. This is harder to type out and a bit more difficult to remember but would be harder to break with a dictionary attack.

For something like a master password this might be more useful. It depends on the situation. If I wanted to protect my hard drive from a supercomputer I'd have to get trickier and I'd likely make it 4 words split by symbols.

I don't like using random numbers and letters. If you write your password down:
1) You can lose it! In the case of truecrypt this can be horrible.
2) Someone else can see/find it! Again, horrible.

I like a password that's easy to remember.

 

I also really hate super super long passwords. I want my GMail password to be secure but I really don't want to have to type in 50 characters on my phone to sync.

 

Despite all of the solid information supporting long, complex passwords, I'm afraid that more than a few major companies allow far fewer than 20 characters (and some do not even use case-sensitivity or punctuation marks).

American Express, for example, allows a maximum of 14 characters in a password, is not case-sensitive, and you can't use punctuation marks. The saving grace is, I suppose, that they have a feature in place that locks the account after several (I forget how many) unsuccessful attempts, and the card holder must then call AE to get their account unlocked.

 

They should really allow for more than that but if they lock the account after even 100 failed attempts a strong 14 character password will be fine.

 

voice, retina, palm, tongue passwords

*thumbs up*

 

I've been locked out a time or two (before I started using a password manager and would periodically forget the password) and it was FAR fewer than 100 attempts... more like 4-6 unsuccessful attempts... that trigger the lock.

Not long ago... like up until a year ago... their maximum password length was 8 characters. It never ceased to amaze me that a credit card company, that must lose millions of dollars per year to fraudulent activity, would allow only an 8-character account password.

 

Even if they had a 5 character password simply bruteforcing wouldn't let you in if they locked you out after a few tries.

 

That's the system I use to create my passwords. However, according to Microsoft's Password Checker, both my password (13 char) and the example above are both strong but not the best

I may slightly modify the method to make it longer by using easily remembered short phrase such as:
W1lD3rS//S3cUr1Ty1sc00L*

Edit: The 00 in 'c00L' are both zeros btw

 

Good post Eagle Creek!

I wonder how many minds that comic has helped change; certainly mine when I saw it.

I've noticed a lot of the password strength checkers tend to arbitrarily rate the password in the comic poorly simply because it has no numbers or capitals.

This is a password strength checker that appears to rate things more realistically, if it helps anyone:
http://rumkin.com/tools/password/passchk.php

 

Name & D.O.B. Eagle born 01/05/1980 = Eagle01051980

Eagle)!)%!(*)

replace numbers with the symbols above numbers. Never forget 'em that way.

 

WPsGaLanjfeotBBIwyiydtmttmw

from

"Well, Prince, so Genoa and Lucca are now just family estates of the Buonapartes. But I warn you, if you don't tell me that this means war"

-http://www.online-literature.com/tolstoy/war_and_peace/1/

 

Had an idea for this some time ago that would enable a user to have long, random appearing passwords but not have to remember them. It works like this. Start with a good sized text file, then encrypt it. The result will look like this.

When you need a password, copy and paste from it, starting and ending at odd points in the lines. You don't have to remember what you copied, just where you started and ended. For instance, you start the copy on the 5th line, 3rd character and ended on the 7th line, 10th character. All you have to remember is 5,3,7,10, which gets you this password:

nL8sxTudep8h1jN4QQoXu/mhFoFkHeSS7VA6j74bzTmo+thFuWeSXqZ1PtrV+S
B6fdOJIIiy1yy+QDu2TIEosqlduaevLE041a//B78Or4uKBbB/42ygrO9SNxRo4W
/fSTHZiJZZ

Even if an attacker has the source text, without knowing the length of the password, the number of possibilities is ridiculous, especially if your source text has a few hundred lines. Just don't use line and character numbers that match up to any personal info.

 

Don't go by the MS checker. I just put in "aaaaaaaaaaaaaaaaaaaaaaaaaaa" and it called it "best"

 

I'm guessing that rainbow tables may include "a*", "b*" etc for strings much longer than nominal length.

 

The first password you posted would take:

This is a raw brute force attack. No dictionary's nothing. chances are you are safe against online attacks (they are the slowest) but an off line dictionary attack it can be cracked. It would still take time though. I got it in about two hours. My attack went through a 900MB dictionary file and the software combines words after going through the list and FINALLY adds numbers to the end of each one on the third pass.

An Online attack would take forever so I didn't even try it. I did it against a password protected Zip file.

So online you are fine with this password, Offline (the attacker has the hash(s) or the protected file) not so much.

As for GMail you do have the option to enable 2 factor authentication. This would allow you to use a weaker password and still be secure.

EDIT:

Just to add I made sure my dictionary had the words in it but in a alphabetical order. So I was guaranteed to get it eventually.

 

Good to know. I realize that a dictionary attack is where my method would fall short, but online it wouldn't matter.

If I were doing truecrypt I would use my later method:
519Don?utAlg!ebra72

I would be very surprised if any attack could bruteforce is in a feasible amount of time.

 

start with a space random letters and numbers spce in between at end add a few spaces = strong

 

Exactly. The second one I couldn't get using the same attack. Online attackers are always slower as the attacker has to send the username + password and than wait for a yes or no (essentially). And of course places like google force captcha after a certain # of failed logins and will even block logins after a while too.

 

Yeah, simply stopping them after a few incorrect passwords will work well for offline attacks. If it's account wide it'll even work for online attacks, if it's specific to the computer it'll unfortunately be easily worked around via botnet or even proxy.

For something like my GMail I use a similar method to the 1.2 million billion trillion or whatever it was =p

 

The topic actually inspired me to take the time and beef up my gmail password. It is now quite a bit longer.