Hard passwords made easy

Hard passwords made easy


In the online world, security plays a role in all online activities. Passwords are the most commonly used method to limit access to specific people. In my previous article I discussed assessing the relative value of systems protected by passwords, and grouping passwords across locations with similar trustworthiness.

In a nutshell, don’t bother creating and remembering strong passwords for low value systems, and certainly don’t use the same passwords for low value systems that you use in high value systems.

In this article, I’ll discuss how to create a strong password, and how to keep track of all your strong passwords, if you have a definite need to keep more than a couple.

In a nutshell, don’t bother creating and remembering strong passwords for low value systems, and certainly don’t use the same passwords for low value systems that you use in high value systems

Creating memorable strong passwords

A strong password is made up of several different types of characters, and isn’t a name or word in a dictionary. Many systems that require strong passwords will check any password you try to create against a set of rules. These rules often specify a minimum length, and that your password includes characters from at least three of the following four groups:
Capital Letters ABCDEFGHIJKLMNOPQRSTUVWXYZ
Lowercase Letters abcdefghijklmnopqrstuvwxyz
Numbers 1234567890
Symbols `~!@#$%^&*()_+=-[]|}{‘;:”/.,<>?

Character Groups

The exact list of allowed symbols vary depending on the system. Some systems allow spaces in passwords, while others don’t. A particular system might also have an international character set that includes other letters or characters.

Time after time, people forced to use strong passwords come up with some gobbledygook thing like “v7GT%Xz2.” Leave a computer to generate a password for you, and you could well end up with something like that. And the next thing that happens is they’ve forgotten it and need to call the administrator for a new one. It’s certainly a strong password, but if you can’t remember it, and don’t store it in a safe place, it’s not an effective password.

I suggest using one of three strategies for creating strong passwords you can remember:

  1. Create a password using a mnemonic device
  2. Create a password using a word list with some variation
  3. Create completely random passwords and store them securely.

Use a mnemonic device

Remember learning about mnemonics? Not Ebonics, that’s something different. A mnemonic is a phrase or word to help you remember complicated or otherwise difficult to remember data. For example, ROY G BIV tells me the colors of the rainbow: Red, Orange, Yellow, Green, Blue, Indigo, and Violet—the letters in the name give you the sequence of the colors.

You can make up a phrase to remember a password, or make up a password based on a phrase that means something to you and nobody else

Jesus Christ Made Seattle Under Protest. No, not because there’s so many heathen folk running about—this is a local mnemonic for remembering the order of downtown Seattle’s streets, from south to north: Jefferson, James, Cherry, Columbia, Marion, Madison, Spring, Seneca, University, Union, Pike, Pine.

You can make up a phrase to remember a password, or make up a password based on a phrase that means something to you and nobody else. For example, our earlier “vhGT%Xz2” could become “Ve haven’t Gotten Ten percent Hex sleep, too!” or some similarly silly meaningless phrase. Our brains are capable of easily substituting one symbol for another. I wouldn’t trust this phrase for a password I only used occasionally, but for one you use several times a day, you’ll remember it in no time.

For less-commonly used passwords, use a phrase with meaning to you, because you’ll remember it easier: “Timmy and Tommy were my first dogs” could become “T&Twm1Dgs,” which isn’t a bad password at all. Remember your puppies and you’ve got your password.

Use a word list

A dictionary is a list of words. But I’ve already told you not to use dictionary words, right? Why is another word list okay?

Because you don’t use just a single word, and you don’t use a word that has personal meaning for you.

As a service provider, I often have to generate passwords for my customers. This is my favorite technique for doing that. You take a carefully generated list of words, and randomly pick two of them. Then you randomly pick a symbol or number to put between them. If it needs to be more secure, you then randomly make a few of the letters uppercase. Suddenly, you have a strong random password such as “rumpus!friar” or “fUngal)selMa.” These can sometimes be quite amusing...

You can also add an element of fun to the actual password generation. Diceware.com has two different word lists, and a method of randomly choosing words from them: by using regular dice. You scrounge through all those old board games in your closets to come up with 5 dice, roll them twice, and look up the word associated with the numbers you roll. Then you roll two of the dice to determine which number or symbol to put between them. Voila! You’ve got a reasonably strong password. I’ve found these passwords to be quite memorable.

