Posted by: Ken Harthun
insecure, Password, password manager, Security
You heard me. How many posts and articles are out there about passwords? Put “password” into Google and you’ll get 772,000,000 results (isn’t it nice how Google always reports round numbers?). How many “password systems” are out there? Google says 329,000,000. Let’s try “unguessable password”; in that case, we get 2,520 results (and I have two articles on page one). Now we’re getting somewhere.
But passwords are too complicated a concept for most. After all, Q2@*rr55iN9}, while being an unguessable and virtually uncrackable password, is not very practical unless you use a password manager like LastPass or RoboForm (which I do). How are you going to remember something like that?
Enter the passphrase: Something that is easily remembered, but hard to guess (yes, this has been covered ad nauseam, too). Believe it or not, you can use almost any personal information you want and yet create a virtually unguessable, uncrackable password.
Let’s create an identity for illustrative purposes:
Idaho Driver’s License: B89-345-5555
Dog’s name: Rex
Wife’s name: Wilma
Assuming I’m a social engineer who knows all of this information, am I going to be able to guess this passphrase?
Nope. And neither will any modern computer using any brute force algorithm in the lifetime of any entity in this universe. And you can easily write down a mnemonic for that password. Here’s a mnemonic for one of my passwords: Ken and Peggy got married in 1980! You’ll never guess the associated passphrase in a quintillion years, but I know exactly what it is.
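To put numbers on the two claims above, here is an added example (my own code, not Ken’s, and not his actual passphrase) that estimates guessing work two ways: the plain brute-force keyspace an attacker faces with no knowledge at all, and the much smaller space an attacker faces once they already hold the three facts from the sample identity and only have to guess how they were arranged. The passphrase `Rex&Wilma@B89-345-5555!` is a constructed stand-in, and the case-variant and separator counts in the second model are assumptions, chosen to illustrate why the transformation rule, not the personal facts, is the part that has to stay secret.

```python
import math

# Constructed sample values; the identity facts are the ones from the post,
# the passphrase is an assumed combination of them, not the author's.
FACTS = ["Rex", "Wilma", "B89-345-5555"]
SAMPLE_PASSPHRASE = "Rex&Wilma@B89-345-5555!"
RANDOM_PASSWORD = "Q2@*rr55iN9}"  # the random password quoted in the post

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def charset_size(password: str) -> int:
    """Size of the conventional character classes the password draws from.

    Lower 26, upper 26, digits 10, and the remaining 33 printable ASCII
    symbols (space through '~' is 95 characters in total).
    """
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33
    return size


def brute_force_bits(password: str) -> float:
    """Bits of work to exhaust every string of this length over its charset."""
    return len(password) * math.log2(charset_size(password))


def structured_keyspace(facts: list[str], case_variants: int = 4, separators: int = 8) -> int:
    """Keyspace for an attacker who already knows the facts.

    Assumed model: the passphrase is an ordered selection of k of the n facts,
    each in one of `case_variants` spellings (as written, lower, upper, title),
    joined by one of `separators` glue strings, with one of `separators`
    optional trailing symbols. These counts are assumptions for illustration.
    """
    n = len(facts)
    total = 0
    for k in range(1, n + 1):
        arrangements = math.perm(n, k)
        total += arrangements * case_variants ** k * separators ** (k - 1) * separators
    return total


def years_to_exhaust(keyspace: float, guesses_per_second: float = 1e12) -> float:
    """Years to try every candidate at an assumed offline guessing rate."""
    return keyspace / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    for label, pw in (("random", RANDOM_PASSWORD), ("passphrase", SAMPLE_PASSPHRASE)):
        bits = brute_force_bits(pw)
        print(f"{label:10s} {len(pw):2d} chars, charset {charset_size(pw)}, "
              f"{bits:.1f} bits, {years_to_exhaust(2.0 ** bits):.3g} years blind")
    known = structured_keyspace(FACTS)
    print(f"attacker who knows the facts: {known} candidates, "
          f"{math.log2(known):.1f} bits, {years_to_exhaust(known):.3g} years")
```

The blind brute-force figure for the 23-character passphrase comes out around 151 bits, which is the “lifetime of the universe” claim in numbers. The second figure, under the assumed arrangement model, is under 18 bits: a few hundred thousand candidates, gone in well under a second at any realistic offline rate. The gap between the two is exactly the value of the misdirection step the post relies on, and it is why a passphrase assembled from facts a social engineer can collect should be transformed by a rule that is itself not guessable.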
As I said, passwords are too complicated. If you want to hide something, hide it in plain view. It’s all about trickery and misdirection.
Want to steal all of my money? Here’s my mnemonic for my main account password: Google Ken’s phone with a nickname.
Passwords are too complicated.
What do you think?