I promised myself that I’d write a post on this topic since God knows when, just never got to do it.

But there was a recent incident in the messageboard where we think a couple of users’ passwords were compromised. Of course we won’t discount the possibilty of a security exploit, but since the accounts were isolated, I’m inclined to think the former. So no better time than now to make good on that promise.

There’s a lot one can say about what you should NOT use as a password (e.g. common words, birth-dates, personal identification information, etc.), but instead of restating the obvious, I thought I’d talk about what you could do with your current weak (but memorable) password and beef it up.

Ultimately, it is accepted that randomness is the key to password strength. So the natural goal is to make one’s password as random as possible.

Unfortunately, not everyone has perfect memory, hence it’s a sad reality that people will choose passwords that they can remember; and that usually means choosing really simple ones at that.

But there is a way to create [somewhat] secure passwords which are also memorable.

Don’t believe me? Read on.

Since utter randomness is out of the question (ideal, but out of the question), the next best thing is to make it LOOK as random as possible.

Lets take the word “apples” for example. It’s a very common word and obviously, a very weak password. Now how can we turn this into a cipher which is stronger but still will allow even old people to remember.

A few exmples:

1. If the password system you’re using supports mixed cases, then you have an added layer of security when you write it as ApPleS
   Not random looking at all, but a bit stronger than plain apples
2. Manipulate letter positions. One way is to simply reverse the word to spell selppa - still relatively weak, but at least it’s not a common word (or a word at all).
3. Substitute letters with numbers and symbols: apples can be 4ppl35 - and that’s just numerical substitution, the more symbols you can put in aside from regular letters the stronger your password becomes.
4. Do letter offsets. Say like shift 3 letters left so you get xmmiap

There are so much more ways, some people do tricks with memorable phrases/sentences, etc. but you get the point. You can try your best to make your password look random, while knowing that it’s derived from a word you can remember (apples)

However, since we’re ultimately working with a common word which should be memorable, any of the methods above alone will improve your password strength, but will still be weak by nature.

To make the best of what we have is to come up with different methods of “simple encryption” and use them in combination (it’s also preferable you improvise on each). These collection of “steps” must also be memorable, and will form your own personal “algorithm.” This algorithm should obviously be unique to you; so that you can take any simple word, and apply this algorithm of yours and strengthen your password while ultimately still using that same memorable word you’ve grown so fond of.

For #1, you can decide how exactly to mix up the cases; maybe skip here and there (e.g. aPPleS). For #2, you could probably have a more complex way of mixing the order of the letters, perhaps start with the middle and distribute to the left and right (epapls), stuff like that.

One must remember that normally, malicious people will rely on dictionary attacks, and ultimately resort to brute-force attacks. A dictionary attack is an attack wherein the hacker has a file of prepared words OR ciphers, which they use sequentially with the hopes of getting lucky. It is important for people to remember that dictionary attacks are not limited to common words, or words for that matter. As stated earlier, they can already be ciphers. An example is the popular use of l33t sp33k (leet speak) which normally uses numerical or symbol substitution. Hackers may very well have dictionary files full of words in l33t sp33k - and its different permutations.

So the trick is to decrease, as much as humanly possible, the probability that your word/cipher of choice would be included in the “aforementioned” dictionaries - hence the suggestion of employing your personal algorithm. Once you achieve that (assuming you did it properly), the hackers will have no choice but to do it via brute-force. And once they’re at that point, you’ve already won half the battle.

I say half because there’s nothing we can really do to prevent a brute force attack. A brute-force attack is when the malicious person tries every possible combination. So what you’re really up against now is time; how long would it take the attack to guess the right combination of letters/numbers/symbols? This is the reason why numbers, cases, and symbols are a big help. If you’re password is short and just made of numbers, and the hacker knew you were only using numbers, you’d be in serious trouble.

Take 1234 for example. If you do a brute-force attack on that, getting to 1234 is as simple as counting from 0-1,234. And since we’re dealing with computers, counting to 1,234 would take much less than a second. Even if you bring that to 6 digits, it would take longer, but it’ll still get there. So the goal is to use a permutation that will take too long to guess, or at least long enough to make the hacker give up.

So increasing your character set (having small letters, captial letters, symbols), would definitely give any brute force hacker more trouble.

Sometimes the simple fact of using TWO words instead of one could increase the strength of your password considerably. Let’s now use “apples” and “oranges.” Again even these two together by nature are extremely weak, but if you merely employ the different possible combinations above, you can end up with something like:

1. oarpapnlgeess - which is the two words interspersed into each other.
2. OarPApnLGeeSS - which is #1, but with mixed caps applied; alternating relative to the words, e.g. (basically OrAnGeS, and aPpLeS)
3. 04rP4pnL63e5S - which is #2, only now mixed with numerical substitution to any applicable character, but NOT applying it to double letters (eeSS is 3e5s instead of 3355, get it?)

Now 04rP4pnL63e5S is pretty long and strong, and anyone looking at it would never have thought it was just apples and oranges. Plus you can readily reconstruct the password anytime with the simple knowledge of those memorable words and your personal algorithm ;)

Naturally, this is not my “algorithm” of choice. The point I’m trying to make is to create an method of simple encryption which is unique and memorable to you, then apply that to a word (or words) you can readily remember… then you can easily get passwords which look as random as what we’ve just demonstrated.

Things to consider

While one can be extremely savvy in using symbols and such, you have to remember the limitation of the systems you’re using. Some systems have a certain set of characters it can work with. So one has to be prudent to choose a password that is complex enough, but not impossible to use (or remember) - or would take too long to construct.

As far as length goes, longer is always stronger, but it can have it’s drawbacks. An example would be passwords generated in this site.

https://www.grc.com/passwords.htm

They provide three types of passwords precisely because of different scenarios. All passwords are extremely strong and you’d probably be very secure using any one of them, but if you want to split hairs about it, in order of strength, the strongest would be the second, followed by the third, then the first.

However the second, while strongest, can be problematic with legacy systems which do not recognize special characters. The first is the safest to use, but you’re only working with the character set of A-Z (all caps) and 0-9… a 36 character set all in all, as against the third’s 62 (including small caps) character set.

The reason why these passwords are extremely secure is because no matter what the character set is, the sheer length and randomness of the characters would take more than a lifetime to crack.

The drawback of course is that it goes against the point of this post, which is to help people create their own algorithm to make secure yet MEMORABLE passwords.

So overall, to reiterate, one has to be prudent to choose a password that is complex enough, but not impossible to use (or remember), or would take too long to construct.

Hope you found this post useful, cheers ;)

post updated on May 10, 2008 @ 05:17PM