macosxhints Forums > Working with OS X > OS Xperiences
Old 09-30-2004, 12:50 PM   #1
yellow
Moderator
 
Join Date: Jan 2002
Posts: 10,660
PSA: How to create a strong password.

I searched and didn't find a thread dedicated to passwords. So consider this a Public Service Announcement.

How to create a strong password.


A password is your final line of defense in computer security. I hear complaints a lot about how hard it is to remember passwords. Especially when you have to change them often. So typically people choose bad passwords because they are easy to remember. Here are the basics on making a memorable, strong password.

As an example, it's nearly October, so Halloween is right around the corner for us in the U.S. Users will be tempted (if forced to change their passwords around this time of year) to use something like "Halloween", which is a very bad password. "halloween31" is also a bad password. "H@110w33n" is a slightly less-bad password.

Any words that appear in a dictionary make cracking a password that much easier. This includes "foreign" dictionaries. These dictionaries are all readily accessible and can be used as proofs in cracking programs and applied against your password. Adding numbers to dictionary words doesn't increase the password's strength worth a whit. Even with trivial character replacements like capital letters and non-alphanumeric symbols, you're not getting a strong password.

Trust me, if you've thought of it, so have "they".


A truly strong password should consist of 8 or more characters and be part of a "passphrase". A passphrase consists of a phrase that has special meaning to you, therefore making it easier to remember. For this example, I will choose:

Homer Simpson for President. I am serious!

One simple approach to create a better password is to take the first letter of each word in your passphrase, giving you:

hsfpias

That looks seemingly random, and it's a fairly hard password to crack, but it's too short. Only 7 characters. Why not make it harder by using the punctuation from the sentence?

hsfp.ias!

Now that is a much harder password to crack. Why stop there? Let's step it up a bit more by capitalizing some letters and adding some numbers, say, the year we need to vote Homer in:

HSfp.ias!04

Voila, a truly difficult password to crack, but is still pretty easy to remember. Feel free to liberally salt it with non-alphanumeric character replacements for greater difficulty (but a bit of "unwieldiness"). For example, replacing an "a" with a "@", and/or a "s" with a "$", leaving us with:

HSfp.i@$!04

A password cracker will give up and move onto greener pastures (read: more easily broken passwords) long before this one is cracked.



I hope this helps you choose a better password for yourself.

Last edited by yellow; 09-30-2004 at 01:14 PM. Reason: fixing crazy syntax
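The recipe from post #1 written out as a function, added here as an example and not part of the original post. It reproduces each step on the thread's own passphrase (initials, keep the sentence punctuation, capitalise, append the year, substitute a -> @ and s -> $), and adds a brute-force search-space estimate so you can see what each step buys. The estimate is the cracker's ceiling (length times log2 of the character classes present); it is an assumption of uniformity that phrase initials do not meet, so treat it as an upper bound, not a guarantee.

```python
import math
import string

# Passphrase and substitution map exactly as used in post #1.
PASSPHRASE = "Homer Simpson for President. I am serious!"
SUBS = {"a": "@", "s": "$"}


def initials(passphrase):
    """First letter of each word, lower-cased, keeping any punctuation that
    closes a word ("President." -> "p.", "serious!" -> "s!")."""
    out = []
    for word in passphrase.split():
        letters = word.rstrip(string.punctuation)
        if letters:
            out.append(letters[0].lower())
        out.append(word[len(letters):])  # trailing punctuation, if any
    return "".join(out)


def derive_password(passphrase, capitalize=(), suffix="", subs=None):
    """Post #1's steps in order: initials, capitalise the given positions,
    apply character substitutions, then append a suffix. Substitutions run
    before the suffix so digits such as the year are left alone."""
    chars = list(initials(passphrase))
    for i in capitalize:
        chars[i] = chars[i].upper()
    pw = "".join(chars)
    if subs:
        pw = "".join(subs.get(c, c) for c in pw)
    return pw + suffix


def brute_force_bits(pw):
    """Search-space ceiling as a cracker that knows only which character
    classes occur would see it: len(pw) * log2(|union of classes used|).
    Overstates strength for phrase-derived strings, since initials of
    English words are far from uniformly distributed."""
    classes = [
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (string.punctuation, len(string.punctuation)),  # 32 symbols
    ]
    alphabet = sum(size for members, size in classes if any(c in members for c in pw))
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


if __name__ == "__main__":
    steps = [
        derive_password(PASSPHRASE),                                   # hsfp.ias!
        derive_password(PASSPHRASE, capitalize=(0, 1), suffix="04"),   # HSfp.ias!04
        derive_password(PASSPHRASE, capitalize=(0, 1), suffix="04", subs=SUBS),  # HSfp.i@$!04
    ]
    for pw in ["hsfpias"] + steps:
        print(f"{pw:14} {brute_force_bits(pw):5.1f} bits (brute-force ceiling)")
```

The jump from "hsfpias" to "hsfp.ias!" comes mostly from the two extra characters and the new character class; the later steps add a class each. None of this helps if the phrase itself is guessable, which is the point the post makes about dictionary words.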
Old 09-30-2004, 01:09 PM   #2
CAlvarez
Hall of Famer
 
Join Date: Sep 2004
Location: Phoenix, AZ
Posts: 4,974
Consider it stolen and sent to all my users.

Next up: DON'T SHARE PASSWORDS. I was walking down the hallway the other day, and heard someone say she wanted to log into someone else's computer. The someone else yelled back her password from the lunch room. Argh.

Oh yeah, it was simply her son's name.
__________________
--
Carlos Alvarez, Phoenix, AZ

"MacBook Nano" (Lenovo S10) Atom 1.6/2GB/160GB Mac OS X 10.5.6
Gigabyte Quad Core 2.83GHz Hackintosh 4GB/500GB Mac OS X 10.5.5
MacBook Air 1.8/2GB/64GB SSD

http://www.televolve.com
Old 09-30-2004, 01:34 PM   #3
derekhed
All Star
 
Join Date: Mar 2002
Location: Anchorage, AK
Posts: 646
Thanks for starting this Yellow.

Here is a good link to read with oodles (technical term) of stuff for the inquisitive.

Perhaps this should be a thread under a general security PSA? That could include firewalls, using SSH, hardening servers, ports and services, as well as real-world experiences.
__________________
...if only you could see what I've seen with your eyes!
- Batty, Blade Runner
Old 09-30-2004, 01:51 PM   #4
yellow
Moderator
 
Join Date: Jan 2002
Posts: 10,660
Good link, thanks derekhed.
Old 09-30-2004, 02:56 PM   #5
AHunter3
Hall of Famer
 
Join Date: Jan 2002
Location: New York City
Posts: 2,830
Wasn't there a little utility awhile back that would while away its time trying to suss out your password? If you left it whirring overnight and it hadn't come up all pompously full of itself for having hacked you by the time you checked it next morning, you had an adequately good pw.

Named after some fictional character, IIRC.
Old 09-30-2004, 03:00 PM   #6
yellow
Moderator
 
Join Date: Jan 2002
Posts: 10,660
John the Ripper

A util I've used many times to check my users' passwords, per Enterprise policy. In my estimation, if I couldn't crack their passwords in 2-3 weeks, it was more than good enough to meet policy.
Old 09-30-2004, 04:17 PM   #7
sao
Moderator
 
Join Date: Jan 2002
Location: Singapore
Posts: 4,233
In Panther you can try:
Lepton's Crack
Old 10-01-2004, 01:10 AM   #8
Las_Vegas
League Commissioner
 
Join Date: Sep 2004
Location: Las Vegas
Posts: 5,875
I've also been recommending pretty much the same technique. I'd add: replace words like 'for', 'a' and 'and' with numbers or symbols like '4', '@' and '&'.
__________________
Las_Vegas

-- Ts'i mahnu uterna ot twan ot geifur hingts uto.
-- Sometimes I wonder… Why is that Frisbee getting Larger? …and then it hits me.
-- Disposable thumbs make me specialer than most animals…
Old 10-06-2004, 05:06 PM   #9
macmath
MVP
 
Join Date: Mar 2002
Location: Elsewhere
Posts: 1,476
Is there anything less secure about using or adapting the passphrase itself (instead of just the first letters)? For instance:

HomerSimpsonforPresidentIamserious
or
h0m3r$1mp$0nf0rpr3$1d3nt1@m$3r10u$

Can a potential intruder figure out how many characters are in your password?

If it is something like my computer where I have to type the password in again and again, then it is annoying to have to use/remember the first letter combinations (although it can be done). I use an 18 character passphrase, built like the second one above, from something my younger son said (no one would think of that choice of words or word order). I can type it in very easily and quickly.
Old 10-06-2004, 05:33 PM   #10
derekhed
All Star
 
Join Date: Mar 2002
Location: Anchorage, AK
Posts: 646
The password integrity checker I use (john the ripper) has lots of regular expressions that look for exactly what you are doing, replacing certain letters with symbols that look alike. Basically, if you start with a word that can be found in a dictionary in any language, most variations using this kind of replacement will be found. Same thing with tagging numbers on the ends. That is why the previous posts did not use words, but strings built up from phrases.
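derekhed's point in post #10, and macmath's question in post #9, as an added example that is not from the thread: a toy version of the look-alike rules a cracker applies before comparing a candidate against a wordlist. It folds case, drops trailing digits, lets '1' stand for 'i' or 'l', '@' for 'a', '$' for 's' and so on, and then asks whether the whole string can be covered by dictionary words. The word list here is a constructed stand-in; John the Ripper's rule sets and wordlists are far larger, so a "not found" below only means this toy did not find it.

```python
import re
from functools import lru_cache

# Look-alike substitutions the rules undo. A single character may stand for
# several letters ('1' is used for both 'i' and 'l'), so the values are
# strings of alternatives rather than single letters.
ALT = {"0": "o", "1": "il", "3": "e", "4": "a", "5": "s", "7": "t",
       "@": "a", "$": "s", "!": "i", "|": "l"}

# Constructed stand-in for a real wordlist, chosen to cover the thread's examples.
WORDS = ("halloween", "homer", "simpson", "for", "president", "i", "am",
         "serious", "password", "october")


def _char_matches(c, w):
    """Does candidate character c match dictionary letter w, directly or via a look-alike?"""
    return c == w or w in ALT.get(c, "")


def segment(candidate, words=WORDS):
    """Return the tuple of dictionary words that exactly cover the candidate
    (after case folding, dropping trailing digits, and allowing look-alikes),
    or None if no such cover exists. Backtracking handles the ambiguity of
    characters like '1' that could be either of two letters."""
    s = re.sub(r"\d+$", "", candidate.lower())   # 'halloween31' -> 'halloween'
    if not s:
        return None

    @lru_cache(maxsize=None)
    def cover(i):
        if i == len(s):
            return ()
        for w in words:
            chunk = s[i:i + len(w)]
            if len(chunk) == len(w) and all(_char_matches(c, x) for c, x in zip(chunk, w)):
                rest = cover(i + len(w))
                if rest is not None:
                    return (w,) + rest
        return None

    return cover(0)


def is_dictionary_based(candidate, words=WORDS):
    """True when the candidate is just dictionary words in disguise."""
    return segment(candidate, words) is not None


if __name__ == "__main__":
    for pw in ("Halloween", "halloween31", "H@110w33n",
               "HomerSimpsonforPresidentIamserious",
               "h0m3r$1mp$0nf0rpr3$1d3nt1@m$3r10u$",
               "hsfp.ias!", "HSfp.i@$!04"):
        print(f"{pw:36} -> {segment(pw)}")
```

macmath's second string falls to this in one pass: every symbol maps back to the letter it replaced, and the remainder splits cleanly into words. The initials-based strings from post #1 survive only because "hsfp" is not a word, which is exactly the property the passphrase-initials approach depends on.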
Old 10-06-2004, 05:43 PM   #11
yellow
Moderator
 
Join Date: Jan 2002
Posts: 10,660
Quote:
Originally Posted by macmath
Is there anything less secure about using or adapting the passphrase itself (instead of just the first letters)?

I think any security reduction (because then you are using words that (mostly) appear in a dictionary) would probably be mitigated by the sheer length of the password. Provided the password was 15+ characters. I'll have to do some testing with our boy John.
Old 10-06-2004, 05:48 PM   #12
CAlvarez
Hall of Famer
 
Join Date: Sep 2004
Location: Phoenix, AZ
Posts: 4,974
I ran John against a client's network and discovered three easy holes. One with admin privilege. I quickly earned my billables for security work this week...
Old 10-06-2004, 06:24 PM   #13
derekhed
All Star
 
Join Date: Mar 2002
Location: Anchorage, AK
Posts: 646
Quote:
Originally Posted by yellow
I think any security reduction (because then you are using words that (mostly) appear in a dictionary) would probably be mitigated by the sheer length of the password. Provided the password was 15+ characters. I'll have to do some testing with our boy John.

Keep in mind the previous post that mentions that only the first 8 characters of your password matter. Longer doesn't always mean better.
Old 10-06-2004, 06:29 PM   #14
hayne
Moderator
 
Join Date: Jan 2002
Location: Montreal
Posts: 29,452
Quote:
Originally Posted by derekhed
Keep in mind the previous post that mentions that only the first 8 characters of your password matter. Longer doesn't always mean better.

That was a limitation that applied in Jaguar and earlier. If you create a new user account in Panther or even change your password in Panther, all characters of the new password will be significant. Okay, there must be a limit, but I think it is 256 characters or something now.
Old 10-06-2004, 06:33 PM   #15
yellow
Moderator
 
Join Date: Jan 2002
Posts: 10,660
What hayne said..
Old 10-06-2004, 06:38 PM   #16
derekhed
All Star
 
Join Date: Mar 2002
Location: Anchorage, AK
Posts: 646
schweet.

Thanks!
Old 10-06-2004, 09:13 PM   #17
AHunter3
Hall of Famer
 
Join Date: Jan 2002
Location: New York City
Posts: 2,830
OK, John the Ripper is the one I remembered, but I find that I don't recall how to use it!

I understand how to aim it at a file but what kind of file is it expecting? I tried saving a text file with a ridiculously easy password as that file's contents (in plain text) and pointed John at it and it exited w/o finding any password.
Old 10-07-2004, 08:49 AM   #18
yellow
Moderator
 
Join Date: Jan 2002
Posts: 10,660
It's expecting a hashed password file, much like that you would find at /etc/passwd (except with hashed passwords). The gecos fields would look more like this:

yellow:U89tG3dl0V22q:501:20::0:0:Yellow Fellow:/Users/yellow:/bin/tcsh
Old 04-20-2005, 01:43 AM   #19
ThePeterFiles
Prospect
 
Join Date: Apr 2005
Location: The Windy City
Posts: 5
Re: PSA: How to Create a Strong Password

Quote:
Originally Posted by yellow
[the passphrase walkthrough from post #1, quoted in full]


Most of this I had seen before, but I found the passphrase concept very useful. Random Character Generation is very hard to crack but gets harder and harder to remember as the number of sites you register for goes up.

Thanks!

Peter
"Founder, and Chief Satirist", The International School of Blog Repair Technicians

http://thepeterfiles.blogspot.com/20...-internet.html
Old 04-20-2005, 12:19 PM   #20
nkuvu
MVP
 
Join Date: Jun 2002
Location: Tucson, Arizona
Posts: 1,236
There's an old thread on John the Ripper over at Macfora (specifically, the thread is here) that shows how to get John up and running.

Some of the info is a little dated -- notably the character limitation of Jaguar.

But one thing that's very handy is the command to generate your own password hash using the openssl command. I did this to make a pseudo-password file, with a bunch of different passwords. Which means that I can test a bunch of passwords in one run.

The only problem with this is that the openssl command truncates to eight characters*, like Jaguar. So my chosen passwords are not as secure in the password file as they are in reality. Anyone have a good way around this?


* On the plus side, it does warn you:
Aliens:~ nkuvu$ openssl passwd 'topsecret'
Warning: truncating password to 8 characters
T.sBTqYI6aTm6
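The file format yellow describes in post #18 and the truncation nkuvu hits in post #20, as an added example that is not from the thread. The record layout follows the sample line in post #18 (BSD master.passwd order: name, hash, uid, gid, class, change, expire, gecos, home, shell). For the hash, `openssl passwd -1` (MD5-crypt, the `$1$` scheme) is used instead of the DES-based default, because it hashes the whole password; the `des_crypt_sim` function is a stand-in that only imitates the 8-character limit and is not real DES crypt. Assumptions: `openssl` is on PATH (the code returns None and the demo skips that part if not), and the user names and passwords in the demo are made up.

```python
import hashlib
import secrets
import shutil
import subprocess

# Field order of the sample line in post #18 (BSD master.passwd layout).
FIELDS = ("user", "hash", "uid", "gid", "class", "change", "expire", "gecos", "home", "shell")


def passwd_line(user, pw_hash, uid, gid, gecos, home, shell):
    """Assemble one record with the hash in field 2, the layout John reads."""
    return ":".join([user, pw_hash, str(uid), str(gid), "", "0", "0", gecos, home, shell])


def parse_passwd_line(line):
    """Inverse of passwd_line; rejects lines with the wrong field count."""
    values = line.rstrip("\n").split(":")
    if len(values) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(values)}: {line!r}")
    return dict(zip(FIELDS, values))


def md5crypt(password, salt):
    """MD5-crypt ($1$...) via `openssl passwd -1`. Unlike the DES scheme that
    truncates at 8 characters, it covers the whole password. The password is
    fed on stdin so it never appears in the process list. Returns None when
    openssl is unavailable or fails."""
    if shutil.which("openssl") is None:
        return None
    proc = subprocess.run(
        ["openssl", "passwd", "-1", "-salt", salt, "-stdin"],
        input=password + "\n", capture_output=True, text=True)
    if proc.returncode != 0:
        return None
    return proc.stdout.strip()


def des_crypt_sim(password):
    """Simulation (NOT real DES crypt) of an 8-character scheme: everything
    past the eighth character is silently ignored, as post #20's warning says."""
    return hashlib.sha256(password[:8].encode()).hexdigest()[:13]


def hash_is_truncating(hash_fn, probe="topsecret"):
    """Probe for an 8-character limit: two passwords that agree on the first
    eight characters but differ afterwards must hash differently."""
    assert len(probe) > 8, "probe must extend past the eighth character"
    sibling = probe[:8] + "Z" * (len(probe) - 8)
    return hash_fn(probe) == hash_fn(sibling)


def build_test_file(entries, hash_fn):
    """Pseudo password file of the kind post #20 describes: one record per
    candidate password so a single John run tests all of them."""
    lines = []
    for uid, (name, password) in enumerate(entries, start=501):
        h = hash_fn(password)
        if h is None:
            raise RuntimeError(f"no hash produced for {name}")
        lines.append(passwd_line(name, h, uid, 20, name.title(), f"/Users/{name}", "/bin/tcsh"))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print("simulated 8-char scheme truncates:", hash_is_truncating(des_crypt_sim))
    if md5crypt("probe", "xxxxxxxx") is not None:
        print("md5crypt truncates:", hash_is_truncating(lambda p: md5crypt(p, "xxxxxxxx")))
        # Fresh salt per entry: a shared salt would let a cracker test one
        # guess against every record at once.
        fresh = lambda p: md5crypt(p, secrets.token_hex(4))
        print(build_test_file([("yellow", "HSfp.i@$!04"), ("nkuvu", "topsecret")], fresh))
```

Feed the generated text to John as a file; a record whose hash starts with `$1$` is recognised as MD5-crypt and cracking it now requires the full password, not its first eight characters.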
Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2010, Jelsoft Enterprises Ltd.
Site design © Mac Publishing LLC; individuals retain copyright of their postings
but consent to the possible use of their material in other areas of Mac Publishing LLC.