So, you think that your password is secure? Let’s see: does it contain a mixture of uppercase/lowercase letters, punctuation marks and digits? Yes? Well, even in this case, your password might still be completely insecure. Read on to see why…
To understand the problem, we first need a little rehash of the basic password cracking techniques. The simplest algorithm is to (1) enumerate all English words and names from a given dictionary and (2) check whether each word matches your password.
You might say: but here we are talking about passwords that also contain other characters, like punctuation marks and digits. What would an attacker do in this case? Simple: use a little psychology.
The problem is that most people feel that adding digits and other characters is just a burden. When the “password will expire today” dialog comes, they are in a hurry to pick a new password, usually an easy-to-remember word, which they then alter in a few predictable ways:
1) First, the password needs a capital letter. Most people will naturally capitalize the first letter of the English word, so a word like “flowers” becomes “Flowers”.
2) Second, the password needs to contain some digits. The password looks nicer (and is easier to remember) when these digits are appended to the word. Worse, people are usually unimaginative here and append just one digit or, in more complex cases, a short sequence like “123” or “01”, or perhaps their birthdate.
3) Third, we need some non-alphanumeric characters. Well, let’s see: if we replace an “s” with “$”, an “a” with “@” or an “o” with a zero, we get what we want, right? It is hard to resist the temptation to replace at least an “s” with “$” (rather than, say, an “a” with “$”), which gives a false sense of security. In some cases people also use delimiter characters like “!” or “#” to separate the word from the digit sequence.
So, with the example above, the altered forms of the word “flowers” might be: “Fl0wer$” or “Flower$01” or “Fl0wers#123” and so on and so forth.
The problem with these alteration rules is that they are so predictable. All the attacker has to do is take the same list of English words and apply the rules above. The resulting list is longer by, say, a factor of 10-100, which is not that much.
In conclusion, it’s not that hard to get into the minds of regular people, and neither into the minds of attackers. So, if you have been using any of the rules above, stop using them. Instead, here are some rules for creating strong passwords.
P.S. As for me? I just use uuidgen.exe to create a random sequence of digits.
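As an added illustration, not code from the original post, here is a small Python checker written from the defender's side: it undoes the alterations described above to recover the base word, so a password policy can reject dictionary-derived passwords, and it counts how many candidates those rules produce per word. The dictionary, the digit-suffix list and the delimiter set are assumptions standing in for a real wordlist and for whatever an attacker would enumerate; the checker goes slightly beyond the post by trying every split of a trailing digit run, since a trailing “0” may be a substituted “o” rather than part of the suffix.

```python
import re

# Constructed stand-in for a real English wordlist (not the post's data).
DICTIONARY = {"flowers", "sunshine", "password", "potato", "dragon"}

# The substitutions the post describes, and their reverse for normalization.
LEET = {"s": "$", "a": "@", "o": "0"}
LEET_REVERSE = {v: k for k, v in LEET.items()}

# Assumed suffix alphabet: no suffix, a single digit, or a short sequence.
DIGIT_SUFFIXES = [""] + [str(d) for d in range(10)] + ["01", "123"]
DELIMITERS = ["", "!", "#"]

# Trailing "<optional delimiter><digits>" at the end of a password.
SUFFIX_RE = re.compile(r"([!#]?)(\d*)$")


def candidate_bases(password):
    """Yield the base words a password could have been derived from.

    Strips an optional delimiter plus trailing digits and undoes the leet
    substitutions. Without a delimiter, every split of the trailing digit
    run is tried, because a trailing '0' may be a substituted 'o'
    ("potat01" -> "potato" + "1") rather than part of the suffix.
    """
    m = SUFFIX_RE.search(password)          # always matches (possibly empty)
    stem, delim, digits = password[:m.start()], m.group(1), m.group(2)
    splits = [0] if delim else range(len(digits) + 1)
    for k in splits:
        base = stem + digits[:k]
        yield "".join(LEET_REVERSE.get(ch, ch) for ch in base).lower()


def is_predictable(password, dictionary=DICTIONARY):
    """True if the password is a dictionary word altered by the post's rules."""
    return any(base in dictionary for base in candidate_bases(password))


def leet_variants(word):
    """Apply every subset of the s->$, a->@, o->0 substitutions."""
    out = set()
    items = list(LEET.items())
    for mask in range(1 << len(items)):
        w = word
        for i, (plain, sub) in enumerate(items):
            if mask >> i & 1:
                w = w.replace(plain, sub)
        out.add(w)
    return out


def mangle(word):
    """All variants of a word under the post's rules: capitalize the first
    letter (or not), leet-substitute, then append delimiter + digits.
    Used here only to measure search-space growth and to test the checker."""
    variants = set()
    for base in (word, word.capitalize()):
        for leet in leet_variants(base):
            for delim in DELIMITERS:
                for digits in DIGIT_SUFFIXES:
                    if delim and not digits:
                        continue          # a delimiter only precedes digits
                    variants.add(leet + delim + digits)
    return variants


def expansion_factor(dictionary=DICTIONARY):
    """Average number of candidates to try per dictionary word."""
    return sum(len(mangle(w)) for w in dictionary) / len(dictionary)


if __name__ == "__main__":
    for pw in ["Fl0wer$", "Flower$01", "Fl0wers#123", "P0tat01", "gH7!qz9Lm"]:
        print(f"{pw:14} predictable={is_predictable(pw)}")
    print(f"expansion factor over the sample dictionary: {expansion_factor():.1f}x")
```

With the assumed suffix set, “flowers” expands to 296 candidates and the five-word sample dictionary averages about 326 per word: a constant factor, not an exponential one, which is exactly the post's point. Every variant that mangle() produces is caught by is_predictable(), so a policy built on candidate_bases() rejects all of the “Fl0wer$”-style passwords while leaving genuinely random ones alone.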