Tell me if this sounds like a familiar scenario. You’ve come up with a brilliant password – it’s strong, easy to remember, and you’ve finally mastered the finger gymnastics required to type it in quickly – only to find that the usage window, mandated by IT password policy, is up. So you come up with a new one, double it, add 32, and then subtract the letters from your mother’s maiden name. Only now IT requires you to include at least two punctuation characters, but that just throws the logic of your method right off.
Password creation is a constant dance between security and convenience, where good passwords that bridge the gap are hard to come by. On the one hand, strong passwords, changed on a regular basis, do reduce the likelihood of success for a wide range of attacks. On the other hand, if you make something too complex, you run the risk of forgetting it – somewhat ironic evidence of its security.
So, the ultimate question is, how do you come up with passwords that are both strong and straightforward? It’s something I’ve thought about on more than one occasion while staring at those twin text boxes, “New Password” and “Confirm New Password”. So I put this question to a variety of folks within Security Response. What follows are methods used by people within the security industry to make passwords with a good balance of security and ease-of-use.
I want to preface this by stating that a strong password isn’t the golden ticket to Internet security. There’s been plenty of debate about the usefulness of passwords in today’s world of exploits and social engineering tricks. Plus, if your password is picked off by a keylogger or spoof Web site, it’s DOA no matter how complex. But passwords aren’t going anywhere any time soon and strong ones do help keep your information safer.
Straight out of the Password 101 book, substitute numbers and special characters for letters that are similar in shape or sound: 3 for E, + for t, 8 for “ate”. Vary capitalization as well. I’m mentioning these up front not because they’re original, but to provide a word of caution. Most dictionary attacks these days take such substitution into account, and will often run these variations against common words. Simply put, something like “password” is not much more secure if spelled out as “P@55w0rD”. Still, it’s good practice, but should be coupled with other techniques.
A pinch of salt
A concept borrowed from cryptography, you can salt your passwords by adding a few pseudo-random characters. It could be anything from the year you got your first car to the number of claws your three-legged cat has. (Easily identifiable personal info, such as birthdates, is best avoided.) For example, I could take “cr4ck3rs”, salt it with my weight in kilograms on Jupiter, and come up with “cr41ck36rs5”. This technique makes dictionary attacks much more difficult, and significantly slows down brute force attempts.
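The two points above (that undoing shape-based substitutions exposes “P@55w0rD” as plain “password”, and that an interleaved salt breaks the word apart) can be checked mechanically. The following is an added example, not code from the original post: a small policy check that reverses the common substitutions and looks the result up in a constructed mini-wordlist; the substitution map and wordlist are assumptions standing in for the much larger rulesets real cracking tools use.

```python
import re

# Reverse map for the shape/sound substitutions the post mentions (3 for E,
# + for t, @ for a, 0 for o, 5/$ for s, 1/| for l, ! for i). Constructed for
# this example; real cracking rulesets are far larger.
LEET_TO_LETTER = {
    "3": "e", "@": "a", "4": "a", "0": "o", "5": "s", "$": "s",
    "+": "t", "7": "t", "1": "l", "|": "l", "!": "i",
}

# Tiny constructed wordlist standing in for a real dictionary-attack list.
COMMON_WORDS = {"password", "letmein", "welcome", "crackers", "monkey"}


def normalize(candidate: str) -> str:
    """Undo the substitutions and case so 'P@55w0rD' collapses to 'password'."""
    return "".join(LEET_TO_LETTER.get(ch, ch) for ch in candidate).lower()


def letters_only(text: str) -> str:
    """Keep just a-z so digits or punctuation around a word do not hide it."""
    return re.sub(r"[^a-z]", "", text)


def check_password(candidate: str, wordlist=COMMON_WORDS):
    """Return (accepted, reason). Rejects a password that is a dictionary word
    once substitutions are undone, or that contains one as a substring."""
    norm = letters_only(normalize(candidate))
    if norm in wordlist:
        return False, f"substituted dictionary word: {norm!r}"
    for word in wordlist:
        if len(word) >= 6 and word in norm:
            return False, f"contains dictionary word: {word!r}"
    return True, "no dictionary word found after undoing substitutions"


if __name__ == "__main__":
    # The post's own examples: the substituted word fails, the salted one passes,
    # and the first-letter sentence passes because it contains no word at all.
    for pw in ["P@55w0rD", "cr4ck3rs", "cr41ck36rs5", "Aw,At,i+40W", "P@55w0rD123"]:
        ok, why = check_password(pw)
        print(f"{pw:14} {'accept' if ok else 'reject':7} {why}")
```

Note that the interleaved salt passes only because it splits the base word; a salt merely appended (“P@55w0rD123”) is still caught by the substring check, which mirrors how cracking rules try digit suffixes.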
Phrases from movies/songs
The world of movies and music provides a rich lexicon of phrases, ripe for password picking. There are the ones we all know, like “D0Uf33l|uckyPunk?” or “WH0|3L0++aLuv”. Better yet, use lesser-known references (“Ch|03d0n’tKn0wB3++3r”) or maybe play upon a plot thread instead (“0MG,Sh3W45aH3?!”). Of course, there’s no limit to sources for such password phrases. Grab a sentence out of a random book, try a quote from a comedian, or use a cheesy line from a newspaper advertising insert.
First letter sentences
Another twist on password phrases is to use the first letter of each word in a longer sentence. “Another world, another time, in the age of wonder” becomes “Aw,At,i+40W”. This one also takes the teeth out of dictionary attacks, since it contains no words.
Do you speak a second language? Do you want to? Try writing a sentence in another language, or simply incorporating a word or two into your password. Assuming your Italian is as “brutto” as mine, it’s all the less likely it’ll be figured out. (Still, be sure to include character substitution to avoid non-English dictionary attacks.) You could even mix it up with constructed languages, txt spk/lolcats grammar, or one of any number of language games.
Passwords as affirmations
Think of it as the Stuart Smalley approach. Need to watch the budget? (“S4v3S0m3$$”) Spending too much time playing video games? (“L3t’sG0Ou+51d3”) Tired of pining over the girl who lives in your building? (“A5kS4||y0ut”) I’m not a psychologist, but typing in such a password on an average of eight times a day is bound to stick somewhere in the subconscious. Affirmations are more likely to be the types of things you wouldn’t share with others as well, being more personal thoughts kept close to the chest. Just remember to keep them positive. “N0D0nut,ChuBBy” doesn’t really help anyone.
Elements in page
Here’s a clever one for Web-based accounts: create the password out of a combination of elements in the page. For example, if you were creating a password for the Symantec Technology Network, you could combine the first few letters of the dominant color on the page (“yellow”), the logo (“sphere”), and the last words on the page (“Contact Us”). To separate the different elements, insert a marker between each element (“Y3l!Sph!tUs”). There are two things to remember with this method. First, be sure to choose elements that are unlikely to change when the page is updated. Secondly, if you plan to use this for more than one site, establish a method you’ll remember across various sites.
One final thing worth mentioning is that out of all the responses I received, not one person used any of the above exclusively. In each case, folks combined several of the methods to shore up more secure passwords.
So there you have it. Hopefully there are enough interesting tips to finally retire that four-letter password you’ve used on multiple online forums for years. Still, there’s no need to go overboard, churning out the typing equivalent of a tongue twister. The key is to find a good balance between strength and ease-of-use.