How hard is it to come up with a good password?

Russ Cooper
March 19th, 2009

I was reading Graham Cluley’s blog post about Jack Straw’s email account being hacked. At the end of the entry Graham has included a video describing how he comes up with a very strong password which, he says, is easy to remember. See:
http://www.sophos.com/blogs/gc/g/2009/02/24/nigerian-scammers-hack-jack-straws-email-account/

Well, after watching it I realized that we computer security folks are definitely a bunch of nerds, particularly if you think what Graham suggests is “easy” for the average person.

Here’s what I do to come up with a really strong password. I simply grab an envelope or newspaper I’ve got nearby. Preferably something local, as in a bill from your plumber or the local flyer for grocery stores. Now scan over them to find an address…any address. Bingo…your new password.

For example: I have a bill here for repairs on my Invisible Fence (wire that keeps my dogs in my yard). Their address is 7615 Leskard Rd., as printed on the invoice. We have alpha (upper and lower case), numeric, and special characters (the space and period). What more complexity could you ask for?

Just keep the invoice on your desk for a couple of days and the address will become easily remembered…until they make you change it again.

Alternatively if you don’t happen to have a piece of paper with an address, just put anything you want into Google and do a search. Then follow the first few links till you get to a site that lists their address and use that. Bookmark it in case you forget the address.

Simple, easy to remember, hard to crack, and in case you lose it you only have to remember whose address you used.


Comments

  1. I prefer to use the free, open source password manager, Password Safe from sourceforge ( http://passwordsafe.sourceforge.net/ ). Users need only remember the “combination” to their Password Safe and it takes care of the rest. It uses the Twofish encryption algorithm to securely store passwords on the system. It will generate secure random passwords using rules the user can set. For example, a minimum of 10 characters, 2 letters, 2 digits and 2 special characters.

    For web sites, it can store the URL for the login page and a user can launch the page from Password Safe and Ctrl-T will enter the ID and Password for the user. Two keystrokes and you’re logged in.

    You can keep your Password Safe on a USB key; it now supports YubiKey, or, if you choose, a U3 version is available for $10.00.

    Posted by: Dave Kennedy on March 22nd, 2009 at 1:48 am
  2. I’m with Kennedy. Pressing a button for a random password is quick and convenient. This keeps the desk free of bills and is portable between systems.

    Posted by: Wade Baker on March 23rd, 2009 at 2:15 pm
  3. Yojimbo, my password keeper and go-to GTD app, does not generate passwords on its own, so I jump to Terminal and run pwgen unless I have something clever in mind. Don’t use pwgen if you want something easy to remember, though.

    Posted by: Kevin Long on March 25th, 2009 at 7:20 pm
  4. I recently came across your blog and have been reading along. I thought I would leave my first comment. I don’t know what to say except that I have enjoyed reading. Nice blog. I will keep visiting this blog very often.

    Joannah

    http://linuxmemory.net

    Posted by: Joannah on April 3rd, 2009 at 12:30 pm
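As an added illustration (not code from the post, from Password Safe, or from any commenter), the character-class check the post applies to its invoice address and the generator rule Dave Kennedy’s comment describes, written in Python. The class definitions, the rejection-sampling generator and the entropy bound are my own assumptions about how such a rule would be enforced and assessed.

```python
import math
import secrets
import string

# Character classes behind the post's "alpha (upper and lower case), numeric, special" check.
CLASSES = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "special": set(string.punctuation + " "),  # the address's spaces and period land here
}

# Alphabet the generator draws from (assumed; no space, so passwords paste cleanly).
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def class_counts(password):
    """Return how many characters of each class the password contains."""
    return {name: sum(ch in chars for ch in password) for name, chars in CLASSES.items()}


def meets_policy(password, min_len=10, min_letters=2, min_digits=2, min_special=2):
    """Password Safe-style rule from the comments: minimum length plus per-class minimums."""
    counts = class_counts(password)
    letters = counts["upper"] + counts["lower"]
    return (len(password) >= min_len and letters >= min_letters
            and counts["digit"] >= min_digits and counts["special"] >= min_special)


def generate(length=12, min_letters=2, min_digits=2, min_special=2):
    """Draw each character uniformly from a CSPRNG; reject draws that miss the policy."""
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_policy(candidate, length, min_letters, min_digits, min_special):
            return candidate


def naive_entropy_bits(password, alphabet):
    """Bits if every character were an independent uniform draw from `alphabet`.

    Close to honest for generate()'s output; an overestimate for an address, which an
    attacker can guess from the far smaller space of real street addresses instead."""
    return len(password) * math.log2(len(alphabet))


if __name__ == "__main__":
    address = "7615 Leskard Rd."  # the invoice address quoted in the post
    print(address, class_counts(address), meets_policy(address))
    random_pw = generate()
    print(random_pw, meets_policy(random_pw), round(naive_entropy_bits(random_pw, ALPHABET), 1))
```

Both strings pass the same four-class policy, which is exactly why a complexity check alone cannot tell a memorable address from a random draw.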
