Coming up with Strong Passwords
21 December 2007
Passwords are the first line of defense into almost every computer and every server. Some do use One-time Passwords, Keycards, or biometric sensors - but they are the unusual ones.
Let’s go back to basics, and figure what our requirements are. If we wax a bit, and dream up the ultimate set of requirements for strong passwords, it might look something like this:
The passwords must be easy to remember. If you can’t remember it, you may be caught short and not be able to log in. If you have to write it down, someone could see it or snatch the sticky note. Also, if a user has to write their password down, they are likely to write it down where all the world can see it.
The password must have a random character distribution. This is different than being random you might note. A fully random password means that a password of all ‘A’s is equally possible to any other; what we really want is a random distribution of letters within the password (I hope I said that right!). In that case, all ‘A’s would be impossible as the distribution is all on the letter A. The ideal would be random letter distribution, but an English (or native language) letter distribution would probably be suitable.
Writing down the password must not give it away. This is one I’ve not seen anywhere, but it would be nice.
A new password must be easy to generate. Ever have to come up with a suitable password? Of course… but how long does it take to come up with one that is both secure and easy to remember?
So how do we come up with passwords and adhere to our given requirements?
My thoughts are: use a phrase you can remember (easy to remember) and then write it down in a series of boxes - that is, in a 6×6 grid for example. With such a grid, you could then write in a sentence (left to right), then read the letters in a different order (perhaps top to bottom, over one, bottom to top, over one, top to bottom …). In essence, you are memorizing a simple and easy password and a pattern - then typing in the resulting text. Left over characters could be Xs or Zs or numbers or special characters.
I can’t speak to the strength of this method, but I suspect it is pretty strong. You could even “clip” the password at a certain number of characters while using a large phrase - which would make it stronger perhaps, since the entire phrase would not be used.
If this interested you, you may also be interested in Diceware: a method of using dice to select words (for a passphrase) in a wordlist. There are some interesting ideas on how to make the passphrase stronger, and so on. However, my idea requires no additional materials at all and results in a seemingly random set of characters for a password.
Leave a Comment
Some HTML allowed:
<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>
Trackback this post | Subscribe to the comments via RSS Feed