Tuesday, March 11, 2008

How to create a Strong(er) password

Generating a strong password is critical in today's highly networked societies. Yet, I often find that people don't use good passwords. They use a plain name of a person or a series of numbers, apparently thinking "it doesn't matter much." Having just spent 2 days looking at a friend's computer because of problems related to a "break in" and untold information theft, I can tell you that security definitely matters.

Microsoft has its own ideas about how to create strong passwords, of course, and so does Wikipedia. You can even find password strength checkers online, like this one here.

Another problem is that most people "think predictably". I mean, it's hard to "think randomly." In truth, I have the same problem. And it was impacting my ability to create a truly random and strong(ish) password without letting a machine create one for me. Following is a common technique I use for creating a "random and strong password".


The Problems

First, what are the top problems I encountered with creating new passwords, especially strong passwords? Here's my list:
  1. hard to remember and so they usually end up short in length
  2. based on words I could remember and so they could be broken easier
  3. the need for multiple passwords, so I tended to reuse the same password and write them down on the computer I was sitting in front of.

The Risks

Each one of these is in fact a security risk:
  1. Short passwords take very little time to determine
  2. Passwords based on words are very easy to determine
  3. Once a system is compromised, that password can be tested at other target-related sites
These were the problems I wanted to solve, and the best way to solve them is to avoid them altogether.


The Key

The hardest thing for me was not writing my passwords down and referring to them often. Human memory isn't always perfect. So, my initial challenge was how to associate a strong password with something I would remember and, later, make it scale up for both small passwords and longer passwords. The key was "context".

The Process

By establishing a context for password use, I was able to create a "playground" for creating stronger passwords. So what is a context? It's the name of the situation or object that best describes a group of elements which are related to each other.

Example: chairs, table, plates, forks, spoons, stove, refrigerator = a context called "kitchen"


So, here is the basic process:

Note: this process is more easily done with a simple text editor on the computer than with pen and paper.

The Steps
With the context in mind:
  1. Create a list of words that are related to the context. Proper nouns are best, followed by obscure verbs.
    • Note: Each entry should be on its own line. This is important.
  2. Between every word, insert a blank line.
  3. Between every other word, add a number related to the context. If there are no numbers associated with the context, apply 3 or 4 digit "random numbers."
  4. Between every other word that has a blank line, add a number (as before) while holding the SHIFT key down. This will result in non-number characters of course.
  5. Somewhere in the middle of the list, insert one or more words about how you feel about this context or other descriptive words. You might even use a random and unrelated word, number or series of characters.
  6. Now, take the first character of each line and type them on a line. This is your random password.
    • If you run out of characters on a line, just skip that line from now on and continue with the next line.
    • Skip spaces too, as they can accumulate too quickly. One space in a password is OK but not recommended.
    • When you get to the bottom of the list, start again at the top with the next character.
  7. Once you have more than 8 characters, you should have a medium strong password, and 10 or more should be a stronger password. The longer the password, the better.
Example:

As I said, context is the key. Let's pick a silly context for this example. Let's say we need a password for the refrigerator in the kitchen (apparently there is a midnight bandit eating the extra pieces of pie!) So, kitchen refrigerator is the context and I want a very strong password, 10 or more characters strong.

Note: Below, I have used an exaggerated list to show the idea behind using a context for strong and memorable password generation. A shorter list will work just as well or better.

  1. list of words related to the context
    1. house
    2. Franklin
    3. refrigerator
    4. Whirlpool
    5. kitchen
    6. last piece of mom's apple pie
    7. Midnight Invader
  2. add blank lines
    1. house

    2. Franklin

    3. refrigerator

    4. Whirlpool

    5. kitchen

    6. last piece of mom's apple pie

    7. Midnight Invader
  3. add numbers between every second word
    1. house
    2. 3391
    3. Franklin

    4. refrigerator
    5. 19
    6. Whirlpool

    7. kitchen
    8. 4
    9. last piece of mom's apple pie

    10. Midnight Invader
    11. 2
  4. add more numbers with the SHIFT key held down
    1. house
    2. 3391
    3. Franklin
    4. ##(!
    5. refrigerator
    6. 19
    7. Whirlpool
    8. $
    9. kitchen
    10. 4
    11. last piece of mom's apple pie
    12. ^%&-)
    13. Midnight Invader
    14. 2
  5. Insert a random word
    1. house
    2. 3391
    3. Franklin
    4. ##(!
    5. refrigerator
    6. 19
    7. Whirlpool
    8. $
    9. kitchen
    10. 4
    11. last piece of mom's apple pie
    12. ^%&-)
    13. Rotten Bastard
    14. Midnight Invader
    15. 2
  6. Create your strong passwords:
    1. 8 character, short and strong password: h2F#r1W$
    2. 11 character, medium and strong password: h2F#r1W$k4l
    3. 14 character, longer and stronger password: h2F#r1W$k4l^RM
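The step 6 walk from the steps above, as an added example that is not part of the original post: a small Python script that takes the first character of every line of the step 5 list, wraps around to the next character, and skips exhausted lines and spaces, as the bullets under step 6 describe. The word list and the rules are the post's; the function names are my own.

```python
# Added example (not from the original post). Applies the post's step 6 walk
# to the post's step 5 word list; function names are assumptions of this example.

CONTEXT_LIST = [  # the step 5 list from the post, one entry per line
    "house",
    "3391",
    "Franklin",
    "##(!",
    "refrigerator",
    "19",
    "Whirlpool",
    "$",
    "kitchen",
    "4",
    "last piece of mom's apple pie",
    "^%&-)",
    "Rotten Bastard",
    "Midnight Invader",
    "2",
]


def walk_columns(lines):
    """Yield characters column by column: the first character of every line,
    then the second character of every line, and so on (step 6 wrap-around).
    Lines that have run out of characters (blank lines included) are skipped,
    and spaces are skipped, as the step 6 bullets say."""
    longest = max((len(line) for line in lines), default=0)
    for col in range(longest):
        for line in lines:
            if col < len(line) and line[col] != " ":
                yield line[col]


def build_password(lines, length):
    """Take the first `length` characters the walk produces."""
    chars = []
    for ch in walk_columns(lines):
        chars.append(ch)
        if len(chars) == length:
            return "".join(chars)
    raise ValueError(f"list yields only {len(chars)} characters, need {length}")


def character_classes(password):
    """Character classes the password covers; the shifted digits from step 4
    are what supply the 'symbol' class."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes
```

Run over the list exactly as printed, the walk begins h3F#r1W$, since the second line is 3391; a 20 character request continues past the last line into the second character of each line.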
Now, how is h3Fs#r1W more memorable? Well, no and yes. I found that the more effort I put into constructing the password, based on a context, the more likely I was to remember it.

The Variations

You can also add your own steps to the process: maybe you take two characters from each line instead of one each time; maybe you add a character from another language (Greek, Russian?)


Summary

Password security is becoming increasingly important and should be treated as seriously as whatever you do with your computer (or other mechanisms.) If you choose to ignore good password policies and "make it simple", chances are that whatever you are weakly protecting will be used by others with or without your permission and knowledge.