Of Passwords and PINS (2)

6 10 2012

In the last posting I briefly referred to ‘strong’ passwords and said I’d come back to them a bit later on. So, what is a ‘strong’ password? As I said last time, the holy grail of password creation is to have something which is easy to remember AND hard to guess. Individually these are simple to achieve; putting them together is a much harder task.
Before getting into the mechanics of password creation, let’s take a couple of seconds thinking about how the ‘bad guys’ (and gals) will try to misuse them. At the most basic, they sit at a computer, enter your account name and then just try to guess your password by hitting characters on the keyboard. If the system allows infinite attempts then they can continue until they get bored or strike lucky. The more sophisticated attacks will use technology, i.e. software, which will perform the same activity but automatically. So-called ‘dictionary’ attacks do just that. The software has millions of words in its database and just trawls through them until it gets a match or runs out of words. The more sophisticated also include character replacement checks (more on that in a moment), which provide millions of additional permutations. The final way is to obtain the password file from the system itself, which is hopefully encrypted. If it’s not then it doesn’t matter how good your password is, they’ve got it! If it is, then the complexity you use will make it that much harder for ‘them’ to decode it.

So let’s look at our two objectives separately to see how we can solve the problem.
Picking something really obvious would be daft of course and no-one would do that, would they? Think again: surveys of the most common passwords are produced every other week, such as this report in the Daily Mail, with ‘Password’ and ‘123456’ always being in the top 10 (quick pause here whilst you go off and change yours?).
It is generally easier to remember something which is personal to you rather than a completely abstract item, but make it too personal (pet’s name, your birthday, mother’s maiden name(!)) and far too many other people will already know it. Quick aside here: just because you are asked to provide your mother’s maiden name at registration does not mean you actually have to provide the exact name. It’s a security control, not a test. Just make sure you remember what you tell them!
But there are things which are personal to you that you can use as long as you mix it up a bit. Favourite places, favourite songs, recent events are all good sources for passwords; you can have those little triggers in the back of your mind to help you remember them BUT, as I’ve already said, you need to mix it up a bit, which is where we apply the ‘hard to guess’ angle.
Let’s start with the basics. Say you wanted to use the name of a city where you had a great weekend, such as Norwich. It’s quite hard to guess, unless people knew you liked it, seven characters long so it’s not bad from that perspective, but it’s in every dictionary so would be a soft target from that angle. Simple character replacement and changing the case of the letters will immediately make it even harder to guess (e.g. N0rw1cH), and placing the first and last characters in the middle will defeat any dictionary attack however sophisticated (e.g. 0rwNH1c), simples (as the Meerkat says). But the root (Norwich) is still a valid word and potentially guessable, so another approach is to use a phrase as the root. Pick the first 8 words from a song and use the first letter from each word (e.g. gsogqllo – “God save our gracious queen…”), mix up the cases and do a bit of character replacement (G50gQll0), and bob is your mother’s brother as they say. You can try the same thing with first words from a favourite book, or just a favourite saying. Easy to remember and hard to guess, just don’t hum the tune as you type it in!
Now for the really clever bit. Best practice says, have a different password for each account; common sense says you’re never going to remember all of those passwords. So how can you get the best of both worlds? If you take your common password, say G50gQll0, and then add two letters to signify the application you are using it for, e.g. FB for Facebook, HM for Hotmail, NW for your Nat West bank account etc., you have something you will always remember and something that will be extremely hard to guess.
So there you have it, strong passwords with minimal effort.

Till next time

d4v1D
