Safe Passwords
Suggestions for creating a safe passphrase

STRUCTURE OF A SECURE PASSWORD

Includes Upper and Lower Case letters

Upper and lower case letters (ABCabc) can be used in a phrase in ways that are easy for you to remember, but hard for others to guess. For example, if the passphrase was:

Normal: The quick brown fox jumped over the lazy dogs.

It could be converted to:

Second letter of each word capped: tHe qUick bRown fOx jUmped oVer tHe lAzy dOgs.

Includes Numbers

Including numbers in a passphrase is not the same as using leet (1337). Hackers often check for common leet versions of their target guesses. For example:

LEET CHECK: 7h3 qu1ck br0wn f0x jump3d 0v3r 7h3 l42y do95.

The above leet version of the typing phrase would be a normal check in a dictionary attack. A safer use of numbers in a passphrase:

NON LEET (count the words): tHe1 qUick2 bRown3 fOx4 jUmped5 oVer6 tHe7 lAzy8 dOgs9.

Longer than 8 characters

Any alphanumeric passphrase shorter than 8 characters would take fewer than x computations to crack under a brute-force attack, which is not very high.

Not a quote (or a leet version of a quote)

A brute-force attack will include common quotes among its dictionary-attack attempts.

One Password, Multiple Sites

We are forced to register a multitude of different accounts to join many different web services. Most people use the same password for all their accounts. The problem with this is that anyone with administrator access (official or hacked) to any of the services where you have an account can use the password for one service to rule them all. The compromise of any of your passwords constitutes the compromise of all the services you use that the attacker knows or guesses. If you do have one password for multiple sites and you think one of your passwords has been compromised, change all the others immediately.

Not Personal

Never use personal information in a passphrase. Neither should you use personal information as a means to secure anything. Birthdays, anniversaries, and other significant numbers are easy guesses. Using your birthday as the PIN for your bank card is insecure; the same can be said for using it as, or as part of, a password or passphrase. There are many resources for gaining personal information on the internet, such as a crisscross directory, which allows a person to find a phone number from an address, or vice versa. Most, if not all, of the information required to acquire a person's birth certificate can be gained by reading the birth announcements in the local newspaper, even old newspapers on microfiche. Resources such as these can be used to guess passphrases and passwords.

Password Management

If you have a lot of passwords, you may find it useful to employ a keychain application like the Keychain Manager built into Mac OS X.

Programs that help create secure passphrases

Mac OS

On Mac OS 10.4 Tiger

Use the Password Assistant built into the System Preferences/Accounts/Change Password... dialog box. It can generate passwords of varying levels of memorability and strength.
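The structural rules above (length, mixed case, numbers, leet variants of known phrases, personal information) can be checked when a password is chosen. The following Python is an added example, not part of the original page; the wordlist, the leet table, the 33-symbol count and every sample password other than the page's own leet phrase are constructed for illustration.

```python
import string

# Constructed stand-in for a cracking wordlist of common words and quotes.
COMMON_PHRASES = {"password", "letmein",
                  "thequickbrownfoxjumpedoverthelazydogs"}

# Leet substitutions that dictionary attacks routinely reverse.
LEET = str.maketrans("01345792@$", "oieastgzas")


def normalize(pw):
    """Lower-case, undo leet substitutions, keep letters only."""
    return "".join(c for c in pw.lower().translate(LEET) if c.isalpha())


def keyspace(pw):
    """Guesses needed to brute-force every password of this length built
    from the character classes the password actually uses."""
    size = 0
    size += 26 if any(c in string.ascii_lowercase for c in pw) else 0
    size += 26 if any(c in string.ascii_uppercase for c in pw) else 0
    size += 10 if any(c in string.digits for c in pw) else 0
    size += 33 if any(not c.isalnum() for c in pw) else 0  # symbols + space
    return size ** len(pw)


def audit(pw, personal=()):
    """Return the rules from this page that a candidate password breaks."""
    findings = []
    if len(pw) < 8:
        findings.append("short")
    if not (any(c.isupper() for c in pw) and any(c.islower() for c in pw)):
        findings.append("single-case")
    if not any(c.isdigit() for c in pw):
        findings.append("no-numbers")
    if normalize(pw) in COMMON_PHRASES:
        findings.append("dictionary-or-leet")
    low = pw.lower()
    if any(p and p.lower() in low for p in personal):
        findings.append("personal-info")
    return findings


if __name__ == "__main__":
    samples = ("7h3 qu1ck br0wn f0x jump3d 0v3r 7h3 l42y do95.",
               "P@55w0rd", "Abc12345")  # last two are constructed samples
    for pw in samples:
        print(f"{pw!r}: {audit(pw)} keyspace={keyspace(pw):.2e}")
```

An empty result from `audit` only means none of these rules fired; it says nothing about whether the password is reused on another site.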
"My Hotmail account had been broken into, and I couldn’t access my e-mail. Random people in my in-box whom I hadn’t spoken to in months suddenly started getting calls from reporters. My father called to tell me someone had tried the same thing with his account, but that his security software had intercepted them and tracked them back to a rogue computer address in Washington, D.C. When I finally got back into my account, assuming the hacker was a Republican, I changed my password to “Bushsucksdick.”"





