Choosing Strong Passwords
Tuesday, 14 June 2005 00:43

This article was published on Newsforge on March 01, 2003. The motivation for writing this was when I came to know about the weak passwords my family and friends-of-family used for their email accounts. I keep pointing them to this article, in the hopes they will realize good passwords are not hard to generate.

Passwords are the most common way of verifying a user's identity. We use passwords to secure our computers, to send or receive emails, or to access special resources. Password guessing has always been the favourite method of breaking into computers or circumventing security measures. Two methods are commonly used to guess a password:

There are many suggestions about what you should not choose as your password, but very few for choosing good passwords. The best password is obtained when the characters of the password are chosen completely at random. Such a password can be a little difficult to remember. Here are a few guidelines which can help you choose strong, almost random, but easy-to-remember passwords.

Use Long Passwords

Choose passwords that are as long as allowed by the software. Make your passwords at least 10 or 12 characters long. Short passwords do not leave enough choices to prevent their being guessed by repeated trials.

Ideally your password should contain at least one character from each of the following categories:

Use Shocking Nonsense

Q: How do I choose a good password or phrase?

Shocking nonsense means to make up a short phrase or sentence that is both nonsensical and shocking; that is, it contains grossly obscene, racist, impossible or another extreme mix of ideas. This technique is permissible because the password is never (ideally) revealed to anyone with sensibilities to be offended. A very weak example is `Bart Simpson beats up Einstein', or, with some mixing of upper and lower case characters, `bartSimpsonBeatsUpEinstein'. Making up many far more shocking or entertaining examples is left as an exercise for the reader. Shocking nonsense passwords which are quite long cannot be easily cracked by a brute-force attack.

Use the First Letter of Each Word

Another technique for creating strong passwords is to use the first letter of each word of an easily remembered phrase. For example, `Mhall' is formed by taking the first character of each word in the sentence `Mary had a little lamb'. This technique can be further strengthened by mixing the password with some digits and punctuation. For example, `M!hal%l'. An even stronger password can be obtained by typing one key to the left on a standard QWERTY keyboard. The above password after applying this technique becomes `N!gpk%k'.

Conclusions

Choosing a strong password is just a small step in securing your resources. Using the guidelines above will help you choose passwords that are easy to remember, and at the same time strong.
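
An added example, not part of the original article: the sketch below estimates the blind brute-force search space for the article's own example passwords and checks each against its 10-character minimum. The four character classes and the names `POOLS`, `MIN_LENGTH`, `classes_used`, `brute_force_bits` and `review` are assumptions of this example.

```python
import math
import string

# Character classes an exhaustive search has to cover. These four classes are
# an assumption of this example; the article's own category list is not shown.
POOLS = {
    "lower": string.ascii_lowercase,  # 26 characters
    "upper": string.ascii_uppercase,  # 26 characters
    "digit": string.digits,           # 10 characters
    "punct": string.punctuation,      # 32 characters
}
MIN_LENGTH = 10  # lower bound of the article's "10 or 12 characters" guideline


def classes_used(password):
    """Return the sorted names of the classes the password draws from."""
    return sorted(name for name, chars in POOLS.items()
                  if any(c in chars for c in password))


def brute_force_bits(password):
    """log2 of the number of same-length candidates over the classes used.

    This is an upper bound against blind exhaustive search only: a guesser
    that tries words and common patterns first needs far fewer attempts.
    Characters outside POOLS (spaces, non-ASCII) do not enlarge the alphabet.
    """
    alphabet = sum(len(POOLS[name]) for name in classes_used(password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def review(password):
    """Summarise one password against the length guideline."""
    return {
        "length": len(password),
        "classes": classes_used(password),
        "bits": round(brute_force_bits(password), 1),
        "meets_length": len(password) >= MIN_LENGTH,
    }


if __name__ == "__main__":
    # The article's own example passwords.
    for pw in ("Mhall", "M!hal%l", "N!gpk%k", "bartSimpsonBeatsUpEinstein"):
        print(f"{pw!r:30} {review(pw)}")
```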

Last Updated ( Sunday, 18 December 2005 15:19 )