With the amount of hacking and other shenanigans going on around the Web, the practice of using “strong passwords” is getting a lot of coverage. A strong password can be loosely defined as a random string of at least 14 characters, using no words found in any dictionary, and mixing upper- and lower-case letters, numerals and special characters (such as &, @, *, +, = and so forth).
We need these strong passwords because it’s easy to download programs from the Web (no, I won’t tell you the sites) that use so-called “brute force” techniques to crack passwords. This kind of attack simply tries out a lot of possible combinations of letters, numbers, words and so forth, continuing until it finds a combination that works.
You might think that’s ridiculous. “Heck,” you might say, “There are trillions of possible combinations of the alphabet alone, and that’s without upper- and lower-case, numbers and special characters. Having a program that could run all those combinations on a regular computer would be impossible.”
Wrong, Sunshine. Dead wrong. Testing a guess is cheap: it’s one hash computation and a comparison. The little netbook I’m writing this on has a 1.5 GHz dual-core processor, and against a fast, unsalted hash like MD5 it can test several million guesses a second; a desktop with a couple of gaming graphics cards tests billions. (The real rate depends on how well the program is written and, above all, on how the site hashed the password, but it would still be plenty quick.) Let’s say a modest setup could really check only half a billion combinations per second. That means it could check a trillion combinations in about 33 minutes. Think what an 8-core water-cooled monster running at about 3 GHz, with maybe 64 gigs of RAM and a rack of graphics cards, could do with a really efficient program. Or several of them running together. (These rates apply to cracking a stolen file of password hashes offline; a login page that locks you out after a few wrong tries is a different problem, which is exactly why breaches at the sites that hold your password matter so much.) That’s why we need strong passwords.
Hell, the Air Force builds supercomputers by stringing a bunch of PlayStations together! You can buy a lot of computing power for the low five figures nowadays, and the people who steal information have plenty of bucks, or rubles, or zlotneys, to throw around.
The bad guys’ job is also made immeasurably easier by our own laziness. How long do you think it would take to run through a few thousand common pet names, or dates of birth, or… Well, you get the idea. Use Fluffy’s name and the day you got her if you like, but don’t think that password will inconvenience anyone but you. In fact, don’t ever, ever use anything that can be linked to you personally. If the bad guys come to call — or call on any of the folks on the Web who have your information (probably several hundred by now, if you’ve been online for a few years) — then your data is toast for their marmalade, baby.
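What the “brute force” and pet-name guessing described above look like in practice, as an added example that is not part of the original post: a short Python program that first tries guesses built from personal details (the Fluffy problem), then falls back to exhausting every short string, against a constructed, unsalted SHA-256 hash of the kind that turns up in leaked databases. The hashes, the pet name and the date are all made up for this example, and the half-billion-guesses-per-second figure used for the projection at the end is the one quoted earlier on this page.

```python
import hashlib
import itertools
import string


def sha256_hex(password):
    """Fast, unsalted SHA-256: the kind of hash a careless site stores."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def personal_guesses(pet_names, dates):
    """Yield guesses built from things linked to the victim: a pet's name on
    its own, then combined with a date in a few common forms."""
    for name in pet_names:
        # dict.fromkeys de-duplicates while keeping a fixed order
        for variant in dict.fromkeys((name, name.lower(), name.capitalize())):
            yield variant
            for date in dates:
                yield variant + date        # Fluffy2009
                yield variant + date[-2:]   # Fluffy09
                yield date + variant        # 2009Fluffy


def dictionary_attack(target_hash, candidates):
    """Try each candidate in order; return (password, guesses) or (None, guesses)."""
    tried = 0
    for candidate in candidates:
        tried += 1
        if sha256_hex(candidate) == target_hash:
            return candidate, tried
    return None, tried


def brute_force(target_hash, alphabet, max_length):
    """Exhaust every string over `alphabet` up to `max_length`, shortest first."""
    tried = 0
    for length in range(1, max_length + 1):
        for chars in itertools.product(alphabet, repeat=length):
            tried += 1
            candidate = "".join(chars)
            if sha256_hex(candidate) == target_hash:
                return candidate, tried
    return None, tried


def keyspace(alphabet_size, length):
    """Number of strings of exactly `length` characters over an alphabet."""
    return alphabet_size ** length


def years_to_exhaust(alphabet_size, length, guesses_per_second):
    """Worst-case time to try every string of that length, in years."""
    seconds = keyspace(alphabet_size, length) / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    # Constructed victim data: both hashes are invented for this example.
    fluffy_hash = sha256_hex("Fluffy2009")
    short_hash = sha256_hex("qzkx")

    pw, n = dictionary_attack(fluffy_hash, personal_guesses(["Fluffy"], ["2009"]))
    print(f"dictionary stage: {pw!r} after {n} guesses")

    pw, n = brute_force(short_hash, string.ascii_lowercase, 4)
    print(f"brute-force stage: {pw!r} after {n} guesses")

    rate = 5e8  # the page's "half a billion per second" rig
    for alphabet_size, length in ((26, 8), (94, 8), (94, 14)):
        print(f"{alphabet_size}^{length} = {keyspace(alphabet_size, length):.3g} strings, "
              f"{years_to_exhaust(alphabet_size, length, rate):.3g} years at {rate:.0e}/s")
```

The dictionary stage finds Fluffy2009 on its second guess; the brute-force stage hashes a few hundred thousand candidates before it reaches qzkx, which takes well under a second on any laptop. The projection at the end is the reason for the 14-character threshold: at half a billion guesses per second, eight lowercase letters fall in minutes, eight mixed characters in months, and fourteen mixed characters (94 printable ASCII symbols) would take on the order of 10^11 years, far longer than the universe has existed. Two caveats: this demo uses a fast unsalted hash, and a site that stores passwords with a slow, salted scheme such as bcrypt or scrypt cuts the guess rate by many orders of magnitude; and the numbers only apply to a stolen hash file, since a login form that locks after a few failures stops this attack cold.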
Scared yet? You’d better be.
So, back to strong passwords. I’m going to show you how to create strong passwords that, while not easy to remember, won’t cause you to blow any aneurysms, especially if you use a password storage system like RoboLocker or LastPass. With them you only need to remember one strong password. They remember all the others, and will even populate the fields for you automatically, if you like. However you want to store them, here’s a way to create strong passwords that are not only strong, but easy to recreate if you have to.
You need two things: the URL of the site for which you’re creating the password, and a phrase of eight or ten words that you can’t possibly forget. I’m going to use the URL of this site, “crackerboy.us,” and the phrase “everywhere that Mary went, the lamb was sure to go.”
First, we write down the first letters of our phrase, keeping capitalization and punctuation. Be sure that you remember the caps and punctuation, especially if it’s poetry. They can get sort of strange, and you don’t want confusion:
e t M w , t l w s t g .
The spaces are for convenience. Don’t use spaces in your passwords; some sites don’t like that.
Then we plug the first word of the URL, “crackerboy” in this case, into that line of letters, alternating one character from the phrase with one letter from the site name:
e c t r M a w c , k t e l r w b s o t y g .
That gives us ectrMawc,ktelrwbsotyg.
There you go: a 22-character password, not random but the next best thing to it, one that you can recreate any time you need to and that you don’t need to write down. That’s the third Stupid Password Trick.
So, if I were using that combo as the password on this site (I don’t), I’d just type it in when prompted, my password manager (I use LastPass) would remember it for me along with my username, and log me in automatically.
Obviously, you don’t have to get this carried away if you don’t want to; I just did it to show you how you can create a long, kickass password with very little effort. You can go even further if you want, substituting 3’s for e’s, @’s for a’s, 0’s for o’s, and so forth. The only thing you need is to be consistent about how you do it. Don’t get fancy with one site, then lazy with another, or you’ll spend a lot of time plugging in substitutions if you ever have to recreate it.
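The three steps above, with the optional substitutions from the last paragraph, as an added Python example (mine, not the post’s): it pulls the first letters and trailing punctuation out of the phrase, takes the first word of the site’s host name, interleaves the two, and optionally applies one fixed substitution table. Two details are my own assumptions, since the post only shows the case where the phrase and the site word line up: a leading “www.” is dropped from the host, and whichever of the two lists is longer contributes its leftover characters at the end.

```python
import string
from urllib.parse import urlsplit

# The substitutions named in the post. Keeping them in one table is the point:
# they are applied the same way to every site, or not at all.
LEET = str.maketrans({"e": "3", "a": "@", "o": "0"})


def initials(phrase):
    """Step 1: first letter of each word, keeping its case, with any trailing
    punctuation kept as separate characters. Leading punctuation (an opening
    quote, say) is dropped; that is an assumption, the post does not cover it."""
    out = []
    for word in phrase.split():
        core = word.strip(string.punctuation)
        if core:
            out.append(core[0])
        out.extend(word[len(word.rstrip(string.punctuation)):])
    return out


def site_word(url):
    """Step 2: the first word of the site, 'crackerboy' for 'crackerboy.us'.
    Accepts a bare host or a full URL; a leading 'www' is ignored (assumption)."""
    host = urlsplit(url if "://" in url else "//" + url).hostname or ""
    labels = [label for label in host.split(".") if label]
    if labels and labels[0] == "www":
        labels = labels[1:]
    if not labels:
        raise ValueError(f"no host name in {url!r}")
    return labels[0]


def interleave(first, second):
    """Step 3: alternate the two sequences, starting with the phrase. Whichever
    is longer supplies its tail (assumption; the post shows equal lengths only)."""
    out = []
    for a, b in zip(first, second):
        out.append(a)
        out.append(b)
    shorter = min(len(first), len(second))
    out.extend(first[shorter:] if len(first) > len(second) else second[shorter:])
    return "".join(out)


def derive(url, phrase, substitute=False):
    """Build the password; `substitute` must be the same choice for every site."""
    password = interleave(initials(phrase), list(site_word(url)))
    return password.translate(LEET) if substitute else password


if __name__ == "__main__":
    phrase = "everywhere that Mary went, the lamb was sure to go."
    print(derive("crackerboy.us", phrase))                                # ectrMawc,ktelrwbsotyg.
    print(derive("https://www.crackerboy.us/login", phrase, substitute=True))  # 3ctrM@wc,kt3lrwbs0tyg.
```

Run as is, it prints the post’s 22-character result and then the substituted form. The `substitute` switch is deliberately a single flag rather than anything per-site: the whole value of the scheme is that the same inputs always give the same output, so any variation you introduce has to be one you will reproduce identically for every site.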
You can easily modify this basic idea to fit your own preferences. For example, you can plug your phrase into the URL instead of the other way around, do half and half, or switch it around to suit yourself.
There are other ways to create passwords. All the password managers (and you can see why you might want to consider one) have random password generators. Trouble is, if you lose the manager’s database there is no way to recreate a random password, unless you’re a guy with a funny accent and a supercomputer. This way works because those guys aren’t going to spend a lot of processing time on one name from one site. They’ll have their machines programmed to spend x microseconds on each one, then move on to easier prey. One caution, though: the site name is public, so if one of these passwords ever leaks in plaintext, whoever sees it can pick your phrase back out of it and build the rest. If that happens, change the phrase, not just the one password. (If the NSA, FBI or CIA decides to check you out, you’re on your own.)
For more information about computer and Internet security, go here: http://www.cert.org/homeusers/HomeComputerSecurity/#intro