Diceware is actually for creating longer passphrases, instead of passwords. A passphrase is used for encryption purposes, whereas a password simply provides access. Passphrases and encryption are a topic for other articles, but the passphrase generation ideas at Diceware make for a great way to generate passwords.

Store passwords securely

If you need to keep track of a bunch of different strong passwords, you have no choice but to record them somewhere. The problem is, where? Certainly not post-it notes attached to your monitor, or the bottom of your keyboard. I need to generate and store different strong passwords for many different clients. I don’t want to remember them all, and I’m certainly not going to ask for them over e-mail, which has the security of a postcard.

I need to generate and store different strong passwords for many different clients. I don’t want to remember them all, and I’m certainly not going to ask for them over e-mail, which has the security of a postcard

If you’re in this situation, you need a password vault of some kind, an encyrpted system that lists all of your passwords and keeps them safe and secure. You still need to remember one password: the one that opens the vault.

I use a program on my Palm Pilot that stores all my passwords in an encrypted file. I can see all the accounts I’ve set up in the main screen, but to get the password, I have to enter the master passphrase first. After 5 minutes, the program automatically “forgets” the passphrase and re-encrypts everything.

There are similar programs available for Windows and Pocket PC. You can also use generic encryption technologies like Gnu Privacy Guard (GPG), part of the excellent Wt software and provided in every Linux distribution.

Don’t store your passwords in a plain text file, a Word document, an Outlook note, or a note in your PDA.

The important point is to think realistically about your risks. If your passwords are in a plain text file on your computer and it gets hijacked by a worm, virus, or attacker, your password file might get compromised without you ever realizing it. PDAs are incredibly easy to steal—you wouldn’t want a thief to have instant access to all your passwords.

Password vault software

For Palm: Keyring for Palm OS is a great little free program that encrypts the password database to a password. The encryption is weak, but sufficient to protect your password for a few hours—if you lose your Palm, get a new one, restore your database, and change your passwords. The stronger your password, the longer a brute force attack will take. Also check out Strip for better encryption, though its database is not viewable on your PC.

With these utilities and a better understanding of how to generate strong passwords you can keep your information safe from prying eyes

For Linux: A plug-in for Jpilot can natively read the database for Keyring for Palm OS. This makes a great harmony: you can view, synchronize, and update passwords on both Linux and the Palm. Again, note that the encryption is weak, meaning the database can be cracked in a matter of 5 hours or so with brute force. That means you should protect your Palm backups, as well as Jpilot.

For Windows: Try Oubliette or KeePass, both are free software password managers for Windows. And here’s another: Password Safe, developed by a well-known security expert, primarily written for Windows but with compatible versions for PocketPC and Linux available.

For PocketPC: There’s a KeePass version for PocketPC, too.

For Mac users, try Password Gorilla.

With these utilities and a better understanding of how to generate strong passwords you can keep your information safe from prying eyes.

Category: 
End users
Tagging: 
passwords
creating passwords
License: 
Verbatim only

Comments

Allen Moore's picture

If I understand this article, you're storing your clients' passwords on a PDA using a password vault with weak encryption. And in the event of a lost or stolen PDA, your recovery procedure is to "get a new one [PDA], restore your database, and change your passwords." Does this mean you have to go around to each client and change their password(s) as well? Perhaps I've misunderstood, but this doesn't seem like a very practical or safe solution.

John Locke's picture
Submitted by John Locke on

To respond to Allen (below):

That's a completely valid concern. The main point of keeping passwords on a PDA is because you can access them, and keep them relatively securely. The software I use and recommended encrypts the password database with 3DES, which, while not the latest and most secure protocol, is still strong enough encryption that it'll take an attacker a lot of computing resources, and many many hours to crack. It's still used by most SSL servers you visit on the Internet.

Losing a PDA is like losing a wallet--not something that happens often (hopefully), and involves some pain. Lose your wallet, and you need to go cancel all your credit cards immediately. Lose your PDA, and you have to go reset all the passwords. But by having it on a PDA, presumably you have a copy on your computer, as well, so you can quickly go down the list and do your damage control. And with an encrypted password store and a strong master password, you have at least several days or weeks to do this, if not years...

Besides, using SSH, I can "go around to each client and change their password(s)" from the comfort of my home office--one of the great things about Linux and FOSS software in general is how easy it is to remotely administer...

