Security Corner

Aug 30 2014   6:48PM GMT

A novel approach to creating secure pass phrases (that no one will use)

Ken Harthun Ken Harthun Profile: Ken Harthun

Tags:
Security

top500passwordsgraphicWe security wonks constantly entreat our users not to use common words or phrases for their passwords, and certainly to never re-use passwords on more than one site. Another no-no is using keyboard patterns. The reason people do such things is that they are easy to remember. The problem is that the bad guys have all of these common poor password practices figured out and set up in their password cracking algorithms right alongside of their dictionary files and lists of hacked common passwords. With this exercise, I’m trying to get you to think randomly, not in patterns, though there is a pattern and symmetry here. Of course, no one will use this, but coming up with this stuff is just my way of having fun.

This novel approach that will give you a minimum of 10,000 secure pass phrases at your fingertips (or in your wallet or purse) using only the words. If you choose the modify it with numeric/special character options, you can get many more. If you do the math, the number of combinations of a group of characters is N^R, or the number of choices to the power of how many of those you use. In the basic method below, you have 10 choices and will use 4 of them, so you have 10,000 possible combinations. You can use this to securely write down your pass phrases (well, the aliases for your pass phrases) anywhere you want in the form of 4-digit numbers. Since no one will know what words are on your list, they can know your aliases but they won’t know your pass phrases. If you add secret complications (more about that in a minute), the number of guesses required gets astronomical (or should I say geometrical?)

First, take a piece of paper and write the numerals 0 through 9 on the left side. Then, pick 10 words that are familiar to you. You can use any common words or names that you will remember. Rules about not using pet names, kids’ names, your name, your spouse’s name, etc., don’t apply here because they will be used in a long and random combination. We all have at least ten of those. Here is my example (not to be used, of course–create your own):

0 The
1 Quick
2 Brown
3 Fox
4 Jumps
5 Over
6 The
7 Lazy
8 Red
9 Dog

Those of you who have ever taken a typing class will recognize those words and my slight alteration of it to fill the 10 slots.

Now, what’s the model year of your main ride? Mine is 2005. So, I write down 2005 as my alias and my pass phrase is BrownTheTheOver. Need another pass phrase for something? My birth year is 1953, so I use QuickDogOverFox as my pass phrase.

This method won’t win you any awards for password strength, but they’re sufficiently strong for most purposes. If you want to ramp them up, choose a numeral or special character that you insert between each word. It’s still easy to remember, but it adds 3 more characters to your phrase. I choose @, so I now have Brown@The@The@Over and Quick@Dog@Over@Fox. Visit Steve Gibson’s Password Haystacks site and check those out. My alias for those is 2005@ and 1953@.

The only thing missing here is a numeral to make the character domain consist of upper and lower case letters, numerals and special characters, so let’s add a numeral. Just put it at the beginning or the end and make your alias reflect that. Let’s use the numeral 7 and put it in front. I now have 7Brown@The@The@Over and 7Quick@Dog@Over@Fox. Your alias becomes 72005@ or 71953@ and the strength of the pass phrases goes geometrical, astronomical or what-have-you, into the hundreds of thousands of trillions of centuries to run a brute force crack.

Of course, this is entirely too much work for the average computer user, so I’ll still try “password” as my first guess, followed by “12345678,” “letmein,” and a few others.

Have a happy and safe Labor Day weekend!


Follow Ken Harthun on Twitter
Follow me on Twitter

 Comment on this Post

 
There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when other members comment.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: