Passwords, passphrases, and practical use.

Thursday 21 August 2008 at 18:18.

One of the most annoying things about the modern world is that pretty much everything you're likely to use these days, from your network login at work to your webmail account to your bank's website, requires a username and password before you can actually do anything. Way back when this didn't use to be such a big deal - people chose easy to guess passwords for their accounts and left it at that. Later on, admins discovered that crackers probably wouldn't spend hours on end guessing passwords; they'd spend a few hours writing software to do it for them (which you can find on the Net with a couple of clever web searches) and accounts would fall. They finally got with the times and required users to choose more and more complex passwords with capital as well as lowercase letters, numbers, and the odd punctuation mark, combinations which are guaranteed not to show up in the dictionary (and are probably not likely to be guessed by password crackers that can mutate dictionary words with the same odd characters). The problem is that passwords start looking more and more like line noise, and because people tend not to remember them, they wind up written down on sticky notes and left in desks and under keyboards. When they do remember their passwords, people often use the same one everywhere so they don't have to remember another string of line noise. Many people think that their passwords need to look like line noise, when in fact they don't. Passwords need to be non-logical and not in the dictionary, but they also need to be easy to remember. The obvious answer to this is to use passphrases - groups of words, numbers, and symbols that are close enough to English to be easy to memorize but extremely difficult to stumble upon. It isn't terribly difficult for someone to remember a two word phrase, is it?

"diagramme delicatessen"

There. Could use some work, though. Let's say that the service this password is for doesn't accept spaces in usernames or passwords (and you can't visit the devteam to whip them with a wet noodle), so we'll replace the space with something else.

"diagramme999delicatessen"

Better. We've got two types of characters represented now, but three is really better.

"DIAgramme999delicatesSEN"

It's a bit trickier to remember, but if you remember the pattern (word, numbers, word, first three and last three letters are capitalized), you can associate it more readily with the service and username in your long-term memory. You can just as easily come up with another general pattern for your passphrases:

"diagramme621delicatessen"
"^^diagramme621delicatessen$$"
"diagramme====621DELICATESSEN"

(For pity's sake, don't use these passphrases anywhere!)

Feel free to riff off of this and come up with your own schemes. The more there are, the more difficult it'll be to guess any one passphrase in the future. Try three words. Or four. Hell, try an entire sentence in your native language... you can remember a sentence with eight words in it, right?
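As an added illustration (not part of the original post), the snippet below builds a passphrase with the post's "word, numbers, word, capitalize the first three and last three letters" pattern and then works out how much the scheme actually buys you if the attacker already knows the pattern and only the word and digit choices are secret. The dictionary size, the 95-character printable alphabet and the guess rate are assumptions for the comparison, not figures from the post.

```python
import math


def apply_scheme(first: str, second: str, digits: str) -> str:
    """Build a passphrase the way the post does: word, digit run, word,
    then capitalise the first three and last three characters."""
    joined = first + digits + second
    return joined[:3].upper() + joined[3:-3] + joined[-3:].upper()


def scheme_keyspace_bits(dictionary_size: int, words: int, digits: int) -> float:
    """Entropy in bits of the scheme when the attacker knows the pattern.

    The capitalisation rule adds nothing then; only which words and which
    digits were picked remain secret, so the keyspace is dict^words * 10^digits.
    """
    return math.log2(dictionary_size ** words * 10 ** digits)


def random_password_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a uniformly random 'line noise' password."""
    return length * math.log2(alphabet_size)


def expected_guess_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time to find the secret: half the keyspace at a fixed rate."""
    return 2 ** (bits - 1) / guesses_per_second


if __name__ == "__main__":
    # Constructed sample matching the post's worked example.
    print(apply_scheme("diagramme", "delicatessen", "999"))

    dictionary = 100_000        # assumed size of the attacker's wordlist
    rate = 1e9                  # assumed offline guesses per second
    line_noise = random_password_bits(95, 8)
    print(f"8 random printable chars: {line_noise:.1f} bits")
    for words in (2, 3, 4):
        bits = scheme_keyspace_bits(dictionary, words, 3)
        years = expected_guess_seconds(bits, rate) / (365 * 24 * 3600)
        print(f"{words} words + 3 digits: {bits:.1f} bits, ~{years:.2g} years at {rate:.0e}/s")
```

The numbers show why the post's advice to go to three or four words matters: with a 100,000-word list, two words plus three digits come in below eight random printable characters, and only from three words up does the passphrase pull ahead.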

Now that you know how to generate a good passphrase you need to apply it to more than just your Hotmail account and the network at work. Or your home computer. Or your laptop, which you carry around everywhere you go. Or any of your cryptographic software.... but I'll get to that in a later post.

Okay, so this isn't the most glamorous post I've made in a while, but it's something that a lot of people still don't pay any attention to. Passwords are what you use to authenticate who you are to a computer or a service - they're a secret that proves that you are the person who's really supposed to use that account and not someone looking to go through your mail, or worse, send mail while pretending to be you.



Creative Commons License
This work by The Doctor [412/724/301/703] is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 License.




eight comments.

`Lex

Another easy to remember but complicated password scheme is to just use a sentence.

“I love my wife, Marlise!”

It’s got lots to confound a cracker, special characters and changes in case, and is long.

`Lex () (URL) - 21-08-’08 19:57
The Doctor

[`Lex:1] Exactly! They’re sufficiently complex insofar as character sequences go, and decently memorable if some thought is put into them.

The Doctor () (URL) - 22-08-’08 19:38
Hummingwolf

The first few passwords I ever used began with a number, followed by the first line of text on the page with that number in one of my favorite books. I actually still use a couple passwords with that scheme now. Never had to write down the password to remember it—if I forgot it, I’d just look it up in the book. All you really have to do is remember the page number and which book you were using.

Hummingwolf () - 22-08-’08 22:29
Adept

That last one was me – sorry, it’s still early.

Adept () - 23-08-’08 08:02
The Doctor

[Hummingwolf:3] That’s a pretty good passphrase scheme you’ve got there. The one caveat I have is that you have to keep the books that you use for this a secret because it could be figured out by a patient attacker. Using a large number of books would mitigate that.

The Doctor () (URL) - 23-08-’08 14:14
The Doctor

[Adept:4] Of the 2012 post?

My server logs show a hashcash violation – did you have Javascript turned off in your browser?

The Doctor () (URL) - 23-08-’08 14:15
Hasufin

I can’t share my current passphrase generation algorithm, as that would be one hell of a security breach, though I think you know a bit about it.

When I was in college, I used passwords based on grammatically incorrect German, with appropriate number and character substitution.

Of course, after a certain point it doesn’t matter how clever and easy to remember your passphrases are – if you’ve got 50 or so, you’re going to forget a few.

Hasufin - 28-08-’08 10:47
The Doctor

[Hasufin:7] I vaguely remember some stuff about it. To be honest, the body of knowledge you draw from to generate your passwords is a bit outside of my area of expertise.

Unfortunately, yes. I find it’s best to remember the top dozen or so passwords but store all of them securely (say, with Password Safe).

The Doctor (URL) - 29-08-’08 23:33

