I ran across this in my travels and can’t not show it to you. Bruce Schneier, one of our cyber-security gurus, tackles the question of Internet passwords, hacking them, and choosing safe ones.
Password hacking is a science.
Here’s what that looks like:
The best way to explain how to choose a good password is to explain how they’re broken. The general attack model is what’s known as an offline password-guessing attack. In this scenario, the attacker gets a file of encrypted passwords from somewhere people want to authenticate to. His goal is to turn that encrypted file into unencrypted passwords he can use to authenticate himself. He does this by guessing passwords, and then seeing if they’re correct. He can try guesses as fast as his computer will process them — and he can parallelize the attack — and gets immediate confirmation if he guesses correctly. Yes, there are ways to foil this attack, and that’s why we can still have four-digit PINs on ATM cards, but it’s the correct model for breaking passwords.
Part of the problem with choosing a password is that most passwords follow predictable patterns, which makes almost all passwords hackable or guessable:
A typical password consists of a root plus an appendage. The root isn’t necessarily a dictionary word, but it’s usually something pronounceable. An appendage is either a suffix (90% of the time) or a prefix (10% of the time). One cracking program I saw started with a dictionary of about 1,000 common passwords, things like “letmein,” “temp,” “123456,” and so on. Then it tested them each with about 100 common suffix appendages: “1,” “4u,” “69,” “abc,” “!,” and so on. It recovered about a quarter of all passwords with just these 100,000 combinations.
He has more to say on just this idea, but pause a moment. Are your passwords a root plus an appendage, either a prefix or suffix? If so, you’ll probably be interested in what he has to say about how that kind of password is hacked.
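To make the root-plus-appendage pattern concrete from the defender's side, here is an added example (not code from Schneier's post) that checks whether a candidate password decomposes into a dictionary root with a common prefix or suffix, which is exactly what the cracking program described above enumerates first. The root and appendage lists are small constructed samples standing in for the ~1,000 roots and ~100 suffixes the text mentions.

```python
"""Flag passwords that fit the root + appendage shape crackers try first.

Added example, not from the original post. The lists below are constructed
stand-ins for real cracking dictionaries, which are far larger.
"""

# Constructed sample of common roots (pronounceable, often not real words).
COMMON_ROOTS = {"letmein", "temp", "123456", "password", "welcome",
                "qwerty", "monkey", "dragon"}

# Constructed sample appendages. Suffixes are tried first because, per the
# text, about 90% of appendages are suffixes; "" means "no appendage".
COMMON_SUFFIXES = ["", "1", "4u", "69", "abc", "!", "123", "01"]
COMMON_PREFIXES = ["", "1", "!", "the", "my"]


def decompose(password: str):
    """Return (prefix, root, suffix) if the password is a dictionary root
    wrapped in a common appendage, else None. Matching is case-insensitive
    because case variants are a cheap mangling rule crackers also apply."""
    lowered = password.lower()
    for prefix in COMMON_PREFIXES:
        if not lowered.startswith(prefix):
            continue
        for suffix in COMMON_SUFFIXES:
            if not lowered.endswith(suffix):
                continue
            root = lowered[len(prefix):len(lowered) - len(suffix)]
            if root in COMMON_ROOTS:
                return prefix, root, suffix
    return None


def guesses_for_pattern(roots: int = 1000, suffixes: int = 100) -> int:
    """Size of the root x suffix search space the text describes."""
    return roots * suffixes


def assess(password: str) -> str:
    """Human-readable verdict for a password policy check."""
    parts = decompose(password)
    if parts is None:
        return "not a simple root+appendage; survives the first pass"
    prefix, root, suffix = parts
    return (f"weak: root '{root}' with prefix '{prefix}' and suffix "
            f"'{suffix}' falls inside the first {guesses_for_pattern():,} guesses")


if __name__ == "__main__":
    for candidate in ["letmein1", "Monkey!", "1password", "tlpWENT2m"]:
        print(f"{candidate:12} -> {assess(candidate)}")
```

The sentence-derived password from the scheme quoted later in the post, tlpWENT2m, has no dictionary root for this pass to find, which is the point of that scheme.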
His best recommendation for a strong password?
Pretty much anything that can be remembered can be cracked.
There’s still one scheme that works. Back in 2008, I described the “Schneier scheme”:
So if you want your password to be hard to guess, you should choose something that this process will miss. My advice is to take a sentence and turn it into a password. Something like “This little piggy went to market” might become “tlpWENT2m”. That nine-character password won’t be in anyone’s dictionary. Of course, don’t use this one, because I’ve written about it. Choose your own sentence — something personal.
Here are some examples:
▪ WIw7,mstmsritt… = When I was seven, my sister threw my stuffed rabbit in the toilet.
▪ Wow…doestcst = Wow, does that couch smell terrible.
▪ [email protected]~faaa! = Long time ago in a galaxy not far away at all.
▪ uTVM,TPw55:utvm,tpwstillsecure = Until this very moment, these passwords were still secure.
And be sure to check the four rules following this sentence: “There’s more to passwords than simply choosing a good one.” Good info to have, right? It will only take a moment to read it though, and I think you’ll be glad you did.
To follow or send links: @Gaius_Publius
(Facebook note: To get the most from a Facebook recommendation, be sure to Share what you also Like. Thanks.)