Creating 'good' Passwords

Choosing a good password is both difficult and very important. A badly chosen password can result in serious damage to your computer, your company, and even to people and property.
Intruders have taken to using sophisticated methods to break passwords, including dictionary attacks. Some simple dictionary attacks on user passwords have resulted in success rates as high as 25-30%. A 1000-fold increase in computer power since then has allowed attackers to use much more sophisticated techniques. Recently one group put together a 'dictionary' of the 50 million most likely passwords of 8 characters or fewer. Lookup time for one of those passwords? Less than a second.

There is a quick note from one site which has made a database of all letter-only passwords of 8 characters or fewer: http://www.beginningtoseethelight.org/ntsecurity/index.php#0FEB224E21024B8C. A front end to the database can be found as follows: simply telnet to beginningtoseethelight.no-ip.org on port 2501 and paste in a LM

The trick to designing a good password is to come up with something that an attacker would not guess. First, some BAD things to base a password on:
Dictionary words
Your name
Names of family, friends, pets, etc.
Social Insurance Number
Phone number
Postal code

One good method of creating passwords is to come up with a saying, then use the initials of the saying and mangle them to include special characters (digits, punctuation, etc.). This should result in something that you can remember, but that most attackers would not guess without resorting to a brute-force search.

These are some example passwords and the phrases I used to generate them. These are SAMPLES; they are meant to give you ideas. Because this list is sitting in public on the web, these passwords are likely to be in somebody's dictionary by now.

Password                       Generating phrase
Tmt1w2cAf                      There's more than one way to cat a file
th@res_morethan1way2cat@file   There's more than one way to cat a file (the full phrase mangled)
Hwg'rTds                       Here we go 'round the disk spindle
OAcdUcsf                       On a clear disk you can seek forever
TMSF1!Ab                       The MicroSoft Flu is not a bug
DwIw!wIs                       Do what I want not what I say
BTmbTc!                        Beware The man behind The curtains!
S&sbb-nh                       Sticks and stones break bones - names hurt
I2l2uwUdy                      It's too late to undo what you did yesterday
Mc8am&cmc                      My cat ate a mouse and crashed my computer
HwdwTmtD                       He who dies with the most toys Dies!
Rt:Utl2s                       Rule ten: You take life too seriously
Dt.Iw2kaou                     Don't Think. I want to keep ahead of yoU
Wcumg_@m                       What Comes up must go down at midnight
S&sbb-nh                       Sticks and stones break bones -- names hurt
WntwBnt.                       Without now, there will be no tomorrow
Gmab-nma                       Give me a break -- not my arm!
mcaam&cmc                      My cat ate a mouse and crashed my computer
IAbmwUw^D                      It's a bad morning when you wake up dead
gdguw:hguE                     God didn't give us wings: he gave us Engineers
Tme:foags                      The middle east: fear on a genocidal scale
Uf#iomgf                       Unstoppable forces pounding immovable objects make great fireworks
@b%o*samo                      A big percentage of all statistics are made up
a#of(b!r)                      A pound of flesh ( but no responsibility )
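As an added example (not code from the original page), here is the initials-and-mangling method described above in Python, together with a check for the BAD bases listed earlier: skeleton() reproduces several rows of the sample table exactly (S&sbb-nh, Rt:Utl2s, I2l2uwUdy, Mc8am&cmc), and bad_bases() flags dictionary words, personal details, phone/SIN digit runs, postal codes and passwords of 8 characters or fewer. The substitution list, the postal-code pattern (Canadian shape) and the function names are my assumptions.

```python
import re
import string

# Added example, not from the original page. SUBS mirrors the mangling seen
# in the sample table (one->1, to/too->2, ate->8, and->&, you->U); the exact
# list is an assumption you can extend.
SUBS = {"one": "1", "to": "2", "too": "2", "two": "2", "for": "4", "four": "4",
        "ate": "8", "eight": "8", "and": "&", "at": "@", "you": "U"}
DIGIT_RUN = re.compile(r"\d{7,}")                           # phone number / SIN
POSTAL = re.compile(r"^[A-Za-z]\d[A-Za-z] ?\d[A-Za-z]\d$")  # Canadian postal code shape

def skeleton(phrase):
    """Initial of each word, with SUBS applied and each word's own leading or
    trailing punctuation kept. It is only a starting point: mangle it further
    (capitalisation, extra symbols) before using it as a password."""
    out = []
    for tok in phrase.split():
        lead = tok[:len(tok) - len(tok.lstrip(string.punctuation))]
        trail = tok[len(tok.rstrip(string.punctuation)):]
        core = tok[len(lead):len(tok) - len(trail)]
        if not core:                       # a bare "-" or "--" token
            out.append(tok[0])
            continue
        out.append(lead + SUBS.get(core.lower(), core[0]) + trail)
    return "".join(out)

def bad_bases(password, personal=(), dictionary=()):
    """Return the page's BAD categories that the password falls into:
    dictionary word, personal detail, phone/SIN digit run, postal code,
    and (from the final note) 8 characters or fewer."""
    problems = []
    low = password.lower()
    if low in {w.lower() for w in dictionary}:
        problems.append("dictionary word")
    for item in personal:
        if item and item.lower() in low:
            problems.append("personal detail: " + item)
    if DIGIT_RUN.search(password):
        problems.append("long digit run (phone number or SIN)")
    if POSTAL.match(password):
        problems.append("postal code")
    if len(password) <= 8:
        problems.append("8 characters or fewer")
    return problems

if __name__ == "__main__":
    for phrase in ["Sticks and stones break bones - names hurt",
                   "Rule ten: You take life too seriously"]:
        print(skeleton(phrase), "<-", phrase)
```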

For an example of how badly chosen passwords can open up the possibility of trouble, read this Slashdot posting.
(I'm guessing that someone figured 'Nobody will ever see the inside of our network, so I don't need a REAL password on the router.' Yeah, right!)

A final note

Most of the passwords above are limited to 8 characters. I originally generated them for a bunch of Solaris systems when Solaris was still limited to 8-character passwords. This is no longer the case: passwords on most OSs these days can be much longer (up to 256 characters), and 8-character passwords are now considered breakable using current computer technology. You are strongly encouraged to come up with longer pass phrases. In fact, I would now suggest that you just use a mangling of the full passphrase, as I did with the first example.

An actual example

Oh, and just in case you think that bad passwords won't get you in trouble, I present as exhibit #1 this excerpt from an actual conversation I had with an unfortunate user (names have been changed to protect the unfortunate).

.....
(16:13:55) hackeduser25: omg i cant believe they did this to me
(16:14:35) stephen samuel: precisely what did they do?? All I saw was on the guest log page.
(16:14:53) hackeduser25: they put porn on it and changed everything around
(16:15:19) hackeduser25: im gonna have to do it all over again it took me months and now i must re-type it all
(16:15:23) stephen samuel: Do you have a backup copy at home?
(16:15:29) hackeduser25: im gonna have a panic attack...no
(16:16:05) stephen samuel: It's possible that (most of) the original stuff is still there.
(16:16:18) hackeduser25: i know the site is frozen
(16:16:35) stephen samuel: How do you do updates??
(16:16:49) hackeduser25: easily but i cant access my account!!!!!
(16:16:52) hackeduser25: cuz they changed it all
(16:17:30) stephen samuel: You may want to get to the people who host the site and ask them to reset it back to what it was yesterday... (at least the password).
(16:19:26) stephen samuel: In the meantime, I'd suggest that you come up with a password that's not easily guessable.
(16:19:48) stephen samuel: Did you have an 'easily guessable' password?
(16:20:19) hackeduser25: well it was password.
(16:20:47) stephen samuel: That explains why you got slimed... It's the first password that a hacker would try.
(16:21:13) hackeduser25: omg great
(16:21:15) stephen samuel: Literally -- it's the absolute MOST used password by newbies.
(16:21:27) hackeduser25: oh well great then
(16:21:49) stephen samuel: justasec.. I'm looking for my file on how to create relatively secure passwords....
(16:22:13) hackeduser25: k
(16:24:24) stephen samuel: http://www.bcgreen.com/solaris/passwords.html
.....
