In this part, I’ll comment on some of the past articles I’ve posted about passwords and align them all with the new paradigm (See “The New Password Paradigm – Part 1” and “The New Password Paradigm – Part 2“).

Feb 17 2008: How to Write Down Your Passwords and Not Worry About Someone Stealing Them – This article, one of my earliest on the subject, is a neat little system for creating unguessable passwords and writing them down. It’s a bit too complex and is now obsolete as is this Aug 24 2009 post: Un-guessable Passwords—How to Make Them.

Feb 24 2008: Can a Criminal Hacker Guess Your Password? – This article talks about the dangers of using common words, keyboard patterns and other easily guessable passwords. It is just as valid today as it ever was with the exception that under the new paradigm, you can use such things in combination with your personal password padding policy.

Apr 27 2008: Your Wallet is the Best Password Manager – Says to write your passwords down and keep them in your wallet. Still applicable. You should not write down your padding pattern with those passwords, however. Say you use “…” as your padding and choose the word “fireplace” as your password, padding it like this …fire…place… Simply write the word fireplace on your list, not the whole padded thing.

Aug 20 2009: Peter Piper Picked a Perfect Password Pattern – I suggested using patterns to pad passwords almost two years ago, a major component of the new paradigm.

Apr 22 2010: Passwords Are Too Complicated – I was right: passwords are too complicated! Passphrases are easier to remember and under the new paradigm, you don’t even have to get very creative to come up with them.

Apr 26 2010: Jabberwocky – Password – This nifty little post about using Lewis Carroll’s poem, “Jabberwocky,” to create stong passwords is pretty brilliant if I do say so myself. Couple that with a good padding pattern and you have a real winner.

May 13 2010: Secure Computing: Password Card is a Winner – The password card is a nifty little tool and is still a valid way to create and remember complex passwords; however, it’s obsolete under the new paradigm unless you want to use it to create padding patterns.

Sep 14 2010: Is Your Password on the List of Worst Ones Ever? – Valid information, but hardly dangerous if you use one of them with a padding pattern.

Dec 27 2010: Use Strong, Unique Passwords! Use Strong, Unique Passwords! Use Strong, Unique Passwords! – Valid information that once again suggests using a personal pattern.

Jan 18 2011: Password Voodoo – A nifty trick using your keyboard FCC ID to create a password, but it still requires that you remember a pattern.

Mar 26 2011: Create Perfect Passwords on Paper – Steve Gibson’s Perfect Paper Passwords is still relevant and also can be used to create your password padding pattern.

May 22 2011: How Long Should a Strong Password Be These Days? – Definitely valid information and the new paradigm makes it even easier to make 15-character long (or longer) passwords.

Probably the most important concept of the new password paradigm is the idea of forcing the hacker to resort to brute force techniques by creating passwords that are not on known password lists or in the dictionary.  The first things hackers try when attacking passwords is various lists of common passwords such as  Top 500 Worst Passwords of All Time, Top 10 Most Common Passwords, and information gleaned from studies such as A Large-Scale Study of Web Password Habits published by Microsoft. The next thing they will try is names and dictionary words. If you use your name, a pet’s name or a dictionary word as your password, it will be discovered virtually instantly. Even an obscure dictionary word like “ratiocination” won’t work; however, simple changes to any common password, name or dictionary word cause the hacker to resort to brute force techniques.

I am not talking about merely capitalizing the first letter or changing some letters to their leet speak equivalents, such as 3 for “e.” The hackers know all these tricks, too and will likely incorporate them into their dictionaries, so taking my example of “ratiocination” and turning it into Rati0cin@tion might not work very well. Yes, a brute force attack would take a long time on such a combination, but the hacker is likely to try the common patterns that most people would choose. The list might look like this:

• ratiocination
• Ratiocination
• r@tiocination
• Rati0cin@tion
• rAtIoCiNaTiOn

and so forth. Each different combination that the hacker incorporates into the dictionary tables increases the chance of a successful match without having to resort to brute force. However, add something to the word, and you’re golden: the hacker is now doomed to using brute force. Steve Gibson explains on his Password Haystacks page:

… the attacker is totally blind to the way your passwords look. The old expression “Close only counts in horseshoes and hand grenades” applies here. The only thing an attacker can know is whether a password guess was an exact match . . . or not. The attacker doesn’t know how long the password is, nor anything about what it might look like. So after exhausting all of the standard password cracking lists, databases and dictionaries, the attacker has no option other than to either give up and move on to someone else, or start guessing every possible password.

It’s such a simple concept, it’s beautiful! Just pad the password with a known pattern of your own invention.

In Part 3, I’ll list my previous articles on passwords and comment on them.

