Generating the Perfect Password
This is an idea I’ve been rolling around in my head for some time. Now that I have a blog, I can finally share it with you:
For years, system administrators and savvy users have needed to create long passwords to thwart password-guessing attacks. However, those passwords are complicated and hard to remember. Is there a way to create strong, easy-to-remember passwords that are impervious to most attacks? Yes, thanks to something I call the compound password. It’s very simple, but also incredibly powerful. Essentially, the compound password is a juxtaposition of two simple words, with their letters alternating. For example, dcoagt is a compound password. Can you see the two words in there? How about now, looking at every second letter: d(c)o(a)g(t). The two words in the compound password are “cat” and “dog”. To generate the password, “cat” is “inserted” into “dog”, one letter after each letter of “dog”. But what of memorability? To the unenlightened, this looks like randomly generated, hard-to-remember ASCII text. But remember, this is nothing more than the juxtaposition of two words. A simple entry trick means that all you will need to remember is your two words any time you need to type in that password. Here’s how:
(The | represents the cursor, the flashing marker that shows where you are in any text entry field; it should not be typed in):
1. Enter the first keyword: cat|
2. Hold down the left arrow to move to the beginning of the line: |cat
3. Enter the first letter of the second keyword and press the right arrow once: dc|at
4. Enter the next letter of the second keyword and press the right arrow once: dcoa|t
5. Repeat step 4 until the second keyword is fully entered: dcoagt|
That’s it! You now have yourself an impregnable compound password! Now a look at some of the most common password grabbing techniques, and how compound passwords thwart all of them:
- Brute force: The most common reason administrators urge users to choose long passwords with letters and numbers is to thwart brute-force attacks, which try every possible combination of letters and numbers to guess the password. As the length of a password increases, the computing power required to guess every combination increases exponentially. Sure, dcoagt may be easy to brute-force, but what about bguesohrgew (georgew bush)?
- Dictionary: A variation on brute force is guessing passwords from a predefined dictionary/wordlist, often appending single- or double-digit numbers to the end. This improvement on brute force still can’t guess compound passwords though, as they are not found in any dictionary.
- Guessing: Same as dictionary. If someone randomly decides to try dcoagt, they should skip hacking and go straight for the Randi Prize.
With a couple more tricks, even more advanced password grabbers can be foiled.
- Keyloggers: Malicious trojans and keyloggers have the capacity to record every keystroke you make at your computer. However, they do not record mouse clicks. If you are afraid of keyloggers, simply replace each keyboard arrow press with a mouse click: enter your first keyword, click at the beginning of the entry field, and so on. The keylogger will only capture the keys you press, which will look like this: catdog, not even close to your actual password. Great for public computers.
- Shoulder surfing: Shoulder surfing is simply when an attacker stands behind you, watching the keys you press on your keyboard. However, 99% of the time, he will not observe the keyboard arrows you are pressing. Simply put one hand over the arrows and covertly press them as needed while you enter the password with your other hand.
Compound passwords are not a magical solution to everything. They will not protect from phishing attacks or database compromises. But they are an easy way to generate strong, memorable passwords.
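To make the construction and the three attacker models above concrete, here is an added Python example (not code from the original post). It builds a compound password the way the post describes, then estimates the size of the search space for a blind brute-force attacker, for an attacker who knows the alternating scheme and guesses word pairs from a wordlist, and for an attacker holding a keystroke log such as "catdog". The wordlist size of 100,000 is an assumed figure for illustration.

```python
import math
from itertools import zip_longest


def compound(outer: str, inner: str) -> str:
    """Build a compound password as the post describes: after each letter of
    `outer` comes the next letter of `inner`, so compound("dog", "cat") gives
    "dcoagt". When the words differ in length, the leftover letters of the
    longer word are appended in order (compound("bush", "georgew") gives
    "bguesohrgew", the post's second example)."""
    pieces = []
    for o, i in zip_longest(outer, inner, fillvalue=""):
        pieces.append(o + i)
    return "".join(pieces)


def interleaving_count(a: str, b: str) -> int:
    """Number of distinct merges of two words that keep each word's own letter
    order: C(len(a) + len(b), len(a)). For "cat" and "dog" that is 20."""
    return math.comb(len(a) + len(b), len(a))


def brute_force_bits(length: int, alphabet_size: int = 26) -> float:
    """Search space, in bits, for an attacker who knows only the length and
    the alphabet: length * log2(alphabet_size)."""
    return length * math.log2(alphabet_size)


def compound_dictionary_bits(wordlist_size: int) -> float:
    """Search space for an attacker who knows the fixed alternating scheme and
    tries every ordered pair of words from a list of N words: log2(N * N).
    The scheme itself adds nothing beyond the choice of the two words."""
    return 2 * math.log2(wordlist_size)


def keystroke_log_residual_bits(logged: str) -> float:
    """Search space left to someone holding a keystroke log such as "catdog".
    With insert-only cursor movement the final password is some permutation
    of the logged characters, so at most len! candidates remain (log2(6!) is
    about 9.5 bits). Overwriting selected text instead of inserting breaks
    this bound, because the log then contains more characters than the
    password does."""
    return math.log2(math.factorial(len(logged)))


def strength_report(outer: str, inner: str, wordlist_size: int = 100_000) -> dict:
    """Summarise the three attacker models for one compound password.
    wordlist_size is an assumed, illustrative figure."""
    pw = compound(outer, inner)
    return {
        "password": pw,
        "interleavings": interleaving_count(outer, inner),
        "brute_force_bits": round(brute_force_bits(len(pw)), 1),
        "dictionary_scheme_bits": round(compound_dictionary_bits(wordlist_size), 1),
        "keystroke_log_bits": round(keystroke_log_residual_bits(outer + inner), 1),
    }


if __name__ == "__main__":
    for outer, inner in (("dog", "cat"), ("bush", "georgew")):
        print(strength_report(outer, inner))
```

The report makes the trade-off visible: the longer "bguesohrgew" raises the blind brute-force cost from about 28 bits to about 52 bits, but an attacker who knows the scheme still faces only about 33 bits (two words from a 100,000-word list) regardless of how long the words are, and a keystroke log of the six typed characters leaves fewer than 10 bits.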
Update Since Being Dugg: Of course, with the onslaught of diggers some criticism inevitably emerges. People! dcoagt is just an example! I picked three-letter words to combine for ease of demonstration! A real password would have longer words and special characters thrown in there, and would be more like edfifgegc!t (digg! effect). Better?
It’s similar to a method I used to use. If it were in wide use with a specific method, dictionary attacks are possible.
If someone is close enough to see what I type I’d convince them to move. I say this because I had to call security to get someone away from my PC once. They were being an ass about moving away.
I prefer smart cards that have an encryption engine and also require a pin to unlock. For remote applications I’ll take the rolling code devices that require the right code at the right time and a password and login.
My online passwords are completely randomized. I store them in a crypto wallet and don’t really care what they are.
If I felt I needed more security all of my files would be on rewritable removable media and the PC would just be replaceable black box.
Smart cards are obviously the optimal solution, but this method is provided more as a quick and dirty way to make your own passwords more secure.
The method I tend to recommend is one I call “keyshift” — but it is only useful for touch typists. Just use a simple phrase, but move your hands to a different home position before you start. If you combine this with the method mentioned above, utpris ;e;pui;dfb ej ss[ spd\d[erpttgfr!vy
And by using the name of the web site you are on (for example ebay or paypal) and a private keyword (for example the name of your dog - rover), you have a different (memorable) password for every website you visit.
Ebay - reobvaeyr
Paypal - rpoavyepral
One of the coolest methods I learned was from a webhost I worked at years ago: taking song lyrics or phrases and using just the first letter of each word (mnemonics). Then replace a letter with l33t sp34k and capitalize another. Voila, instant easy-to-remember password.
Examples:
Here I am, stuck in the middle with you = hi@sitMwy
You say you want a revolution / Well, you know = y$ywaRwyk
my password for gmail is catering
I use the old Compuserve method of taking two unrelated words (like umbrella and feather) and combining them with a special character, for example: umbrella!feathers. With the right imagination, you can create a “story” around that combo to remember the password. (Why do chickens carry umbrellas? So their feathers don’t get wet.)
I prefer 12345
In 2001, working for a help desk, I asked a customer to change his password with a few special characters. This is what I got as a reply:
“what..like mickey mouse or donald duck?”
dcoagt is an impregnable compound password? Worst password recommendation ever.
[…] maybe not. But most people do pick poor passwords. I just read an article on digg that suggests a method to create an easy, stronger password. I disagree with this nonsense method, as it is exactly the type of complicated thing that leads to […]
A simpler solution is taking a phrase of your own devising and using the first letters, and adding alphanumeric characters as desired. This phrase can be a song, a book title, or something longer for extra protection.
E.g. My Old Kentucky Home becomes mokh. Add a birthdate or something else you easily remember and it can become mokh*2159.
Easier device than word juxtaposition in my opinion.
I prefer the RMM, or Random Monkey Method. For the absolute most secure way to encrypt a password, let a monkey randomly type it in for you. Sure, you may have some Shakespeare every once in a while, but for the most part it’s safe.
I’m still trying to develop the RMMDM, or Random Monkey Method Decoder Monkey. It’s proving much more difficult than I first realized, but it should be ready before Duke Nukem Forever comes out.
I’m working on disposable monkeys as well for the ultimate form of encryption.
I use a password vault, that randomly generates passwords for me, it takes a few days, but I start to memorize them as they are, and the vault is protected by a 42 digit password that is standard for anything that I need to secure.
With a typing speed of 90 wpm, it’s damn hard to spot what someone’s password is when all they see is a blur of fingers.
Generating the Perfect Password
How to easily create personal passwords that are easy to remember and withstand brute force attacks, keyloggers, and even shoulder surfing.
Another method is using a password hash tool to generate a unique hash for a certain website based on a master password. It looks at the domain, so calendar.google.com and mail.google.com are the same pass.
I’ve been using the bookmarklet at http://labs.zarate.org/passwd_new/ and haven’t run into any problems. Not good for offline stuff, but dcoagt wouldn’t be either. There is a mobile page there too for generating passwords on a different machine or your cell/blackberry.
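The per-site hashing the comment above describes can be written in a few lines; the following is an added Python example, not the bookmarklet's own code. It keys an HMAC-SHA256 on the master password, feeds it the site's domain, and truncates the base64 output, so mail.google.com and calendar.google.com get the same password while other sites get unrelated ones. The assumption that the last two hostname labels are the registrable domain is a simplification made for this example (it is wrong for suffixes such as .co.uk); the master password and hostnames used are constructed sample values.

```python
import base64
import hashlib
import hmac


def site_key(hostname: str) -> str:
    """Collapse a hostname to the domain the password is keyed on, so that
    mail.google.com and calendar.google.com yield the same password.
    Assumption for this example: the last two labels are the registrable
    domain. A real tool would consult the public suffix list instead."""
    labels = hostname.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def derive_site_password(master: str, hostname: str, length: int = 16) -> str:
    """Per-site password = first `length` characters of
    base64(HMAC-SHA256(key=master, msg=domain)).

    Using HMAC keeps the per-site passwords independent of one another: a
    site that leaks its copy learns nothing about other sites' passwords
    and cannot recover the master except by guessing it."""
    mac = hmac.new(master.encode("utf-8"),
                   site_key(hostname).encode("utf-8"),
                   hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")[:length]


if __name__ == "__main__":
    master = "correct horse battery staple"  # constructed sample master password
    for host in ("mail.google.com", "calendar.google.com", "www.yahoo.com"):
        print(f"{host:22} {derive_site_password(master, host)}")
```

Two caveats a user of such a tool should keep in mind: every site password is a deterministic function of the master, so anyone who obtains one site password can test master-password guesses offline at hash speed, which means the master must be long and unguessable; and the truncated output may not satisfy a site's character-class rules, so a real tool needs a way to enforce them without making the output predictable.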
Mine is *******
Does that make me incredibly smart, or incredibly stupid?
The trick I use is to take a simple password and press the key to the right of it (e.g. ‘q’ becomes ‘w’). If the key is on the far right then roll over to the far left (e.g. ‘p’ becomes ‘q’).
‘dogcat’ becomes ‘fphvsy’
It might feel a little awkward at first, but once the muscle memory kicks in …
@Stephen VanDyke: Same method I use
But remember, l33t alone is no good for password generation if you use it on dictionary words alone - most password cracking apps speak l33t well and will try most common dictionary words with l33t substitutions on their second attack (after running the list plaintext).
Marco
Better yet, get onboard OpenID…one password, one login, multiple personas, improved security…surf all day. http://openid.net/
Teeg has the right idea. Memorizing a randomly-generated password is not really all that difficult; people are just unwilling to spend the time that it takes. 10ish minutes of concentration should get you well over 20 characters. Rarely are the randomly-generated passwords assigned by your sysadmin this long anyway.
I like this tip, I would be more comfortable with throwing in a non alpha-numeric character or two.
My method is perhaps a little odd. I open a text editor, find my home keys, and then randomly strike 7 - 10 keys, more like hitting the keyboard with all 8 fingers. Just now I came up with “oawiufh”, then I stick a non-alphanumeric character somewhere in the middle, so maybe I end up with “oaw^iufh”.
Of course, “oaw^iufh” will never be cracked in a dictionary attack.
But the biggest reason I prefer this method over others I have tried: the way the password is generated almost guarantees that, at least for YOU on the keyboard you used to generate it, the password will feel very natural to input; it just flows from one character to the next very well.
The best way I can describe it is, I don’t so much memorize the password itself, as the gesture used to create it…. and it only takes 4 or 5 practice entries for my fingers to memorize the gesture.
Even after weeks of use, I generally either need to have a keyboard in front of me, or perform the ‘gesture’ in my head if I for some reason need to recall the password itself. Maybe the fact that I don’t even have it memorized makes it even more secure?
Just my 2 bits, everyone else may well hate this idea.
Nice idea, i don’t think this is a “perfect password” generator, but it helps
I really don’t like this method because it’s too simple. It’s a great idea because it gets people on the right track of not just using a single dictionary word as a password, it trivializes the solution by saying that alternating letters of 2 dictionary words makes the password impregnable. This would have been a perfect article had you just suggested coming up with novel ways of combining multiple dictionary words rather than suggesting using your method.
I personally stay away from dictionary words entirely, but that’s not to say that the following wouldn’t be just as secure as anything I use… taking your method a bit further…
1.) two dictionary words are selected: cat & dog.
2.) optional modifiers are applied.
2a) 1337speak on the first dictionary word and then it is reversed: c47 -> 74c
2b) Alternating Caps on the second: DoG
2.) a combination method is selected, we’ll use yours: 7D4ocG
Personally I stay away from these methods though, because the complexity required to make a sufficiently strong password makes it much more difficult to type, which makes it easier for someone to see me type it over my shoulder. Your method does correctly state that using the mouse to change the position of the cursor while typing does very slightly improve keystroke recorder susceptibility, but you fail to mention the length of time it takes to try all iterations once given your 6 characters as the password (keystroke recorder would see “catdog”, they try all possible combinations.. and voila)… hopefully they get locked out first and you’re notified of the attempt.
My personally preferred method relates to patterns on the keyboard because they can be typed at incredible speed and are entirely not based upon dictionary words… thus making the dictionary attack useless. A keyboard pattern attack could be written, but the true password strength lies in the strength of the pattern. It has the added benefit that the pattern can be moved on your keyboard to create many passwords that are entirely different in visual representation but require no extra work in memorizing them. Example:
6&YtGhNb is a pattern I just devised as an example… transposed it could be…
1@WqAsXz
2#EwSdCx
3$ReDfVc
4%TrFgBv
etc… need a new password? don’t just throw away your old one, add to it… add one new layer of complexity each time you change your password… next time do:
bVFgTR4%
xZAsWQ1@
cXSdEW2#
Do you see the patterns? Without having at least 2-3 of the passwords, you’d never be able to discover them, which makes them pretty safe to use the same pattern for your different accounts, and just change the password scheme occasionally… all you have to remember for each site is the letter your pattern begins on.
Jamon
@JPresEfnet,
Very similar to my method actually… I gave an example that uses less of this for readability purposes, but combining the method you describe and the one I describe makes for a very strong password that can be input lightning fast… which adds a nice layer of protection.
oh, if anyone absolutely can’t figure out the patterns and it’s driving them crazy toss me an e-mail at JamonTerrell @ your favorite Google owned e-mail service
“I use the old Compuserve method of taking two unrelated words (like umbrella and feather) and combining them with a special character, for example: umbrella!feathers.”
That’s easy to break, unfortunately. Password crackers are sophisticated enough to see right through that, or anything that uses dictionary words, even if they’re d!sgu!5eD.
so smart, man
head -c 8 /dev/random > /tmp/gen_password
openssl enc -base64 -in /tmp/gen_password | head -c 10
done and done.
Of course, a simple math problem makes an excellent password. For example, 5*6+2=32 could become 5times6+two=30two or cinque*six+dos=32, etc. Complicated, long and easy to remember.
I don’t think this is a very good way of creating passwords. Many sites now require that a password be of mixed case, include numerals and possibly a special character.
I use a program called 4UOnly put out by Dillobits Software for storing my passwords. You add an entry for a service (e.g. “Wordpress”) along with your username. The program can then generate a random password with the options you select. It also supports copy-paste so you never have to type in your password or even remember what it is. It’s small enough that I keep it on a usb stick so I can bring it wherever I go.
ugh, I used to interpolate words for passwords like this. Now that someone blogged the method, I’m sure standard dictionary cracking tools are going to start checking this as well. So much for that idea.
I just really don’t know who’d want my password anyway. Dave, how is math easy to remember?? hahaha. I think I’ll stick to my standard one…not tellin what that is though!
About the keylogger tip: although they will not know the password, they will have everything they need to perform a brute-force attack.
They can easily compile a list of all the permutations and do an attack based on that, 100% success rate!
Unless you take it one step further: use your mouse to highlight a section of the text, then overwrite. This will ensure that the logged text is of a greater length than your key, so no same-length permutation will work.
Bobak
I like the initial letters approach. Makes it very easy to remember for the person entering it, and is easily combined with caps, nums & special characters. eg. The River - “I Come from down in the valley, Where mister when you’re young” becomes !cfd1tVwmWyY
Passwords are never going to be 100% secure, and there has to be a balance between complexity and practicality, along with a recognition that they are only one element of the whole security picture.
Good article though, and obviously you’ve struck a chord here, judging from the number of comments
I use the first three letters of something in capitals (possibly an acronym), the first three letters of something in lowercase, then three numbers.
This is all pointless if someone can use a rainbow table to reverse hash your password. No matter how complex or twisted you make the password a rainbow table can reverse it.
These days you are much better off to use a sentence: TheQuickBownFoxJumpedOverTheLazyDog
Safety is found in length, not in complexity.
I’ve been using a simple algorithm for years but started appending to it recently. Basically I use the site (because you can always remember that) + a special word like clown (could be more complex like &*() or 7890) with a final 2 characters you can rotate if required, like at work (4r | 5t | 6y | 9o), whatever.
Example
Yahoo – Yahooclown4r
Google – Googleclown4r
Digg – Diggclown4r
Work – workclown4r next 45 day password change goes to workclown5t
But honestly I’m using roboform because it’s just simpler.
www.grc.com/password/
Best one I’ve found yet.
I may not use the full line that is generated but rather a part of it though.
[…] Generating the Perfect Password […]
Ok, enough with “cool new way to remember your password” entries on digg.
Hi. I take the name of my favorite escort (Sandra) and mix it with the name of my most annoying STD, giving me ShAeNrDpReAs. Works for me.
- - Horseonovich
12345?
That’s the same combination I have for my luggage!
Very nice idea for creating a password. I especially like the way you foil the trojans by using mouse clicks and cursor spaces. This works fine and dandy for passwords that do not change. How ’bout a design for passwords that have to change every 30 days or so?
I use a special character in place of a=@ and any two numbers at the end, all just to make a more complex password, but I really like the idea of the Compound password.
I know a few songs on piano, so I just pretend my keyboard is a piano and play a song. Tada! Instant 24-25 character password I can type in 3 seconds. When I need to change it, just start on a different key.
Nice
Cool. I just take the acronym of a short sentence usually.
[…] another method for creating a decent password that I stumbled across today. Essentially, the compound password is a juxtaposition of two simple […]
I work for a VoIP service so I use phone numbers with the special characters above the last number at the end and names throughout. Been doing it for years. Quick to enter, complex, and easy to remember. Example:
old friend Andy at 2471591
A2n4D7y1591!
or
Justin 2235838
J2u2S3t5I8n38*
and you can combine them for a hardened pwd
A2n4D7y1591!J2u2S3t5I8n38*
then the hint (if you need one) is “Andy,Justin”
Wouldn’t use any of your own numbers…..
Sounds like a cool idea, but a bit confusing? Having worked with older folk and their computers, I’d like to see you explain how to enter it to some of the old folk I’ve helped with their computers.
Overlapping Words For Strong Passwords
Ilya Lichtenstein writes about his new method for generating hard-to-crack passwords. The method consists of inserting letters of one word between the letters of another word. Pretty novel algorithm if you ask me.
…
Unfortunately, it would be trivial to write a dictionary generator for this - remember, it’s not just Webster’s you have to worry about, “dictionary attacks” are really “common word list attacks.” Of course, this applies equally well to pretty much every trick I’ve ever seen (ie replacing Z with 2 or using the first letter from each word in a phrase.) I like APG (Automatic Password Generator) - http://www.adel.nursat.kz/apg/. I find I can actually remember the pronounceable passwords it generates, but they look like random monkey typing.
I like using this product for my passwords: http://keepass.info/
What makes you think that key loggers can’t record mouse clicks? Keylogger technology has come a long way my friend… It is absolutely possible for a simple keylogger to be able to detect your simple trick.
that’s sooooo cool. where did u come up with that?
Mike: I am working with the assumption that it would be prohibitively inefficient for filesize and bandwidth for a keylogger to record every single mouse click.
Everyone Else: Thanks for all of your great suggestions. With so many techniques, keeping a one word, even with a couple numbers attached, password, is inexcusable.
Here is my method.
Pick a sentence, preferably with numbers and symbols in it, like:
“Mary brought 2 presents for Karla’s 12th birthday.”
Stick with one or two sentences in the beginning; easy sentences for not-critical passwords (i.e. forums), harder/longer sentences for sensitive ones (i.e. banking account).
Now decide on the algorithm (the set of rules). For example, pick the first letter of each word in the sentence, and that’s the password.
Algorithm: First letter/symbol of each word.
Sentence: “Mary brought 2 presents for Karla’s 12th birthday.”
Generated password: Mb2pfK1b
That’s a hard password to crack. You can try the second letter of each word, and if it is a single letter word/fragment (like the “2″) then chose that. Or the last letters of each word, from left to right, or from right to left.
Algorithm: Last letter/symbol of each word.
Sentence: “Mary brought 2 presents for Karla’s 12th birthday.”
Generated password: yhsrs2tM
Or try the 1,2,3 letters of each word in the sentence, then 1,2,3 again.
Algorithm: 1st/2nd/3rd letter/symbol of each word, then repeat 1/2/3 sequence. Include the number.
Sentence: “Mary brought 2 presents for Karla’s 12th birthday.”
Generated password: Mb2efatb
Hope that this helps. And in my case? I hardly use this method anymore. Since I’m a medical student, I pick complicated/weird words of anatomical structures or of diseases, spelling them forwards and backwards!
Like: spinothalamic tract, or “tcart cimalahtonips”. Try cracking that one, Mr. Hacker!
Reading a technical article about rainbow tables (method used to figure out passwords from a compromised hash) has brought me to a conclusion that passwords don’t really need to be random letters, though it works. They do need to use upper and lower case and special characters and be as long as practicably possible.
[…] read more | digg story […]
What I would do is to take the letters in scribbles, throw them on floor and pick 8 to 10 letters randomly, arrange them and use them as password.
Just in case I forget, I would take a picture using digital camera and store the image in a folder I know.
—-
http://savingenergy.wordpress.com
all I do is use a favorite scripture reference from the bible. like,
malachi47
or something along the lines of that. though it is really easy to break… hmmmm maybe I should change it now…..
I use 1 german word and 1 french word with the number 7 at the end of it.
i prefer mkpasswd -l 15
My personal method works really well for me, mostly because of my clutter. Things get rotated on and off of my desk quite frequently but they remain on long enough to come up with and remember a password. What I do is take three objects on my desk and use that to create the password. One I use the brand name, another what it is but not brand and the last a chunk of the bar code.
For instance BicMatic , aftershave, 14678. Then I remove repeated letters from the names , BicMat, fershv, 14678. Jumble and its a strong password ferBiMac14sh6v78. I try to say it at this point to try and remember how I mixed and during the learning period the three objects help me to remember what I used.
Curious, I thought I’d try the compound password trick on something console-based like ssh. Sure enough, it doesn’t work. The console interprets arrow keys as control characters, not as movement. That means you have to revert to the actual typing of the compounded password, i.e. dcoagt. Just one more reason it’s a poor method of increasing password security.
12345
Amazing, I’ve got the same combination on my luggage!
Set course for planet Druidia.. And change the combination on my luggage!
(I’ll bet she gives great helmet)
David: If you’re using SSH, you probably don’t need any help creating a strong password. This is more for the layman who would otherwise use “dogcat” as his password and think he is safe because it is not found in any dictionary and will probably not be guessed.
Everyone Else: Once again, the creativity of some of your password generating techniques astounds me and puts mine to shame
[…] saw a Digg submission pointing to a blog posting entitled Generating the Perfect Password. The posting has some decent advice on how to come up with […]
Quite an interesting insight into creating secure passwords. The ‘clicking’ trick is something new to me. A nice way to divulge the attacker!!
Cheers,
bnkm.
I generally use words, symbols numbers and random letters in my passwords. It’s easy to remember the words, and that generally links my brain to what symbols and numbers I used, and where.
the best for me is using english script to write foreign languages (example nihau (hello in chinese)). of course they need to be long enough to prevent brute force. But at least you find them in any dictionary. Using your method with this will make it even harder to crack the password. Thanks for sharing.
Nice methods seen so far. Well done. But has anyone here read Digital Fortress? Is it true that the NSA got that powerful brute force machine? lol
Go esoteric….use concepts or associations that only you know of!! for example- meanings of your name in your mother tongue, private memories etc..the permutations and combinations are not technical enough and can beat any wordlist.
I bought a gram of Uranium, a Geiger counter and used it to generate a sequence of random bits which gives me *true* random passwords!
Problem was the other day when it generated 00000000
That’s a lousy password, easily cracked. It has a strength of 28 bits. In other words, the total number of combinations that a computer would have to guess would be 2^28. That sounds like a lot, but a determined cracker could break that in very little time.
This is what my passwords look like
L!@572ZgNef2x6rc&Y450UjO
That’s a 144 bit password. It would take a maximum of 2^144 guesses to break that.
Another layer of security I use is that all my passwords are different. I couldn’t possibly remember them all, so I use Roboform as a password/form filler. It keeps all the passwords as AES 128 bit encrypted files, which are protected by a master password. The master password is only 8 characters, but I use upper case, lower case, numbers and symbols, so it looks something like this: 0%XY*4vC.
Also, getting to my other passwords, through my master password requires physical access to my machine. I’m always behind a firewall, and I always lock my workstation while I’m away from it.
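Two comments on this page deal with random passwords and how many bits they carry: the shell one-liner above (8 bytes from /dev/random, base64-encoded, first 10 characters kept) and the comment just above that counts bits per character. The following added Python example (not code from either commenter) does both jobs: it generates a password with the OS CSPRNG via the secrets module and makes the bit accounting explicit, including the loss caused by truncating a base64 string. It reproduces the 144-bit figure for a 24-character password over a 64-symbol alphabet. The alphabet and lengths are assumptions for illustration.

```python
import math
import secrets
import string

# 94 printable ASCII symbols (letters, digits, punctuation; no space)
FULL_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 16, alphabet: str = FULL_ALPHABET) -> str:
    """Pick each character independently and uniformly using the OS CSPRNG.
    Every position then contributes log2(len(alphabet)) bits of entropy."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a password drawn uniformly from alphabet_size**length
    candidates: length * log2(alphabet_size). This measures the generation
    process, not the string: a scheme-derived password such as the
    site-name-plus-word patterns elsewhere on this page is much cheaper to
    guess for anyone who knows the scheme, whatever its length."""
    return length * math.log2(alphabet_size)


def truncated_base64_bits(random_bytes: int, kept_chars: int) -> float:
    """Bits carried by base64-encoding `random_bytes` random bytes and keeping
    only the first `kept_chars` characters. Each base64 character holds at
    most 6 bits, and the result can never hold more than the input had, so
    8 bytes cut to 10 characters is min(64, 60) = 60 bits."""
    return float(min(8 * random_bytes, 6 * kept_chars))


def summary(length: int = 16, alphabet: str = FULL_ALPHABET) -> dict:
    """Generate one password and report the bits it was drawn with."""
    return {
        "password": generate_password(length, alphabet),
        "bits": round(entropy_bits(length, len(alphabet)), 1),
    }


if __name__ == "__main__":
    print(summary())                      # 16 chars over 94 symbols: ~104.9 bits
    print(summary(24, string.ascii_letters + string.digits + "+/"))  # 144.0 bits
    print("8 random bytes, base64, first 10 chars:",
          truncated_base64_bits(8, 10), "bits")
```

The point to take from the numbers: a 12-character password drawn this way from 94 symbols already exceeds 78 bits, while the 8-character master password described in the comment above, if drawn uniformly from the same alphabet, carries about 52 bits; that is the budget an offline attacker with the encrypted vault file works against.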
Have you got a cure for the monkeys who type a password only to forget it half an hour later, even though it’s the name of their son?
Years ago someone told me that misspelled words in odd formats were a good idea. “Crazy Cat” is easy to remember but “CrayZKat” is more secure. (I know, not a very secure example)
Only by avoiding real words can we have secure passwords.
I had not heard of an idea like yours before. I am going to try it out. Thanks.
I usually create passwords like this:
2.MYKEYWORDHERE.8 for example, so mypasswords look like 2.whatthehell.8 or 2.thisisacoolexample.8
Cheers
Can someone explain to me why any of this even matters when most systems will only let you try 3 or so wrong guesses before you get locked out. So how would someone get the chance to try a word dictionary. Bank machines will eat your card if you start guessing and others will just lock you out.
Besides, I don’t really have anything that anyone would want or that I would care if someone took.
The best way to prevent a keylogger is something like a fingerprint reader …
I create passwords combining numbers and letters!
have a nice day!
If you are going to use this method, then please at least come up with your own algorithm for how you parse in the second word.
I would suggest adding a third element - numbers
and a fourth element - symbols…
then find a way to parse them all together
7230
}%)~
cat
dog
becomes:
cat (first pass)
c}a%t)~ (second pass) start at 2nd position
c}da%ot)g~ (third pass) start at 3rd
c}d7a%o2t)g3~ 0 (fourth pass, adding space) at 4th
but again, don’t use this algorithm… create your own chaos.
Re:
“The best way to prevent a keylogger is something like a fingerprint reader …”
I know of a hack for that. put a piece of thin plastic (sandwich bag) down on the fingerprint reader and use something smooth to put pressure on the pad. unless the last person to login wiped off their print, it’ll probably be read again
Hi, my name is . . .
I’m a password-o-holic
I have so many passwords that I have a document indexing my passwords.
And I must confess, my passwords are not nearly strong enough. How else would I remember all of them?
So call me loose. Call me over-extended. Just don’t forget to call me.
Roboform
You really should use different passwords for different sites, particularly if you use online banking. Accordingly, a variation of several of the ideas shown here can be combined.
Take an old phone number or other long number like a SS#. Combine that with the domain name of the site, but intersperse them. For example let’s say your number is:
(123) 456-7890
www.gmail.com: g7m8a9i0l
www.yahoo.com: y7a8h9o0o
www.wordpress.com: w3o4r5d6p7r8e9s0s
It’s easy to remember, and if you use a number that nobody is going to associate with you (this is why I like a really old phone #, or an old GF’s phone #), highly unlikely to crack, even if someone suspects you’re using this technique. - Tim
https://www.grc.com/passwords.htm
All ya need!
“Shoulder surfing is simply when an attacker stands behind you, watching the keys you press on your keyboard. However, 99% of the time, he will not observe the keyboard arrows you are pressing. Simply put one hand over the arrows and covertly press them as needed while you enter the password with your other hand.”
99% based on scientific research?
(Just being picky - I think this is a really good idea)
So many password suggestions around here, that I’m getting “password envy”!
Just remembered, I have to change all my passwords now…
I don’t believe that my “technique” is the best, but it does the job.
Base-word technique, with a twist. If you don’t know what base-word technique is, you just create a word, which is your base, and add the name of the site and voila!
I call it base-word, because BASE was my first base-word.
However, a better idea would be to make your name/nickname the base-word. To make it better and alpha-numeric, convert it into leet-speak and remove the first and last letters of your name for kicks.
Example: ankit@gmail.com password: nk1gma1l
I use KeePass Password Safe, it generates passwords for me and stores them so you don’t have to remember them. I keep the passwords db and the program installer on a USB stick so I always have them at hand.
It generates passwords such as -OaxiCb;{o^3!@w1f^ AC&mg, good luck trying to crack that
It’s time I employ this tactic too!
thanks!
Good idea! I tried it, and I think it was really smart! Thanks!
GrayV: 99% based on hyperbole.
What happened to the good ones like love, sex, money .
I would just use this perfect password: tinstaapp. It stands for “there is no such thing as a perfect password”. Really easy to memorize…
I use my own modified method of Diceware. What is irritating is the length and characters most websites and applications will take, which is poor. Too many crappy PHP coders out there.
http://world.std.com/~reinhold/diceware.html
Lotus Notes had a cool login box. It used random amounts of “*” per character typed into the password box, and it had 3 images in the dialog box that would change every key typed. I guess the idea is if someone was looking at your screen they would be distracted by the pictures.
I is to be making my password to be ‘catfish’… is I to be using good password?
[…] do you use your birthday as a password? Better use the perfect method for creating your passwords; I don’t think you want to lose it […]
This will only work for a while, because hackers will learn that this is used and try to brute force by combining words. Theoretically not a strong way to create passwords.
That’s a great idea!
Use your favourite word or a name backwards and add your favourite number to it.
I like my way better. I have a different password for each website I visit, which makes them even more secure… BUT, I never have to memorize them.
I create the password with a simple formula based on the website’s name. As an example, I may take the website name ‘wordpress’, take the next to first and next to last letters ‘o’ and ’s’, tack on the length of the site name (wordpress = 9), then maybe the first letter of the sitename (’w'). My password so far is ‘os9w’. You get the idea. Keep going till you have 8 characters. For ebay it would be ba4e****.
@Dana:
The brute force/dictionary attack is never used against a login prompt. Rather, the attacker would obtain an encrypted password file, whether from /etc/passwd, an MD5 hash from a compromised database, or a SAM file, and try different combinations at his leisure, at the rate of thousands a second. That’s the real reason you need to have a long, unguessable password such as the ones suggested here.
I is to be making my password to be ‘catfish’… is I to be using good password? No one is to say I am doing with the good password?
Well, I prefer to make an application that generates passwords.
Many systems require at least 1 number in the password mix.
I’ve really liked your method. It’s simple and provides a much safer password for day-to-day use like e-mails or an account on Amazon. This way most users won’t have to worry about their password being exposed while surfing on a public computer or something. I’m changing all my passwords right now using your method! Thanks for the idea!
What happened to creating passwords that a HUMAN could easily recall? A jumble of letters is much worse than a letter/number/symbol combo…
To go with your example (cat & Dog)….c@7D0g is much easier to remember and more difficult to hack. Please don’t tell any of my users this trick for creating passwords….
I’ve taken to making a phrase-length comment on whatever the weather is whenever I generate a password, badly translating one or two of the words involved into whatever language I can remember at the time, and then l33tsp34k1ng and capitalising random parts of it.
So, “it’s raining” became 1lpl3ut (Il pleut - French).
Sunny became s0nna1g (badly mis-remembered Old English).
It’s fairly strong because it relies on context at the time of password generation, plus it’s a phrase, plus it could be in any one of the 3 or 4 languages I barely know well enough to mangle (and if I get desperate, I’ll start using online dictionaries to translate words).
And finally, it’s relatively easy to give myself an aide memoire for the password that won’t necessarily give the whole thing away …
@joshmaher: With my method, all the user has to remember is “cat” and “dog”, and the way to type them to create the password.
I’ve got two randomly generated passwords. One is six chars, and the other one’s eight. I first began with the first one, and used it a while. Then later on I changed to the second one. Then at last, I had to have a password with 16 chars to overcome the dumb LM hashing in Windows, so I put both together, concatenated them with a ‘-’, and ended it with a ‘_’. Works pretty neat!
[…] recently wrote about passwords. Now I have come across a blog post here on the topic “how do I generate the perfect password”. It […]
[…] I happened to be reading a random blog today, and stumbled across this article called, Generating The Perfect Password. Out of curiosity, I began reading it… It’s full of tips and tricks that people have […]
A very powerful tool and tip, something that I have been struggling with for a long time! Thanks to you my headache has been solved!
This is a good way, thanks to you.
[…] seriously, Neomeme has got a pretty nice technique on how to generate a perfect password (one that’s both secure and pretty easy to remember). I use a similar technique myself, but with a […]
you guys must have some pretty sensitive ’stuff’… or be SOO paranoid ?? :p
[…] The Perfect Password? - I dont think so […]
Quoting someone else for brilliance:
–
Ian on January 16th, 2007
I prefer the RMM, or Random Monkey Method. For the absolute most secure way to encrypt a password, let a monkey randomly type it in for you. Sure, you may have some Shakespeare every once in a while, but for the most part it’s safe.
I’m still trying to develop the RMMDM, or Random Monkey Method Decoder Monkey. It’s proving much more difficult than I first realized, but it should be ready before Duke Nukem Forever comes out.
I’m working on disposable monkeys as well for the ultimate form of encryption.
–
I would like to borrow your idea to help protect my bank account from my wife. Maybe we can conspire on alternative animal algorithms. Possibly smearing catnip on the keyboard and letting a feline go to work on it (preferably not one that can easily eat the keyboard).
[…] easy to remember and can stand up to keyloggers and brute force attacks with a compound password. Read More […]
@Caffeinated Coder Interestingly enough, referrer logs show that one of the top search terms people use to find Neomeme is “monkey generated password”. Indeed, the first Google result for that phrase (without quotes) is this blog!
I guess I’m something of an authority on monkey-based security now!
I know your password!
dang, this post sure got some legs.
hehe, I would never remember the order….was it (see dog at) cdogat or was it (see dat hog) cdatog, or did I use a symbol this time (d@cog)…..for me that’s what makes a long word/phrase easier to remember.
[…] Generating the Perfect Password [Neomeme] […]
“Secure Passwords Keep You Safer” by security guru Bruce Schneier is good reading on this topic.
Your technique is very good, but now that rainbow tables exist, every password that is shorter than 15 characters, whether complex or not, can be cracked in *SECONDS*, except if proper security measures are applied within your OS.
Let’s take this password for instance: 2743jnfsdjhjhs
Looks complicated? Of course it does, but a villain using a password cracker that uses rainbow tables would unravel it within a minute.
Here’s a link *shameless plug* showing how such an application works: Cracking your Windows SAM Database in Seconds with Ophcrack 2
So the question is, how can you *REALLY* protect yourself against such attacks? The solution is easy. By default, Windows OSs store their users’ passwords in the SAM database using the LMHash representation, which all password crackers can easily exploit. The solution to this is to force Windows to switch the default password representation scheme from LMHash to NTHash. Here’s a link to another article I wrote on how to do this. *Other shameless plug*: Preventing XP from Storing an LM Hash of your Password in the SAM Database
Cheers everyone!
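An added example (not code from the post or any commenter) that reproduces the interleaving behind the compound password and behind Tim’s phone-number variant above, estimates the work an attacker who knows the scheme faces compared with a same-length random password (the objection about brute forcing by combining words, tried offline against a leaked hash), and shows how the LM hash Kiltak describes splits a password into two independently attacked halves. The 10,000-word dictionary and the 10,000 guesses per second are assumed figures.

```python
"""Added example: interleaving passwords and rough guess counts for an
attacker who already knows the scheme (assumptions are marked inline)."""
import math
from itertools import zip_longest
from typing import Tuple


def interleave(base: str, filler: str) -> str:
    """Alternate characters of base and filler, base first; leftover
    characters of the longer string are appended unchanged.
    interleave("dog", "cat") -> "dcoagt", the post's compound password."""
    return "".join(b + f for b, f in zip_longest(base, filler, fillvalue=""))


def site_password(site: str, number: str) -> str:
    """Tim's variant: the site label interleaved with the trailing digits of
    a long number, using one digit fewer than the label has letters so the
    label supplies both the first and the last character."""
    parts = site.lower().split(".")
    label = parts[-2] if len(parts) >= 2 else parts[0]
    digits = "".join(ch for ch in number if ch.isdigit())
    return interleave(label, digits[-(len(label) - 1):])


def bits(guesses: int) -> float:
    """Guess count expressed as bits of work."""
    return math.log2(guesses)


def scheme_guesses(dictionary_size: int, words: int = 2) -> int:
    """Work for an attacker who knows the compound scheme: choose `words`
    dictionary words in order (cat-into-dog differs from dog-into-cat)."""
    return dictionary_size ** words


def random_guesses(length: int, alphabet: int = 26) -> int:
    """Work against the same string treated as uniformly random lowercase."""
    return alphabet ** length


def lm_halves(password: str) -> Tuple[str, str]:
    """How the LM hash sees a password: uppercased, NUL-padded or cut to 14
    characters, then split into two 7-character halves that are hashed, and
    therefore cracked, independently of each other."""
    padded = password.upper().ljust(14, "\0")[:14]
    return padded[:7], padded[7:]


def hours_to_exhaust(guesses: int, rate_per_second: float) -> float:
    """Worst-case time to try every guess at an assumed offline rate."""
    return guesses / rate_per_second / 3600


if __name__ == "__main__":
    # Assumed: a 10,000-word list and "thousands a second" = 10,000 guesses/s.
    for base, filler in (("dog", "cat"), ("bush", "georgew")):
        pw = interleave(base, filler)
        print(f"{pw:12} as random letters: {bits(random_guesses(len(pw))):5.1f} bits;"
              f" with the scheme known: {bits(scheme_guesses(10_000)):5.1f} bits,"
              f" exhausted in {hours_to_exhaust(scheme_guesses(10_000), 1e4):.1f} h")
    print(site_password("www.gmail.com", "(123) 456-7890"))  # g7m8a9i0l
    print(lm_halves("2743jnfsdjhjhs"))  # ('2743JNF', 'SDJHJHS')
```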
Great articles, Kiltak. It’s true that rainbow tables can crack even complicated passwords in minutes (I’ve done it myself when users with encrypted files have forgotten their passwords). However, compound passwords are still fine for website logins, as MD5, though not perfect, is a lot more secure.
Instead of making a comment and maybe using my blog URL as my signature, I chose to spam my blog randomly. Now the link to it is nowhere to be found.
[…] by Bob Morris on January 19th, 2007 Generating the perfect password Take two words, then alternate the letters to make your password. Thus, ‘dog’ and […]
Sounds like an idea.
Brilliant.
just like this
http://mbcpoetry.wordpress.com
> Pick a sentence, preferably with numbers and
> symbols in it, like:
>
> “Mary brought 2 presents for Karla’s 12th birthday.”
>
> Now decide on the algorithm (the set of.. [SNIP]
Hold on just a sec there, here I thought someone would show us the good stuff - what algorithm?
Just stick with the sentence, as it is!
“Mary brought 2 presents for Karla’s 12th birthday.”
Now run that through complexity calculators and see how good it actually is. It’s got all four character types in it, as well as a very strong actual length.
Is it hard to remember an entire sentence? Not very likely. Hard to come up with them? Naah.
How fast can you type in a sentence in clean regular english?
What are the chances of someone shoulder surfing actually managing to catch all those characters correctly - especially at the speed you normally are able to type English in? Fairly low I’d guess.
Only keyloggers left then, so, so be it; passwords are weak by nature, but why go to the trouble with complex algorithms and repositioning of words to get something that is so-so to remember and often annoying to type?
Length is almost always better than character complexity. The correct capitalization and ending punctuation is just a bonus, as are the numbers in this particular sentence.
Afraid of spaces in passwords? Why? I’ve seen a few ftp clients freak out and some old UNIX’s can only support up to eight chars, but that’s about it to my knowledge (and the ftp client was simply replaced).
There’s a very nifty bookmarklet that lets you have very strong passwords without ever having to enter them yourself! What’s more, the passwords are generated on the fly, not stored anywhere, and each is different because it’s based on the website domain you’re visiting:
http://www.angel.net/~nic/passwdlet.html
[…] The Neomeme site claims that such passwords, despite their simple and easily remembered construction, are (at least for now) very hard for automated password-guessing programs. For variety you can insert the shorter word into the longer one starting from a particular letter, or capitalise some of the letters. Numbers can be added too. […]
[…] out this article where it teaches you a method to generate a seemingly random password which is actually a […]
[…] Suggestion for advanced passwords Filed under: Uncategorized — dancmorgan @ 2:40 pm link […]
I’ve found that sites list the passwords I now use as ‘strong’ because of the combination of letters and numbers I use. Only I do it in a way that’s easy for me to remember. Leetspeak! Instead of my password being ‘catdog’, it would be ‘c4td0g’. ‘Telephone’ would end up being “t3l3ph0n3”, which looks confusing to remember, but if you know the right numbers to replace the vowels with, it becomes a heck of a lot easier.
[…] Generating the Perfect Password « Neomeme read the comments for all the tips! […]
I use a completely random 12-character password generated at:
http://www.pctools.com/guides/password/
That way, I don’t use an algorithm and there’s no chance that, even if you knew everything about me, you’d guess it.
I use words from several foreign languages intercalated with numbers and/or symbols. An alternative I haven’t tried yet will be to switch to a Dvorak keyboard layout but type words, etc. on the computer’s QWERTY keyboard. Macs can easily do this; I don’t know whether PCs have the ability to switch to Dvorak.
[…] secure passwords and Gina’s excellent Geek to Live feature on the same subject. — Rick Broida Generating the Perfect Password […]
[…] LifeHacker’s got a tip on how to create perfect passwords. The NeoMeme blog has the tip and the trick is to take two words and toss them into a blender. It’s a pretty good idea, […]
Thanks for such a nice tip. My password got stolen last month because of a keylogger in a public cafe. Thanks again!
Something that seems to be overlooked by most users: you can create any password you want, and it will get cracked at some point given enough effort and computing power.
The entropy you add by including mixed case letters, non-alpha-numeric characters, mixing words, etc is all moot when time is not critical.
The probability of generating the correct password with a brute-force attack, even given *no* parameters on the password (length, allowable characters, etc.), approaches 1 as the time taken approaches infinity.
The difficulty in cracking a password comes from its difficulty to decipher, which is a function of character variation AND length. You can generate any random password you like, but if it’s only 1 character it will take about 5 seconds to crack with a BF.
But how many cases have you heard of involving someone who actually *cracked* a password by way of a BF? They’re rare enough. More common is the over-the-shoulder attack or keylogger attack, or various forms of phishing that get the user to GIVE their password away. Therefore, vastly more important is choosing something that can’t be guessed (not brute-forced, but extrapolated from publicly available facts: birthdate, name, etc.) and actually physically protecting your clear (plain text) password from theft.
[…] that are easy to remember and withstand brute force attacks, keyloggers, and even shoulder surfing. […]
I think it’s a great idea.
This blog led me to change my password to something more complex but still simpler for me. I found so many ways to make an impregnable password.
[…] after reading the neomeme article on how to generate a password that is easy to remember but at the same time satisfies many restrictions […]
Nice trick. It may work for keyloggers with regards to the mouse click. But it will defeat the purpose of having an easily typed and remembered password.
If you type slowly, chances are someone is able to shoulder surf over your back. Covering the keypad will not help much as more often than not, the button pressed is the back arrow.
Anyway it is a good hint for starters and thanks for the share!
[…] this method can counter any technique for discovering your password. Generating the Perfect Password […]
[…] Generating the Perfect Password « Neomeme (tags: howto lifehacks security) […]
Here’s a good site for good, strong passwords.
http://strongpasswordgenerator.com/
I use a similar method to some of the ones suggested. The people I work with can’t generally remember patterns (or don’t want to try). So I just took the idea of song lyrics/poetry/quotes and let them use the whole line.
A fan of the Doors?
Passwd: Comeonbabylightmyfire!
FDR?
Passwd: theonlythingwehavetofearisfearitself
In this case, the only thing we have to fear is fat fingers.
When’s the last time you saw Jim Morrison and FDR mentioned in the same IT posting?
I leave a post-it note with my password written down, affixed to my monitor, because it’s so complex I always forget it…
ummm get a life all of you hahaha
The Perfect Password?
Another forgetfoo post is a link to Neomeme on Generating the Perfect Password. How about “ppearsfweocrtd”? Definitely an interesting…
Epics: Better make sure nobody guesses your password of “password1” then.
db:I sincerely hope you’re kidding.
I changed my password into something that is spelled awkwardly with a combination of numbers in between the word/s.
nice simple solution. -> big complex result. thanks.
[…] original from: NeoMeme. Translated and adapted by h3ll0! for […]
hi, as I am typing this, I have a response to this post. I am publishing a post of picking the perfect username. Mind if I do that?
I’ll save it as a draft til you say.
Go right ahead! No need to ask me for permission to respond to my posts, just link here in your post.
[…] The Perfect Username Posted January 29, 2007 In response to Neomeme’s post, Generating the Perfect Password, I have made a post called Developing The Perfect […]
[…] http://neomeme.wordpress.com/2007/01/15/generating-the-perfect-password/ […]
[…] I found a very interesting post on Neomeme about passwords, which suggests mixing two words to generate a password. The password […]
[…] While looking for information I found that h3ll0 had translated part of the very good NeoMeme post for Digitalz. […]
I like to use special characters. alt+keypad=win. But it doesn’t work everywhere you go, so be sure to check first!
If you have a multilanguage keyboard you can switch languages and type, for example, an English password with Russian characters.
[…] is it possible to generate a password that is also easy to remember? The comments on Ilya Lichtenstein’s Generating the Perfect Password post are just as useful as the post itself. Here, I […]
[…] Value of Tagging: Part 1 + Part 2 Compound Passwords Security Now Podcast: 8 Sep […]
[…] to our e-mail when we are away from home. In reality
I just want to know how usernames and passwords are created, e.g.:
username
217435
password
227333
How is this created? Is there any software?
[…] of expression in our blogosphere, and 10 years after the appearance of the first blog, here are these three sources with recommendations for […]
[…] Generating the Perfect Password […]
I’ve been using a similar method since 2001…
(my name) (home phone)
eg:
name 12345 = n123am45e
Pretty easy to remember but tough, right?
Nice and elegantly simple solution to the password problem. Thanks!
I will use password manager software to generate a random password and fill it in with a shortcut.
Well, I agree with your points. But I tend to mix up a combination of letters, symbols and other integers. The downside is I often forget the password and then have to continually call up so a new one is sent out.
This is a really solid post. I never knew that about keyloggers. If people just did this even one time with the arrow key for every password, then keyloggers would never get it right even if you did have spyware. Great idea!
Just use a random password; an old one of mine was He8V29Bh71! (No, the exclamation mark is not only there because it’s mad but because it was part of the password.) Use symbols and upper and lower case letters by holding the shift key down fast with a hidden movement of the finger, and do it fast and no one will get it! After a while you will be able to type your password, no matter how long, very fast. And don’t be an idiot: use some decent antivirus and/or anti-spyware and be internet wise, e.g. don’t go clicking on free offers, lmao
man, that’s a smart method! however, bruteforce reveals any password, it’s all about computing power and the price of info stored behind this password. but anyway, respect for the article!
I would just alternate upper case and lower case letters. So dcoagt would be: DcOaGt. I also like to add a special symbol and a number. So the password could be DcOaGt$1. It’s not that hard to have a stronger password! Thanks for the great article.
Yeah, but sometimes you cannot use special chars. No doubt the best way is mixing letters with numbers.