How To Create Very Secure Passwords That Are Easy To Remember

by Tom Duffy

I have had a lot of experience trying to get clients to use secure passwords and the common problem that comes up is that secure passwords are often difficult to remember. So, I came up with a simple solution to this. Let’s get started:

First, we should pick our favorite song. For the sake of this tutorial, I will use Stairway To Heaven by Led Zeppelin. Now, pick a line from the song that is 7 or more words long. I will use the line “And she’s buying a stairway to heaven”.

Next, take the first letter of each word in that line of the song. Mine would be:

ASBASTH

Now, alternate between lower case and upper case:

aSbAsTh

Next, we will choose a letter in this string that can also be represented by a look-alike number. Some examples would be a 5 instead of an S, or a 1 instead of an I. So, I will use a 5 instead of the capital S:

a5bAsTh

Next, we will add a character that is not alphanumeric, such as a $ or a #, to the beginning and end of the string. I will use a $:

$a5bAsTh$

“$a5bAsTh$” is a very secure password. A brute-force attack would take a LONG time to break it, and a dictionary attack would simply fail. The best part is that even though this password is very secure, all I have to remember is that line from the song with a “$” on either side of it and a “5” instead of an “S”. I recommend this to all of my clients now, and it has convinced a lot of computer novices that they can have secure passwords without the worry of forgetting what they are! I sure hope that this helps some people!

About Tom Duffy

Tom Duffy is the owner of Tech Remedy and Host Remedy, a developer and a Linux geek.

32 thoughts on “How To Create Very Secure Passwords That Are Easy To Remember”

  1. I came up with a variation of this password generating algorithm over 10 years ago, and I still use it. I have yet to come across a better password generating algorithm. I guess great minds think alike.

  2. Personally, I find it easier to come up with one master password, such as FishStix, and just add the first 2 and last 2 letters from the website. So for techremedy.net it would be teFishStixdy, but if I used the password on yahoo, it would be yaFishStixoo.

  3. You would think that if the person was using the password long enough that the password would be commonplace in their minds… Kind of like mine is just random pressings on my keyboard that I use so much it is stuck in my mind…

  4. Just thought you’d like to know a Windows password like that would be broken in around 5 minutes using rainbow tables.

  5. @Matt – 5 minutes seems like an extreme stretch…besides, if you use Windows, you have more to worry about than password security.

  6. The method I used was to just make an actual random set of letters and numbers and set it as a note in my phone so that I will have a place to look for it if I need to remember. The first few times I need to type it in I have to look at my phone, but after a while it gets stuck in your head and you don’t forget it.

  7. Passwords by association are usually great if complex enough, like this method is by taking the first letters and such. I think I’ll actually use it when I tell people that their name is not a good password.

    One of my best passwords is 34 characters long and has several associations only known to me. Assuming I use only the 26 letters, upper and lower, and the 10 numbers and their symbols, there’s still 1 410 278 479 275 235 286 493 524 897 824 966 675 247 284 140 372 515 853 428 588 544 combinations a brute force program would have to check…

  8. One of my favorite suggestions for people to make stronger passwords is to pick something very easy for you to remember, but then shift your fingers one key to the right while you type it.

    Doesn’t produce passwords as strong as more complicated methods do, but it’s a good way to strengthen passwords for people who use their first name and still have to use the password recovery option regularly.

  9. Bonder! What the hell man! Let the man enjoy his article. People, always with the story topping.

  10. I think it’s a great idea, thank you.
    I don’t think it’s necessary to go overboard and use 10-20 or 30 character PWs. If you use a little brain, it can be done very fast. Like this way. ;)

  11. Pingback: Password Complexity « The Realm of the Verbal Processor

  12. RP:

    I wasn’t so much trying to steal any thunder. I just think it’s neat when two people arrive at the same, or nearly the same thing, completely independently. This is just the first time I’ve come across anyone with a password algorithm that so closely resembles my own.

  13. I prefer to use pass phrases, something like:

    I live @ 123 Fake St., Calgary, Alberta, T3A 4A1!

    It’s simple, almost impossible to forget yet much too long to brute force.

  14. Jarvis:

    The password, $a5bAsTh$, stored as an NTLM hash would be very difficult to break. The length is sufficient to virtually eliminate rainbow tables as the tables would be huge. Now, if stored in LM it would be very easy to crack. Of course we are talking about brute forcing the hash and not brute forcing across a network.

    I find that most people, network admins included, know very little about how passwords are stored, hashed and transmitted. Making our jobs that much easier.

  15. It is also very secure to simply use a long passphrase as a password, even if no weird symbols are used. Because of the length of the passphrase, they are just as safe but easier to remember.

    For instance:
    “This could be a secure password if used as a passphrase”

  16. Pingback: xx passwords

  17. Well, I have always used the phrase itself without spaces, like: thatsthewayitis
    And what if I forget the technique used to code the password?

  18. I much prefer an actual pass phrase; they are longer and easier to remember. A simple passphrase in quotes can be much more difficult to crack, such as: “99bottlesofbeeronthewall” or “Mysontimmyis9yearsoldmay11th”. Easy to remember and terribly difficult to crack.

  19. I think my password is very secure. I use it for everything. It is 11 characters with letters, capitals, numbers and punctuation.

    Here it is, tell me what you think…

    … on second thoughts maybe not.

  20. Pingback: common passwords

  21. Passwords suck so bad it’s not even funny. Here it is 2008, and we’re still forced to remember 25 strong passwords. One of the many failings of technology has been not finding a better way for every day people to authenticate. To me it’s just a verification that computer people never have, and never will understand UI. Maybe the unnecessary visual effects Vista and Compiz will make up for the fact that we’re still using a centuries old authentication method?

  22. lol@centuries old authentication method.

    ..do this, if you have to make another password, think of it as a *PASS PHRASE*

    ie: “jesus ate a corn dog today”.

    that is one of the most secure passwords you can have. much more secure than “illbeback1” or whatever crap people have these days.

  23. Pingback: Mel The Geek, and more… » How To Create Very Secure Passwords That Are Easy To Remember

  24. I use a combination of 0 and O that plays havoc with prying eyes. I tap out the beat to one of my favorite songs with these two keys. Example: 00O0OO0O00O0O0O0O0O00O00O0O0OOOO00O00OO0

  25. Not to rain on anyone’s parade, but complete rainbow tables with a system capable of running them (8GB+ RAM) can crack it in under 3 minutes.

    Fact: If your password is under 15 characters in length, it’s not secure.

    If it’s over 15 characters in length, with alpha-numeric and symbol characters, it’s fairly secure.

    And honestly, as one poster pointed out, if you’re running Windows, a weak password is the least of your worries.

    Cheers,
    Ghost