By Tuan Nguyen
Posting in Technology
Password padding and symbols may be the key to securing your online information.
It's a perpetual dilemma. We all instinctively know that passwords comprised of simple numerical patterns or familiar words like our name tend to be the easiest ones to remember. The drawback is it makes them easy to hack, too. But make them too complicated and you'll have a hard time committing the password to memory.
Proposed solutions to this problem aren't hard to find. Do a little research on Google and you'll find a wealth of ideas on how to create a secure password that can also be easily recalled, the so-called holy grail of internet security. However, I've recently come across a post on the blog Tecca entitled "5 ways to make an easy-to-remember, ultra-secure password" that, in my opinion, provides one of the best approaches on the topic.
While the author Taylor Hatmaker echoes much of the well-worn advice that's already out there, she advocates a special method that, oddly enough, allows for simple words and even character patterns -- but only within certain parameters.
Before we get into that let's review some of the basic best practices for creating secure passwords by going over what you shouldn't do.
- Avoid using parts of your name or email address since criminals can easily figure this out
- Don't include personal information like your birth date, names of family members or street addresses.
- Consecutive numbers are a bad idea. You can basically nix "123456" or any other pervasively common combinations.
- Steer clear of familiar sequences, phrases and slang terms.
What users are left with is the conventional thinking that the best approach is a jumbled-up mixture of numbers, symbols and upper- and lower-case letters. Hence, a good password would look something like this: T^n3k28$P!eV*AfJ9
Sounds like life on the internet is getting pretty complicated, right? So then you're probably wondering how it can be possible that using patterns, even simple ones, can bolster the strength of your password. The approach Hatmaker recommends involves a technique called "password padding": incorporating more symbols and making passwords longer as a way of fortifying them against attack.
The strategy, proposed by renowned security expert Steve Gibson, is based on the rationale that combining those two factors gives users the best chance of thwarting malicious programs that rapidly run through many password combinations to uncover the right one, otherwise known as brute-force attacks. For instance, there are more than 1500 symbols a hacking program needs to run through to correctly pin down one character of your password, while each character added to a pass-code makes it several times more difficult to crack, Hatmaker writes.
Here's an example from Gibson's website in which he explains the counter-intuitive logic behind it:
The main concept can be understood by answering this question:
Which of the following two passwords is stronger,
more secure, and more difficult to crack?
You probably know this is a trick question, but the answer is: Despite the fact that the first password is HUGELY easier to use and more memorable, it is also the stronger of the two! In fact, since it is one character longer and contains uppercase, lowercase, a number and special characters, that first password would take an attacker approximately 95 times longer to find by searching than the second impossible-to-remember-or-type password!
But wouldn't something like “D0g” be in a dictionary, even with the 'o' being a zero?
Sure, it might be. But that doesn't matter, because the attacker is totally blind to the way your passwords look. The old expression “Close only counts in horseshoes and hand grenades” applies here. The only thing an attacker can know is whether a password guess was an exact match . . . or not. The attacker doesn't know how long the password is, nor anything about what it might look like. So after exhausting all of the standard password cracking lists, databases and dictionaries, the attacker has no option other than to either give up and move on to someone else, or start guessing every possible password.
Don't believe it? You can test out Gibson's tactic using the password strength tester by going to his website.
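The arithmetic behind Gibson's argument can be checked directly. The script below is an added example (not code from the article, from Gibson's site or from Tecca): it works out which character classes a password uses, the alphabet size an attacker blind to the password's structure must cover, and the exhaustive search space as c^1 + c^2 + ... + c^n for alphabet size c and length n (the c^x count, not x^c, as a later commenter points out). The 95-character alphabet (26 + 26 + 10 + 33 symbols including the space) is the standard printable-ASCII count; the sample passwords are constructed here, apart from the article's own jumbled example.

```python
import string

# Character-class sizes for printable ASCII. 26 + 26 + 10 + 33 (symbols,
# counting the space) = 95, the alphabet behind the article's "95 times longer".
LOWER, UPPER, DIGIT, SYMBOL = 26, 26, 10, 33


def alphabet_size(password: str) -> int:
    """Size of the alphabet an attacker must cover once every class the
    password uses is in play. The attacker cannot see which classes were
    used, so a single symbol drags the whole 33-symbol class into the search."""
    size = 0
    if any(c.islower() for c in password):
        size += LOWER
    if any(c.isupper() for c in password):
        size += UPPER
    if any(c.isdigit() for c in password):
        size += DIGIT
    if any(c in string.punctuation or c == " " for c in password):
        size += SYMBOL
    return size


def search_space(password: str) -> int:
    """Candidates an exhaustive search must try, worst case, before it is
    guaranteed to reach `password`: every string of length 1..n over the
    alphabet, i.e. c^1 + c^2 + ... + c^n (the last length alone is c^n)."""
    c = alphabet_size(password)
    return sum(c ** length for length in range(1, len(password) + 1))


def strength_ratio(a: str, b: str) -> float:
    """How many times more guesses `a` costs than `b` under exhaustive search."""
    return search_space(a) / search_space(b)


def years_to_exhaust(password: str, guesses_per_second: float) -> float:
    """Worst-case time to exhaust the search space at a given guess rate."""
    return search_space(password) / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    # Constructed samples: a padded password in the spirit of the D0g example
    # discussed in the comments, the article's own jumbled example, and a
    # lowercase-only passphrase.
    padded = "D0g" + "." * 21             # 24 characters, all four classes
    jumbled = "T^n3k28$P!eV*AfJ9"         # 17 characters, all four classes
    phrase = "correcthorsebatterystaple"  # 25 characters, lowercase only
    for pw in (padded, jumbled, phrase):
        print(f"{pw:28} alphabet={alphabet_size(pw):3} "
              f"space~10^{len(str(search_space(pw))) - 1} "
              f"years@1e11/s={years_to_exhaust(pw, 1e11):.3g}")
    print(f"padded vs jumbled: {strength_ratio(padded, jumbled):.3g}x")
    # One extra character with the same four classes: roughly 95x more work.
    print(f"24 vs 23 chars, same classes: {strength_ratio(padded, padded[:-1]):.4f}x")
```

The numbers are the attacker's worst case under the assumption the article relies on: that the attacker knows nothing about the password's structure. That assumption erodes as soon as a construction becomes popular, because cracking tools add rules for it, so the search-space count is an upper bound on effort, not a guarantee.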
Learn more about internet security on SmartPlanet:
- Infographic: How Stuxnet supervirus works
- Virus attacks military drones, exposes vulnerabilities
- Four easy-to-remember passwords that will protect you for life
- New software may end internet censorship once and for all
- How to avoid the “500 worst passwords of all time”
- Anonymous hacktivists add Stuxnet code to their arsenal
Sep 6, 2011
As the number of possible characters used in a password increases its potential security, why is it that some passwords explicitly forbid the use of any character other than numbers and letters? It's just plain stupid. I've also come across restrictions such as no more than 2 identical characters together - which D0g...................... would certainly fail. I'm not going to divulge my password strategy (I'm over 55!) but I have a suggestion: Pick an irrational number such as Pi, the square root of 2, etc., as such numbers go on forever. Then pick a start digit position and a substitution system such as 1=A, 2=B etc. Finally pick a substitution pattern such as letter-letter-number and, although your password may not be easy to remember, it will be easy to recalculate. Example. I use Pi as my base number: 3.1415926535897932384626433832795 My password starts at the 6th digit (9). Using the substitution system and pattern as above, and choosing, say 9 characters, my password would be: ib6ec5hi7 By using digit pairs and more sophisticated substitution, this approach can make passwords that are very difficult to crack.
I had the password thing nailed a few years ago. Until some jokers stipulated that it's got to be 6 characters/7 characters with such and such a configuration. Now I've got 8 full pages of passwords and it's a major hassle.
Constructed languages can be very good for passwords, since most hackers only have dicts for natural languages. Especially Na'vi language with its complex *in*fix based tenses. For example, *yiveiom*, 'would happily eat', is *yom* with two infixes stuck inside it, and will not appear in any dict, not even a Na'vi one, since it is just a form.
XKCD already covered this: http://www.xkcd.com/936/ It's a lot easier to remember a simple phrase of four random words than a bunch of symbols and remembering which letters you capitalized or not. And I'm not sure how a dictionary attack is going to work against a cluster of words, you'd have to guess all four words at the same time, you either get the whole password or nothing at all, that's how encryption works.
When I cut and paste the sample D0g (etc) I count only 10 characters yet the article states that it contains more characters than the other. Is there some rule that says an ellipsis counts as more characters than one?
@tuancnguyen. It appears that Facebook ignores the case of the first character in a password. Thus, Dog and dog are equivalent ... and so the example password is slightly less secure than might be expected. Of course, if it began with a period the security is as expected: .Dog... and .dog... are not equivalent
Um. Can servers not tell that someone attempting 1000 log ins per second is probably not the registered user? I've heard of some sites using an exponential time limit like 2 seconds for the second attempt, 4 for the next, etc. Why is this uncommon?
It works similar to CodeCurmudgeon's suggestion. Take a relatively short sentence that you can easily remember, remove the spaces and use that as your password. Select a sentence with punctuation to add symbols if you like. Make it kinda long and maybe mix the case a bit. Like this: ILoveMyLittleBrownDog! or BestFriends4Ever! In answer to kwabinalars's concern about not using symbols I have to ask: How would the hacker know you didn't use symbols? He'd have to check all of them anyway and this would make his search take just as long. Because he doesn't know each character of your password he has to test every POSSIBLE character whether you used it or not. If it ever caught on that nobody ever used symbols he could guess that you didn't so he could skip testing them.
What is the human brain better at than a computer? Pattern recognition. Using the human brain for memorization is a waste of brain power. Why not use something that the human brain is designed to do? There are patterns all around you and you probably recognize them without even knowing it. For instance, take a look at your keyboard. See any patterns there? I have one of those natural keyboards and I see plenty of patterns. Using these patterns, we can generate highly complex passwords that require *NO* memorization! Take, for example, this password: 1670tybn!^&)TYBN That looks pretty complicated, right? Well, it isn't. It's just the pattern of my split keyboard. It splits at the 6-7 t-y b-n so this makes it a natural pattern to use. How about 1q2w3e4r5t^T%R$E#W@Q! How would you like a 21-character string of seemingly random characters for a password? Just go up the keyboard, then back down with the shift key! 1qzxsw2!QAZXSW@ Again, notice this pattern? A 16-character random password that is easy to remember because it's a pattern! But most of you are saying, "what about when you are required to change your password?" Well, move over one key. So the above password becomes: 2wsxcde3@WSXCDE#
There's NO need to use numbers, lower/upper case or punctuation marks Tuan. You are completely safe using just a few words as your password.
For many years I've been using poems and song lyrics which have been stuck in my head for decades as the key to my passwords, some of 'em since well before I started school, and throw in a bit of punctuation and a number or three. One of the first was: Btdatd,Wtnibtl93. How on Earth is that a memorable password? Well I've known the key to it since I was three: "Between the dark and the daylight, When the night is beginning to lower" Now I did have to remember that 93 was the number to finish it off, but other than that It was stuff kicking around in my head anyway. What gives me fits are systems which insist on ridiculously short passwords: EIGHT characters? Really! That may have been reasonable back in the days when memory speeds were measured in microseconds, but nowadays? Ridiculous!
I was going to post the exact thing. I use a "base" that remains the same and an "extension" that changes each time I'm required to select a new password. Unfortunately since I can't remember all the little details of which password goes with which system, I have to have a paper with all my "extensions" written on it at my desk. Heaven help us if someone figures out my "base". Or, they could just let me make up a new password like CorrectBatteryStapleHorse that would be memorable and virtually unbreakable.
Hackers download password files, crack them, and then login using the passwords they've gained from working through the file. Roger Demuth https://piedex.com
I agree that this would be the best possible security. My bank locks me out of my account if I enter more than 3 incorrect attempts over a 12 month period. To unlock, I have to ring the bank, and convince them who I am to have the account unlocked. The only way that logon-attempt limits can be circumvented is if the database itself is stolen (which has happened), as then the hacker has unlimited attempts.
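The server-side defence asked about a few comments up ("2 seconds for the second attempt, 4 for the next, etc.") and the hard lockout described in the bank comment above can be combined in a few dozen lines. The class below is an added example, not code from the article or any commenter, and the login stream it replays is constructed; `password_ok` stands in for a real credential check, and timestamps are passed in explicitly so the behaviour is deterministic.

```python
class LoginThrottle:
    """Per-account defence against online guessing: an exponential delay after
    each failure, plus a hard lockout that needs an out-of-band unlock.

    Timestamps are supplied by the caller so the logic is deterministic and
    testable; a real server would pass time.monotonic()."""

    def __init__(self, base_delay: float = 2.0, max_delay: float = 3600.0,
                 lockout_after: int = 10) -> None:
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.lockout_after = lockout_after
        # account -> (consecutive failures, time of the last failure)
        self._failures: dict[str, tuple[int, float]] = {}
        self._locked: set[str] = set()

    def required_delay(self, failures: int) -> float:
        """Seconds the account must wait after its Nth consecutive failure:
        0, 2, 4, 8, ... capped at max_delay."""
        if failures == 0:
            return 0.0
        return min(self.base_delay * 2 ** (failures - 1), self.max_delay)

    def attempt(self, account: str, password_ok: bool, now: float) -> str:
        """Outcome of one login attempt: 'ok', 'fail', 'throttled' or 'locked'."""
        if account in self._locked:
            return "locked"
        count, last = self._failures.get(account, (0, 0.0))
        if now < last + self.required_delay(count):
            # Refused before the credential is even checked. The failure counter
            # and timer are left alone, so hammering does not shorten the wait.
            return "throttled"
        if password_ok:
            self._failures.pop(account, None)   # success resets the backoff
            return "ok"
        count += 1
        self._failures[account] = (count, now)
        if count >= self.lockout_after:
            self._locked.add(account)
            return "locked"
        return "fail"

    def unlock(self, account: str) -> None:
        """Out-of-band reset (the phone call to the bank)."""
        self._locked.discard(account)
        self._failures.pop(account, None)


def simulate(throttle: LoginThrottle, attempts):
    """Replay a list of (time, account, password_ok) and return each outcome."""
    return [throttle.attempt(account, ok, t) for t, account, ok in attempts]


if __name__ == "__main__":
    # Constructed stream: a guesser fires at "alice" every second, then the real
    # user logs in once the backoff has elapsed.
    stream = [(0.0, "alice", False), (1.0, "alice", False), (2.0, "alice", False),
              (3.0, "alice", False), (6.0, "alice", False), (10.0, "alice", True),
              (14.0, "alice", True)]
    for (t, account, ok), outcome in zip(stream, simulate(LoginThrottle(), stream)):
        print(f"t={t:5.1f} {account} password_ok={ok!s:5} -> {outcome}")
```

With a 2-second base the guesser gets a handful of real tries per hour against any one account instead of thousands per second. Two caveats belong next to this: a lockout lets anyone who knows a username deny service to its owner, which is why many sites prefer delays and per-source limits over a hard lock; and, as the comment above says, none of this helps once the password database itself has been stolen, because the guessing then happens offline against the hashes.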
Suppose I want to hack your Bank of America account. First I open an account of my own with Bank of America and then I discover that they only allow letters and numbers. This makes it much easier to hack anyone's Bank of America account - and I hope some IT guy at Bank of America who restricted passwords in this stupid way (and so made hacking easier) is reading this - or, even better, some senior official who can get this stupid policy changed.
Don't use common words (anything in any dictionary) as hackers use a dictionary attack as first port of call often (depending on what they might already know about their target) Running through dictionary combos first is quicker than brute-force AFAIK. I tell my clients: If you have to use a phrase or combo of words/names then put a delimiter in between eg theQuickbrown can become: the$quick$brown or maybe: thequickbr@wn or tHeQuIcKbRoWn, anyways, u get the idea.. Not that passwords do much to stop hackers in this day and age, having a password you can remember is more important than one that can withstand brute-forcing ;-)
tech_ed's suggestion is just what hackers love. Keyboard patterns are commonly used as passwords and are among the least secure so avoid them!
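The objection above can be turned into a mechanical check: a password policy can reject keyboard walks before they are accepted, which is the defender's counterpart to the "keyboard patterns are in every cracking wordlist" point. The checker below is an added example, not code from the article or any commenter. It assumes a US QWERTY layout with approximate key positions (the half-key stagger between rows is a constructed approximation) and treats two characters as a walk step when their keys touch horizontally, vertically or diagonally; it also implements the "no more than 2 identical characters" rule an earlier commenter mentions, so that both rules can be seen acting on the same inputs.

```python
# Approximate US QWERTY geometry: each row is a string of base keys and each
# row is shifted right by a constructed stagger so diagonal neighbours line up.
ROWS = ["1234567890-=", "qwertyuiop[]\\", "asdfghjkl;'", "zxcvbnm,./"]
STAGGER = [0.0, 0.5, 0.75, 1.25]
# Shifted symbols map back to the key that produces them.
SHIFTED = dict(zip('!@#$%^&*()_+{}|:"<>?', '1234567890-=[]\\;\',./'))


def key_position(ch: str):
    """(row, column) of the physical key for `ch`, or None if it is not on the grid."""
    base = SHIFTED.get(ch, ch.lower())
    for r, row in enumerate(ROWS):
        col = row.find(base)
        if col >= 0:
            return (r, col + STAGGER[r])
    return None


def adjacent(a: str, b: str) -> bool:
    """True when `a` and `b` are typed on different, touching keys."""
    pa, pb = key_position(a), key_position(b)
    if pa is None or pb is None or pa == pb:
        return False
    return abs(pa[0] - pb[0]) <= 1 and abs(pa[1] - pb[1]) <= 1


def longest_keyboard_walk(password: str) -> int:
    """Length of the longest run of consecutive characters on touching keys.
    Case and shift state are ignored, so "1qaz" and "!QAZ" score the same."""
    best = run = 1 if password else 0
    for prev, cur in zip(password, password[1:]):
        run = run + 1 if adjacent(prev, cur) else 1
        best = max(best, run)
    return best


def longest_repeat(password: str) -> int:
    """Length of the longest run of one identical character."""
    best = run = 1 if password else 0
    for prev, cur in zip(password, password[1:]):
        run = run + 1 if prev == cur else 1
        best = max(best, run)
    return best


def check_policy(password: str, max_walk: int = 3, max_repeat: int = 2) -> list:
    """Names of the rules the password violates (empty list if it passes)."""
    problems = []
    if longest_keyboard_walk(password) > max_walk:
        problems.append("keyboard walk")
    if longest_repeat(password) > max_repeat:
        problems.append("repeated character")
    return problems


if __name__ == "__main__":
    # Constructed samples, including the patterns quoted in the comments above.
    for pw in ("1q2w3e4r5t", "1qzxsw2!QAZXSW@", "qwerty", "D0g" + "." * 21,
               "ILoveMyLittleBrownDog!", "correcthorsebatterystaple"):
        print(f"{pw:28} walk={longest_keyboard_walk(pw):2} "
              f"repeat={longest_repeat(pw):2} -> {check_policy(pw) or 'ok'}")
```

Note the tension the output makes visible: the walk rule catches the patterns that cracking tools already enumerate, while the repeat rule rejects the padded "D0g" style the article recommends. A policy that wants padding to remain available has to drop the repeat rule and rely on length instead.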
Now that you have helped us, are we sure that the hackers did not get educated just now as well? I wonder about the fingerprint thing. At least it works on the computer, and an app should be on the way soon - if it is not there already.
That's not true. Simple brute force attacks can kill passwords that use alphanumeric characters and they can do it quickly with passwords under 16 characters. Adding symbols and case increases the complexity exponentially. Current computer systems could take decades to brute force through passwords that contain letters (both cases), numbers and symbols at 12-16 characters. Adding characters increases the difficulty, again exponentially. It's fairly simple math. If you only use alphanumeric (let's say only lower case) your password equals X^36 where X=password length. If you add both cases then it becomes X^62. Add symbols and it becomes X^94 on my keyboard. So with 1 character you have 94 possible answers where one answer is your password. With 4 - 3.92318858 × 10^56. With 12 - 2.77355721 × 10^101. You get the idea. The complexity goes up really fast. Ultimately it comes down to how fast the computer performing the brute force attack can make posits. Most pros use graphics cards tethered together because they can affordably create systems that will run through a few million possibilities per second. But even with these machines some 16 character passwords can take over 100 years to break.
For a password length of x characters with a choice of c possible characters the number of combinations is c^x, not x^c. So the numbers for a 16 character password using any of 94 characters is 94^16, not 16^94