0

Password Security

Posted by Josh on July 12, 2012 in Security |

With the recent password leaks from both LinkedIn.com and Yahoo.com, the topic of passwords has been at the forefront of many citizens and specifically IT departments.  It is not uncommon to walk in to an office environment and see things like passwords taped to monitors or hidden on sticky notes under mouse pads, keyboards, and in desk drawers.

The first element of a good password is complexity.   Complexity is a method to make your password more difficult to “crack”.  The first step of creating a complex password is not to use any dictionary words.  Unfortunately, when coupled with the requirement for special characters and numbers and upper and lowercase.  These kinds of requirements often leads people do as one FBI agent did in the exposed Yahoo hack and create a password like PA$$w0rd01.  This is only marginally better than simply using “password” since hackers using any dictionary-based attack will account for these kinds of simple letter substitutions.

A good password should have at least two uppercase, two lowercase, two special characters and two numbers, not contain any dictionary words or simple substitutions, and be at least 15 characters long.  These requirements also have evolved to not include things like keyboard patterns or progressions like QWer12#$ or 13qeadzc!#QEADZC.   The final requirement is not use personal information like names, birthdays, anniversaries, pet’s names, and the like as the basis or in your passwords.   Combining all of these greatly increases the complexity of your password which makes it harder to “crack” using brute force attacks.

Because of these all these requirements, people often have a hard time thinking of passwords that are “secure” but easy enough to remember not to have to write them down.

An easy way to create a secure password that is EASY to remember is to take a phrase that you know well and use that as the base for a cipher.

I will use the two most famous lines from “A Few Good Men” to illustrate now to do this.

“I want the truth! You can’t handle the truth!”

“1VV@n+DaTruF!,U(@n’+H&nLDat(r)^+h!”

Another method is to develop a passphrase and a cipher box that contains the 26 letters of the alphabet and a mix of number and special characters. Below I will use a line from the movie “The Boondock Saints” to show now this can be done.

 

“And shepherds we shall be!” when used with the below cipher box becomes “H7Vg-qm-qsVgFqg-h$$We6”

Ah BW Ch DV Eq F1 G% H- ID Jy
Kz L$ M4 N7 OU Pm Q? Rs Sg TL
U2 VR WF X7 Y8 Ze 15 2! 3i 4T
5@ 6Z 7c 8# 9^ 0K !6 @9 #o $B
%& ^N &3 *j (* )P _( =a +1 ?x

 

This primer doesn’t cover all the possible good password creation methods, nor does it begin to touch on some of the cool things being done in biometric and  two-factor authentication.

Tags: , ,

Leave a Reply

Copyright © 2012-2018 All rights reserved.

SiteLock