How many times have we seen articles in the press and trade magazines that exhort us to "change passwords often, but make them difficult". Those of us in the IT industry typically take that to heart, and try and use difficult passwords.

The stumbling block is always Joe and Jane User, who don't understand that joe12345 is a secure password, and should be avoided.

This is a fine example, IMO, of basic cryptography techniques. After all, the first codes ever devised were ones of transformation.

Another algorithm to try:

- Reverse the alphabet (a becomes z, b becomes y)

Don't forget to use special characters as well, such as $ _ ^ } ] and so on. E=3=#....use 'em all.

Good article.
0 Votes
Agreed....though
sales@... 11th Sep 2002
I agree that this is a brilliant article. However, this means, even for a smallish firm with say 30-odd PCs, that 30 different algorithms must be created, one for every user. One doesn't want the algorithm to be decoded, which will result in this method being useless???
The user had a poster of lyrics to a song (or
something like that) amongst a few near her
workstation. She had chosen one of them, and
decided to use the final letter of each line
from the bottom up - with the final letter being
changed to (25 - month number) MOD 10 every
month.

For example (assuming that the spacing in this post reflects how I typed it, with hard carriage returns rather than wrapping), the password for this month (Jan) would be (using the above paragraph): "hygedr1"

She also varied it by using the first letter of each line, every other line... etc...

All she needed to remember from month to month was what encryption she had used... but the actual letters were in front of her (along with all the other newspaper cuttings, posters, etc)!
0 Votes
Another method
JordanA 27th Jun 2002
Another method of password creation I give to users is to use the first letter of each word in an easily remembered phrase. For instance, Sue has a son named Fred in grade 9. Sue chooses the phrase:

"My son Bob is in grade 9 this year."

which translates into "MsBiig9ty."
You could also go with using the second letter in each word, or the last, or any variation thereof.

Jordan
0 Votes
Small Phrase
mcarswell@... 27th Jun 2002
I have recommended to some of my users to use a small phrase for their passwords. It makes it a lot easier for them to remember and it provides a much more difficult password to crack, such as:

My Boss is an @@
Important Project Due 090102
Where is my Pay Raise?
I Need to Work Out More!
My Son is 16 with a Car:-(

Now this is good if the length of a password does not limit you.
0 Votes
I use songs
tfrerich@... 19th Aug 2002
As yet another variation of the short phrase technique, I use first lines from songs. For example, "Summertime and the livin' is easy" becomes "satlie".

I've found that users, for some reason, seem to remember songs easier than phrases.
Many employees in a company have specific specializations, particularly foreign languages. I encouraged people to use this to create passwords. Those created passwords, which users can easily remember, made a very strange sequence of characters and numbers that are hard to guess universally.
Couldn't help but point out that Sue's son is named Fred.. Who's Bob?
wink.. I do like that idea.
Thanks..
0 Votes
I teach the same method to my users. As my company deals with health care, and we are gearing up for HIPAA implementation, I am working towards enforcing a minimum of six characters, with at least one uppercase, one lowercase, one number and one symbol.

I taught my users this password: il2eC!

The sentence is "I love to eat chocolate!" It is very simple, uses some basic substitutions, and it satisfies all the rules.

Nevertheless, they all hate the upcoming federal requirement, and by extension, me! (Like I write the laws!) =:^\

Bob
0 Votes
I couldn't agree more with this. Changing the password from one thing to the next can help keep people from breaking into the computer. I think that one way to make sure that things like this don't happen is by putting nonsensical words in as a password. Crazy as it sounds, putting in words that don't make sense seems like a useful technique against people who want to try and screw around with your computer.
0 Votes
My own variation on this is always well received, at least among the touch typists in our community. I also tell users to pick an easy to remember word, but when typing the password, shift their fingers one position to the right, or to the row above the home position. Touch typists tell me they have no difficulty in reproducing the password every time. In stronger security systems, I recommend users think of phrases like One4therode (deliberate misspelling), or I8mycake which contain the required upper case and numeric.
"If a user's single password is really secure, what does it matter whether it's used on multiple systems? One secure password is clearly better than many insecure ones."

There is no such thing as a "really secure" password. By its very nature it is insecure once used. It is not something that you have or something that you are, it is something that you know. That makes it un-unique. Anyone can know it.

A single password for all resources is a TERRIBLE idea. If you use the same password for email & LAN access, I as an attacker or administrator would just look for the one with the weakest protective measures in place and set about cracking both passwords at once.

Better yet, if you use the same password to access websites, as a website administrator I could get access to your passwords just by putting up a simple login routine! If you use the same username, and I log your IP address, then I have total instant access to the system.

I would suggest an edit to this document, NOT to use the same password for every resource, especially external resources. I have several passwords that I use on websites. These passwords all differ from my LAN password. If I have difficulty remembering the passwords, I can always use a password vault to store a hash or encrypt them. Then I have only one password to remember that stores all of my other passwords. Getting to it would require physical access as it is stored offline. I make the vault's password unique and complex, and STILL change it from time to time.

Just my 2¢...
0 Votes
Although my logon password is different to the passwords I use at websites, ftp, etc, I often use a variation on 2 passwords (using the same "word", but varying when I use "1" for L, "0" for O, etc) - and the same "word" has been used for the last 20 years.... mind you, it helps that I use an obscure word which I have only ever read in one book... using an old-fashioned word, or a scientific/specialist word for your industry (or both, if possible) means that it would be hard to guess (I think about 95%+ of the population would ask what the hell it means!) but easy for me to remember....
Lots of suggested methods to make secure passwords are surely flawed:

* Shift your fingers up a row etc.: surely this 'algorithm' only makes it 4 times harder to crack your password? (4 ways to shift your fingers on a regular qwerty keyboard before falling off the edge)

* Use digits: everyone just adds '1' to the end (e.g. 'alice' becomes 'alice1'). If you try a bit harder and choose 'al6ice', then next time there's no way you'll remember where the digit went or what the digit was.

* Use a mix of uppercase and lowercase: you're really just adding 1 bit of information to each letter. So e.g. 'barBARa6' gets an additional 7 bits of information over 'barbara6'. You're better off adding an extra letter or two - it will be easier to remember but just as hard to crack.

* Reverse all the letters of the alphabet: 'a' becomes 'z' etc.: really, this is a bit obvious. It's easy for a hacker to apply this rule but hard for you to mentally apply it!

* Use '1' for 'l', '0' for 'O' and so on: this is also too obvious.

* Think of a phrase, take the first 3 letters of each word, reverse the order and replace 'l' with '1' and '0' with 'O', etc.: I wouldn't want to have to learn one of these every month.


Tim's counter-proposal:
-----------------------
Always use 2 or more words with a space between. Don't try anything tricky. Make it a phrase which is meaningful to you personally, such as the name of a girl(guy) you had a crush on in High School (unless their name was Smith). Examples:

Alison Yarad
glorious Finland
it ain't over
karelian pie
crocodile country
beers in Lapland

It will be quick to type these for touch-typists. The use of 2 words will make it 45,000 times harder to crack. Just as important, it will be easy to remember.

(Some systems don't allow space in passwords, for no good reason - just use a '1' or something else instead).

(The assumption here is that passwords are not limited to 8 characters, I hope such systems are not commonplace any more).
to a dictionary attack?

I mean, you're using plain old words. A good wordlist and some automation to run through the permutations could crack it.

Plain words, with no randomness added, would be unwise.
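Tim's post and the dictionary-attack reply above are really arguing about the size of the search space, so here is an added Python estimator (example code written for this discussion, not from any poster) that scores the thread's own sample passwords under the thread's own reasoning: each recognised dictionary word costs an attacker DICTIONARY_SIZE guesses (the 45,000 figure from Tim's post), each digit ten, each case-varied letter one extra bit, and an enumerable trick such as a finger shift only log2(number of variants) bits. The tiny wordlist, the function names and the assumption that the attacker already knows the scheme are all constructed for the example.

```python
import math
import re

# Constructed figures for the estimates (hypothetical, not measured): the
# 45,000-word dictionary Tim's post cites, ten decimal digits, and the four
# usable finger shifts on a QWERTY keyboard from the same post.
DICTIONARY_SIZE = 45_000
DIGITS = 10
FINGER_SHIFTS = 4

# Tiny constructed wordlist standing in for a cracker's dictionary. Any word
# in it is treated as one entry of the full 45,000-word list, so it is
# assumed to cost the attacker DICTIONARY_SIZE guesses.
WORDLIST = {
    "alice", "barbara", "karelian", "pie", "crocodile", "country",
    "beers", "in", "lapland", "glorious", "finland", "it", "over",
}


def analyse(password: str):
    """Break a password into the pieces the thread talks about and return
    (parts, guesses): a description of each piece and the size of the
    search space an attacker who knows the scheme would have to cover."""
    parts = []
    guesses = 1
    # Letter runs, digit runs and separators are scored separately.
    for tok in re.findall(r"[A-Za-z]+|\d+|[^A-Za-z\d]+", password):
        if tok.isdigit():
            guesses *= DIGITS ** len(tok)
            parts.append(f"{len(tok)} digit(s)")
        elif tok.isalpha():
            if tok.lower() in WORDLIST:
                guesses *= DICTIONARY_SIZE          # one dictionary lookup
                parts.append(f"dictionary word '{tok.lower()}'")
            else:
                guesses *= 26 ** len(tok)           # scored as random letters
                parts.append(f"{len(tok)} non-dictionary letters")
            if not (tok.islower() or tok.isupper()):
                # Mixed case: one extra bit per letter, as Tim's post says.
                guesses *= 2 ** len(tok)
                parts.append(f"mixed case (+{len(tok)} bits)")
        else:
            # Spaces and punctuation between words: an attacker who knows the
            # "two words with a space" scheme gets these for free.
            parts.append(f"separator {tok!r}")
    return parts, guesses


def entropy_bits(password: str) -> float:
    """log2 of the search space, rounded to one decimal place."""
    return round(math.log2(analyse(password)[1]), 1)


def harder_by(password: str, baseline: str) -> float:
    """How many times larger the search space of `password` is than `baseline`."""
    return analyse(password)[1] / analyse(baseline)[1]


def finger_shift_bits() -> float:
    """A rule the attacker can enumerate (shift fingers up, right, ...) adds
    only log2(number of variants) bits, whatever word sits underneath."""
    return math.log2(FINGER_SHIFTS)


if __name__ == "__main__":
    samples = ["alice", "alice1", "barbara6", "barBARa6", "karelian pie", "satlie"]
    for pw in samples:
        parts, _ = analyse(pw)
        print(f"{pw!r:16} {entropy_bits(pw):5.1f} bits  <- {', '.join(parts)}")
    print(f"two words vs one: {harder_by('karelian pie', 'karelian'):,.0f}x harder")
    print(f"finger shift adds only {finger_shift_bits():.0f} bits")
```

Running it reproduces the thread's numbers: "karelian pie" comes out near 31 bits, 45,000 times the single word, "barBARa6" is 128 times "barbara6" (the 7 extra bits from case-mixing), and the finger-shift rule is worth 2 bits. That is the defender's answer to the last post's objection: plain words are dictionary-attackable in principle, but the work grows with the square of the wordlist when two words are used, whereas a trick the attacker can enumerate (a shift, a substitution rule) only adds a constant.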