Welcome to the June 2005 issue of the CyberArtisans monthly newsletter!

Our goal is to present information that will be useful to you as a website owner and as a user of the web. If these newsletters are useful, please forward this to a friend. To unsubscribe, follow the directions at the bottom of this email.

This Month's Topic
How to Create a Good Password

How to Create a Good Password

We have all seen articles in the press about identity theft and bank account fraud. Since many of the websites we use depend on passwords for security, we thought that some discussion of passwords and password security might be in order.

Some of you may remember that the advice for creating a password used to be limited to (1) choose something you can remember, and (2) don't use your spouse's, child's, or dog's name because those are the first things criminals try when attempting to break your password. Sadly, those days are gone. Here is a short list of what the experts now say should not be used for a password:

  1. Any common name (and most uncommon names)
  2. Any word that is in the dictionary
  3. Any word in the dictionary with numbers added in front or behind
  4. Any common word in leet-speak, the "l33t" spelling that swaps letters for look-alike digits (You don't know what leet-speak is? Then you must be over 30.)
  5. Groups of words from common quotations (e.g., "tobeornottobe"), song lyrics, or popular phrases in movies

Why not quotes, lyrics or movie phrases? Many password-cracking programs that use the dictionary-attack method ship with a full database of quotations, the entire script of Star Wars, and the lyrics of thousands of popular songs, thanks to the wonders of data compression. They also apply the same tricks people use to "disguise" a word (tacking digits on the end, swapping letters for digits, changing capitalization) to every entry automatically, so a disguised dictionary word is still a dictionary word to the cracker.

As a test of some of this, McMaster University in Canada obtained a commonly-available password cracking program and tried it on several passwords. Here are some of the passwords and the time it took the program to crack them:

Clearly, mixing letters and numbers is better than letters alone, and longer is better (CheCk123 took much longer to break than ChEck12). But even a longer word with some letters replaced by numbers was not unbreakable, just slower to break: the cracker tries those substitutions as a matter of routine, so they multiply its work by a small factor rather than putting the password out of reach. What does put it out of reach is the sheer number of candidates the cracker would have to try. Can we get there? Yes we can, and there are two recommended methods, one for the techies and one for real people.
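To make the dictionary-attack point concrete, here is an added example (it is not from the original newsletter, nor from any real cracking tool) of the kind of rule-based guessing such programs do: take each wordlist entry, vary its capitalization, apply letter-for-digit substitutions, and append digits, then hash each guess and compare it with the stolen hashes. The wordlist, the rule set, the target passwords and the SHA-256 hashing are all constructed for the demonstration; a real cracker has millions of words, far richer rules, and targets whatever hash the attacked system actually stores.

```python
"""Toy rule-based dictionary attack (added example, constructed data)."""
import hashlib
import itertools

# Constructed stand-in for a cracker's wordlist; real ones hold millions of
# words plus quotations, lyrics and film scripts.
WORDLIST = ["check", "password", "exonerate", "mollusks", "galloping"]

# Letter-for-digit substitutions the text warns about.
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5", "t": "7"}

# Suffix rule: nothing, one or two digits, and a few popular sequences.
SUFFIXES = ([""] + [str(n) for n in range(10)]
            + [f"{n:02d}" for n in range(100)] + ["123", "1234", "2005"])


def case_variants(word):
    """lower, Capitalized, UPPER, plus every one- or two-letter toggle."""
    out = {word.lower(), word.capitalize(), word.upper()}
    letters = word.lower()
    for r in (1, 2):
        for idxs in itertools.combinations(range(len(letters)), r):
            chars = list(letters)
            for i in idxs:
                chars[i] = chars[i].upper()
            out.add("".join(chars))
    return out


def leet_variants(word):
    """Every subset of the substitutable positions replaced (2**k variants)."""
    positions = [i for i, c in enumerate(word) if c.lower() in LEET]
    for r in range(len(positions) + 1):
        for idxs in itertools.combinations(positions, r):
            chars = list(word)
            for i in idxs:
                chars[i] = LEET[chars[i].lower()]
            yield "".join(chars)


def candidates(wordlist):
    """Yield every word x case x leet x suffix combination, one word at a time."""
    for word in wordlist:
        for cased in sorted(case_variants(word)):
            for leeted in leet_variants(cased):
                for suffix in SUFFIXES:
                    yield leeted + suffix


def sha256_hex(text):
    """Stand-in for whatever hash the attacked system stores."""
    return hashlib.sha256(text.encode()).hexdigest()


def crack(target_hashes, wordlist=WORDLIST, limit=5_000_000):
    """Return {hash: (plaintext, guesses_needed)} for every hash recovered."""
    remaining = set(target_hashes)
    found = {}
    for n, guess in enumerate(candidates(wordlist), 1):
        digest = sha256_hex(guess)
        if digest in remaining:
            found[digest] = (guess, n)
            remaining.discard(digest)
            if not remaining:
                break
        if n >= limit:
            break
    return found


def demo():
    """Constructed targets: three 'clever' single-word passwords and one
    shocking-nonsense passphrase. Returns {plaintext: guesses} for the ones
    the rules recover."""
    targets = ["CheCk123", "P4ssword1", "3xonerate",
               "mollusks peck my galloping genitals"]
    hashes = {sha256_hex(p): p for p in targets}
    found = crack(hashes)
    return {hashes[h]: guesses for h, (_, guesses) in found.items()}


if __name__ == "__main__":
    for plaintext, guesses in demo().items():
        print(f"recovered {plaintext!r} after {guesses} guesses")
```

Running it recovers all three disguised dictionary words within a few hundred thousand guesses (a fraction of a second for a real cracker), while the multi-word passphrase is never even generated, which is exactly the point made in the text: capitalization tricks and digit swaps are rules, not secrets.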

  1. We'll start with the one for real people first, because it's more fun. It's a method called "shocking nonsense." To create a password using the shocking nonsense method, think up a phrase that is both nonsensical and shocking in nature; that is, it contains grossly obscene, racist, or otherwise extreme content. The shocking nature of it makes it easier to remember, and the combination of shocking and nonsensical content makes it much harder to crack because the phrase is unlikely to appear in any database of quotations, lyrics or common expressions. And since you won't be revealing your password to anyone (that's the whole point of a password, remember?), nobody should be offended by the offensive nature of the content. A shocking nonsense password of five or six words should be quite secure. If you are limited to fewer characters, make some number-for-letter substitutions, as was done above with the word "exonerate," or add a few numbers at the end; bear in mind, though, that crackers try such substitutions automatically, so an extra word buys far more than an extra digit does.

    A more detailed discussion of shocking nonsense passwords is available online. It offers a rather mild example, "mollusks peck my galloping genitals," but you should be able to come up with far more shocking and entertaining ones.

    This is a good strategy if you work from a home or home office system but should be used very cautiously in corporate environments, where such phrases might be misconstrued, especially in today's litigious environment (remember that you can never assume that anything you do on a corporate computer is private).

  2. Now the strategy for techies. This is much easier than shocking nonsense but not nearly as much fun. There are many utilities available that will store and retrieve passwords for you. Some will also generate random passwords, usually giving you a choice of which types of characters to include (upper-case letters, lower-case letters, numbers, punctuation symbols) and the password length. Most will encrypt the stored passwords on your disk, so even if someone manages to break into your system and copy files, they get only the encrypted data, not your passwords.

    Here are a couple of utilities that we are familiar with. More can be found using Google.

The main weakness of these utilities is that they all protect the stored passwords with a single master password. If someone captures the master password (along with the encrypted file), they have access to all your passwords, so that one deserves at least as much care as any of the others. Maybe shocking nonsense is needed here also.

If you are using a randomly-generated password, what's a reasonable password length? We believe 8 characters is an absolute minimum, but we have recently moved up to 10-character passwords. Just to give you an idea of the difference a couple of characters makes, a brute-force password cracker would take 16 years to break an 8-character password and 138,533 years to break a 10-character password. Those figures assume a cracker that tries every printable character (about 93 of them) at roughly ten million guesses per second; each extra character multiplies the work by the size of the alphabet, and faster hardware divides it, so treat the absolute years as a snapshot and the ratio between them as the lesson.
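The arithmetic behind those figures, as an added example that is not part of the original newsletter: the number of candidates is the alphabet size raised to the password length, and the time to try them all is that number divided by the attacker's guessing speed. The guess rate below (twelve million per second) and the 94-character printable alphabet are assumptions chosen to reproduce the 16-year figure in the text; the 7776-word list size is the size of a Diceware-style word list and is used only to put a word-based passphrase on the same scale. The example also goes beyond the text by showing an 8-digit (numbers only) password and word-count passphrases, so the comparison between the two methods is visible in one table.

```python
"""Keyspace and time-to-exhaust arithmetic (added example; the guess rate
and the word-list size are assumptions, not figures from the newsletter)."""
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Assumed cracker speed, chosen to match "16 years for 8 characters".
# Modern GPUs against fast hashes do many orders of magnitude better, so
# rerun with your own number rather than trusting this one.
GUESSES_PER_SECOND = 1.2e7

PRINTABLE = 94        # upper, lower, digits and punctuation (no space)
ALNUM = 62            # upper, lower and digits
DIGITS = 10
WORDLIST_SIZE = 7776  # assumed: the size of a Diceware-style word list


def keyspace(alphabet_size, length):
    """Number of distinct passwords of exactly `length` symbols, each drawn
    uniformly from an alphabet of `alphabet_size` symbols."""
    return alphabet_size ** length


def entropy_bits(space):
    """log2 of the keyspace, the usual way to compare unlike schemes."""
    return math.log2(space)


def years_to_exhaust(space, rate=GUESSES_PER_SECOND):
    """Worst case for the attacker: the whole space is tried. A random
    password falls, on average, after half this time."""
    return space / rate / SECONDS_PER_YEAR


def compare(rate=GUESSES_PER_SECOND):
    """Rows of (label, keyspace, bits, years) for the schemes discussed."""
    schemes = [
        ("8 digits only", keyspace(DIGITS, 8)),
        ("8 random alphanumerics", keyspace(ALNUM, 8)),
        ("8 random printable", keyspace(PRINTABLE, 8)),
        ("10 random printable", keyspace(PRINTABLE, 10)),
        ("12 random printable", keyspace(PRINTABLE, 12)),
        ("5 random list words", keyspace(WORDLIST_SIZE, 5)),
        ("6 random list words", keyspace(WORDLIST_SIZE, 6)),
    ]
    return [(name, space, entropy_bits(space), years_to_exhaust(space, rate))
            for name, space in schemes]


if __name__ == "__main__":
    for name, space, bits, years in compare():
        print(f"{name:24s} {bits:6.1f} bits  {years:12.3e} years")
```

Two things worth noticing in the output: an 8-digit PIN (10^8 candidates) falls in seconds at this rate, which is why "8 digits" and "8 characters" are very different claims, and five words picked at random from a 7776-word list land within a bit of a 10-character random printable password. A shocking-nonsense phrase is not chosen uniformly from a list, so the word-count rows are an upper bound for it, not a guarantee.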

Thanks for joining us this month. See you next month.

Want to see back issues of this newsletter? Go to http://www.cyberartisans.com/newsletter and select an issue.

Jonathan Spencer
CyberArtisans Web Developers
jspencer@cyberartisans.com
http://www.cyberartisans.com/
617-965-4110