SECURITY TO THE CORE

Better, Stronger, and Faster: Bionic Passwords


OK, I can’t get your passwords to become faster, but certainly I can give you tips on how to make them better and stronger (read: harder to break). Probably you have read lot of posts on passwords that gave a lot of information on how good passwords can be easily created. But today I’ve come up with more ideas for you to secure your passwords.

A strong password is the first line of defense against anyone who would want to break into your account, so the tougher you make it on them, the less likely it will be that they get what they want. Use these tips to create a bionic password that will make it tougher to crack or break.

Get creative with words:

You can get a lot of traction out of one word if you can figure out different ways to use it in your password. For example the word “crystal” is pretty clear (pun intended), but you can muddy it up a bit by doing things like removing all vowels, changing how it’s spelled, or reversing certain letters. Examples include “crstl”, “krYs+al”, and “ltsrc” (the first one, only backwards). Mix that up with another word to increase the length of the password and you’ll be good to go.

The same word, only different:

Maybe you like birds, and your favorite bird is the Pine Grosbeak bullfinch. Well, as we all know (sarcasm) the genus for those birds is “Pinicola”. Maybe you also happen to love Coca-Cola. You take out the “cola”, insert “Coke”, and now you have a 2-word password that’s easy to remember: “PiniCoke”. Substitute some of the characters to something like this: “p1niCok3″ and you’re good to go.

Don’t use common number patterns:

Your phone number, street address, even your jersey number from the high school football team… these are all very bad things to use in a password as they are. If you plan on using one of them, be sure to mix things up. If you live on 1313 Kingsfisherbird Lane, you could use the street number like this: “+k1nG13bd13″.

Mix it up:

Using only alpha-characters or only numbers isn’t a very good idea for a password at all. Your password is a digital cocktail. Mix. It. Up. If a decent password is made up of 8 or more characters, you should try to use at least 2 numbers and one non-alphanumeric character (a hash symbol “#”, an exclamation mark “!”, etc.).

Use multiple passwords:

Ideally you should have a unique password for every account that you have. Your home email, work email, computer login, bank account,  Facebook, Orkut, Twitter… any account you have that requires a user name and password should have its own unique password.

These suggestions are not the end-all, be-all and i don’t necessarily advocate using every single password tip listed. But they can be food for thought when devising a new password. You’ve seen my repeated suggestion to mix things up, and that’s a big thing. Keep things fresh, get creative, and you’ll be far and away ahead of the pack when it comes to creating a strong (and difficult to crack) password.

Advertisements

30 responses

  1. h3@t1330

    This works well:

    Take a secret word, 13 characters is convenient. Now pick a seed a word associated with the system you’re logging in to. Could be the website name, your user name (if it’s unique), the business, whatever.

    Using the seed to modify your start point in the secret word, and to add additional numbers.

    For example, say the seed was “Passhacker” and the secret word was mishmashables. Take the number of letters in ‘Passhacker’ (10) and start that many into mishmashables and type out, say, 8 characters, looping at the end of the word.
    Passhacker = esmishma
    Now use the number of letters in the seed to further fuck it up
    esmishma101890

    (in this case the rule is num of letters in the seed, ‘number’ of the last letter of the seed (just counted out, b=2, z=26, etc.), num lttrs sqr – num letters) = 10 , 18 , 90

    Tons more rules are possible, but you get the picture.

    There you go! nothing to write down so long as you’re disciplined in how you generate your seed words.

    The problem is a LOT of seeds have 7 letters (who knew) and if you’re generating many passes for the same organization using the same user name it’s hard to get unique seeds. The latter is a serious issue, still working on a fix. Suggestions welcome!

    Enjoy

    June 5, 2010 at 12:11

  2. Babysitter

    This is the great information regarding how to hack the weak password. Security should be must.

    June 5, 2010 at 12:12

  3. Web Your ***

    Seriously i LOVED this informative article. Thought I use many of the techniques, I would have never shared the information and let the HELPLESS stay HELPLESS with a weak password. LOL.

    Good write up and topic, and the points are very helpful with good information/great example.

    Web Your ***®

    June 5, 2010 at 12:16

  4. Jimmy

    I’ve seen lot applications like RoboForm etc, but then a hacker would just need to crack the 1 password, through any method, and get access to EVERYTHING.

    Great Article BTW.

    June 5, 2010 at 12:17

  5. Cris

    Great article Avinash. I’ve found this after hearing a story on NPR about password security and wanted to verify their numbers. I’m a technical support executive, so it’s handy to have stuff like this to show my customers.

    Regards
    Cris

    June 5, 2010 at 12:27

  6. Rivero. J

    Nice Password tricks Avinash…

    Great Article.

    June 5, 2010 at 12:28

  7. Longboard

    With the various requirements by site on password formats and strength, I still have to keep a seperate document just to track all of my different passwords.

    Even the so called “master” password managing pieces of software are less than 100% effective (that is another area of frustration).

    Performing a round of password changes takes much more than 15 minutes. In order to realistically manage mine I schedule them in buckets and manage as tasks.

    June 5, 2010 at 12:32

  8. Sinmaker

    Hi Avinash,

    It would be time consuming, but yes I think it’s probably a good idea…I’ve been contemplating doing this for quite awhile…maybe coming up with a personally meaningful “super password” that will be legal for most password systems…..half the problem is finding where all you have a password at! Using the internet since its inception, I’ve lost count lol..

    Keep your good work on !!

    Sin

    June 5, 2010 at 12:33

  9. CiX

    Thanks for this Great article Avinash…

    June 5, 2010 at 16:11

  10. Jenese

    Well, I don’t want to take any risk with password. I don’t try to create a stronger password by my own. I simply go to aafter.com; type password: in the search box and then press enter.

