[ale] creating very powerful relatively short memorable passwords

Wolf Halton wolf.halton at gmail.com
Thu Sep 15 09:12:55 EDT 2011


Here is an interesting utility I found while looking for
password-development models:
http://www.multicians.org/thvv/gpw-js.html This creates pronounceable
non-words that follow English lexis to the point that they will be easy to
remember.  Adding some substitutions and some caps, and you have a good
password that is easy to remember.

My own 'system' is to choose a 6-8 character word and have muscle-memory
turn it into something unrecognisable.
Mustang => Mku8set6awnjgy or Mju7swt5aqnhgt or Mmuhsz6taAnNgv
It is fast, and you don't move around the keyboard much as you type, so it
is hard to shoulder-surf.

On Sat, Sep 10, 2011 at 2:54 AM, Ron Frazier
<atllinuxenthinfo at c3energy.com> wrote:

> Hi all,
>
> If you've been watching the list, you know I've been in discussion with
> several others related to the topic of creating strong passwords.  Based
> on prior discussions and recommendations, I had concluded that pass
> phrases are highly desirable.  However, if using a 2048 word lexicon,
> they must be 6 words long to achieve a few days of crack resistance from
> a botnet array.  You have to go up to 8 words to reach a crack time of
> centuries if the attacker is doing 100 trillion guesses / second.  Pass
> phrases this long are impossible to enter into many websites.  And, even
> if they can be entered, it is very tedious to type this many words in a
> password field.
>
> Here, I will describe a good compromise if you either wish to or are
> forced to use a shorter password.
>
> I was slamming my bank in prior discussions due to only allowing 8
> character passwords.  Well, I guess other people have been slamming
> them.  I checked the password policy today and it has been updated to
> the following:
>
> "Must be 6-20 characters with at least one letter and one number. There
> should be no spaces and no special characters."
>
> As you can see, I cannot use a 6-8 word pass phrase here.  However, I
> can still make it plenty strong.  The key to making a short password
> work is not only making it as long as you can, but including as many as
> possible of the following in the alphabet of characters you use: lower
> case letters, upper case letters, digits, symbols.  Adding just 1 of
> these character types, as long as the attacker doesn't know your
> pattern, dramatically expands the number of guesses he has to make.
>
> Here is a simple example of what adding each different possibility
> does.  Imagine a 4 character password.  This one won't be strong, it's
> just for an example.
>
> * lower case, ex: "junk" (excluding quotes), 26 possibilities in each
> character, permutations = 26^4 = 456,976
> * lower, upper, ex: "Junk", 52 possibilities in each character,
> permutations = 52^4 = 7,311,616   (Note that this is 16 times more secure.)
> * lower, upper, digits, ex: "Jun8", 62 possibilities in each character,
> permutations = 62^4 = 14,776,336   (Note that this is 32 times more
> secure.)
> * lower, upper, digits, symbols, ex: "Ju+8", 95 possibilities in each
> character, permutations = 95^4 = 81,450,625   (Note that this is 178
> times more secure.)
>
> These short passwords would be cracked instantly by a cracking array.
> However, a bit of clever adding of characters will allow me to have a
> very secure and pretty memorable password, even at MY bank.
>
> Following is the minimum character length of a password of each type to
> require at least a century of crack time by an array operating at 100
> trillion guesses / second.
>
> lower case, 17 characters, 3.60 centuries crack time
> lower, upper, 14 characters, 3.35 centuries crack time
> lower, upper, digits, 14 characters, 39.33 centuries crack time
> lower, upper, digits, symbols, 12 characters, 1.71 centuries crack
> time   (Note that my bank will not accept this one.)
>
> Going any SHORTER will reduce the crack time to less than a century,
> and it does so VERY rapidly.  In the case of the lower, upper, digits,
> removing 1 character reduces crack time to 63.43 years.  Removing a 2nd
> character reduces it to 1.02 years.  And, removing a 3rd character
> reduces it to 6.02 days.
>
> The best compromise of length, memorability, usability at websites, and
> security is the lower, upper, digits scenario with 14 characters.  An
> easy way to do this is to pick 2 words from a standard English
> dictionary which combine to at least 12 characters then throw some caps
> and 2 digits in, or 13 characters and 1 digit.  This has some of the
> benefits of a pass phrase and is pretty memorable, and will be accepted
> by most websites.  You could use more digits, but there is no big
> benefit.  Once you've added even 1 digit, you've increased the
> possibilities at each character spot from 52 to 62.  Note that all this
> assumes the attacker is brute force guessing and doesn't know YOUR word
> pattern.
>
> 4AntimonyBlast - 14 characters - 39.33 centuries crack time
> CastoffWander2 - 14 characters - 39.33 centuries crack time
> Debark3Debates - 14 characters - 39.33 centuries crack time
>
> Here's how the math works.
>
> permutations = 62^14 = 12.402 x 10^24
> time to crack = 12.402 x 10^24 / 100 x 10^12 guesses / second = 124.02 x
> 10^09 seconds
> divide by 3600 to get hours, then 24 to get days, then 365 to get years,
> then 100 to get centuries
>
> To do the whole thing at once, take the number of permutations and
> divide by 315.36 x 10^21.
> time to crack = 39.33 centuries
>
> -----> BOTTOM LINE <------
>
> So, the BOTTOM LINE is: create a password at least 14 characters long
> containing lower case, upper case, and digits; and you will be
> uncrackable by a botnet of 1000 PCs doing a total of 100 trillion
> guesses / second for almost 40 centuries.  Some of the crypto guys can
> chip in and say whether, statistically, the cracker might hit your
> password in 1/2 the time.  In that case, you're good for 20 centuries.
>
> I hope you find this useful.  I certainly found the analysis revealing,
> and I'll be upgrading some of my website and applications passwords.
>
> There's a lot of math here, all hand done.  I'm pretty sure it's all
> right, but if there are typos (at 2 AM), they'll have to be corrected later.
>
> Sincerely,
>
> Ron
>
> --
>
> (PS - If you email me and don't get a quick response, you might want to
> call on the phone.  I get about 300 emails per day from alternate energy
> mailing lists and such.  I don't always see new messages very quickly.)
>
> Ron Frazier
>
> 770-205-9422 (O)   Leave a message.
> linuxdude AT c3energy.com
>
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://mail.ale.org/mailman/listinfo/ale
> See JOBS, ANNOUNCE and SCHOOLS lists at
> http://mail.ale.org/mailman/listinfo
>



-- 
This Apt Has Super Cow Powers - http://sourcefreedom.com
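The quoted post works its crack-time table by hand (keyspace = alphabet size raised to the length, divided by 100 trillion guesses per second, divided by the seconds in a century). The script below is an added example, not code from either poster, that reproduces those figures and also computes the two things the post raises but does not work out: the average-case time for a uniformly random password (half the worst case), and how far the keyspace shrinks once the attacker knows the "two capitalised dictionary words plus one digit" pattern behind 4AntimonyBlast, which the post itself flags as the assumption its numbers rest on. The 50,000-word attacker dictionary used for that last figure is an assumption of this example, not a number from the thread.

```python
"""Keyspace and crack-time calculator for the estimates in the thread above.

Added example, not code from either poster. Reproduces the quoted post's
arithmetic (keyspace = alphabet^length, time = keyspace / rate, rate =
100 trillion guesses/s) and adds the average-case figure and the
pattern-aware keyspace the post alludes to. The dictionary size used for
the pattern-aware figure is an assumption.
"""
from math import log2

GUESSES_PER_SECOND = 100e12                   # the post's "100 trillion guesses / second"
SECONDS_PER_CENTURY = 3600 * 24 * 365 * 100   # 3.1536e9; the post's 315.36e21 is this * 1e14

# Alphabet sizes used in the post. "symbols" means all 95 printable ASCII characters.
ALPHABETS = {
    "lower": 26,
    "lower+upper": 52,
    "lower+upper+digits": 62,
    "lower+upper+digits+symbols": 95,
}


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct strings of `length` symbols over the alphabet."""
    return alphabet_size ** length


def bits(n: int) -> float:
    """Entropy in bits of a uniform choice among n possibilities."""
    return log2(n)


def centuries_to_exhaust(alphabet_size: int, length: int,
                         rate: float = GUESSES_PER_SECOND) -> float:
    """Worst case: the attacker tries the entire keyspace (the post's figures)."""
    return keyspace(alphabet_size, length) / rate / SECONDS_PER_CENTURY


def expected_centuries(alphabet_size: int, length: int,
                       rate: float = GUESSES_PER_SECOND) -> float:
    """Average case for a uniformly random password: half the keyspace.
    This is the 'might hit your password in 1/2 the time' the post asks about."""
    return centuries_to_exhaust(alphabet_size, length, rate) / 2


def min_length_for_century(alphabet_size: int,
                           rate: float = GUESSES_PER_SECOND) -> int:
    """Shortest length whose worst-case crack time is at least one century."""
    n = 1
    while centuries_to_exhaust(alphabet_size, n, rate) < 1:
        n += 1
    return n


def passphrase_seconds(words: int, lexicon: int = 2048,
                       rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case seconds for a passphrase of `words` words drawn from a
    `lexicon`-word list (the post's 2048-word lexicon by default)."""
    return lexicon ** words / rate


def pattern_keyspace(dictionary_words: int, digit_slots: int = 3) -> int:
    """Keyspace if the attacker KNOWS the pattern behind '4AntimonyBlast':
    two capitalised dictionary words and one digit placed in one of
    `digit_slots` positions (front, between the words, end).
    `dictionary_words` is the attacker's wordlist size; the value passed by
    the caller is an assumption, not a figure from the post."""
    return dictionary_words ** 2 * 10 * digit_slots


def pattern_seconds(dictionary_words: int, digit_slots: int = 3,
                    rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case seconds to search the pattern-aware keyspace."""
    return pattern_keyspace(dictionary_words, digit_slots) / rate


if __name__ == "__main__":
    print("minimum length for >= 1 century at 100 trillion guesses/s")
    for name, size in ALPHABETS.items():
        n = min_length_for_century(size)
        print(f"  {name:28s} {n:2d} chars  {centuries_to_exhaust(size, n):7.2f} centuries")
    print(f"62^14 worst case  : {centuries_to_exhaust(62, 14):.2f} centuries "
          f"({bits(keyspace(62, 14)):.1f} bits)")
    print(f"62^14 average case: {expected_centuries(62, 14):.2f} centuries")
    print(f"6-word / 8-word passphrase: {passphrase_seconds(6) / 86400:.1f} days, "
          f"{passphrase_seconds(8) / SECONDS_PER_CENTURY:.0f} centuries")
    # Assumed 50,000-word attacker dictionary: knowing the pattern collapses the
    # 83-bit brute-force keyspace to about 36 bits, searched in well under a second.
    ks = pattern_keyspace(50_000)
    print(f"pattern known, 50k-word list: {bits(ks):.1f} bits, {pattern_seconds(50_000):.4f} s")
```

Running it prints the post's table (17 / 14 / 14 / 12 characters for the four alphabets, 39.33 centuries for 62^14, 63.43 years one character shorter) alongside the pattern-aware figure, which is the practical takeaway: the 14-character estimate holds only against an attacker who models the password as 14 independent symbols rather than as two words from a wordlist.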