What really is a strong password?

Discussion in 'privacy general' started by Eagle Creek, Oct 20, 2011.

Thread Status:
Not open for further replies.
  1. Eagle Creek

    Eagle Creek Global Moderator

    Joined:
    Jul 27, 2004
    Posts:
    734
    Location:
    The Netherlands
    Reading this thread (and in fact, several others in the past few months) I started wondering something: what exactly is a strong password?

    At first we tried to teach our users not to use any easily guessable passwords, like "admin", "sex", "house" or anything similar. We also advised them not to use any plain versions of personal information: birth dates, children's names, etc. They could easily be cracked by simple guessing, and/or by conventional dictionary attacks.

    To prevent the latter, we told them to use a password that's as complex as possible. A combination of lowercase and uppercase, combined with at least one number or exotic character.

    With brute force, "A1b*" could be easily found in a short amount of time. So, we added the advice for a minimum password length and discouraged the use of any dictionary words.

    However, longer passwords like "Te$t@dm1n" and passwords made out of leet (l33t) are also weak against advanced dictionaries.

    This forces ordinary people to remember at least 20 different passwords that look like *&GHfdskhFYJFjhj*@$!: made out of complete gibberish, almost impossible to remember.

    Given the fact that biometrics aren't as reliable as we thought (or are very expensive), and a PKI or key card construction isn't a realistic solution for home users, we need to find another solution.

    Something that's gaining popularity in the last few years is the use of complete pass sentences instead of passwords.

    Take a look at this little comic:
    http://xkcd.com/936/

    The conclusion would be that an ordinary sentence, which is made out of 4 random words, without any modifications (no numbers, no uppercase, no !#@* etc.) might even be stronger than one of those passwords we considered very safe.

    When testing pass sentences at password strength checkers (like PCTools' and Microsoft's), they usually come out very weak. The calculation used in the comic proves otherwise.


    What are your thoughts about it?
    What kind of password do you use? (note: not WHAT password :ninja: :D)
     
  2. aladdin

    aladdin Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    2,986
    Location:
    Oman
    Strong Password:

    @N*RM&LM7DmMDq!Z@^s^7esu0Pjki9R8iroL6FlRghlaXP%c*l%0

    Randomly generated.

    Another one:

    Ya!yG$jEcblxbMJUU5liy9ILlCnqXEH52fvvQytd9lOhanIk#IUn
     
  3. ExtremeGamerBR

    ExtremeGamerBR Registered Member

    Joined:
    Aug 3, 2010
    Posts:
    1,115
    As I use Norton Identity Safe (that fills in my logins and automatically synchronizes between my computers), KeePass (which generates and stores all the passwords) and KeyScrambler (that leaves no keylogger able to steal my passwords), I use strong passwords as well, such as: fFs3E@zDf$cl8f'!.$;,
     
  4. x942

    x942 Guest

    There are two forms of strong passwords:

    1) The completely random high entropy (and hard to remember ones):

    CnD9oxO80UiXiAr8E&xT



    2) The not-so-random but still uncrackable kind (and easy to remember)

    W1lD3rS//S3cUr1Ty

    This password is still strong and would take 1.34 billion trillion centuries to crack.

    That said, obviously don't use a simple trick like that. Basically, remember that all you need to do is force an attacker to have to brute force your password. Once you do that, all you need to do is make it impractical to do so. This example does that.

    If you are going to use a haystacks method I recommend not using easy substitutions like "1" for "i" and so on. Every brute forcer since... well, ever... does these substitutions, so be sure to make your own pattern based off of each website.

    Check out GRC's Haystack page; Steve Gibson explains it a lot better than I can.


    *Recommended length is 20+ characters these days, as supercomputers can crack 13-14 characters in a relatively fast amount of time (a few years), and personal computers are catching up fast.
     
  5. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    When I suggest someone uses a password I never tell them "use random numbers and letters" because it just frustrates them, they end up writing it down, and they often forget it and then have to rely on those recovery questions, which are horrible.

    Instead I usually have them take two unrelated words that they can remember, ~6 letters each, and put them together.

    DonutAlgebra

    Then I tell them to pick 5 digits that aren't their birthday. Maybe their friend's birthday or whatever.

    DonutAlgebra51972

    Then it's up to them. Question mark or exclamation point.

    DonutAlgebra51972?

    Could it be more secure? Absolutely. Is it fairly easy to remember? Yep.

    I think a password like DonutAlgebra51972? would take a significant time for a desktop computer to bruteforce. It uses two unrelated dictionary words, 5 random numbers, and a symbol.

    If someone wanted a harder password I might suggest (based on the above example) 519Don?utAlg!ebra72 to break the dictionary words apart. This is harder to type out and a bit more difficult to remember but would be harder to break with a dictionary attack.

    For something like a master password this might be more useful. It depends on the situation. If I wanted to protect my hard drive from a supercomputer I'd have to get trickier and I'd likely make it 4 words split by symbols.

    I don't like using random numbers and letters. If you write your password down:
    1) You can lose it! In the case of TrueCrypt this can be horrible.
    2) Someone else can see/find it! Again, horrible.

    I like a password that's easy to remember.
     
  6. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    I also really hate super super long passwords. I want my GMail password to be secure but I really don't want to have to type in 50 characters on my phone to sync.
     
  7. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,829
    Location:
    Last Breath Farm
    Despite all of the solid information supporting long, complex passwords, I'm afraid that more than a few major companies allow far fewer than 20 characters (and some do not even use case-sensitivity or punctuation marks).

    American Express, for example, allows a maximum of 14 characters in a password, is not case-sensitive, and you can't use punctuation marks. The saving grace is, I suppose, that they have a feature in place that locks the account after several (I forget how many) unsuccessful attempts, and the card holder must then call AE to get their account unlocked.
     
  8. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    They should really allow for more than that but if they lock the account after even 100 failed attempts a strong 14 character password will be fine.
     
  9. strongsword

    strongsword Registered Member

    Joined:
    Oct 16, 2011
    Posts:
    36
    voice, retina, palm, tongue passwords

    *thumbs up*
     
  10. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,829
    Location:
    Last Breath Farm
    I've been locked out a time or two (before I started using a password manager and would periodically forget the password) and it was FAR fewer than 100 attempts... more like 4-6 unsuccessful attempts... that trigger the lock.

    Not long ago... like up until a year ago... their maximum password length was 8 characters. It never ceased to amaze me that a credit card company, that must lose millions of dollars per year to fraudulent activity, would allow only an 8-character account password.
     
  11. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Even if they had a 5 character password, simply brute-forcing wouldn't let you in if they locked you out after a few tries.
     
  12. cozumel

    cozumel Registered Member

    Joined:
    May 23, 2009
    Posts:
    260
    Location:
    London, UK
    That's the system I use to create my passwords. However, according to Microsoft's Password Checker, both my password (13 char) and the example above are both strong but not the best :doubt: :(

    I may slightly modify the method to make it longer by using easily remembered short phrase such as:
    W1lD3rS//S3cUr1Ty1sc00L*

    Edit: The 00 in 'c00L' are both zeros btw
     
  13. Eagle Creek

    Eagle Creek Global Moderator

    Joined:
    Jul 27, 2004
    Posts:
    734
    Location:
    The Netherlands
    When you have a root/admin account that isn't supposed to be accessed, you can use a 20 char random password. Then you need to write down the password and put it in a safe (or save it and put it in a digital safe, which on its own has the same level of security as the system you are trying to protect).

    Works fine for this limited number of systems.

    Consider daily life. The average user has maybe at least 20 passwords to remember. That is: there are passwords from the business environment (and every tool has its own code), there are passwords for personal websites and there are passwords for appliances (mobile phone, voicemail, locker maybe?). Obviously you don't want to re-use a password ever again, and you want to change them every X days (let's be generous and say every 90 days).

    Using 20+ unique &65dgBhjGyt4r6146!%$^@-like passwords is absolutely impossible for any person who is still considered a human, and not some kind of superhuman.

    Hence, using the method of combining unrelated words sounds very good to me. You could use a "basic" word or combination, and then change a part of the password for several websites/systems. (this would create a small weakness because when someone actually knows one of your passwords, he could crack the system behind it. But I think you can be clever enough to solve this problem).

    Well: that's what I try to find out here. Using the previous theory, donutalgebratreehousedog would be a GREAT password. However, when checking this using the many password strength checkers that are out there on the web, most of them will consider this a weak or moderate password, due to the lack of numbers, uppercase, etc.

    So how do we know for sure this would be a good password? These strength checkers don't really seem to be checking for password strength, but only if your password matches the preset variables.
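    As an added example (not from any poster in this thread), here is the comic's arithmetic applied to the constructions discussed above and to the 14-character, case-insensitive, no-punctuation policy mentioned later; the 2048-word list and the 1e9 guesses/s offline rate are assumptions, not figures from the thread. It counts only the choices an attacker who knows the scheme cannot predict, which is what the web strength checkers Eagle Creek describes do not do.

```python
import math

# Added example (not from the thread): entropy estimates for the password
# styles discussed above, assuming the attacker knows the construction scheme
# (the xkcd 936 model) so only the free choices count.
WORDLIST_SIZE = 2048            # assumed: comic-style list of ~2048 common words
DIGITS, SYMBOLS = 10, 32        # digit choices; printable ASCII symbols
ALNUM_CI, PRINTABLE = 36, 94    # a-z0-9 case-insensitive; all printable ASCII

def bits_random(length, alphabet):
    """Entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet)

def bits_scheme(words=0, digits=0, symbols=0, wordlist=WORDLIST_SIZE):
    """Entropy of 'dictionary words + digits + symbol' constructions such as
    DonutAlgebra51972?. Each word counts as one pick from the word list, not as
    a run of letters, because a word-combining dictionary attack treats it so."""
    return (words * math.log2(wordlist) + digits * math.log2(DIGITS)
            + symbols * math.log2(SYMBOLS))

def seconds_to_crack(bits, guesses_per_second):
    """Expected time to find the password: half the keyspace at the given rate."""
    return 2 ** (bits - 1) / guesses_per_second

def lockout_success_probability(bits, allowed_attempts):
    """Chance an online guesser wins when the account locks after N attempts."""
    return allowed_attempts / 2 ** bits

OFFLINE_RATE = 1e9   # constructed: guesses/s against a fast unsalted hash on GPUs

def compare():
    """Return (label, bits, offline hours) for each construction in the thread."""
    cases = {
        "4 random words (comic)": bits_scheme(words=4),
        "DonutAlgebra51972? (2 words, 5 digits, 1 symbol)": bits_scheme(2, 5, 1),
        "20 random printable characters": bits_random(20, PRINTABLE),
        "14 chars, case-insensitive, no punctuation": bits_random(14, ALNUM_CI),
    }
    return [(label, round(b, 1), seconds_to_crack(b, OFFLINE_RATE) / 3600)
            for label, b in cases.items()]

if __name__ == "__main__":
    for label, bits, hours in compare():
        print(f"{label:50s} {bits:6.1f} bits   offline: {hours:10.3g} h")
    # Online guessing against the 14-char policy with a lockout after 6 tries:
    print("P(success, 6 tries):",
          f"{lockout_success_probability(bits_random(14, ALNUM_CI), 6):.2e}")
```

    The figures show why the two-word construction and the four-word passphrase land in the same range (both a few hours offline at the assumed rate) while the lockout makes online guessing of even the shorter policy hopeless.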
     
  14. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    855
    Good post Eagle Creek!

    I wonder how many minds that comic has helped change; certainly mine when I saw it.

    I've noticed a lot of the password strength checkers tend to arbitrarily rate the password in the comic poorly simply because it has no numbers or capitals.

    This is a password strength checker that appears to rate things more realistically, if it helps anyone:
    http://rumkin.com/tools/password/passchk.php
     
  15. AaLF

    AaLF Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    986
    Location:
    Sydney
    Name & D.O.B. Eagle born 01/05/1980 = Eagle01051980

    Eagle)!)%!(*)

    Replace numbers with the symbols above the numbers. Never forget 'em that way.
     
  16. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,031
    WPsGaLanjfeotBBIwyiydtmttmw

    from

    "Well, Prince, so Genoa and Lucca are now just family estates of the Buonapartes. But I warn you, if you don't tell me that this means war"

    -http://www.online-literature.com/tolstoy/war_and_peace/1/
     
  17. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Had an idea for this some time ago that would enable a user to have long, random-appearing passwords but not have to remember them. It works like this. Start with a good sized text file, then encrypt it. The result will look like this.
    [image: source.gif]
    When you need a password, copy and paste from it, starting and ending at odd points in the lines. You don't have to remember what you copied, just where you started and ended. For instance, you start the copy on the 5th line, 3rd character and end on the 7th line, 10th character. All you have to remember is 5,3,7,10, which gets you this password:

    nL8sxTudep8h1jN4QQoXu/mhFoFkHeSS7VA6j74bzTmo+thFuWeSXqZ1PtrV+S
    B6fdOJIIiy1yy+QDu2TIEosqlduaevLE041a//B78Or4uKBbB/42ygrO9SNxRo4W
    /fSTHZiJZZ

    Even if an attacker has the source text, without knowing the length of the password, the number of possibilities is ridiculous, especially if your source text has a few hundred lines. Just don't use line and character numbers that match up to any personal info.
     
  18. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Don't go by the MS checker. I just put in "aaaaaaaaaaaaaaaaaaaaaaaaaaa" and it called it "best"
     
  19. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,031
    I'm guessing that rainbow tables may include "a*", "b*" etc for strings much longer than nominal length.
     
  20. x942

    x942 Guest

    The first password you posted would take:



    This is a raw brute force attack. No dictionaries, nothing. Chances are you are safe against online attacks (they are the slowest), but with an offline dictionary attack it can be cracked. It would still take time though. I got it in about two hours. My attack went through a 900MB dictionary file and the software combines words after going through the list and FINALLY adds numbers to the end of each one on the third pass.

    An Online attack would take forever so I didn't even try it. I did it against a password protected Zip file.

    So online you are fine with this password, Offline (the attacker has the hash(s) or the protected file) not so much.

    As for GMail you do have the option to enable 2 factor authentication. This would allow you to use a weaker password and still be secure.

    EDIT:

    Just to add, I made sure my dictionary had the words in it, but in alphabetical order. So I was guaranteed to get it eventually.
     
  21. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Good to know. I realize that a dictionary attack is where my method would fall short, but online it wouldn't matter.

    If I were doing TrueCrypt I would use my later method:
    519Don?utAlg!ebra72

    I would be very surprised if any attack could brute-force it in a feasible amount of time.
     
  22. culla

    culla Registered Member

    Joined:
    Aug 15, 2005
    Posts:
    504
    Start with a space, random letters and numbers, a space in between, at the end add a few spaces = strong.
     
  23. x942

    x942 Guest

    Exactly. The second one I couldn't get using the same attack. :thumb: Online attackers are always slower as the attacker has to send the username + password and then wait for a yes or no (essentially). And of course places like Google force a captcha after a certain # of failed logins and will even block logins after a while too. :thumb:
     
  24. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Yeah, simply stopping them after a few incorrect passwords will work well for offline attacks. If it's account wide it'll even work for online attacks, if it's specific to the computer it'll unfortunately be easily worked around via botnet or even proxy.

    For something like my GMail I use a similar method to the 1.2 million billion trillion or whatever it was =p
     
  25. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    The topic actually inspired me to take the time and beef up my gmail password. It is now quite a bit longer.
     