    June 5, 2010 at 19:46

  11. GusRandy

    Hi Avinash,

    I really Wonder whether people would say strong passwords are worth it after a government employee with access to confidential data uses a weak password and 3 million SSNs are hacked.

    June 5, 2010 at 19:48

  12. Mikin

    Hm.. Really nice idea. However, I always use Sticky Password manager to keep my passwords safe and well organized.

    June 5, 2010 at 19:49

  13. Spedro

    Strong passwords aren’t that hard…

    Use a descriptive sentence that means something to you with proper names in it and numbers.

    Strip out the first letter of each word, the numbers and the punctuation, and Voila’ you have a strong password which is easy for *you* to remember and nearly impossible for anybody else to guess.

    June 5, 2010 at 19:50

  14. Octavian

    The first thing you achieve with a strong password is over-complication, and an immediate requirement to write it down. Straight away you’ve introduced a major risk, and the more you have, the bigger the problem. Most of us log onto loads of sites, loads of retail outlets etc etc, and cannot possibly to remember different hard & complex passwords.

    Overly complex adds nothing to security ! A little complexity & 8 digits min, and our own system/format rules should be enough for us all surely??

    June 5, 2010 at 19:53

  15. Mysterious

    Hi Avinash,

    You do know quite a lot and this has been an extraordinary help for me and others too! Your blog Rocks!

    It´s really nice to follow you!

    Thumbs up!

    Warmest regards and infinite blessings,

    Mysterious Guy

    June 5, 2010 at 19:57

  16. Liza

    Some of my passwords are not strong enough. I need to make some changes.

    Thanks

    Liza

    June 5, 2010 at 20:01

  17. SweX

    Nice article. It makes easy to build my own password by applying the algorithms you mentioned.

    June 5, 2010 at 20:02

  18. Stonyman

    If your computer is hacked than you’re boned.

    Seems to me that the solution is to have a strong password and keep your computer free of malware.

    Is that really so hard?

    June 6, 2010 at 10:47

  19. Trident

    “Security” people who don’t know anything about non-IT users like to make password rules that are so obtuse that normal users simply can’t deal with them. The result is sticky noted passwords.

    Users have to be able to remember their passwords in order for this security to be of any use. Push them beyond that ability, and you’re actively making the situation worse.

    June 6, 2010 at 10:49

  20. Leech

    I use a particular method to come up with passwords that gives me a length of 10-12 and makes them memorable, at least to me anyway.

    Anyways nice article Avinash. You are really serving the community.

    June 6, 2010 at 10:51

  21. Igster

    Some people just can’t help themselves, even after you’ve explained all the security risks. Oh well, you can but try.

    June 6, 2010 at 10:52

  22. Sidebottom

    Make the password memorable to yourself – otherwise you will tend to break one or more of the other rules.

    Sidebottom

    June 6, 2010 at 10:55

  23. Anonymizer

    Always Use a password manager.

    It will generate complex and unpredictable passwords for each different sites, and you will only have to remember one difficult one to access the password manager.

    They will event permit you to log into sites without having to type it (useful to defeat Key-loggers). And if you want to access them from abroad your home (in case of an online password manager), you can even use “on time” passwords, that even if someone see it, it cannot be reused.

    June 6, 2010 at 10:59

  24. Lmao

    I agree with Anonymizer, password managers are great, though there are a few rogue ones out there that will actually steal your passwords so put in some research time before choosing one!!

    June 6, 2010 at 11:01

  25. Frying Duck

    I’ve been using Ked Password Manager for quite a while now. It offers both a GUI and CLI, which is all I care about 😉

    June 7, 2010 at 10:00

  26. KaizerSoze

    All passwords should be simply: “Password”.

    Yes capital P, no quotations. Now I want to see a hacker hack this!

    KaizerSoze

    June 7, 2010 at 10:02

  27. Krishna

    Very interesting– & useful. I plan to make use of this information.

    Thanks for posting this 🙂

    June 7, 2010 at 10:03

  28. Slayer

    Cool stuff, Avinash. I have some really tough passwords, but they’ve still got words in them, and now that I’ve read more about brute force stuff, I’m pretty sure I need a rehaul.

    June 7, 2010 at 10:05

  29. Laura Brown

    I can certainly say that I agree with Avinash, that today we need a stronger and better passwords. But password fatigue is all too common. One solution that my fiancee uses is password safe. It works great until he needs to get to his e-mail from a friend’s computer, then he’s SOL because he doesn’t have his password database with him, and he doesn’t know what his password is.

    I break things down into three major categories:
    super sekrit, sekrit, and internet. The super sekrit passwords are things like root accounts I have access to, and whenever anyone wants a really strong password. The sekrit accounts are the ones that are pretty standard, normal user accounts, bank accounts online, etc. Then there’s the Internet, where I give out the password to friends all the time. These are basically systems that want a password from me for an “account”, to place an order, etc. ones I could really care less about.

    I have about 2-3 passwords for each “grouping” and that’s about it. Yeah, it’s not as secure as it might be, but there aren’t that many accounts, and I get tired of remembering 3000 passwords.

    Some of the Internet class accounts are starting to require stronger passwords, and I’ve locked myself out of some accounts because all of the passwords that I “normally” use for that class aren’t acceptable (and let me tell you, the Internet ones? any cracker will get them in about 2 seconds), and I can’t remember what I used. It’s an annoying problem, but I don’t think you’re going to get a single sign-on solution that works among several thousand completely unrelated systems.

    I kinda like all the ones that are using paypal – I just have to remember one (usually).

    June 7, 2010 at 10:12

  30. aizerSoze. I did actually once cracked a password which showed to be “Password”

    June 8, 2010 at 02:20

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s