Old 04-21-2005, 06:43 AM   #21
Twelve Motion
All Star
 
Join Date: Sep 2003
Location: Minneapolis, MN
Posts: 966
Using the same password for everything you sign up for is a pretty good way I found to remember them all. I mean, it should be safe to do that if you have a good password, no?

However... now if someone hacks my gamefaqs.com account... THEY GOT EVERYTHING!? O_o

What about passwords that are all numbers? I suppose a computer could run a scan of all possible combinations pretty easily nowadays, huh? I am not sure how these crackers work, but it seems that it could run a list of all possible 8-bit letter combinations just as easily... So what's the value of a password like 46539103?
Old 04-21-2005, 07:11 AM   #22
yellow
Moderator
 
Join Date: Jan 2002
Posts: 10,677
Quote:
Originally Posted by Twelve Motion
So whats the value of a password like 46539103?

About the same as a nickel. It's worth almost nothing.


nkuvu,

Not sure. However, Panther passwords are doubly secure over Jaguar passwords because Panther uses shadow hashing in addition to the initial hashing. I don't think the Mac command line version of JtR will deal with shadow hashed files well (at all?).
Old 04-21-2005, 07:45 AM   #23
pink
Major Leaguer
 
Join Date: Jul 2002
Location: Germany
Posts: 441
There's an old hint on keychain's password analyzer. It can give you an idea about the quality of your passwords.

cheers, pink
__________________
"And what have we got in here ? - Ahh, things.." (Louis (2), inspecting kitchen cupboards.)
Old 04-21-2005, 08:28 AM   #24
macmath
MVP
 
Join Date: Mar 2002
Location: Elsewhere
Posts: 1,485
Quote:
Originally Posted by Twelve Motion
about passwords that are all numbers? I suppose a computer could run a scan of all possible combinations pretty easily nowadays huh? I am not sure how these crackers work but it seems that it could run a list of all possible 8 bit letter combonations just as easily... So whats the value of a password like 46539103?

I don't know how they select passwords to try either (beyond ones that are similar to your username [or birthdate and spouse's or children's names if they know you]); however, probabilistically speaking you are much better off using other characters as well. There are only 10^8, or one hundred million, possible 8-digit passwords of only numbers. However, if you throw in the 26 letters of the alphabet, and their capitals, and these 8 {!, @, #, $, %, ^, &, *}, that makes 70^8 possible passwords, or 7^8 (5,764,801) times as many, for 576,480,100,000,000 total.

I don't know which of the non-alphabetic keyboard characters are valid on OS X. For a credit card I have some of those 8 are not valid but for another credit card I have, they are.

Last edited by macmath; 04-21-2005 at 09:48 AM. Reason: I forgot to include the capital letters as possibilities
Old 04-21-2005, 09:49 AM   #25
macmath
MVP
 
Join Date: Mar 2002
Location: Elsewhere
Posts: 1,485
....I forgot to include capital letters, so I fixed the above post.
Old 05-30-2005, 10:30 PM   #26
jack_zack
Prospect
 
Join Date: May 2005
Posts: 18
I am not sure if this is suitable for all of you. But many (including me) choose a slang word from another language and make that word the password! BUT with English letters of course. This method is easier than taking the first letter of every word in a phrase.

for instance in the slang of my native language

raheeb = cool

People who know Spanish or French or other languages can do the same thing, but they must use slang and make sure that the word they chose isn't spelled the same way in English.

so raheeb can be used as a password because it's not found in dictionaries.
Plus the user can strengthen it by adding symbols:

?!raheeb?!

to make it harder to crack, a user can add three easy numbers at the end:

612: area code of MN
554: first three digits of zip code
2118: two ages the user's age and some one else's age.

so a sample of an easy yet hard to crack password would be:

?!raheeb?!612

another suggestion which is fast and easy:

when someone wants to crack a password he will think letters and numbers.
He will use dictionaries etc.
My suggestion would be why letters and numbers??? If you use only symbols
your cracker will get stuck in an infinite loop trying all combinations of letters and numbers and symbols. While you fooled him by avoiding the key element in his trials (numbers and letters)

a smart pattern for symbols (type skip type skip type skip type)

push the shift button then use the pattern beginning with the one button:

!#%&

no letters no numbers yet easy and traps the cracker in an infinite loop.

you can modify the pattern or come up with your own

of course I don't follow those methods
it's a suggestion to make users create strong passwords in an easy way

my password for sensitive accounts (personal email etc) is impossible to crack

sample of my method:
3alateben^&*(424182117

DON'T USE THE THREE PASSWORDS MENTIONED HERE WHATSOEVER
Old 05-30-2005, 10:45 PM   #27
hayne
Site Admin
 
Join Date: Jan 2002
Location: Montreal
Posts: 31,941
Quote:
Originally Posted by jack_zack
ppl who know spanish or french or other languages can do the same thing but they must use slang and make sure that the word they chose isn't spelled the same way in english.

so raheeb can be used as a password because it's not found in dictionaries.

Non-English dictionaries are easily available and are commonly used by password crackers. And dictionaries of slang words are also readily available. Basically, if you know it is a word, then someone else is likely to have put it into a word list. Modern machines can check all known words in all known languages in a few seconds. So you really need to ensure that your password is not a word in any language.
Adding symbols & numbers in the middle is a good way to ensure that it is resistant to crackers. I.e. the "strengthening" techniques mentioned by jack-zack are not merely a good idea - they are necessary. Note that merely adding one or two digits at the end of a word is not sufficient.
Old 05-31-2005, 01:07 AM   #28
jack_zack
Prospect
 
Join Date: May 2005
Posts: 18
Quote:
Originally Posted by hayne
Non-English dictionaries are easily available and are commonly used by password crackers. And dictionaries of slang words are also readily available. Basically, if you know it is a word, then someone else is likely to have put it into a word list. Modern machines can check all known words in all known languages in a few seconds. So you really need to ensure that your password is not a word in any language.
Adding symbols & numbers in the middle is a good way to ensure that it is resistant to crackers. I.e. the "strengthening" techniques mentioned by jack-zack are not merely a good idea - they are necessary. Note that merely adding one or two digits at the end of a word is not sufficient.

First of all, if you type a foreign word using English letters to resemble it, you end up with a word that can't be found in an English dictionary. raheeb can be found in an Arabic dictionary but never in an English dictionary whatsoever. kabeesh sounds like the Italian "capesc" or (whatever the spelling is) but it's spelled in a different way. If a user used it as a password it is not considered a word found in a dictionary;
there is no kabeesh in any dictionary on earth. I am not asking users to use foreign words. I am asking them to express the sound of a non-English word using English letters.
By that they end up with a word that's easy to remember, and easier than picking the first letter of every word in a phrase.

for versace they can use verzachy
for gucci they can use guochee

they are basically creating their own unique words by choosing non-English words and using English letters to resemble them.
Old 05-31-2005, 01:13 AM   #29
jack_zack
Prospect
 
Join Date: May 2005
Posts: 18
Quote:
Originally Posted by hayne
Non-English dictionaries are easily available and are commonly used by password crackers. And dictionaries of slang words are also readily available. Basically, if you know it is a word, then someone else is likely to have put it into a word list. Modern machines can check all known words in all known languages in a few seconds. So you really need to ensure that your password is not a word in any language.
Adding symbols & numbers in the middle is a good way to ensure that it is resistant to crackers. I.e. the "strengthening" techniques mentioned by jack-zack are not merely a good idea - they are necessary. Note that merely adding one or two digits at the end of a word is not sufficient.

One more thing: you are stating that non-English dictionaries are used by crackers. Well of course, but non-English dictionaries will include the word in its own language's spelling, not English spelling.

????
this is the raheeb you will find in an Arabic dictionary, not raheeb.

in an Italian dictionary you will find
capisca
you won't find kabeesh

there is no dictionary on earth that will include

raheeb or kabeesh or verzachi

by my method a user creates a password that doesn't exist in any dictionary yet it's easy to remember

understand my method before you comment... thanks
Old 05-31-2005, 01:15 AM   #30
jack_zack
Prospect
 
Join Date: May 2005
Posts: 18
???? = raheeb in Arabic

Arabic text is not supported by the forums.
Old 05-31-2005, 01:25 AM   #31
hayne
Site Admin
 
Join Date: Jan 2002
Location: Montreal
Posts: 31,941
Quote:
Originally Posted by jack_zack
there is no dictionary on earth that will include raheeb

Look here:
http://dictionary.sakhr.com/idrisidic_2.asp?Sub=raheeb
and now imagine that a password cracker suspects that a sufficient number of potential victims might be doing Arabic to English transliteration to create passwords. A dedicated cracker might well grab the English side of an Arabic-English dictionary to add to his word lists. And such things tend to be shared...
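The word-list-plus-rules attack hayne describes in his two replies above, as an added example that is not part of any post in this thread: a tiny constructed word list (a few English words plus the transliterations proposed in the thread) is pushed through John-the-Ripper-style mangling rules (case changes, symbol pairs wrapped around the word, zero to three trailing digits) against an unsalted SHA-1 hash. Unsalted SHA-1 is assumed here as the storage scheme of a 2005-era web application; the word list, the rule set and the target passwords are all constructed for the example.

```python
import hashlib

# Constructed word list: a few English words plus the transliterations
# proposed in this thread.  A real cracker loads hundreds of thousands of
# entries from many languages, including the Latin-script side of
# bilingual dictionaries.
WORDLIST = ["password", "dangit", "raheeb", "kabeesh", "verzachy", "guochee", "capisca"]

# Mangling rules in the spirit of John the Ripper's rule engine
# (assumed rule set for the example; JtR's shipped rules are far larger).
WRAPPERS = ["", "?!", "!!", "@@", "#"]            # same symbols on both sides
SUFFIXES = ([""]
            + [str(n) for n in range(10)]         # one trailing digit
            + [f"{n:02d}" for n in range(100)]    # two trailing digits
            + [f"{n:03d}" for n in range(1000)])  # three trailing digits (area code, zip prefix)


def case_variants(word):
    """lower, Capitalised and UPPER forms of a word, without duplicates."""
    seen, out = set(), []
    for v in (word, word.capitalize(), word.upper()):
        if v not in seen:
            seen.add(v)
            out.append(v)
    return out


def candidates(words=WORDLIST):
    """Yield every mangled form: wrapper + case variant + wrapper + digit suffix."""
    for word in words:
        for base in case_variants(word):
            for wrap in WRAPPERS:
                for suffix in SUFFIXES:
                    yield f"{wrap}{base}{wrap}{suffix}"


def sha1_hex(password):
    """Unsalted SHA-1, the (weak) storage scheme assumed for the target site."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def crack(target_hash, words=WORDLIST):
    """Return (recovered_password, guesses_tried); password is None if no rule hits."""
    tried = 0
    for cand in candidates(words):
        tried += 1
        if sha1_hex(cand) == target_hash:
            return cand, tried
    return None, tried


if __name__ == "__main__":
    # "?!raheeb?!612" is the sample from the thread; the others are constructed.
    for pw in ("raheeb", "?!raheeb?!612", "Kabeesh99", "Jx9#qL2v"):
        found, tried = crack(sha1_hex(pw))
        print(f"{pw:16} -> {found!r} after {tried} guesses")
```

Seven words times three case forms, five wrappers and 1,111 suffixes is 116,655 candidates, a fraction of a second of hashing, and "?!raheeb?!612" falls out of it because the base word is in the list and the decorations are exactly what the rules enumerate. A password whose base is in no list at all (the last one above) survives the whole run, which is hayne's point: the decoration buys almost nothing once the word is known.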
Old 05-31-2005, 06:38 AM   #32
yellow
Moderator
 
Join Date: Jan 2002
Posts: 10,677
Quote:
Originally Posted by jack_zack
If a user used it to be a password it is not considered a word found in a dictionary
there is no kabeesh in any dictionary on earth.

It is not all about dictionaries. It is about dictionaries, word lists, slang terms, proper names, location names.

For instance, there are 176 hits for the name "kabeesh" on Google. Obscure yes, completely invisible to radar, no. Yes, chances are much lower that kabeesh would be broken, in comparison to dangit. But don't give it mystical prowess. I've broken many a password at work where someone used hebrew or french or spanish and thought no one would ever get it. Now I'm going to add a phonetic arabic dictionary to my repertoire.

As for only using symbols in a password, it's really not such a good idea. Look at the math. There are significantly fewer combinations using only symbols than there are using letters, caps, numbers, and symbols.
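macmath's arithmetic in post #24 and yellow's point just above that a symbols-only password has far fewer combinations, worked through as an added example that is not from any post in this thread: it models a cracker that already knows the length and which character classes appear (a mask attack, the realistic lower bound on the work) and reports keyspace, bits of entropy and time to exhaust at an assumed guess rate. The five character classes follow macmath's count (10 digits, 26 lowercase, 26 uppercase, his eight shifted number-row symbols) with the remaining ASCII punctuation as a fifth class; the classes and the 1e9 guesses/second rate are assumptions for the example, not facts about any particular system.

```python
import math
import string

# Character classes as counted in the thread, plus the rest of ASCII
# punctuation as a fifth class.  Assumed for the example; what a given
# system accepts varies (see macmath's credit-card remark).
SYMBOLS = "!@#$%^&*"
CLASSES = {
    "digit":  set(string.digits),
    "lower":  set(string.ascii_lowercase),
    "upper":  set(string.ascii_uppercase),
    "symbol": set(SYMBOLS),
    "other":  set(string.punctuation) - set(SYMBOLS),
}


def classes_used(password):
    """Names of the classes that actually occur in the password."""
    used = set()
    for ch in password:
        for name, chars in CLASSES.items():
            if ch in chars:
                used.add(name)
                break
        else:
            raise ValueError(f"character {ch!r} is outside the modelled classes")
    return used


def alphabet_size(password):
    """Alphabet a mask attack needs once it knows which classes are present."""
    return sum(len(CLASSES[n]) for n in classes_used(password))


def keyspace(password):
    """Combinations to cover when the cracker knows length and classes."""
    return alphabet_size(password) ** len(password)


def entropy_bits(password):
    return math.log2(keyspace(password))


def seconds_to_exhaust(password, guesses_per_second):
    return keyspace(password) / guesses_per_second


if __name__ == "__main__":
    rate = 1e9  # assumed guesses per second; hardware and hash type decide the real figure
    for pw in ("46539103", "aB3$eF7*", "!#%&", "!#%&!#%&"):
        print(f"{pw:10} alphabet={alphabet_size(pw):3} "
              f"keyspace={keyspace(pw):>20,} bits={entropy_bits(pw):5.1f} "
              f"exhaust={seconds_to_exhaust(pw, rate):.3g}s")
```

The digits-only password gives 10^8 combinations (about 26.6 bits); mixing all four of macmath's classes gives 70^8, exactly 7^8 times more; and jack_zack's four-symbol pattern drawn from eight symbols is 8^4 = 4,096 combinations, smaller than even a four-character mixed password, which is what yellow's reply is pointing at. Real crackers rarely pay the full keyspace (the rule-based example above is cheaper whenever the base is a word), so these numbers are ceilings, not guarantees.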
Old 05-31-2005, 06:53 AM   #33
yellow
Moderator
 
Join Date: Jan 2002
Posts: 10,677
Another thing to remember (something I consistently forget): as computers get faster and can do more computations in a second, our passwords get weaker. And with technologies like Xgrid, being able to spread your cracking over many multiples of CPUs... well, that's just plain scary.
Old 12-31-2005, 06:41 AM   #34
themacuser
Prospect
 
Join Date: Dec 2005
Posts: 8
Another tip: Hold down the option, shift etc. key while typing parts of the password.

password becomes πåßß∑ø®∂. Which one seems easier to crack?
Old 12-31-2005, 08:05 AM   #35
retcynnm
Triple-A Player
 
Join Date: Apr 2002
Location: San Francisco
Posts: 244
Steve Gibson of Gibson Research has set up a secure webpage that will generate unique random passwords of pretty considerable strength.
Old 01-02-2006, 07:19 AM   #36
yellow
Moderator
 
Join Date: Jan 2002
Posts: 10,677
Quote:
Originally Posted by themacuser
Another tip: Hold down the option, shift etc. key while typing parts of the password.

password becomes πåßß∑ø®∂. Which one seems easier to crack?

The problem with that is platform compatibility. You cannot use this for things like a GMail password (for instance), because if you were at a PC you'd struggle to get the same characters for your password. Assuming of course the GMail site even recognized/accepted the characters.
Old 01-02-2006, 08:56 AM   #37
vickishome
MVP
 
Join Date: Jul 2002
Location: Texas
Posts: 1,059
I wonder how well my method of creating passwords might hold up.

I have a file on my hard drive that contains all of my passwords. It is not named with anything that relates to passwords nor does it contain the word "password" within it. And that file is itself password protected.

When I need a new password, I create a new entry and then hit random keys (characters, numbers, caps, lower case, symbols, anything). When I have 10-15 of these, I then save the file. I then copy and paste this into whatever it is I'm using that needed the password. The password file is backed up onto more than one HD on more than one computer because if I ever lost that file, I'd be completely dead. I don't even allow backdoors with the stupid question/answer that many websites use. My answers do not match the questions and are passwords themselves, equally as random as the original password.

My biggest concern is allowing my keychain to save these passwords. I've often wondered if that is where someone could hack and get all of my passwords. I have a love/hate relationship with keychain.
__________________
Vicki
• 15" MacBook Pro 2.66GHz i7, Snow Leopard 10.6.8, 8GB RAM
• iPad 4G WiFi 64GB
• iPhone 5 64GB
• 15" MacBook Pro 2.4GHz, Tiger 10.4, 4GB RAM
• G5 Dual 2GHz, Panther 10.3, 1.5GB RAM
• G4 Dual 1GHz, Tiger 10.4, 1.5GB RAM

Using Macs since 1986!
Old 01-02-2006, 09:02 AM   #38
yellow
Moderator
 
Join Date: Jan 2002
Posts: 10,677
The keychain file itself cannot be (easily) broken; it's got 128-bit AES encryption on it. However, if someone gets your "password protected" text file (Word I'm guessing), it CAN be broken VERY easily. And it doesn't really matter if it has the word password or anything in it; it'll be pretty obvious to someone when they open it what it is. I would advise against this..
Old 01-02-2006, 09:10 AM   #39
vickishome
MVP
 
Join Date: Jul 2002
Location: Texas
Posts: 1,059
Quote:
Originally Posted by yellow
Your "password protected" text file (Word I'm guessing), CAN be broken VERY easily. And it doesn't really matter if it has the word password or anything in it, it'll be pretty obvious to someone when they open it what it is. I would advise against this..

Understood.

The question is (1) How would they get onto my Mac in the first place, and (2) How would they even begin to find that file among the thousands of other files on my hard drives?

It's not possible to have hundreds of different random passwords without storing those passwords somewhere. So I must have a file that stores them.
Old 01-02-2006, 09:41 AM   #40
ldrury
Triple-A Player
 
Join Date: Jan 2006
Posts: 128
Quote:
Originally Posted by vickishome
Understood.

The question is (1) How would they get onto my Mac in the first place, and (2) How would they even begin to find that file among the thousands of other files on my hard drives?

It's not possible to have hundreds of different random passwords without storing those passwords somewhere. So I must have a file that stores them.


An easy solution to this though: just make a little encrypted disk image and save your text/Word file containing your passwords in it..... that's what I do.... you can carry it around your neck on a USB drive as backup too....
Lee
Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2013, vBulletin Solutions, Inc.
Site design © IDG Consumer & SMB; individuals retain copyright of their postings
but consent to the possible use of their material in other areas of IDG Consumer & SMB.