Strong Passwords

Randy DownsOWNER
CERTIFIED EXPERT
Randy Downs dba Downs Consulting Services is a verified Veteran-owned small business (VOSB)
Veteran business database www.vip.vetbiz.gov
Published:
Updated:

Passwords

In the wake of Heartbleed we need to consider stronger unique passwords. We advise our clients to change all their passwords regularly and use strong unique passwords for each site.

We want unique passwords so that a compromised site won’t give away the keys to all our sites. The worst password is something that’s guessable with a dictionary search in any language. One of the most abused passwords is “Password”. If you must use something you can remember then substitute special characters for letters.

Example:
Use | (pipe – above the \ key) or 1 (number 1) or ! (Exclamation)  for L
Use the number 3 for the letter e (imagine the 3 flipped vertically)
Use @ for a
Use the number 5 for the letter s
Here’s more Leet dictionaries references
 

Password Management

A Password Management tool like Last Pass will ease the pain of keeping track of multiple passwords, changing them and tracking their history. With a management tool you can create secure passwords like zC69*&pEa0EsZ@BM

That’s not something anyone is likely to guess but it’s not easy to remember either. The Password Management tools remember these for you and even fill the credentials in for you on most sites. The management tools also make it easier to generate new passwords and remember them. Last Pass also has a Security check that will advise you on which passwords should be changed and how strong they are.

Last Pass is free for PC and laptop use but you pay a nominal fee to use it on your mobile devices (e.g. phone).
1
1,411 Views
Randy DownsOWNER
CERTIFIED EXPERT
Randy Downs dba Downs Consulting Services is a verified Veteran-owned small business (VOSB)
Veteran business database www.vip.vetbiz.gov

Comments (6)

CERTIFIED EXPERT

Author

Commented:
I am in complete agreement radioeng that's why I support applications like LastPass. You can have as many passwords as you want and make them extremely complex. That means you only have to remember one password for the application and you can make it complex but memorable by using Leet speech.
CERTIFIED EXPERT
Most Valuable Expert 2011
Top Expert 2015

Commented:
If you must use something you can remember then substitute special characters for letters.
This advice is relatviely meaningless these days. There are tools available that will take all such special characters into account when generating a brute-force word list. A popular suggestion is to take the first letter of a series words in a song lyric or book quote.

Also, I'm not sure why Heartbleed was mentioned in this article. Heartbleed has nothing to do with passwords other than the fact that an attacker could potentially sniff passwords out of packets that were assumed to be encrypted. At that point, it doesn't matter how complex your password is!
CERTIFIED EXPERT

Author

Commented:
My advice for Leet character for those that insist on a password they can remember. By far the best bet is a random password with as many special characters as your service will support. Last Pass will let you generate 100 character passwords with special characters like the following.

RU#QBvQxzxzu227gFKWzUr6!YgO99eWU$Q!OfEn5PG9t$#0Oq*eu3xYImTsL8JaRk7Yk!GiZf98*&6T%nxHLEYGX1ck&RcuDRr8U

Constantly changing passwords on a Key FOB and other two factor schemes are even better.

Other passwords like TANSTHAAFL (i.e., There Ain't No Such Thing As A free Lunch) are probably easily solved these days.

Regardless of what your password routine is it's much better to do something than to use easily guessed passwords like "password" for all your services. Brute force will eventually guess most passwords but hopefully your server will not allow that sort of attack.

I mentioned Heartbleed because most folks realize that all there passwords have been potentially compromised for the last 2 years. Consequently many are in security mode and starting to adhere to some semblance of security.
Rich RumbleSecurity Samurai
CERTIFIED EXPERT
Top Expert 2006

Commented:
I audit passwords for a living, and I am an active member in olcHashcat/JohntheRipper and InsidePro communities. The best advice is simply this, long password that you can remember, and it not easily guessed by man or machine. (I know, duh right?)
Those passwords can be derived from popular sources, but they should be altered in such a way that is not easily guessed. Misspellings, typo's and abbreviations are very good ways of doing this.
eyekancount2tin (I can count to ten)
^^are4rabbitz (Carrots are for rabbits)
daalaskin|line (the Alaskan pipe line)
u!dodatonteavee (you can't do that on tv)
If you are 1337'ing words that are found in various dictionaries, computers will crack it in short order.
3=e, 0=o, s=5|$, a=4|@, i=!|1, l=||1, g=9, B=8, c=(|[|{, t=7|+, x=*|+
That is easy for a computer to do, and even humans for that matter. Note that bruteforcing hashes is different than bruteforcing logins, like those on a web page or app. There is typically less speed when BF'ing a login as opposed to and offline attack against a hash.
Rather than hijack the article, I'll write up my own. Take aways are however that length trumps "complexity" 99.% of the time, especially when you can't easily source the base the password is from. It's also why "nofatebutwhatwemake" is a good example of and easily sourced base yet is very long.
http://arstechnica.com/security/2013/08/thereisnofatebutwhatwemake-turbo-charged-cracking-comes-to-long-passwords/ 
-rich
CERTIFIED EXPERT

Author

Commented:
That's good advice richrumble, My recommendation is to use unique strong passwords for each site that are created & remembered by a utility. The leet passwords are for those that don't want to use a utility.

I actually was crypto technician in the USN and we had "random noise" that helped encrypt our signals. Even at that we only expected the cipher to be unbreakable for a length of time. Our encryption codes were only used for a day but that likely has changed since I got out of the USN a long time ago.

By the way, LastPass will also create pronounceable passwords.

View More

Have a question about something in this article? You can receive help directly from the article author. Sign up for a free trial to get started.

Get access with a 7-day free trial.
You Belong in the World's Smartest IT Community