ComputerForum.com
Old 03-31-2009, 06:27 PM   #1 (permalink)
VIP Member
 
tlarkin's Avatar
 
Join Date: Apr 2006
Location: Kansas City, MO
Posts: 9,931
Default PSA: How to create a secure password

This is something that most users don't know about, and even power users, advanced users, or even IT people use ridiculously weak passwords.

A secure password should be at least 8 characters long and include letters, numbers and symbols. Almost all passwords are encrypted while being sent and received to their destination with a few exceptions. I will get into the exceptions later on.

Passwords SHOULD NOT contain any of the following:
  • Real words
  • Personal information (DOB, last name, etc)
  • Name of pet, friend, wife, husband, etc

Now, let me give you an example. Let's say your password is monday, which is not secure and will easily be hacked by what is called a Dictionary Attack. Now a still non-secure modification of that would be MoNdaY. A slightly more secure (but still not secure) version would be m0nD@y. Dictionary attacks are basically brute force attacks that try to guess your password or passkey. They can come in any language, including the ever so popular l33t language, which is why m0nD@y is not a secure password.

I can tell you right now, anyone who can write simple looping for programs can write a dictionary attack; it is not hard to do at all.

So how does one create and use a strong password? There are many different methods you can use. You can use a random number string, plus a word, plus a symbol and then mix it up. However, I like to suggest to people to use a phrase and then condense it to a password. For example, the phrase:

I love to eat pizza, for every meal if possible!

Now you can take that and turn it into a password:

il2ep4emip!

Still, not quite secure, so now we can add on to that.

I love to eat pizza, for every meal if possible!

Il23p4eMip!

I used a 3 as an E and tossed in a few capitals in there. Now you can add a symbol or a space.

Il23p 4emip!

Spaces count as characters in passwords. Now just add a symbol at the beginning, like a @ or # or % or whatever and your password is pretty secure. Most bot attacks or hackers using such dictionary attacks will fail to crack your password over and over again, and then quit and move along to a greener pasture. Over to where people use their pet's name as a password and can be more easily exploited.

Do be aware that things like WEP, TKIP encryption, and FTP are security risks. If you must use FTP, use SFTP, since FTP sends passwords in plain text.
__________________
Typical Signature:
<Computer Specs>
-numbers I read off a box
-parts I assembled in a case all by myself
-benchmark score

"Will the man with telekenesis please raise my hand?" - Vonnegut

chown -R us /.base

Get a grep!
tlarkin is online now   Reply With Quote
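
The checks described in the post above, as an added example that is not part of the original post: a small password-policy check that undoes case changes and l33t substitutions before looking the result up in a wordlist, which is why monday, MoNdaY and m0nD@y all fail while the phrase-derived password passes. The function names, the substitution table and the four-word wordlist are assumptions constructed for illustration.

```python
import string

# Constructed sample wordlist; a real check would load a full dictionary file.
WORDLIST = {"monday", "password", "pizza", "dragon"}

# Common l33t substitutions mapped back to the letters they stand for
# (an illustrative table, not an exhaustive one).
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(password):
    """Undo case changes and l33t substitutions, as a l33t dictionary does."""
    return password.lower().translate(LEET)


def check_password(password, wordlist=WORDLIST, min_length=8):
    """Return the list of reasons a password is weak (empty list = passes)."""
    problems = []
    if len(password) < min_length:
        problems.append("shorter than %d characters" % min_length)
    if not any(c.isalpha() for c in password):
        problems.append("no letters")
    if not any(c.isdigit() for c in password):
        problems.append("no numbers")
    if not any(c in string.punctuation for c in password):
        problems.append("no symbols")
    # Strip leading/trailing digits and symbols so "monday1!" still matches.
    core = normalize(password.strip(string.digits + string.punctuation + " "))
    if core in wordlist or normalize(password) in wordlist:
        problems.append("dictionary word after l33t/case normalization")
    return problems


if __name__ == "__main__":
    # Passwords taken from the post above.
    for candidate in ["monday", "MoNdaY", "m0nD@y", "Il23p 4emip!"]:
        result = check_password(candidate)
        print(repr(candidate), "->", result if result else "passes these checks")
```
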


Old 03-31-2009, 06:45 PM   #2 (permalink)
Diamond Member
 
gamerman4's Avatar
 
Join Date: Aug 2005
Location: Arkansas
Age: 19
Posts: 2,806
Default

So the best password is abbreviated 1337 speak. woot

My password is pretty weak but it is in German, so a normal English dictionary attack wouldn't work.

I say this should be stickied since it is good information.
__________________
Intel Q6600 @ 3.00 Ghz
Xigmatek HDT-S1283
ASUS P5Q SE PLUS
HDDs:1 x 500GB 1x 750GB 1x 1000GB
2 x 2GB OCZ DDR2 1066
ATi Radeon HD 4870 1024MB
PC Power & Cooling S61EPS 610W
Logitech Z-5500

there shouldn't be a capital punishment for stupidity, but why don't we just take the safety labels off of everything and let the problem solve itself?

Last edited by gamerman4; 03-31-2009 at 08:30 PM.
gamerman4 is offline   Reply With Quote
Old 03-31-2009, 08:03 PM   #3 (permalink)
VIP Member
 
tlarkin's Avatar
 
Join Date: Apr 2006
Location: Kansas City, MO
Posts: 9,931
Default

Quote:
Originally Posted by gamerman4
So the best password is abbreviated 1337 speak. woot

My password is pretty weak but it is in German, so a normal English dictionary attack wouldn't work.

I say this should be stickied since it is good information.

OK, but I can add a German dictionary to my attacks. Also, l33t speak words are not secure since there are actually, and sadly at the same time, l33t speak dictionaries.

You should have letters, numbers, and symbols. I was just trying to use a phrase as a mnemonic device so you can keep track of your password and keep it secure.
tlarkin is online now   Reply With Quote
Old 03-31-2009, 09:08 PM   #4 (permalink)
VIP Member
 
Join Date: Mar 2009
Posts: 1,603
Default

Thank you for the excellent post tlarkin. Very good information here.

Well said!

Edit: For the lazy folks out there - I have used this site many times in the past for certain applications. It also has a good bit of information for those curious about random number generators.

Last edited by Zatharus; 03-31-2009 at 09:14 PM.
Zatharus is offline   Reply With Quote
Old 04-01-2009, 07:26 PM   #5 (permalink)
VIP Member
 
tlarkin's Avatar
 
Join Date: Apr 2006
Location: Kansas City, MO
Posts: 9,931
Default

You can use RNGs but this is more about helping users create and remember strong passwords. This thread should be sticky I think, so everyone can see it.
tlarkin is online now   Reply With Quote


Old 04-01-2009, 07:30 PM   #6 (permalink)
Moderator
 
Cromewell's Avatar
 
Join Date: Dec 2004
Location: Canada
Age: 26
Posts: 11,802
Default

Yeah, a completely random password is great except when it comes to having to remember and type it in. So it ends up written down somewhere and becomes completely insecure.
__________________

You know what the chain of command is? It's the chain I go get and beat you with 'til ya understand who's in command here.

www.userfriendly.org
Cromewell is offline   Reply With Quote
Old 04-01-2009, 07:34 PM   #7 (permalink)
VIP Member
 
tlarkin's Avatar
 
Join Date: Apr 2006
Location: Kansas City, MO
Posts: 9,931
Default

Quote:
Originally Posted by Cromewell
Yeah, a completely random password is great except when it comes to having to remember and type it in. So it ends up written down somewhere and becomes completely insecure.

RNGs are great when you have it change itself all under the hood. If you have an account that is used for authentication, say over SSH, and want it to perform a task, you can have it randomly change and sync every 30 days, but you would never know the password.
tlarkin is online now   Reply With Quote
Old 04-01-2009, 07:36 PM   #8 (permalink)
VIP Member
 
Join Date: Mar 2009
Posts: 1,603
Default

I concur with the memorization factor. They are a pain. I have enough trouble with my users writing down even simple passwords and not destroying the note...

I would be glad to remove that post/link if you deem it detracting from the intent of your original point.
Zatharus is offline   Reply With Quote
Old 04-01-2009, 08:22 PM   #9 (permalink)
VIP Member
 
ScOuT's Avatar
 
Join Date: May 2008
Location: Germany
Age: 29
Posts: 2,184
Default

Great read... The Army has a system and the passwords have to be 15 characters long with 4 symbols, 4 numbers and 2 capital letters. Talk about hard to remember.
__________________
My Rig
Coolermaster 690 / Nvidia Edition Seen Here
Antec Neo Power 650w
eVGA 780i
2 x 2 GB Dominators
Intel Q9300
eVGA GTX260
Vista Home Premium 64bit


Team Stats FOLDING FOR THE GOOD OF MANKIND :F@H Team 44358
ScOuT is online now   Reply With Quote
Old 04-01-2009, 08:35 PM   #10 (permalink)
VIP Member
 
Join Date: Mar 2009
Posts: 1,603
Default

Quote:
Originally Posted by ScOuT
Great read... The Army has a system and the passwords have to be 15 characters long with 4 symbols, 4 numbers and 2 capital letters. Talk about hard to remember.

My systems are similar. Though, using the methods suggested by Tlarkin, the memorization can become easier. I just turn the gobbledygook into a phrase.

Second on the sticky request too, if that is the way to proceed around here.
Zatharus is offline   Reply With Quote
All times are GMT +1.