Do you have a better solution?
--
John Locke
Freelock Computing, http://www.freelock.com
The Open Source for Business Solutions

Most forwarded

Interview with Dave Mohyla, of DTIDATA

Dave Mohyla is the president and founder of dtidata.com, a hard drive recovery facility based in Tampa, Florida.

TM: Where are you based? What does your company do?
DTI Data recovery is based in South Pasadena, Florida which is a suburb of Tampa. We have been here for over 10 years. We operate a bio-metrically secured class 100 clean room where we perform hard drive recovery on all types of hard disks, from laptop hard drives to multi drive RAID systems.

Anybody up to writing good directory software?

Since the very beginning, directories (of any kind) have had a very central role in the internet. (I have recently grown fond of Free Web Directory. Even Slashdot can be considered a directory: a collection of great news and invaluable user-generated comments. As far as software is concerned, doing a quick search on Google about software directories will return the free (as in freedom) software directories like Savannah, SourceForge, Freshmeat and so on, followed by shareware and freeware sites such as FileBuzz, PCWin Download Center and All Freeware (great if you're looking for shareware and freeware, but definitely less comprehensive than their free-as-in-freedom counterparts).

Interview with Mark Shuttleworth

Mark Shuttleworth is the founder of Thawte, the first Certification Authority to sell public SSL certificates. After selling Thawte to Verisign, Mark moved on to training as an astronaut in Russia and visiting space. Once he got back he founded Ubuntu, the leading GNU/Linux distribution. He agreed on releasing a quick interview to Free Software Magazine.

Is better education the key to finding better software?

I read David Jonathon's article Anybody Up To Writing Good Directory Software? the other day, which got me thinking about software directories in general. As David mentioned, many of the software directories one finds when doing a quick google search are free as in beer, not as in freedom. But what interests me is the software directories that already exist, providing a combination of both free as in beer software, and open source software. Sites such as Freeware Downloads and Shareware Download don't advertise themselves as providing free as in liberty software, but each of them have a good selection of open source software available... if you know where to look.

Most emailed

Free Open Document label templates

If you’ve ever spent hours at work doing mailings, cursed your printer for printing outside the lines on your labels, or moaned “There has got to be a better way to do this,” here’s the solution you’ve been looking for. Working smarter, not harder! Worldlabel.com, a manufacture of labels offers Open Office / Libre Office labels templates for downloading in ODF format which will save you time, effort, and (if you want) make really cool-looking labels

Creating a user-centric site in Drupal

A little while ago, while talking in the #drupal mailing list, I showed my latest creation to one of the core developers there. His reaction was "Wow, I am always surprised what people use Drupal for". His surprise is somehow justified: I did create a site for a bunch of entertainers in Perth, a company set to use Drupal to take over the world with Entertainers.Biz.

Update: since writing this article, I have updated the system so that the whole booking process happens online. I will update the article accordingly!

So, why, why do people and companies develop free software?

More and more people are discovering free software. Many people only do so after weeks, or even months, of using it. I wonder, for example, how many Firefox users actually know how free Firefox really is—many of them realise that you can get it for free, but find it hard to believe that anybody can modify it and even redistribute it legally.

When the discovery is made, the first instinct is to ask: why do they do it? Programming is hard work. Even though most (if not all) programmers are driven by their higher-than-normal IQs and their amazing passion for solving problems, it’s still hard to understand why so many of them would donate so much of their time to creating something that they can’t really show off to anybody but their colleagues or geek friends.

Sure, anybody can buy laptops, and just program. No need to get a full-on lab or spend thousands of dollars in equipment. But... is that the full story?

Fun articles

Santa Claus - the most successful open source project

It dawned on me the other day, as I was shopping for the dozens of gifts it seems I have to buy every December, that Santa Claus is the most successful open source project in history. (Bridget @ Illiterarty would agree with that). Santa Claus is essentially a marketing development that is embodied by everyone who stuffs a sock, gives a gift, hosts a dinner or wishes Merry Christmas over the holiday season.

Most emailed

Editorial

When I first started thinking about Free Software Magazine, I was feeling enthusiastic about the dream. I had Dave, Gianluca, and Alan willing to help me, I had established members of the free software community willing to help me out, I had writers volunteering their time and energy for free, and I had a generous offer from OpenHosting for servers, all before I'd proved myself. There was a sense of excitement in the air, and I thought maybe, just maybe, I could make this work.

Free Software Magazine uses Apollo project management software and CRM for its everyday activities!