Choosing a Pretty Good Password

Myth: if it is encrypted, it is secure.
Truth: if it is not encrypted, it is not secure.

A good password is one that's hard to guess, yet easy to remember. So here are the top 10 ways to choose a password, in roughly increasing difficulty. If you don't use any of the first 5, you're well on your way. The stats are very rough estimates (for comparison purposes, an 8-character password is used for most calculations).

1. Default (same as none):
  o Many programs and services assign a default password. Change this to a new password immediately.
  o examples: password, superuser

2. 10 Common passwords:
  o god, love, lust, money, private, qwerty, secret, sex, snoopy, & (surprise!) password

3. Personal info:
  o your name, initials, location (zip code), birthday, pets, license plate
  o family/friend's names (including maiden), locations, birthdays, pets
  o word/number combinations of any of the above
  o Ego-related; examples: guru, master, wizard
  o Favorite: Music (group names, albums), Fiction/Nonfiction/Comic books/characters, Movie/TV/Cartoon characters & titles
  o Dumb Hollywood movie-people think all passwords are of this variety

4. Categories:
  o Double-words; examples: kittykitty, johnjohn
  o Funny/nonsense/jargon words; examples: wassup, bzzzzz, foobar
  o Insults; examples: biteme, eatdirt
  o Keyboard sequences; examples: asdfg, qweasd, poiqwe
  o Obscene words; examples: (use your imagination)
  o Passwords based on host name (for people with lots of passwords); for example, if the system is named 'cat' an obvious password is catpass
  o Reversals; examples: terces, wordpass, nhojnhoj

5. Dictionary & Foreign Language words:
  o If you can find your word here, it's not a very good password.
  o Common Passwords - Various Languages
  o Dan Klein - Browsable and categorized lists of English words
  o DEC Collection - compressed lists of common English words
  o stats: There are 200,000+ words in the English language (most people use around 10,000-40,000). As a guesstimate, there are some 32,000 8-letter words/phrases. For some word lists, see The Electronic Alveary.

6. Mixed-Case Dictionary Words (alternating UPPER-lower case letters):
  o examples: paSSworD, PLaceBO
  o stats: If a word has 2 letters, there are 4 (2^2) ways to capitalize it (at, At, aT, AT). If a word has 8 letters, there are 256 (2^8) ways. Similar combinations (2^letters) apply to each word in the dictionary. Guesstimate: there are around 32,000 8-letter words, which gives 8 million (32,000 x 256) mixed-case 8-letter passwords.

7. Mixed-case Word with Number(s):
  o examples: 9fiNgeRS, loVELy68
  o stats: Tacking on a number from 0-9 before or after a word gives 20 more variations to the password. Using 00-99 before or after the word gives 200 variations. Guesstimate: there are some 19,000 6-letter words, and 243 million variations (19,000 x 64 x 200) of 6-letter-word 2-number passwords.

8. Mixed-case Word(s)/Letter(s):
  o Combining words and/or extra letters
  o examples: GUessTHis, BiKeFisH
  o stats: We're talking pretty big numbers here. Around 53 trillion (52^8) 8-letter mixed-case passwords (i.e. aaaaaaaa, aaaaaaaA, aaaaaaAa, ..., ZZZZZZZZ).

9. Mixed-case Words/Numbers/Letters:
  o examples: No50WaY2, puT863MoX
  o variant: Hacker/IRC/License-plate jargon; examples: H4x0rD00dZ, UR2good4Me, FXR1stR8
  o stats: OK, my mind's swimming; there are somewhere around 218 trillion (62^8) 8-letter/number passwords. It takes an average of 5 seconds to crack this kind of password on a Windows machine; considerably longer on BSD or Linux.

10. Random characters:
  o examples: qs3UIs82, k38#0J$dA
  o note: some programs and services only allow letters and numbers, some include dashes ('-'); the best allow any character.
  o stats: Assuming 94 'type-able' characters, there are 6 gazillion (94^8 = 6.1 quadrillion [US]) different 8-character passwords. There's not as many 7-character passwords, but there's some 9-character ones still available, if you hurry.
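As an added example (not code from the original page), the Python below turns the categories above into a rough keyspace estimate for a candidate password and reproduces the page's guesstimates (32,000 x 256, 19,000 x 64 x 200, 62^8, and so on); the tiny word list, the 20,000-word fallback for lengths the page gives no count for, and the 1 million guesses/second rate are assumptions.

```python
import re

# Constructed stand-in for a real word list; a real check would load a
# dictionary such as the ones linked above (assumption for this example).
DICTIONARY = {"password", "secret", "fingers", "lovely", "guess", "bike"}
# The page's guesstimates of English words by length; other lengths fall
# back to an assumed 20,000.
WORDS_BY_LENGTH = {6: 19_000, 8: 32_000}
TYPEABLE = 94  # printable, type-able characters, as the page assumes


def keyspace(password: str) -> int:
    """Rough number of candidates an attacker working through the
    categories above would have to try to reach this password."""
    digits = re.findall(r"\d", password)
    letters = re.sub(r"\d", "", password)
    if letters.lower() in DICTIONARY:
        # Categories 5-7: a dictionary word, optionally mixed case and
        # with digits tacked on before or after it.
        space = WORDS_BY_LENGTH.get(len(letters), 20_000)
        if not (letters.islower() or letters.isupper()):
            space *= 2 ** len(letters)          # every capitalisation
        if digits:
            space *= 10 ** len(digits) * 2      # digits before or after
        return space
    # Categories 8-10: no dictionary structure, so alphabet ** length.
    if password.isdigit():
        alphabet = 10
    elif password.isalpha():
        mixed = not (password.islower() or password.isupper())
        alphabet = 52 if mixed else 26
    elif password.isalnum():
        alphabet = 62
    else:
        alphabet = TYPEABLE
    return alphabet ** len(password)


def crack_seconds(space: int, guesses_per_second: float) -> float:
    """Expected time to hit a password: on average half the space is searched."""
    return space / 2 / guesses_per_second


if __name__ == "__main__":
    for candidate in ["password", "paSSworD", "loVELy68", "No50WaY2", "k38#0J$dA"]:
        space = keyspace(candidate)
        print(f"{candidate:>10}: {space:>22,} candidates, "
              f"~{crack_seconds(space, 1e6):,.0f} s at 1M guesses/s")
```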
In general:

  • No password is uncrackable.
  • Whatever method you choose, it's a good idea to change your password often.
  • The more important the password, the more often it should be changed. Why? If someone is attempting a brute-force attack on your password, the hope is that you're changing it to something they've already tried and found to be wrong.
  • The longer the password, the harder it is to 'guess.'
    o note: many systems limit passwords to 8 characters.
  • The best you can do is make it difficult and non-trivial to determine your password. What's the worst password? The one you've forgotten.
  • Some clever people are forgoing brute-force hacks (e.g. dictionary attacks) in favor of 'social engineering' to obtain passwords.
    o If somebody calls or emails requesting your password, it's a dumb idea to give it to them.
    o Of course nobody would sticky-note a password to their monitor, or under a keyboard.