Linked by Howard Fosdick on Sat 10th Nov 2012 07:28 UTC
Bugs & Viruses If you want to ensure you have adequate passwords but don't have the time or interest to study the topic, there's a useful basic article on how to devise strong passwords over at the NY Times. It summarizes key points in 9 simple rules of thumb. Also see the follow-up article for useful reader feedback. Stay safe!
RE: make 'm long
by Laurence on Sun 11th Nov 2012 11:32 UTC in reply to "make 'm long"

Pick a couple of words, at least one of them in your local dialect (to avoid dictionary attacks) and stick them together with numbers like this:

Coca300ColaInEmpireStrikesBack (imagine Luke drinking 300 cans of Coke)

Or make a phrase that you can easily remember:

IWant14XtraVacationDaysAfterEaster
YesINEED3cupsofcoffeeEVERYsingleday

...don't forget to insert at least one word in your local dialect.

Or use http://xkcd.com/936/

Unfortunately all of those things are easily crackable by current attack algorithms.


Common misconceptions with password security:

* concatenating words together is more secure == false. Modern attacks use a dictionary of words and try combinations of such words concatenated.

* using txt spk / l33t style words is harder to crack than common words == false. Modern dictionaries have every imaginable combination of number and non-alphanumeric substitutions of letters as well as plain English words.

* using non-English words is more secure == false. Dictionaries include words from most languages, proper nouns and even slang that isn't technically part of any language.


Password cracking has come a long way in the last few years and current security advice hasn't kept up with those developments. In my opinion there are only 3 things you can do to have a truly secure password:

1/ use a password hash. This will be a mixture of alpha, numerics and symbols. Generate this hash from any site like this: http://www.insidepro.com/hashes.php?lang=eng and have the website / application name as the salt and the same password as the password. This way you get a unique, non-guessable password for each service and an easy way for you to "keep" your passwords without having to write them down nor store them in any digital keychains.

2/ use a unique password for each service. I'd already mentioned that above, but it's so important it needs repeating.

3/ wherever possible, use key-based systems (eg SSH keys instead of login passwords). Even just 2048-bit RSA keys are significantly more difficult to crack than 99% of passwords. Sadly though, key-based systems are rarely available for most systems.



Password security isn't difficult; however, there's a lot of outdated advice that people still hold tight to.

Edited 2012-11-11 11:36 UTC

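The three "misconceptions" in the comment above describe how a rule-based cracker mangles a dictionary (case and leet substitutions, suffixes, and concatenating words with numbers between them). The following toy cracker is an added example, not code from the original post or its author; the wordlist, the rule sets, the digit ranges and the three target passwords are all constructed here and are much smaller than anything a real attack dictionary or hashcat rule file contains. It hashes with unsalted MD5 purely so the demonstration runs quickly offline.

```python
"""Toy rule-based cracker: leet-speak, foreign words and word concatenation
all fall to ordinary dictionary mangling. Constructed example; the wordlist,
rules and targets are assumptions, not anything from the original page."""
import hashlib
import itertools

# Constructed wordlist. A real attack dictionary holds millions of entries
# across many languages; "gezellig" (Dutch) stands in for a "local dialect" word.
WORDLIST = ["coca", "cola", "empire", "strikes", "back",
            "password", "luke", "gezellig"]

# Leet substitutions a mangling rule may apply; every letter may also stay as is.
LEET = {"a": ["4", "@"], "e": ["3"], "i": ["1", "!"],
        "o": ["0"], "s": ["5", "$"], "t": ["7"]}

# Small suffix rule: digits 0-99 plus a few common tails.
SUFFIXES = [""] + [str(n) for n in range(100)] + ["!", "123", "1!"]


def case_variants(word):
    """lower, Capitalised and UPPER forms of one word."""
    return [word.lower(), word.capitalize(), word.upper()]


def leet_variants(word):
    """Every combination of leet substitutions, the unchanged word included."""
    choices = [[c] + LEET.get(c.lower(), []) for c in word]
    for combo in itertools.product(*choices):
        yield "".join(combo)


def mangled(word):
    """Single-word candidates: case rules x leet rules x suffix rules."""
    seen = set()
    for cv in case_variants(word):
        for lv in leet_variants(cv):
            for suf in SUFFIXES:
                cand = lv + suf
                if cand not in seen:
                    seen.add(cand)
                    yield cand


def combinator(wordlist):
    """Two-word candidates joined by nothing or a number 0-999 (the
    'Coca300Cola' pattern). Case rules only, to keep the toy fast."""
    parts = [cv for w in wordlist for cv in case_variants(w)]
    seps = [""] + [str(n) for n in range(1000)]
    for left, right in itertools.product(parts, repeat=2):
        for sep in seps:
            yield left + sep + right


def candidates(wordlist):
    """Cheap single-word rules first, then the combinator pass."""
    for w in wordlist:
        yield from mangled(w)
    yield from combinator(wordlist)


def md5_hex(s):
    return hashlib.md5(s.encode()).hexdigest()


def crack(target_hashes, wordlist=WORDLIST):
    """Return ({hash: plaintext} for every recovered target, candidates tried)."""
    remaining = set(target_hashes)
    found = {}
    tried = 0
    for cand in candidates(wordlist):
        tried += 1
        h = md5_hex(cand)
        if h in remaining:
            found[h] = cand
            remaining.discard(h)
            if not remaining:
                break
    return found, tried


# Constructed targets: unsalted MD5 of three passwords that follow the
# quoted advice (leet, a foreign word with a digit, two words with a number).
TARGETS = {md5_hex(p): p for p in ["P4$$w0rd", "Gezellig1", "Coca300Cola"]}

if __name__ == "__main__":
    found, tried = crack(list(TARGETS))
    for h, pw in found.items():
        print(f"{h}  {pw}")
    print(f"recovered {len(found)}/{len(TARGETS)} after {tried} candidates")
```

All three targets are recovered after well under a million candidates, which a GPU cracker gets through in a fraction of a second; the point is that each "trick" in the quoted advice corresponds to a rule an attacker already applies, so the effective keyspace is the wordlist times the rule count, not the character set to the power of the length.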
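Point 1/ above proposes deriving one password per service by hashing a master password with the site name as salt. The function below is an added example of that construction and is not the poster's tool or the linked web site's output: it is computed locally with the standard library, uses HMAC-SHA256 keyed with the master password over the site name (a choice of this example, not something the post specifies), and base64-encodes and truncates the digest to get a fixed-length mix of letters, digits and symbols. Because the site name is public, the strength of every derived password rests entirely on the master password, so choose that one accordingly.

```python
"""Per-site password derivation, computed locally. Added example; the
HMAC-SHA256 construction, the base64 encoding and the 20-character length
are assumptions of this example, not a specification from the original post."""
import base64
import hashlib
import hmac


def derive_site_password(master: str, site: str, length: int = 20) -> str:
    """Derive a per-site password from one master secret.

    HMAC keyed with the master password over the (public) site name, so
    every service gets a distinct value that can be recomputed anywhere
    without storing anything. The base64 alphabet supplies letters, digits
    and the symbols '+' and '/'.
    """
    if not master:
        raise ValueError("master password must not be empty")
    digest = hmac.new(master.encode("utf-8"), site.lower().encode("utf-8"),
                      hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")[:length]


if __name__ == "__main__":
    master = "correct horse battery staple"  # constructed sample, not a real secret
    for site in ("osnews.com", "example.com", "mail.example.org"):
        print(f"{site:20s} {derive_site_password(master, site)}")
```

The site name is lower-cased before hashing so that "OSnews.com" and "osnews.com" give the same result; any such normalisation has to be chosen once and never changed, or the derived passwords stop matching what was registered.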