There has been a sea change in the password paradigm, thanks to Steve Gibson of GRC.com who uses the needle-in-the-haystack analogy for passwords. It is an approach that results in even greater security while letting you create easily-remembered passwords. Gone are the days where you had to use such cryptic and impossible-to-remember passwords like PrXyc.N(n4k77#L!eVdAfp9. Steve gives an elegant explanation including an excerpt from the June 1st Security Now! podcast on is Password Haystacks page. The site also has what he calls a “Search Space Calculator” that will give you some real insight into what the hackers are up against.

The new password paradigm is to invent your own personal padding policy. “What the heck is that,” you say? It’s extremely simple: 1. Invent a pattern of characters that you will easily remember; 2. Pad your memorable words, phrases, dates, etc. with that pattern. The easiest way is to put the pattern before and after your chosen phrase, but you can do it any way you like as long as it is memorable for you. The beauty of this system is that you can even use any of the Top 500 Worst Passwords of All Time as long as you pad them. You can use any dictionary word, name, date, phrase–whatever you wish–and you’ll be OK.

I’ll expand on this concept in Part 2.

Nothing I’ve ever said about passwords is right. I mean, nothing everyone – anyone thinks. I have got some news. I know it sounds like I’ve lost my mind. But I think I can – I’m working on a new page now which is going to lay it all out and explain it and give people something to play with so they can test passwords using this new scheme. And when you hear it, you’re going to go, oh, my god. Why didn’t anyone ever think about this before?

If nothing anyone thinks about passwords is right, then I must be wrong, too, right?

Steve has been playing with a passcode designer under the premise “Maximal Entroypy, Minimal Length, Maximal Strength.” He says that in the process of working on this, he realized that our concepts of passwords are wrong and he has stamped the page with “obsolete.” He promises to reveal all in Security Now! Episode 303 this week. At the bottom of his passcode designer page, he posts a “post mortem.” Here’s an excerpt:

The Passcode Designer is based upon the concept of generating maximal-entropy, maximal-strength, and minimal-length passcodes by encouraging a high number of “transitions” between the four character “classes” where the classes were the uppercase alphabetic (A-Z), lowercase alphabetic (a-z), the ten digits (0-9) and the 33 printable special symbol characters (!\”#$%&’()*+,-./:;<=>?@[\\]^_`{|}~). The interactive graphical JavaScript-driven state machine at the top of this page was the beginning of the development of that concept. (It is fully functional, finished, and works as intended.)

But after reaching this point, by creating what I thought was right, I realized what was wrong with that approach. What I never expected was what happened next: Unlikely as this sounds, I realized that we (the entire computer industry) have always been thinking about maximum-strength attack-resistant passwords in the wrong way. I realized that the creation of high-entropy passwords was not only often the wrong goal, but was typically counter-productive.

I can’t wait to see what he has come up with.

So, here in all it’s glory is my original article entitled, “Perfect Passwords…On Paper:”

Steve Gibson, creator of Spinrite and winner of the Third Annual People’s Choice Podcast Awards in the Technology/Science category for his Security Now! podcast with Leo Laporte of Twit.tv, has just come up with a super-secure multifactor authentication system. Steve calls it “Perfect Paper Passwords” and you can read all about it on his web site. Be sure to read all of the pages, but beware — it’s pretty geeky stuff. Here’s a simple excerpt:

GRC’s “Perfect Paper Passwords” (PPP) system is a straightforward, simple and secure implementation of a paper-based One Time Password (OTP) system. When used in conjunction with an account name & password, the individual “passcodes” contained on PPP’s “passcards” serve as the second factor (“something you have”) of a secure multi-factor authentication system.

I feel like a kid turned loose in Toys-R-Us with a thousand-dollar budget. This is truly an amazing system and I’m just now starting to figure out how to implement it in my own environment. But using it as Steve designed it isn’t the subject of this post. Most network environments are still based on the username/password model, not a multi-factor authentication model. Until the PPP system becomes a standard (and it should!), why not use the passcards to create super-strong passwords?

I know, I know, he already has the Ultra-high Security Password Generator and I’ve been using that, but the idea of breaking long strings of characters into simple, four-character snippets makes things a bit simpler and it also allows you to take some control over generating your passwords. It adds another random factor into the mix by letting you choose the order of combination, something no computer or person anywhere can possibly know. Putting them into a seven columns by ten rows grid in a format that you can fold and stick in your wallet makes it even easier.

Using the web site, you print out three passcards, each containing 70 four-character passcodes for a total of 210. Now, if you randomly combine three passcodes to make virtually unbreakable 12-character passwords, you’ll have a resource of 70 passwords right at your fingertips. Circle the ones you’re using for your current password and cross them out when you change it. Better yet, write down the columns/rows and keep that separate from your passcards. No one’s going to know that A1F4D10 translates into Cai?DCGX@xBt, but you do.

Tell your clients about it. I do.