A Guide To Creating Strong but Memorable Passwords

Started by Ryex, May 31, 2014, 08:31:04 pm


Ryex

A Guide To Creating Strong but Memorable Passwords
By: Ryex




Introduction

Password security has been on my mind for a while now. The industry has completely misled its users about what makes a strong password. No doubt most of you have seen this XKCD comic on the topic

http://xkcd.com/936/


Big companies are guilty of this. Netflix, for example, actually limits you to using no more than 10 characters in your password; the example password in the comic has 11 and would only take 3 days. 10 characters drops the complexity by an order of magnitude to 2^24, so your average Netflix password could be guessed in just under 5 hours with an unintelligent brute force.

A better examination of the problem can be found on the XKCD explain wiki http://www.explainxkcd.com/wiki/index.php/936:_Password_Strength

Long story short: length ALWAYS beats complexity, but a little bit of complexity helps.

Sadly, as explained on the wiki, XKCD's analysis is slightly flawed in that dictionary attacks are still a problem. That, and my discussions about the problem with people who aren't tech savvy, has revealed to me that a password like "correcthorsebatterystaple" is hard to come up with and remember as well, because of the nonsensical nature of its origin, which means that we need another solution.

There is one problem that the comic does not address: the problem of password reuse. Most people will use a small selection of passwords on multiple accounts spread all over, and this is a big problem because not all sites have the same security. Gaining access to the database of one site can give a hacker a table of email addresses and passwords to try elsewhere. Add to this the existence of pre-hashed password tables (large databases of passwords and their known hash value with a specific algorithm) and a hacker doesn't even have to do much work. Get admin access to a somewhat obscure low-security site and bam, more likely than not he has hundreds of account credentials on sites like Facebook and Twitter; those accounts can get him more personal information, possibly enough to steal an identity.

Entropy

Pulled from the explain page:
"In simple cases the entropy of a password is calculated as a^b where a is the number of allowed symbols and b is its length."

a^b gives you the number of possibilities, to get the number of bits you take the log base 2.

Entropy in bits = log2(a^b).

To put this in more relatable terms: if you have a password like "buddy" then that password's entropy is log2(26^5) = 23.5 bits. 26 for all the lowercase letters in the alphabet, 5 for the 5 letters in buddy. Let's add a capital and make the password "Buddy"; now the entropy is log2((26*2)^5) = 28.5 bits, because now there are 26 more possibilities for the capital letters. Add a number? "Buddy3": log2((26*2 + 10)^6) = 35 bits; add 10 for the 10 possible digits. Add a symbol and the entropy grows again. But this is an extremely simplified analysis. In the real world there is such a thing as a "dictionary attack" that basically reduces all common words (including capitals and number substitutions for letters) to about 12 bits of entropy each, so "Buddy3"'s real entropy is more like 13 bits or lower.





Solution

Have no fear, I'm here to solve your problem. I'm going to give you a way to create unique, easy to remember, strong passwords for anything and everything.

Step 1: Create a pattern/template
If all your passwords have a similar, somewhat predictable format that is filled in with unique information for each account, it is easy for YOU (not the hacker) to recreate your password from readily available information even if you forget it.

Examples of patterns you might use are:
<name><word related to site><significant number>@<word of personal significance>  -> like an email, example: DogFoodShoping1492@TauOfFood
<related word><some name (city, pet, etc.)>:[<significant number>  -> good for a location linked account, example: ApplesNewYork:[1851993

As you can see, this quickly creates passwords over 20 characters long that are still easy to remember. The pattern should be unique to you, which means that while you could use one of my example patterns, it's best to use one that will be easy for YOU to remember.

But wait, significant dates? Pet names? You're not supposed to use those in a password! You are correct, good sir, that is what the prevailing wisdom has been for years. But the problem has never been with USING the information in the password, it's been with basing your password on it. Let's be honest here: if your pet's name is buddy and your birthday is the 18th of May 1993, then buddy1851993 is a TERRIBLE password. But if, say, you're on Amazon and you made your password TreetsForBuddy185@93BestDay, that's an entirely different story because of HOW the information is used. It constructs a sentence that will be in your style of speaking. It's long and relatively complex enough that even someone who knew you and that information would have a very difficult time guessing the password, as there are so many places to mess up.

Step 2: Fill in your Template

You have a template? Good, now you just have to fill it in and you're golden!

Ask yourself a few questions.
What is the account for?
Online shopping? What do you plan to buy?
Social network? What's the general topic?
Bank? What's important to you financially? What are you saving for?
Need a number? What's the month and year today? What are the last 4 digits of your license plate? Is this the 0001st time you're doing this?

example: LittleNowMoreLater514;CollegeBaby

Something to notice is that I CamelCase the passwords in the examples. This is to make use of capitals: when you employ at least 1 capital letter you double the number of possible characters that could make up the rest of the password, doubling your entropy (aka strength) over a password of all lower case. What's more, employing CamelCase means that I end up using a capital and I can get past all the inane (you must use at least 1 capital and one digit) password security checks when signing up at websites. So long as they don't limit the number of characters you can use (NETFLIX), you're golden. I also usually use some symbols like a semicolon in a predictable place next to a number. But your pattern should be your own.

Step 3: You're Done!

You now have a password that is unique and related to the topic of the account, easy for you to remember or remake, but impossible for a computer or your best friend to guess in any reasonable amount of time (aka a human lifespan). Yay!






Additional Notes


  • As with all published password advice NEVER use a password that has been provided as an example, they quickly get added into search databases and effectively have no entropy.

  • Some sites (Netflix etc.) limit you to a 10-13 character password. These sites are created by trained security monkeys and the caretaker leaves the keys under the front mat. Never trust these sites with any important information. Use the maximum password length you can and hope for the best.

  • I have done very little in terms of mathematical analysis on how strong my example passwords are, but the rules to keep in mind when you fill out a template are

    • Use uncommon words (avoid Dog, The, Town, etc.); this breaks the usefulness of dictionary attacks

    • Length is what matters

    • you want to remember it



  • I'm not a security expert, take my advice with a grain (or more) of salt



Comments? Critique? Complaints? Compliments? Post below!
I no longer keep up with posts in the forum very well. If you have a question or comment, about my work or in general, I welcome PMs. If you make a post in one of my threads and I don't reply within a day or two, feel free to PM me and point it out to me.

DropBox, the best free file syncing service there is.
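As an added example (not code from the original post), here is a small Python model of the two entropy estimates in the Entropy section: the naive log2(a^b) character-class model and the dictionary-aware correction that charges each recognised common word about 12 bits, plus the 1000 guesses/s benchmark Ryex quotes later in the thread. The word list, the symbol-class size and the substitution table are constructed assumptions.

```python
import math
import string

# Constructed stand-in for a cracking dictionary; a real attack uses lists of
# millions of words, this set is only enough to show the mechanism.
COMMON_WORDS = {"buddy", "dog", "food", "the", "town", "apple", "of", "password"}

# Character classes as the post counts them: 26 lowercase, 26 uppercase, 10
# digits. The symbol count (ASCII punctuation) is an assumption.
CLASSES = [(str.islower, 26), (str.isupper, 26), (str.isdigit, 10),
           (lambda c: c in string.punctuation, len(string.punctuation))]

# Assumed number/symbol substitutions that dictionary rules undo (0->o, 1->l, ...).
LEET = str.maketrans("013457@$", "oleastas")

def charset_size(pw: str) -> int:
    """Alphabet size 'a' in the post's a^b model: sum of the classes present."""
    return sum(n for test, n in CLASSES if any(test(c) for c in pw))

def naive_bits(pw: str) -> float:
    """Entropy in bits = log2(a^b) = b * log2(a), the post's simple model."""
    a = charset_size(pw)
    return len(pw) * math.log2(a) if a else 0.0

def dictionary_bits(pw: str, bits_per_word: float = 12.0) -> float:
    """Dictionary-aware estimate: each recognised common word (case and leet
    substitutions ignored) costs ~12 bits; leftover characters pay the naive rate."""
    norm = pw.lower().translate(LEET)
    bits, leftover, i = 0.0, "", 0
    while i < len(norm):
        # Greedy: longest dictionary word starting at position i, if any.
        best = max((len(w) for w in COMMON_WORDS if norm.startswith(w, i)), default=0)
        if best:
            bits += bits_per_word
            i += best
        else:
            leftover += pw[i]  # keep the original character, not the normalised one
            i += 1
    return bits + naive_bits(leftover)

def years_to_exhaust(bits: float, guesses_per_second: float = 1000.0) -> float:
    """Years to try every candidate at the post's benchmark of 1000 guesses/s."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)

if __name__ == "__main__":
    for pw in ("buddy", "Buddy", "Buddy3", "DogFoodShoping1492@TauOfFood"):
        print(f"{pw:30} naive {naive_bits(pw):5.1f} bits, dictionary-aware "
              f"{dictionary_bits(pw):5.1f} bits, {years_to_exhaust(dictionary_bits(pw)):.2g} years")
```

Running it reproduces the post's 23.5, 28.5 and 35 bit figures, shows "Buddy3" collapsing to roughly 15 bits once "buddy" is treated as one dictionary token, and shows the long template password keeping well over 100 bits even after its common words are discounted.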

Blizzard

May 31, 2014, 08:49:57 pm #1 Last Edit: May 31, 2014, 08:52:21 pm by Blizzard
My friend told me what he does. He has a base password and appends the last two letters of the website's main domain name. That way his other passwords are safe if any one of the passwords is compromised. It's much easier to remember for you than using a word related to the website.
Check out Daygames and our games:

King of Booze 2      King of Booze: Never Ever
Drinking Game for Android      Never have I ever for Android
Drinking Game for iOS      Never have I ever for iOS


Quote from: winkio: I do not speak to bricks, either as individuals or in wall form.

Quote from: Barney Stinson: When I get sad, I stop being sad and be awesome instead. True story.


Zexion

This is a really good post o.o
But then is it right to say that a password of numbers is weaker than spicing it up?
For example usually I use a letter and then a serial number of some kind. That way if I forget the number, I just look at whatever I got the serial number from. The letter is usually the same though... Would it make it more secure to instead add a word somewhere between serials?

Blizzard

You should definitely add one number and one caps letter in there, because some sites require you to have upper and lower caps letters as well as numbers in your password. That way you can truly use your base password anywhere. I've started switching my password scheme to a method like that, too.

Ryex

I edited, added a section on calculating entropy, fixed a few typos etc.

Quote from: Blizzard on May 31, 2014, 08:49:57 pm
My friend told me what he does. He has a base password and appends the last two letters of the website's main domain name. That way his other passwords are safe if any one of the passwords are compromised. It's much easier to remember for you than using a word related to the website.

As I said, the template is up to you. The goal is to create a long password with enough entropy; even using a base password and extending it for each site with a few letters will create enough entropy to counter the reuse. As long as you get to 35 bits of entropy, a password is too hard to guess in a reasonable time frame (1 year at 1000/s).

Heretic86

I think people need to stop using "12345", "asdf", and "god" as their passwords.

Oddly, for stronger passwords, use phrases.  "The lazy brown fox humped the chicken"  Totally satisfies entropy.

Problem is that most security weaknesses don't come from shitty passwords, they come from shitty design.  You have 30 seconds to develop an NSA resistant security system.  Go.  What?  Not finished?  You're fired, and we'll just use the code you spent all of 32 seconds writing, security holes and all.
Current Scripts:
Heretic's Moving Platforms

Current Demos:
Collection of Art and 100% Compatible Scripts

(Script Demos are all still available in the Collection link above.  I lost some individual demos due to a server crash.)

Ryex

Quote from: Heretic86 on June 02, 2014, 10:30:04 pm
You have 30 seconds to develop an NSA resistant security system.  Go.  What?  Not finished?  You're fired, and we'll just use the code you spent all of 32 seconds writing, security holes and all.


Actually... it's not that hard. All you have to do is assume every packet of information you receive is an attempt to hack you. Make them explicitly declare exactly what they carry and then double check to be sure that is indeed what they have. If not, kick them out immediately. Allow no fault tolerance, be the TSA. The problem is that's also a good way to end up banning half your intended users with false positives.