What's a strong password .. really ?

  • I'm often struck by the advice as to what a strong password is.

    Apparently a random mix of upper and lower case letters sprinkled with a few numbers is a strong password. Oh well, of course, apart from the fact that humans can't remember these kinds of random passwords, so they write them down!

    I remember consulting at a company that had exactly this policy. It was a major UK corporate, and 20% of passwords were written on post-it stickers and stuck on the users' screens.

    For me:

    Weak Password

    tim

    Useless Password that has to be written down

    D4H6kly^rvcbn&nm<89n^65J67

    Genuinely strong password that can be remembered

    i23LOVE9dogs

    i love dogs, dog was born on 23/9

    Any comments for or against the received wisdom? Microsoft seem to buy into it...

    Tim Walker


  • The stronger a password is, the more resistant it is to being hacked.

    A good mix of numbers, lowercase letters, uppercase letters and special characters would make it extremely difficult for password hacking programs to guess the password. I've heard that most of these use dictionaries for variations of words.

    An example that passes almost all strong password checks is M@st3rP@$$w0rd

    Here, I've replaced the "a" with a "@". The "3" is a backwards "E". The "$" is for the "S". Finally, a zero substitutes for an "o".

    So, I've taken the phrase "masterpassword", capitalized some of the letters, substituted some characters and numbers for vowels, and I've made a strong password.

    Wayne
    Microsoft Certified Master: SQL Server 2008
    Author - SQL Server T-SQL Recipes


    If you can't explain to another person how the code that you're copying from the internet works, then DON'T USE IT on a production system! After all, you will be the one supporting it!
    Links:
    For better assistance in answering your questions
    Performance Problems
    Common date/time routines
    Understanding and Using APPLY Part 1 & Part 2

  • A strong password is one that cannot be brute forced in a reasonable amount of time and is not vulnerable to a dictionary attack.

    Bad password: P@$$w0rd

    Reason: Those substitutions are common, dictionary attacks could easily include words where letters have been substituted.

    What I've been doing the last few years is using pass phrases, not pass words. So, say I'm a fan of Sting. I take a line from one of his songs.

    "I dream of gardens in the desert sand"

    Do a couple subs and remove the spaces

    "IDream0fGardens1ntheDesertSand"

    Easy to remember, too long to brute force, unlikely to fall to a dictionary hack because it's not a single word.

    If it's too long to type, leave the filler words out and make different subs

    "IDr3amGard3nsD3s3rtSand"

    All that you need to remember for that is what line of what song you're using and what your particular encoding scheme is.

    Gail Shaw
    Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)
    SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability

    We walk in the dark places no others will enter
    We stand on the bridge and no one may pass
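    The point made in the two posts above (that "P@$$w0rd"-style substitutions are already built into crackers, while a multi-word phrase is not a single wordlist entry) can be shown with a miniature rule-based dictionary attack. This is an added example written for this page, not a tool or code from anyone in the thread; the wordlist, the substitution rules and the "leaked" hashes are all constructed here, and unsalted SHA-256 stands in for whatever fast hash a real database might have stored.

```python
"""Constructed example: a tiny rule-based dictionary attack in the style of
password-cracking tools. It enumerates every per-position leet substitution
of each wordlist entry (and of two-word concatenations), hashes each
candidate, and compares against a set of target hashes."""
import hashlib
import itertools

# Constructed wordlist. Real attacks use lists with millions of entries.
WORDLIST = ["password", "master", "dream", "garden", "desert",
            "sand", "tim", "love", "dogs"]

# Per-letter look-alikes, as a cracker's rule set would encode them.
# Each letter may stay as it is or become any of the listed characters.
LEET = {"a": "@4", "e": "3", "i": "1!", "o": "0", "s": "$5"}


def variants(word):
    """Yield every per-position substitution of a lowercase word, with the
    first letter optionally capitalised (the most common case pattern)."""
    options = []
    for pos, ch in enumerate(word):
        opts = {ch}
        opts.update(LEET.get(ch, ""))
        if pos == 0:
            opts.add(ch.upper())
        options.append(sorted(opts))
    for combo in itertools.product(*options):
        yield "".join(combo)


def sha256_hex(text):
    """Stand-in for the stored hash; any fast unsalted hash behaves the same."""
    return hashlib.sha256(text.encode()).hexdigest()


def crack(target_hashes, wordlist=WORDLIST):
    """Return {hash: plaintext} for every target recovered.

    Candidates are single wordlist entries and all two-word concatenations,
    each expanded through variants(). Stops early once every target is hit.
    """
    remaining = set(target_hashes)
    found = {}
    expanded = {w: list(variants(w)) for w in wordlist}
    singles = (c for w in wordlist for c in expanded[w])
    pairs = (a + b
             for w1, w2 in itertools.product(wordlist, repeat=2)
             for a in expanded[w1]
             for b in expanded[w2])
    for candidate in itertools.chain(singles, pairs):
        digest = sha256_hex(candidate)
        if digest in remaining:
            found[digest] = candidate
            remaining.discard(digest)
            if not remaining:
                break
    return found


if __name__ == "__main__":
    # Constructed targets: the substituted words from the thread plus the
    # long passphrase, hashed as if they had leaked from a user table.
    plaintexts = ("tim", "P@$$w0rd", "M@st3rP@$$w0rd",
                  "IDream0fGardens1ntheDesertSand")
    targets = [sha256_hex(p) for p in plaintexts]
    result = crack(targets)
    for digest in targets:
        print(digest[:12], "->", result.get(digest, "<not recovered>"))
```

With the nine-word list the attack tries only about 53,000 candidates, yet it recovers "tim", "P@$$w0rd" and "M@st3rP@$$w0rd" (the last as "master" + "password" with substitutions applied). The passphrase survives only because it is built from six words and a plural that are not in the list and not joined by this rule set; its strength comes from the number of words, not from the "0" and "1" substitutions.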
  • Gail, you are never short of a decent tip, and that's an excellent one!

    Passes the test of not having to write it down and almost impossible to guess or crack electronically.

    I shall pass this idea on to others!

    Thanks.

    Tim


  • Gail has great advice.

    Longer passwords are better, but if they are in the dictionary, with any easy to remember substitution (such as zero for oh) then that's being built into crackers.

    Hotmail has a strength checker, go through the beginning of the signup and it will test your password. Probably others as well.

    I'd pick a phrase, something in the 15-30 character range, and use that, removing spaces, adding a capital here or there, and some substitution.

    I used to use at one company

    Ilik3NikeB@asktb@ll (I like Nike Basketball)

    When we'd come up with admin passwords, we'd let someone pick a theme for that month, and then we'd use a couple phrases like this and substitute and use those as our passwords.

    It can work for users. I'd suggest you come up with 2-3 example phrases (dogs, events, something) and use them to help people pick their own. Be sure you let them know NOT to use your examples.

  • If you need something that looks like a random password, but is easier to remember (not easy, just easier, there's a big difference), pick semi-complex molecular formulae and substitute in some of the shift characters for some of the numbers.

    Simple example: sulfuric acid is H2SO4, so it could be H2SO$, or H@SO4. If you want mixed case, pick some of the elements that have 2-letter symbols. Who's going to guess that Tb3N@C84 isn't random? It's not likely to come in a dictionary search, especially if you obscure a few of the characters with substitutions, and it's going to be tough to brute-force, but if you study the subject, it's memorable. (It's a bucky ball with an "impossible" molecule in it.)

    Personally, I use random mixtures of numbers, letters and symbols. I can memorize a few of those, and a few is all I find I really need. I create mnemonics for them out of their pieces. If I can't, I don't use that combo.

    - Gus "GSquared", RSVP, OODA, MAP, NMVP, FAQ, SAT, SQL, DNA, RNA, UOI, IOU, AM, PM, AD, BC, BCE, USA, UN, CF, ROFL, LOL, ETC
    Property of The Thread

    "Nobody knows the age of the human race, but everyone agrees it's old enough to know better." - Anon

  • The thread below has a stored procedure with my attempt at generating random passwords that can be remembered by a human but still meet complexity rules, along with some general discussion and methods that other people used. The idea behind my method is to generate 3 character syllables separated by special characters or numbers.

    Generate Password Procedure

    http://www.sqlteam.com/forums/topic.asp?TOPIC_ID=78859

    Stored procedure P_GENERATE_PASSWORDS returns a list of randomly generated passwords designed to meet typical password complexity requirements of a minimum of 8 characters, with at least one each of uppercase letters, lowercase letters, numbers, and special characters. It can generate from 1 to 10,000 passwords as a result set.

    The passwords are meant to be somewhat mnemonic by generating syllables consisting of an uppercase consonant, followed by a lower case vowel, and a lowercase consonant. A single number or special character separates syllables, except in the case of 2 syllables. If there are only 2 syllables, they will be separated by a number and a special character.

    PASSWORD

    --------------

    2 Syllable Passwords

    Tis|2Fun

    Miy5]Fib

    Bay1|Puz

    Tel3.Pus

    Duq0@Roy

    3 Syllable Passwords

    Qab@Kaz0Lan

    Sav1Tig]Hat

    Pah6Fic|Cic

    Buz7Viz=Mec

    Vig^Wah9Xuf

    Qew2Mif^Mix

    5 Syllable Passwords

    Mux4Zor_Jog{Vec,Bih

    Ker1Qem[Gat,Hut|Zif

    Red}Ciq5Ber%Son:Qej

    Cov@Doz8Zow\Fic>Pos
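    The syllable scheme described above can be implemented in a few lines, and it is worth knowing how many distinct passwords it can actually produce. The block below is an added example written for this page, not Michael's T-SQL procedure: it follows his description (uppercase consonant, lowercase vowel, lowercase consonant; one digit or special character between syllables, two between syllables when there are only two), draws its choices from the operating system's CSPRNG via the `secrets` module, and counts the scheme's keyspace. The set of special characters used here is an assumption, since the original procedure's exact set is not stated in the post.

```python
"""Constructed example: a syllable-based password generator in the style
described above, plus a keyspace/entropy calculation for the scheme."""
import math
import secrets

CONSONANTS = "bcdfghjklmnpqrstvwxyz"   # 21 letters
VOWELS = "aeiou"                       # 5 letters
DIGITS = "0123456789"
# Assumed separator set (25 characters); the original's set is not given.
SPECIALS = "!@#$%^&*_-=+[]{}|:,.<>?/\\"


def syllable():
    """One pronounceable syllable: Consonant-vowel-consonant, e.g. 'Tis'."""
    return (secrets.choice(CONSONANTS).upper()
            + secrets.choice(VOWELS)
            + secrets.choice(CONSONANTS))


def generate(n_syllables):
    """Build one password from n_syllables syllables (n >= 2).

    Two syllables give only six letters, so two separators (a digit and a
    special) are inserted to reach eight characters. Otherwise one separator
    sits between each pair of syllables. In every case at least one digit and
    one special character are forced so the usual complexity rule holds.
    """
    if n_syllables < 2:
        raise ValueError("need at least two syllables")
    rng = secrets.SystemRandom()
    parts = [syllable() for _ in range(n_syllables)]
    n_seps = 2 if n_syllables == 2 else n_syllables - 1
    seps = [secrets.choice(DIGITS), secrets.choice(SPECIALS)]
    seps += [secrets.choice(DIGITS + SPECIALS) for _ in range(n_seps - 2)]
    rng.shuffle(seps)          # hide which slots carried the forced characters
    if n_syllables == 2:
        return parts[0] + seps[0] + seps[1] + parts[1]
    out = parts[0]
    for sep, part in zip(seps, parts[1:]):
        out += sep + part
    return out


def meets_complexity(pw, specials=SPECIALS):
    """Typical policy: >= 8 chars with upper, lower, digit and special."""
    return (len(pw) >= 8
            and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in specials for c in pw))


def keyspace(n_syllables, n_specials=len(SPECIALS)):
    """Number of distinct passwords the scheme can produce.

    Separator sequences are counted with inclusion-exclusion so that only
    sequences containing at least one digit and one special are included.
    """
    syl = len(CONSONANTS) * len(VOWELS) * len(CONSONANTS)   # 2205
    k = 2 if n_syllables == 2 else n_syllables - 1
    d, s = len(DIGITS), n_specials
    seps = (d + s) ** k - d ** k - s ** k
    return syl ** n_syllables * seps


def entropy_bits(n_syllables):
    """Worst-case bits an attacker must search if they know the scheme."""
    return math.log2(keyspace(n_syllables))


if __name__ == "__main__":
    for n in (2, 3, 5):
        print(f"{n} syllables: {generate(n):<24} "
              f"keyspace 2^{entropy_bits(n):.1f}")
```

The numbers are the useful part: an attacker who knows the scheme faces about 2^31 possibilities for the two-syllable form and about 2^42 for three syllables, far fewer than the 2^51 or so of a truly random 8-character password from an 82-symbol alphabet, because the consonant-vowel-consonant structure removes most letter combinations. Only the five-syllable form (roughly 2^75) is comfortably out of brute-force range, and those are the ones the thread finds hardest to remember.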

  • Thanks for the feedback.

    Michael, you've clearly put a lot of effort into password generation, but it comes too close to 'I can't remember it without post-it stickers' for me.

    The weakest link is the human, not the technology!


  • Tim Walker (5/19/2009)


    Thanks for the feedback.

    Michael, you've clearly put a lot of effort into password generation, but it comes too close to 'I can't remember it without post-it stickers' for me.

    The weakest link is the human, not the technology!

    The only thing I can suggest about using my procedure is that you can have it generate a long list of passwords, and then pick one that you think would be easy to remember.

    As I said, it only generates passwords that meet typical complexity requirements, so it is working within that constraint. They may not always be that easy to remember, but it's not easy to come up with a better automatic password generator that meets those requirements, and makes them easy to remember. If you find something, let me know, because I would be interested.

  • What's a strong password .. really ?

    "Rumpelstiltskin". Definitely. 😀

    -- RBarryYoung, (302)375-0451 blog: MovingSQL.com, Twitter: @RBarryYoung
    Proactive Performance Solutions, Inc.
    "Performance is our middle name."

  • Here's the method that I have used for the last 25 years:

    1) Flip the dictionary open and pick a word at random.

    2) Repeat (1), picking a completely unrelated word.

    3) throw in a couple of digits and a couple of capital letters.

    Done.

    For instance: peliCan4biStable3

    -- RBarryYoung

  • I follow the same as Gail mentioned except that I take out the first letter from each word from the song name + artist name from a list of my favorite songs and then replace the look-alike alpha characters with numerals & capitalize every alternate letter starting from position 2.

    For example, say I choose "Another brick in the wall" by Pink Floyd; after applying the encoding scheme, the password I get is @B1Tw:pF

    --Ramesh


  • RBarryYoung (5/19/2009)


    What's a strong password .. really ?

    "Rumpelstiltskin". Definitely. 😀

    That made me chortle, we clearly have similar senses of humour (or some might say lack of it!) 😛

    Tim


  • In a recent radio program about hacking, the presenter's laptop Windows password was not a dictionary word, but was (ethically!) hacked in a few minutes. The hacker's principal advice was to use a Windows password of more than 14 characters - I'm not sure whether that was something technical about Windows internals, or simply that you get enough characters for it to become heavy duty to crunch all the permutations. He also said that at conferences - even at IT security conferences - people often leave their laptops unattended long enough for their login passwords to be hacked by this method (and we didn't get more details - probably just as well).

    There are websites and utilities for generating one-off secure passwords, if you need them for sending data. We use them when we zip + 256-bit encrypt databases we are sending offsite. Just try "random password generator" or "secure password generator" in the FWSE*.

    [* "Famous Web Search Engine" - need I say more?]

  • Ewan, that's interesting, and I entirely agree about password length.

    MATHS:

    My example at the top of the thread was word-number-WORD-number-word.

    Now if I tell a hacker I use three words from the Oxford English Dictionary and two numbers, that I only use numbers between 00 and 99 and the case of the words I'm using, AND do no character substitutions at all, I still get this number of options (there are about 500,000 words in the OED)

    500,000 x 100 x 500,000 x 100 x 500,000

    = 1,250,000,000,000,000,000,000 combinations .. and I told him/her exactly what my system is.

    On the other hand if you choose an 8 character completely random and unmemorable password that you have to write down (assuming you use upper and lower case letters and a choice from 20 special characters) you get:

    82 to the power 8

    = 2,044,140,858,654,976 combinations

    The first way is more than 611,000 times more secure, without even mixing cases or substituting characters. And I can remember it!

    There is a serious point to all this and it's that the human element is the most likely point of failure. Making things difficult / impossible for most humans to do is counter productive and results in mistakes, lots of support calls and compromised passwords. Whereas pragmatism gives you a fighting chance.

    I have a current client with the random password policy. He set me up an account to login remotely. Because the password was difficult to remember, he thought he'd be helpful and email it to me.

    You don't need to be Sherlock Holmes ...

    Tim

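    The arithmetic in the post above, written out as reusable functions so the same comparison can be run for other patterns and alphabets. This is an added example for this page, not part of the original post. The inputs are the post's own assumptions (500,000 dictionary words, two-digit numbers from 00 to 99, an 82-symbol alphabet for the random password); the guess rate used for the time estimate is an assumption added here for illustration. One caveat the figures do not capture: the count treats every word as equally likely, so it only holds if the words really are drawn from the whole dictionary rather than from a favourite song or pet's name an attacker could guess.

```python
"""Constructed example: keyspace and entropy for a word-number-WORD-number-word
pattern versus a fully random fixed-length password."""
import math

# The pattern from the post, as (slot kind, number of choices) pairs. The
# attacker is assumed to know this structure exactly.
TIM_PATTERN = [("word", 500_000), ("number", 100), ("word", 500_000),
               ("number", 100), ("word", 500_000)]


def pattern_keyspace(pattern):
    """Distinct passwords a slot pattern can produce: the product of each
    slot's choices, since the slots are chosen independently."""
    total = 1
    for _kind, choices in pattern:
        total *= choices
    return total


def random_keyspace(alphabet_size, length):
    """Distinct passwords of a given length over a given alphabet."""
    return alphabet_size ** length


def bits(keyspace):
    """Entropy in bits when every element of the keyspace is equally likely."""
    return math.log2(keyspace)


def years_to_exhaust(keyspace, guesses_per_second):
    """Worst-case time to try the whole keyspace at an assumed guess rate."""
    return keyspace / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    phrase = pattern_keyspace(TIM_PATTERN)
    rand8 = random_keyspace(82, 8)
    print(f"pattern : {phrase:,} ({bits(phrase):.1f} bits)")
    print(f"random-8: {rand8:,} ({bits(rand8):.1f} bits)")
    print(f"ratio   : {phrase / rand8:,.0f}x")
    # Assumed offline guess rate (fast unsalted hash); illustration only.
    rate = 1e9
    for name, ks in (("pattern", phrase), ("random-8", rand8)):
        print(f"{name}: {years_to_exhaust(ks, rate):,.1f} years at 1e9 guesses/s")
```

The pattern comes out at about 70 bits against about 51 bits for the random 8-character password, which is the "611,000 times" in the post. The guess-rate function makes the practical difference visible: at a billion guesses per second the 8-character keyspace is exhausted in under a month, the three-word pattern in tens of thousands of years.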
