Is your password strong? How to make it stronger

  • 11 June 2012
  • 7 replies

Userlevel 3
The above article shows you how to make even stronger passwords and provides a link to test the strength of your secure passwords.

Userlevel 7
I've heard that creating a long sentence can sometimes be both a helpful reminder and a strong password characteristic.
Userlevel 7
Excellent advice!
In MOST cases, when a website's password list is "hacked" (Somebody got a list of passwords from the site), it is really a list of password hashes.  In simple terms, a hash is like taking a piece of data and putting it through a meat grinder, thus making a sausage out of it.  It's a kind of cryptography that cannot be reversed.  Just like you can't put the sausage through the grinder backwards to get the original meat back out, you also can't get the original data out of the hash. 
Of course, there needs to be a way to determine whether what you typed as your password is the right one, but how can you do that if you can't get the password back?  That's the beauty of it:  You don't have to get the password back.  You just need to compare the hashes that result and see if they match. 
So that means that if you send the word "password" through, for example, an MD5 hash, you get (drum roll please):
So when you have a list of stuff like:
b5c0b187fe309af0f4d35982fd961d7e  Someguy
5f4dcc3b5aa765d61d8327deb882cf99  Thatgirl
b764b9d4a8a22b27a389261b63e0ec85  Maybesecure
1b8a241d1b45ea95eed99b78cd84f6bf  Securedude
all of a sudden, it's not too extremely easy to figure out what the passwords are.
...  or is it?
This is where brute force attacks come in.  The more complex start with a list of common dictionary words.  So they hash "dog" and get "06d80eb0c50b49a509b49f2424e8c805", then look at the list.  Nope, that is not on the list.  So go to the next word, and the next, and so on.  When they get to "password", oops, look!  The hash for "password" is on the list.  Now we know the login for "Thatgirl".  When the list hits the word "love", ding!  Another hit!  Now we can log into Someguy's account.
But that's all you get for using common words against that list.  So now it's time for true Brute Force.  Forget words.  Just start at "One character" and go from there.  "a", "b", "c"...  "aa", "ab", "ac"... "ba", "bb", "bc", and so on, until you get a match.  Remember, there are 26 letters in the alphabet, but you can have them be CAPITAL, or lowercase, and that counts differently.  Then there are numbers, and lots of symbols like !@#$[]: and so on.  So there's actually a LOT of different things to test.
Start it up on $400 worth of computer hardware...  and in under seven minutes, the login for Maybesecure is revealed: dy#7sF
That's got to be a pain to remember.
Right!  We need to be like Securedude, whose password is Ty3#yI92LlI!2.97OmFgTIALP and will take apparently 89 thousand, trillion, trillion centuries to guess!  ...  And he'll be darned if he can remember it either.  Especially since he really should have a different password for every site.
Different password for every site?  Yes!
Consider what happens if Securedude uses the same password everywhere because he can't remember a bunch that long. Bank, email, games, everything.  It's secure, right?  Well....  what if that game site stores it like this:
Securedude  Ty3#yI92LlI!2.97OmFgTIALP
So now anybody who can find out any other sites that Securedude uses can try the same password.  Hey, look!  It works to get into his bank account also.  Not so secure anymore, is it?
So how do you create a secure password for every site?
Make your password by a rule.  You know the rule, nobody else does, so it's still secure because it's a secret.  All that a password is is a secret that only you and the site know, after all.  If they match, you get access.
What kind of rule?  Make a base, a site part sub-rule, and a combining sub-rule.
Your base should be something easy for you to remember that still uses secure aspects.  Leverage your pattern memory to improve your base.  Take 12#Edcvbnm as a base for example.  It looks... complicated...  But look at the letters on a US keyboard.  It's just a bunch of keys in a row, and push the shift key down while typing two of them.  Yet from that part alone, you're looking at nearly 20 years to crack it, and you'll have changed your password by then, or gotten something better.
Site part sub-rule means that you have something related to WHERE you are logging into that goes into your password.  Whether you are logging into "Google" or "AOL" or "PayPal", you will almost always have at least two letters available.  So, let's, for example, take the last two.  Thus, your parts for "Google" are "l" and "e", and for "PayPal" are "a" and "l".
The combining sub-rule just says where you will put that part into the base.  So, I decide that I'll put one in at the very start, and the other in after the "c".  Then, when I'm logging into PayPal, the password would be a12#Edclvbnm.  Easy to remember, easy to figure out from the site, yet over 174,000 years to crack by brute force.  Not bad, eh?
So go make your own simple pattern for your base and a rule you can remember easily, and you're set. Have fun!
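Added example, not part of the original thread: a Python sketch of the hash comparison described in the post above, written as an audit a site operator could run on its own store. It checks the quoted unsalted MD5 list against a few common words, then shows the same password stored with a per-user salt and a slow key-derivation function, so that identical passwords no longer share one hash. The word list, the PBKDF2 round count and the function names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

# Unsalted MD5 list exactly as quoted in the post (hash -> account).
LEAKED_MD5 = {
    "b5c0b187fe309af0f4d35982fd961d7e": "Someguy",
    "5f4dcc3b5aa765d61d8327deb882cf99": "Thatgirl",
    "b764b9d4a8a22b27a389261b63e0ec85": "Maybesecure",
    "1b8a241d1b45ea95eed99b78cd84f6bf": "Securedude",
}
COMMON_WORDS = ["dog", "password", "love"]  # words the post walks through

PBKDF2_ROUNDS = 600_000  # assumed work factor, tune to your hardware


def audit_unsalted(md5_table, words):
    """Flag accounts whose stored MD5 equals the MD5 of a common word.

    Without a salt, one hash computation per word is compared against
    every account at once, which is why such a list falls so quickly.
    """
    hits = {}
    for word in words:
        digest = hashlib.md5(word.encode()).hexdigest()
        if digest in md5_table:
            hits[md5_table[digest]] = word
    return hits


def store(password):
    """Return (salt, derived_key): a random per-user salt plus a slow KDF."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, key


def verify(password, record):
    """Re-derive with the stored salt and compare in constant time."""
    salt, expected = record
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(key, expected)


if __name__ == "__main__":
    print(audit_unsalted(LEAKED_MD5, COMMON_WORDS))
    a, b = store("password"), store("password")
    print(a[1] != b[1], verify("password", a), verify("Password", a))
```

Salting and a slow KDF raise the cost of each guess per account; they do not rescue a password that is itself a common word.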
Userlevel 5
Let's not forget that the hardest target to hit is a moving target.  If you change passwords on a fairly frequent time scale it doesn't matter if the bad guys get an old hash or not; however, most people that rotate passwords follow a pattern or only change one or two characters...these can be easily guessed if there is a history involved...
Userlevel 7
Good call! Changing them often is KEY.  
In fact, I believe there's even now a "National Change Your Password Day."
Whatever it takes, I guess!
It could be helping, great stuff I must say.
Mod Edit: Removed links.
Userlevel 7
Speaking of creating strong passwords, the July issue of our newsletter, "The Secure Scoop," contains some great tips on the best ways to do it!
If you like The Secure Scoop, you can sign up for it here, via our Facebook page.  It's a free, monthly newsletter from Webroot that contains some great security news, tips, and a few things that are admittedly more interesting than internet security.
Userlevel 5
Or, in the case of the great Bruce Schneier:
"Most people use passwords. Some people use passphrases. Bruce Schneier uses an epic passpoem, detailing the life and works of seven mythical Norse heroes."