When you ask someone responsible what your password(s) should look like, he usually answers like a typical assistant at any academy who needs to prove that he is smart. You may hear something like: "At least 6 characters, better make it 10. Difficult to guess for everyone but easy to remember for you. So nothing from a dictionary, nothing personal. Better use a password generator." Helpful, isn't it?
A fair question right at the beginning: "Is it really SO IMPORTANT? Something really worth caring about?" I personally believe: "Yes, it is. Definitely!" Please let me explain. To put it simply, your password asserts to the computer that you really are the person you claim to be. Anyone who knows your password will be able to do anything that you are allowed to do. Even worse: you can be held responsible for the actions he performed. So I deeply believe that passwords are definitely worth caring about.
As I did in my research on hiding e-mail addresses, I concluded that I have to use the same method again. So I surfed the internet for a few weeks, checking. Not all of the ideas here are original. In fact, most of them come from someone else's head. But as "His Magnificence" (the academy rector) said: "90% of any PhD's research is borrowing. You need those 10% in order not to be called a copyist or plagiarist." I hope those 10% of my original ideas are present.
Well, I will start with the opposite matter.
So, what a password should definitely NOT look like, or what not to use as a password:
- A word from any dictionary, in any language
- A word which has a meaning in any context
- A name, no matter whether it belongs to a male or a female, a person living or dead, real or fictional (Shakespeare, myths, the Bible, angels, etc.), a pet, an asteroid or other cosmic body (star, satellite), a machine, a tool, an entertainment legend (cartoon, movie, sport, actor, song, singer) or anything similar
- Other grammatical categories, such as short phrases and abbreviations
- Numerical, alphabetical and keyboard sequences
- Famous misspelled versions of words
- So-called SMS or emoticon (smiley) shortcuts: e.g. QT = "cutie", U4E = "yours for ever", "@)" means "pig", ":-)" means "happy smile"
- A password you found somewhere, even if it was given as an example of a good password
And additionally, any of the above modified in any of these ways:
- A single character before or after it, e.g. "earth1", "2enter"
- With a single letter capitalized (not necessarily the first one), e.g. "Hello", "myAccess"
- Reversed, doubled or mirrored, e.g. "mice" modified to "ecim", "micemice", "miceecim"
- With letters substituted by digits: the famous substitutions are "o" with "0" (oscar / zero) and "l" or "i" with "1" (lima / india / one), inherited from typewriters, e.g. "1amg01ng"
- With a single word or phrase replaced by its SMS or emoticon version, e.g. "see you soon" transformed to "CUsoon"
The most common emoticons (smileys) and SMS phrases can be viewed in these text documents.
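The modifications listed above are exactly what a password cracker's word-mangling rules produce, so applying them buys almost nothing: each dictionary word turns into a few dozen candidates, not into a random string. The following Python is an added example, not code from the original tutorial. It generates those variants for a word and uses them to check whether a candidate password is merely a mangled dictionary word. The six-word list and the choice of letters and digits (no punctuation) for the single prefix/suffix rule are assumptions made for the illustration.

```python
import itertools
import string

# Added example, not code from the original tutorial. It enumerates the weak
# modifications listed in the text and uses them as a check against a word list.

# Look-alike digit substitutions named in the text (o -> 0, l -> 1, i -> 1).
LEET = {"o": "0", "l": "1", "i": "1"}
# Characters tried as a single prefix or suffix; restricting this to letters
# and digits is an assumption of the example.
SINGLE = string.ascii_lowercase + string.digits
# A constructed word list standing in for a real dictionary.
WORDS = ["mice", "earth", "enter", "hello", "access", "going"]


def mangle(word):
    """Return the word and every variant produced by the modifications above,
    deduplicated and in generation order."""
    w = word.lower()
    variants = [w]
    # a single character before or after: "earth1", "2enter"
    for c in SINGLE:
        variants += [w + c, c + w]
    # a single letter capitalized, not necessarily the first: "Hello", "micE"
    for i in range(len(w)):
        variants.append(w[:i] + w[i].upper() + w[i + 1:])
    # reversed, doubled, mirrored: "ecim", "micemice", "miceecim"
    variants += [w[::-1], w * 2, w + w[::-1]]
    # look-alike digits, in every combination of substituted positions: "g01ng"
    choices = [(c, LEET[c]) if c in LEET else (c,) for c in w]
    variants += ["".join(p) for p in itertools.product(*choices)]
    return list(dict.fromkeys(variants))


def base_word(candidate, words=WORDS):
    """Return the dictionary word the candidate is a trivial modification of,
    or None if no word in the list explains it."""
    for w in words:
        if candidate in mangle(w):
            return w
    return None


def search_space(words=WORDS):
    """Total number of candidates an attacker has to try for this word list:
    a small constant multiple of the list size, nothing like a random search."""
    return sum(len(mangle(w)) for w in words)


if __name__ == "__main__":
    for candidate in ("earth1", "2enter", "miceecim", "g01ng", "11ed&Rp1nf"):
        print(f"{candidate!r}: derived from {base_word(candidate)!r}")
    print(f"{len(WORDS)} words expand to only {search_space()} candidates")
```

Every extra rule only multiplies the word list by a small factor; a cracker that already has the dictionary gets all of these variants for free, which is why the list above is a list of things not to do.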
Maybe you have concluded that there is no way to create a password without the help of a password generator. And, by the way, why not use one to generate a random character sequence? If it is good enough for the activation codes of software costing thousands, surely it can manage such a simple task.
True, but there is one difference: activation codes can be even 30 characters long because they are always written down somewhere. Your password you must hold in your memory; otherwise it is meaningless.
Your password should be at least 6 characters long. The usual maximum is 8 characters because of a restriction of traditional UNIX systems: the classic DES-based crypt(3) keeps only the first 8 characters of the password (and only the low 7 bits of each) and silently ignores the rest, so a longer password gains nothing there. Newer password hashes (MD5-crypt and later) do not truncate, but you cannot always tell which one a given system uses, so put the unpredictable part of your password into the first 8 characters. Do not over-estimate the strength those 8 characters give you: the 56-bit DES key is an upper bound that only a perfectly random 7-bit string would reach. 8 characters drawn from the 95 printable ASCII characters give about 52 bits (95^8 ≈ 6.6·10^15 possibilities), and 8 lowercase letters give only about 38 bits (26^8 ≈ 2.1·10^11), a space roughly 2^15 times smaller. Someone with a single computer who tries every possibility against the full printable space will presently spend roughly a year; against a lowercase-only password the same computer is done in a small fraction of that time.
Maybe you have heard that software from the end of the 90's (like Microsoft Office 97 or Adobe Acrobat 4.0) had its encryption key length limited to 40 bits because of the International Traffic in Arms Regulations, whose origin was to keep hostile governments (the Nazi government, back in 1943) from buying American technology. Later the Bill Clinton administration raised the limit to 56 bits. As of now there are no restrictions for some algorithms in the USA and no restrictions for any algorithm in the European Union. See the official page of the European Parliament's ECHELON committee at www.europarl.eu.int/committees/echelon_home.htm for details about interception capabilities, or the Electronic Frontier Foundation site at www.eff.org. I mentioned this also in the cookies tutorial. The relevant legislation is the "Encryption Final Act" and "Network and Information Security" in the EU and the "Export Administration Regulations" (see its FAQ site) in the USA.
I personally believe that the only effective route, and in the end the only one, is squeezing some phrase into a few letters and additionally adding some digits and punctuation (control characters too, but never use ^D, ^U or ^H: the terminal interprets them as end-of-file, kill-line and erase/backspace and will not pass them on to the login program).
For example, let the phrase that helps us memorize our password be: "Log-in every day and recalling the password is not fun." We squeeze it to "lied&rpinf" and change the letters "l" and "i" to "1", so the password becomes "11ed&rp1nf". It has 10 characters, so on a traditional UNIX system only the first 8 count and the last two are ignored. Additionally we can capitalize e.g. the "r" after the shortened "and": "11ed&Rp1nf".
Or you can take every second word, or the last letter of each word (instead of the first), or something unimaginable. Just use your imagination, but go further than simple misspelling.
What letter case should you prefer? Capital or lowercase? I think it is not a matter of life or death. Most people prefer lowercase letters, because the keyboard sends them by default and they come after the capital letters in the ASCII / Unicode table. Their logic presumes that someone who wants to crack a password by brute force (checking all possible combinations) will logically use the simplest loop: for password_letter = 'A' to 'z' do ... . Usually they are not wrong. However, I have seen a few source codes which start checking with lowercase letters, then continue with punctuation (mostly only '.', ':', '/', '\', '!', with the rest left to the end of the process), then digits and finally capital letters. They are not significantly slower than the simple loop (more or less up to 0.1%) and will probably find the correct phrase much sooner.
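The two brute-force orderings just described, and the key-space figures from the paragraph on password length, can be checked with a few lines of arithmetic. The following Python is an added example, not code from the original tutorial. It computes how many guesses an exhaustive search makes before reaching a given password under the simple 'A'..'z' loop and under the reordered search (lowercase, then punctuation, then digits, then capitals), and how large the 8-character spaces for different alphabets are. The exact punctuation set in the reordered alphabet (the five marks named above, the rest omitted) and the guess rate of one million per second used for the time estimate are assumptions of the example.

```python
import math
import string

# Added example, not code from the original tutorial: how much the order of an
# exhaustive search matters, and how big the search space really is.

# 1. The "simplest loop" from the text: every character from 'A' to 'z' in
#    ASCII order. Note that this range also contains [ \ ] ^ _ ` but no digits
#    and none of the common punctuation.
ASCII_LOOP = "".join(chr(c) for c in range(ord("A"), ord("z") + 1))   # 58 symbols

# 2. The reordered search the text describes: lowercase first, then the five
#    punctuation marks it names, then digits, then capitals. Which punctuation
#    is included, and in what order, is an assumption of this example.
REORDERED = string.ascii_lowercase + ".:/\\!" + string.digits + string.ascii_uppercase   # 67 symbols


def keyspace_bits(alphabet_size, length):
    """Bits of search space for `length` characters drawn uniformly from the alphabet."""
    return length * math.log2(alphabet_size)


def brute_force_seconds(alphabet_size, length, guesses_per_second):
    """Worst-case time to enumerate every candidate of exactly `length` characters."""
    return alphabet_size ** length / guesses_per_second


def rank(password, alphabet):
    """Number of candidates an exhaustive search tries *before* `password` when it
    enumerates length 1, then length 2, ... and, within each length, runs through
    the alphabet in the given order (rightmost position fastest). A password using a
    character outside the alphabet is never found, so that is an error here."""
    k = len(alphabet)
    index = {c: i for i, c in enumerate(alphabet)}
    if any(c not in index for c in password):
        raise ValueError("password contains characters outside the search alphabet")
    n = len(password)
    shorter = sum(k ** i for i in range(1, n))      # every candidate of length < n
    same_length = 0
    for c in password:                              # mixed-radix position within length n
        same_length = same_length * k + index[c]
    return shorter + same_length


def compare(password):
    """Guesses needed (rank + 1) under both orderings, for a quick comparison."""
    return {
        "ascii_loop": rank(password, ASCII_LOOP) + 1,
        "reordered": rank(password, REORDERED) + 1,
    }


if __name__ == "__main__":
    # Full printable-ASCII space versus lowercase only, both at 8 characters.
    print(f"95^8: {keyspace_bits(95, 8):.1f} bits, 26^8: {keyspace_bits(26, 8):.1f} bits")
    # Assumed rate of 1e6 guesses/s: a round number for illustration only.
    for size in (26, 95):
        days = brute_force_seconds(size, 8, 1e6) / 86400
        print(f"alphabet {size}, length 8: {days:,.0f} days at 1e6 guesses/s")
    # A lowercase password is reached much sooner by the reordered search ...
    print("hello", compare("hello"))
    # ... and an all-capital one much later.
    print("HELLO", compare("HELLO"))
```

The per-guess cost is the same in both loops; what changes is how early the search passes the region where most human-chosen passwords live. That is the whole advantage of the reordered search, and it is also why a password drawn from the entire character set, not just one block of it, is the only real defence against either ordering.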
Keep your password to yourself and never give it to anyone under any circumstances. Behind the most famous break-ins there are usually not technical skills but trivial human psychology. Be especially aware of the following, still successful, traps:
- An e-mail from the "system administrator" saying that he needs your password to access your files because you occupy too much space, or something similar. A system administrator never needs your password for any reason! His work simply does not depend on this knowledge.
- An e-mail from the "system administrator" requesting that you change your password. The same as above: a system administrator can change your password himself in case of emergency.
- A telephone request for one of the general access passwords from a "technician" who accidentally forgot his. Most victims are fresh employees, those who have just been introduced in the newest company magazine or on the appropriate notice board. Both media are accessible to the public too. So someone can call them and ask for help.
Most of these techniques are described in the classic book The Cuckoo's Egg by Clifford Stoll. If you want to know more about real cases of human naivety, try searching the web for the phrase "social engineering".
You may translate or link to this tutorial under the conditions written on this domain's "Legal Stuff" page, provided they are followed. If in any doubt, please contact me.
Copyrights, trademarks and credits are collected here.
Marián Stach
Prešov, Slovakia Central Europe
2003-09-08