
Easy to Remember, Difficult to Guess Passwords.

February 28th, 2007

Alan Shimel has a link to a new blog, written by a co-worker of his, in his latest blog post. The blog is advertised by Alan as 'a little more technical than most, but if you are into the nuts and bolts of security and networking and general IT wizardry, The Village Elder may be just the ticket!'... my comparison would be a little less flattering: I'd say many of the posts remind me of the Guides to (mostly) Harmless Hacking. That being said, I'm not trying to discredit the blog... however, things such as "getting a website via telnet" and "sending mail via telnet" are a little 1995. The latest post, 'To sudo or not to sudo', also has me wondering. It seems to me that telling people how to essentially make sudo useless is something a security person shouldn't be doing... at that point you might as well just 'sudo su'.

That being said, it's a relatively new blog that may show some merit... It has interested me enough to make it into my bloglines. There is also some saving grace in the 'realistic approach to creating passwords' post. The concept is interesting... sort of the reverse of creating a password from a phrase... You create a phrase from the complex password and use a substitution schema to handle numbers. There are some issues I have with it, though... The password used in the example is i6y.iylB and the phrase used is "I got you didn't I you little sucker!". The problem here is that you have to have your schema down perfectly... For example, based on the sentence and the provided schema, I could easily lock my account out, because every one of the following is a plausible reading of the phrase.

Possible Passwords:

  • igydiyls
  • igydiylB
  • igy.iyls
  • igy.iylB
  • i6ydiyls
  • i6ydiylB
  • i6y.iyls
  • i6y.iylB
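The lockout problem above comes from three words in the phrase that the schema can encode two ways each. This is an added example, not code from the original post or from The Village Elder: it models the phrase as a list of per-word alternatives (the alternatives are my reconstruction from the eight candidates listed above) and enumerates every password the schema can yield, so you can see how many wrong attempts a forgotten rule could cost you.

```python
"""Enumerate every password an ambiguous phrase-to-password schema can produce.

Added example, not from the original post. The per-word alternatives below
are an assumption reconstructed from the post's list of eight candidates for
the phrase "I got you didn't I you little sucker!" and password i6y.iylB.
"""
from itertools import product

# Each phrase token maps to the characters the schema might produce for it.
# A one-element tuple is unambiguous; a two-element tuple is a place where
# the user has to remember exactly which rule they applied.
SCHEMA = [
    ("i",),          # I
    ("g", "6"),      # got: first letter, or the digit the schema substitutes
    ("y",),          # you
    ("d", "."),      # didn't: first letter, or punctuation for the apostrophe
    ("i",),          # I
    ("y",),          # you
    ("l",),          # little
    ("s", "B"),      # sucker!: first letter, or a capital for the exclamation
]

def candidates(schema):
    """Every password consistent with the schema, rightmost choice varying fastest."""
    return ["".join(chars) for chars in product(*schema)]

def ambiguity(schema):
    """Number of distinct passwords the schema can produce (2**k for k ambiguous words)."""
    count = 1
    for choices in schema:
        count *= len(choices)
    return count

def could_lock_out(schema, lockout_threshold):
    """True if a user who tries the candidates one by one can exhaust the
    account's failed-attempt threshold before reaching the last candidate."""
    worst_case_wrong_attempts = ambiguity(schema) - 1
    return worst_case_wrong_attempts >= lockout_threshold

if __name__ == "__main__":
    for pw in candidates(SCHEMA):
        print(pw)
    print("distinct passwords:", ambiguity(SCHEMA))
    print("lockout possible at 5 attempts:", could_lock_out(SCHEMA, 5))
```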

My preference for complex passwords has always been URLs. I try not to use my own websites because they may be too easy to guess. That being said, URLs make great passwords. Let's say you have two email accounts... one is gmail and one is yahoo. You could swap the URLs as passwords... So you visit gmail and enter your username (user@gmail.com) and your password (http://mail.yahoo.com). Now you visit yahoo and you enter your username (user@yahoo.com) and your password (http://www.gmail.com). Now if you're like me, you may capitalize certain websites (just because you're used to seeing them capitalized)... so I type http://www.ComputerDefense.org... or I could take it a step further... http://www.ComputerDefense.org/index.php. That's a 40 character password using upper and lower case and special characters. I could add numbers by, say, appending the length of the string to the end of it. Even a short website is useful... CNN for example... 3 letters to remember suddenly becomes http://www.cnn.com, 18 characters, and again special characters are used... Perhaps you read the US CNN page, so you use http://www.cnn.com/US/ as your password. As long as you don't use the website you're visiting as the password, you've got a rather complex password. You can have hyphens in domain names, so why not a website that uses a hyphen... or a website using SSL rather than plain text (https instead of http). If you watch people surf the net, most can type a website rather quickly... especially one they are familiar with... When people are typing a phrase for their password they can sometimes be slowed down, making them more vulnerable to shoulder surfing... when they're typing quickly, onlookers are less likely to catch their password. So this is my recommendation for a difficult password that's easy to remember.
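The rules in the paragraph above (a URL as typed, digits from appending the string length, and never the site you are logging in to) are easy to check mechanically. This is an added example, not code from the original post; the function names are mine, and it only applies the post's own rules.

```python
"""Build and sanity-check a URL-style password as described in the post.

Added example, not code from the original post. Function names are mine.
"""
import string
from urllib.parse import urlsplit

def url_password(url, append_length=False):
    """Return the URL exactly as typed; optionally append its character count
    so the password also contains digits (the post's suggestion)."""
    return f"{url}{len(url)}" if append_length else url

def character_classes(password):
    """Report which of the four usual character classes the password covers."""
    return {
        "lower": any(c in string.ascii_lowercase for c in password),
        "upper": any(c in string.ascii_uppercase for c in password),
        "digit": any(c in string.digits for c in password),
        "special": any(c in string.punctuation for c in password),
    }

def reused_for_own_site(password, login_host):
    """True if the password names the very host being logged in to.

    Hostnames are case-insensitive, so www.ComputerDefense.org and
    www.computerdefense.org are the same site. A password that is not a
    URL at all (no scheme, no host) can never trip this check."""
    host = urlsplit(password).hostname  # None when there is no host part
    return host is not None and host == login_host.lower()

if __name__ == "__main__":
    # Constructed sample: the post's own two-account swap.
    pw_for_gmail = url_password("http://mail.yahoo.com")
    print(pw_for_gmail, character_classes(pw_for_gmail))
    print("ok for gmail:", not reused_for_own_site(pw_for_gmail, "www.gmail.com"))
    print("ok for yahoo:", not reused_for_own_site(pw_for_gmail, "mail.yahoo.com"))
```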

John's post is probably a great method if you're given a password that is complex and cannot be changed, but as I pointed out, be sure to have your schema down or you could lock yourself out. However, if you have the ability to choose your password, or change it after the fact... I highly recommend the website-as-a-password method.

Categories: IT, Security
  1. March 5th, 2007 at 13:07

    Hey HTRegs!

    Thanks for the reference! I like your URL based password method. Especially since both URLs and IPs have burned permanent homes in my brain. It seems like a great method for longish passwords.

    I’ll admit with my method you still need to ‘remember’ your password so you don’t lock yourself out. I think the possibility of multiple versions of the password is actually a help because you can keep a primary phrase and then iterate versions over time. It still takes some diligence, but I think it’s more appealing than working the other way round. I mean starting from a password then trying to figure out how the heck to remember it.

    I have to say I have used this method most successfully for assigned passwords as you guessed. Especially for logins that must be given to a group and changed weekly.

    In response to your comment on my other posts being right out of 1995! You are a virtual Kreskin! I mention in my about page that most of my posts will be derived from my personal ‘tech notes’ that I’ve been collecting over the last 10 years. I’m focusing on the entries I’ve been requested to send to friends and colleagues. In working with enterprise security professionals from different companies, I get asked these questions all the time. I couldn’t count how many times I tested a mail server or used telnet to verify a port or website is up, while associates stood by in awe. Not that I’m cool, it all seems like black magic until you know it. I just think folks need help in these basic areas.

    All in all you are spot on! I’m publishing old news, that some people still haven’t read :)

    Thanks for checking me out, and for the link!

    -john

  2. March 5th, 2007 at 15:50

    John,

    Thanks for stopping by to comment…

    I can understand the passing on of notes… I often consider doing that… I visited the page of Alan’s blog post and I just had that ‘buyer beware, not as advertised’ feeling :)

    It is a nice blog though..

    Tyler
