Choosing Passwords


There’s an old joke about two hunters who come face-to-face with a bear.  The bear charges them, at which point they start running for their lives.  While running, one of the hunters says, “Why are we running?  We’re never going to outrun this bear!”  And the other says, “I don’t have to outrun the bear.  I only have to outrun you.”

When it comes to security issues, it’s all too easy for Mac users to adopt the attitude of our second hunter.  We don’t have to adopt best practices with respect to security, right?  After all, Windows is the platform that has all the security problems, right?

Wrong.  Whatever security issues users of other systems might run into, they are irrelevant to our experience.  If all you do is keep running from that bear without looking at where you’re running, there’s a non-zero chance that you’ll run into a pack of wolves.  Indeed, at the Chaos Communication Congress, it has been shown how File Vault passwords can be cracked.

That’s why I tell every Mac user I’ve encountered to always follow best practices when it comes to security.  Install the latest security updates when they become available, and that holds for applications as well as operating systems.  That’s one of the reasons we did auto update with Mac Office 2004.

Among the best security practices that everyone should adopt, choosing strong passwords is at the top of the list.  If you’re reading this, then you have access to the Internet.  You likely have accounts on various web sites.  You might even be doing some on-line banking.  All of these systems, systems not under your control, store your password somewhere.  Should someone get their hands on that password file, it’s not at all difficult to crack some of the passwords in that file.

If you search for “strong passwords” on the Internet, you’ll find a lot of information about them.  The definitions and advice at UT Austin are both sound and typical of what you’ll find.  But, you can take it one step further.  The primary difficulty with strong passwords is coming up with something that’s both easy to remember and very hard to crack.

One of the best ways I’ve discovered is to learn about 10 or 15 words in a language that doesn’t use the Roman alphabet.  I use Arabic, but you can use Hebrew, Hindi, Chinese or any other such language.  Just choose a language that doesn’t use the Roman alphabet.

Now, you don’t really need to learn how to spell those words in the native alphabet.  For most languages that don’t use the Roman alphabet, there is at least one way of transliterating words from that language into the Roman alphabet.  In fact, for most cases, there are multiple ways of transliterating from the native alphabet to the Roman alphabet.  The Wikipedia page on Arabic transliteration lists 10 different systems, and I know there is at least one not listed in that table.

So, what you really want to learn is a Roman alphabet transliteration of those 10 or 15 words.  For example, I couldn’t spell the Arabic word for mosque using the Arabic alphabet if you put a gun to my head.  On the other hand, I know a couple of ways people might transliterate that same word into the Roman alphabet.

Once you’ve learned those 10 or 15 words, you can construct a strong password following a simple rule.  First, choose some uncommon punctuation mark, say one of the shifted characters above the number keys 1-8 on a standard US keyboard.  Second, concatenate parts of two of those transliterated words with that punctuation mark between them.  Third, choose a consistent scheme for capitalization–the second and fifth characters, for example.

The reason you’ll want 10 or 15 words is that some systems require you to change your password every 60 days or so, and they add the restriction that a new password can’t be based on any of the previous 20-30 passwords.  Knowing 10 or 15 words leaves enough room to combine a couple of different words with different punctuation marks to satisfy that requirement.
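To make the three-step rule concrete, here is an added example in Python (not code from the post; the word list is a constructed set of illustrative transliterations, and the three-letter minimum fragment length is my assumption).  It builds a password from explicit choices, draws the same choices from the OS random source, and counts how many distinct results the rule admits once the word list, marks and capitalization rule are known.

```python
import math
import secrets

# Constructed sample: Roman-alphabet transliterations of a few Arabic words,
# standing in for the 10 or 15 words the post suggests memorising.
# Spellings are illustrative only, not a reference transliteration.
WORDS = ["masjid", "kitab", "shukran", "madrasa", "sabah",
         "qalam", "bayt", "jamil", "salam", "maktab"]

# The shifted characters above the 1-8 keys on a US keyboard, as in the post.
MARKS = "!@#$%^&*"


def capitalize_at(s: str, positions=(1, 4)) -> str:
    """Step three: a fixed capitalization rule (2nd and 5th character, 0-based 1 and 4)."""
    chars = list(s)
    for i in positions:
        if i < len(chars):
            chars[i] = chars[i].upper()
    return "".join(chars)


def build_password(word_a: str, word_b: str, mark: str, take_a: int, take_b: int) -> str:
    """Steps one to three with every choice made explicit, so the result is reproducible:
    the first take_a letters of word_a, the mark, then the last take_b letters of word_b."""
    return capitalize_at(word_a[:take_a] + mark + word_b[-take_b:])


def random_password(words=WORDS, marks=MARKS, min_frag=3) -> str:
    """The same rule with the choices drawn from the OS CSPRNG (secrets, never random).
    min_frag (assumed, not from the post) is the shortest fragment taken from a word."""
    a, b = secrets.choice(words), secrets.choice(words)
    take_a = min_frag + secrets.randbelow(len(a) - min_frag + 1)
    take_b = min_frag + secrets.randbelow(len(b) - min_frag + 1)
    return build_password(a, b, secrets.choice(marks), take_a, take_b)


def keyspace(words=WORDS, marks=MARKS, min_frag=3) -> int:
    """Upper bound on distinct passwords the rule can produce once an attacker knows the
    word list, the marks and the capitalization rule: fragment choices squared, times marks.
    The fixed capitalization adds nothing because it is the same for every password."""
    frags = sum(len(w) - min_frag + 1 for w in words)
    return frags * frags * len(marks)


def bits(count: int) -> float:
    """Equivalent entropy in bits for a uniformly chosen element of a space of that size."""
    return math.log2(count)


if __name__ == "__main__":
    print(build_password("masjid", "kitab", "@", 3, 4))   # mAs@Itab
    print(random_password())
    print(f"{keyspace()} combinations, about {bits(keyspace()):.1f} bits")
```

With ten words and eight marks the count is under 2^14, so the scheme’s strength rests on the word list staying unknown to the attacker, not on the rule itself.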

Using strong passwords is an important part of any security strategy, and using this scheme to generate your own passwords will leave you as invulnerable as possible to any kind of password-guessing attack.

Rick

Currently playing in iTunes: I’d Rather Be Blind, Crippled and Crazy, by The Derek Trucks Band

Comments (22)

  1. Simon Raboczi says:

    A simpler trick for easy-to-remember passwords is to remember a phrase instead, and use the first letter of each word in the phrase.  Song lyrics or nursery rhymes are good for this.  Choosing a phrase that includes a number or capitalized proper name allows a leavening of digits and caps.

  2. brotherStefan says:

    And I suppose that password advice to computer users in the Arabic world is to use Arabic transliterations of a few Western words they’ve memorized?  Yeah, that’ll work.  I don’t suppose that it matters what mechanism is used to generate the password; it is still nothing more than a hexadecimal string once it’s been entered.

    Maybe we should use an ancient language that was only spoken, and never written down — that would be hard to crack.

  3. John M says:

    "After all, Windows is the platform that has all the security problems, right?"

    Even though you dispute it, and so does any sane computer user using a platform implemented by human beings, it’s a right old sign of the times that a line like that should be thinkable at Microsoft.

    I actually invent my own words for passwords, something of a hobby.  Keep ’em arcane and not only are your passwords strong but typing them feels like uttering some forgotten mantras in black magic itself!

    As for updates, sorry to go poking at sore points by the way, yup they’re a good idea to get on fast.  But I like to read evidence from other users to the affirmative first, and upgrade machines in order of reverse precedence … just in case.

  4. Donny Darko says:

    Come on guys, stop ranting and do some good like translating Visual Basic for the new Office.

    You do realize that almost any company out there has made specialized macros for their work in Visual Basic – and by excluding support for Visual Basic you actually make Mac:Office useless when it comes to real work.

    Excluding Visual Basic is the beginning of the end for Mac:Office. And while I’m at it: what’s so hard about making a feature-equal Messenger? Everyone loves the stuff!

  5. required says:

    Great topic but the advice could use some work. Anyone who wants to read up on secure passwords should check out

    http://fiatlux.zeitform.info/en/instructions/passwords.html

    Where you can read:

    "Every word listed in dictionaries is insecure, no matter which language you choose. …In the internet you may find dictionaries most qualified to feed an application for brute-forcing passwords by testing one word after the other.

    Although there might be more security by varying the cases (where applicable), it is not really a handicap. In the end even "umBreLlA" can be disclosed in an appropriate amount of time."

    It’s a BAD idea to use real words that can be found in any dictionary whether it’s a romanized foreign language dictionary for students of 2nd languages or a native language.

    Also, what’s this auto update with Mac Office 2004? I don’t let applications "phone home".

    Does this blog allow html like blockquote? Don’t see the tags anywhere.

  6. Schwieb says:

    required — AutoUpdate doesn’t ‘phone home’ to report anything to Microsoft.  Instead, at a time determined by the preference you set (daily, weekly, etc) it asks a Microsoft server for the current complete list of available updates.  AutoUpdate, while running on your local computer, then compares that list in local memory to the version of Office you have locally, and shows you a list of any updates that apply to your version.  Afterwards, it discards the list of updates.  At no time does Microsoft receive any information about what version of Office you have, or your name, or any other piece of information someone might want to keep private.

  7. millenomi says:

    A better way to choose a strong password is to choose a strong passphrase — a small sentence rather than a word, maybe with a simple substitution algorithm (i.e. all ‘e’s changed to ‘3’s).

    Like "th3quickbr0wnf0xjump3d0verthelazyd0g".

    Try cracking that by brute force, I dare you :)

  8. Walafrid says:

    Thanks Rick for the heads-up on the importance of choosing good, unhackable (as much as possible) passwords. There was a spate of laptops with sensitive information being stolen in Britain recently, which brought into focus the importance of protecting information adequately.

    Anyway, thank you for the tips – I hadn’t thought of the method you suggested. I wanted, though, to bring to everyone’s attention the password helper feature already built-in to OS X (which I assume most here will be using). It can be got at by clicking on the key symbol next to the new password box (when changing password in the accounts preference pane). It gives a whole range of options and gives a string of password suggestions, with case variation, random strings and punctuation. I would recommend it most strongly, and it’s right there when you go to choose a new password.

    Thanks again Rick,

    W.

  9. Jerry Monti says:

    Corporations should require use of filevault (and keep the master password in a secure physical location) for all laptops. Unless the information is *really* valuable, file vault is excellent security. If information is that valuable, it shouldn’t be roaming around on a laptop.

  10. Araemo says:

    "it is still nothing more than a hexadecimal string once it’s been entered."

    That’s true, but… Since the strings of hexadecimal that represent English words are MUCH more common in passwords of people who speak English as a first language than truly random strings are, taking a list of English words and concatenating them every which way you can think of is going to find the majority of passwords, and does it faster than a brute-force search in most instances.

    This is just advice that is fine until the word lists get bigger.  At some point it will be faster to brute force than to use the ever-expanding dictionaries, but when will that be?

  11. -UBX6w[8XwPs says:

    If the password isn’t your system password, and you only need the password when you’re at your computer, you should consider getting Keychain Access to generate a 12+ character random password (not ‘memorable’, just ‘random’), and store the password in your keychain, where you can retrieve it whenever necessary.  You can even just drag and drop it into the place you need to use it.

  12. Virek says:

    Rick,

    Don’t mean to bitch but I and much of the IT world feel that Microsoft is about the _last_ place to get security advice for Windows let alone the Mac.  It may be an unfair assessment these days, but you’ve made your bed and have to lie in it for a while!

    For password advice, this doc seems to be pretty good advice and easy to implement:

    http://images.apple.com/server/pdfs/Tiger_Security_Config.pdf

    See Password Guidelines

  13. Goose says:

    Of course, the best way of choosing a password is to have a 20-character long password full of numbers, letters, punctuation all messed up into some unrecognizable garble. Remembering it might be a problem, but at least you have a secure password!

  14. Tom Olzak says:

    Whether for Apple or Microsoft-based systems, I believe the use of strong passwords introduces additional cost and risk.

    We support 60,000 healthcare workers.  For the most part, these nurses, CNAs, doctors, etc. are far from technical.  Anything beyond a 6-character password that’s easy for them to remember results in a Help Desk call or a post-it note displaying the password that can’t be guessed by an attacker or remembered by the user.

    I don’t subscribe to the idea that passwords are out of date.  However, the use of reasonable passwords with an additional authentication factor for identity verification seems like the best approach.

  15. Jonathan Swift says:

    Try hashing two things together.

    secret + pass = speacsrset

    or

    pass + 1234 = p1a2s3s4

    It only takes a little imagination to make something complex that you can easily reconstruct.

  16. ColinA says:

    I often use a hash method similar to the one mentioned by Jonathan, but a little different and with number sequences of obscure mathematical significance.  Alternate decimal representation with base 25 (0 = a, 25 = z) and a rule for capitalization… All you have to remember is the first number in the sequence, and it’s pretty easy to calculate the rest of the password if needed.

    When you need to change your password as Rick mentions, you just pick a different starting number in the sequence and you have a completely different password.

  17. Andy Lee says:

    I use the method in the first comment — choose a phrase and take the first letters.  I throw in an occasional number (like 4 for "for") or punctuation (like @ for "at").  The process is fun and the result is easy to remember.  Plus, I can make up hints that will remind me of the phrase without giving it away.  I make it personal, but not so personal that someone who knows me might guess it.

    I learned this years ago from a Linux alpha geek where I used to work.  It’s the best method I’ve heard of yet.

  18. nadyne says:

    All of these comments about choosing a phrase for your password remind me of my freshman year in university.  Back in those dark days, you had to take a class given by the computing services folks to get an account on their VMS server, wherein they walked you through the basics of VMS: using mail, telnet, ftp, etc.  This password advice is the same password advice that they gave in those classes.  The example used was ILROMO: I Like Raisins On My Oatmeal.

    I can tell you what ILROMO means immediately, but I have to think before I can tell you what my phone number is.  Sigh.

  19. Clipperz says:

    White Hackers – How to sniff plain-text passwords in 13 steps

    An instructional tutorial that shows how easy it is to sniff people’s passwords in plain-text form on virtually any wired network.

    O’Reilly Radar – OpenID on the Upswing I expec

  20. Morad Rayyan says:

    Nice post, had to blog it..

    But anyway, having at least 13 characters using non-Roman letters…that should do it!

  21. Lisa Ann says:

    Hello, all! : )

    I started adding a number that increased by 1 to the end of my password when my work established the "no repeating password within x times" mandate. Maybe I’m just kidding myself, but the numbers may add one more level of security to the password.

    I’m also partial to using non-English words as a password base. I like using Latin, given its relative lack of daily use.

    Another trick I’ve taken to lately is using molecules as my passwords. You can make them case-sensitive just by writing them correctly; most compounds are long enough to meet a password length minimum; and if you choose some commercial product (instead of something common and naturally occurring, like water), you’re most likely *not* going to find it in the dictionary. I had a difficult time finding the molecular make-up of the common substance that I’m currently using as one of my passwords. Plus, you can write it on a piece of paper with a few other molecules (preferably ones with which it might react), and it just looks like you’re trying to remember your college chemistry.

    woo!

    —Lisa Ann

  22. goodtime says:

    Nice Blog

    Goodtime

    http://bbs.art5dog.com

    forum for Mac Enthusiasts