Nothings really safe: yet what kind of password

Quote:

---

*Not* writing down the password ANYWHERE, whether encrypted or not, is better protection than any password keeper program.

---

Very true. But security is always a compromise and you can store the password in an acceptably secure manner; a bank safety deposit box being an extreme example. For most uses, just keeping it in a separate room from the computer is good enough. Unless you expect a hacker to break into your house or office and have time to search every room. The exception being if the threat is a business associate or relative (eg, teenager).

Keep in mind that a good password is (for practical purposes) unbreakable. If you forget it, you lose your data. And you are a thousand times more likely to forget it than for a hacker to steal it.

Quick recap ...

Easy-to-crack passwords:

• Words in a dictionary, as well as common, and not-so-common names
  
  
• Passwords based on a common quotations, phrases or poems
  
  
• Using l33t (elite) speak (the 'rules' are now to well-known)
  
  
• Shifting your fingers, (up, down, left or right), and then typing
  
  
• Random capitalization within any password created using the above techniques
  
  
• Prepending/Appending one or more numbers to any password

For example, the password "ChEcK12" was cracked in a mere 26 seconds with a downloaded trial version of @Stake's LC4 (formerly known as L0phcrack) running on a lowly 500 Megahertz Pentium III. And "3x0n3rat3" ("exonerate" with "e"'s replaced by "3" and "o"'s replaced by "0") took 4 hours 16 minutes and 45 seconds.

Quote:

---

A good password will be a truly unique combination of characters, and that means that the password should not appear in any form in any dictionary, book of quotations, and so on. The password also should not be based on simple substitutions or transpositions of common words or phrases: If any underlying pattern remains -- the less truly random a password is -- the easier it is to be cracked.

Complexity also is easy to understand. For example, if you limit yourself to the lower-case letters of the English alphabet, each character in your password will have only 26 possible values. Simply allowing uppercase and lowercase letters means that each character in the password can have 52 different values. Add in numbers (0-9) and you have 62 possible values; add the punctuation and symbol characters commonly found on a US-English computer keyboard, and you have a total of about 92 unique (non-repeating) possible values. Clearly, using all the kinds of characters available to you significantly increases the complexity of a password.

Length also is hugely important: A two-character password, where each character could be any of 92 possible values, affords just 8464 unique combinations. Three characters allow 778,688 possibilities; four yields 71,639,296, and so on. So clearly, longer passwords are better because the number of possible character combinations increases exponentially with length.

But note that while something like "71,639,296" password possibilities would be daunting in human terms, it's nothing to the brute strength of a PC.

---

From the LC4 help file

Quote:

---

Because the brute force crack tries every combination of characters it's configured to use, your choice of character sets determines how long the brute force crack will take. Common passwords, based on letters and numbers can typically be recovered in about a day using the default character set A-Z and 0-9. Complex passwords, on the other hand, that use characters such as #_}* may take up to hundreds of days to crack on the same machine, using a comprehensive character set.

---

use your car licence number - it's everything you want from a password (mixture of letters and numbers) and you've always got it written down!

Great idea, except:

Here in Texas (and all US states?) plates use only 6 characters. A modern desk top computer can try all the possible combinations of 6 letters and numbers in a few minutes at most. Repeating the license number for a total of 12 characters would probably be secure enough for most purposes.

BTW - a password storage program is available for free from:

http://www.schneier.com/passsafe.html

It was written by Bruce Schneier, probably the most respected name in computer security. A problem with security programs is that its impossible for most of us to know how secure they actually are. The author's reputation is one thing we can evaluate and Mr. Schneier's is the best.

I too like the license idea. :) To make it a bit more jumbled, add your boss's initials (NOT family) and mix the cases of the letters involved...

Personal opinion - Some password algorithms convert to upper case for storage so I don't depend on mixed case to improve security. I also don't use special characters because they may not translate properly if the system is moved between, for example, Unix and Windows. (And some people reconfigure their keyboards for special purposes).

You can trade length for complexity. I stick to letters and numbers and use longer passwords.

Forgive me for beating a dead horse but this is a subject I feel strongly about. This is from the latest newsletter from Bruce Schneier:

Write Down Your Password



Last month, Microsoft's Jesper Johansson made the news when he urged people
to write down their passwords. This is good advice, and I've been saying
it for years.

Simply, people can no longer remember passwords good enough to reliably
defend against dictionary attacks, and are much more secure if they choose
a password too complicated to remember and then write it down. We're all
good at securing small pieces of paper. I recommend that people write
their valuable passwords down on a small piece of paper, and keep it with
their other valuable small pieces of paper: in their wallet. Obscure it
somehow if you want added security: write "bank" instead of the URL of your
bank, transpose some of the characters, leave off your userid. This will
give you a little bit of time if you lose your wallet and have to change
your passwords. But even if you don't do any of this, writing down your
impossible-to-memorize password is more secure than making your password
easy to memorize.

Quote:

---

Forgive me for beating a dead horse but this is a subject I feel strongly about.

---

No need to forgive you because I'm sure you, me and many others feel just as strongly about computer safety. The differences between us are how we choose to go about it.

I do agree that writing down passwords and keeping them on your person is a great way to go. In my case, it's just not practical. My billfold just won't hold any more than it already has in it. :)

I thought about what to do for quite some time...and I finally went the PC password manager method. Arguably not as completely safe as the old tried and true method paper method (which of course can be mislaid or stolen) but safer than using the same password for everything (and the password database is encrypted against all but the most sophisticated hacker.) The key, IMO, is not using a simple password for the program...

I thought a long time about using a PW manager and actually tried some a few years back, but then went back to the old "mind+memory" method.
However, the ever-increasingly amount of logins for work, home, school etc. has exceeded my brain capacity ;) , particularly because I have different PW's and complex one EVERYWHERE.
Current count is 70+ - so my KeePass is very handy these days.