howto://create strong passwords that are easy to remember

by Ed Fisher on 2010-02-04


It’s the classic challenge of finding the right balance between security and accessibility. As admins, we know that bad guys really are trying to crack passwords, and the stronger the password requirements, the more secure we’ll be. Users, on the other hand, want to be able to access systems quickly and easily, and not spend hours trying to remember twelve-character random strings, or being yelled at for writing them down.

A quick search on Google turns up over 38,000,000 hits on the phrase “password crack.” Many of these link to tools that can go through the entire dictionary in a matter of seconds. There are commercial and open source tools, as well as websites that make password attacks trivially easy to perform for even a relative beginner. Many of these take advantage of weaknesses in how passwords are implemented, including rainbow tables, birthday attacks, and collision attacks. Other means of discovering passwords take advantage of human nature, such as social engineering, playing find the post-it note, and what I like to call the cadbury attack. What are we to do?


Brute forcing short random passwords can be done in minutes. Simple math shows why longer passwords are harder to crack. The following table assumes a straightforward brute force attack, using a single-CPU Pentium-class PC to exhaust the key space at 100,000 attempts per second. $200 netbooks are more powerful than that, and we’re not factoring in any of the above-mentioned ways to reduce the time required to crack a password.

| Password basis | # of options | # of possibilities | Estimated time to crack |
|---|---|---|---|
| common English words | ~ 234,000 | ~ 234,000 | seconds |
| 8 case insensitive letters | 26^8 | 208,827,064,576 | ~2.5 days |
| 8 case sensitive letters | 52^8 | 53,459,728,531,456 | ~1.5 years |
| 8 case sensitive letters & numbers | 62^8 | 218,340,105,584,896 | ~7 years |
| 8 case sensitive letters, numbers, & metacharacters | 96^8 | 7,213,895,789,838,336 | ~200 years |

Information in the above table is derived from Lockdown.co.uk.

However, when we look at it from the user’s perspective, we have to appreciate their point of view. An admin who insists on a twelve-character password including at least three capital letters, three lower case letters, a non-consecutive block of numbers, and at least two metacharacters (and what the heck is a metacharacter, anyway?) is obviously insanely paranoid and probably lines their bedroom with aluminum foil to keep out the brainwaves. Anything harder than a word means having to write it down to keep from forgetting it, because they know how much grief they’ll receive when they call the support desk to get their forgotten password reset. No one would guess that they are a Dallas fan, so why can’t they use “cowboys” as a password? And bad guys will never look for that post-it note on the SIDE of the monitor, right?

Here is where some creative spelling comes to the rescue and allows us to reconcile the two sides. Pull out the lyrics sheet from your favourite Prince CD and see how he spells. What?!! You don’t own any of his works? Okay, set your Google language preferences to hacker and see how everything is spelled. With a little practice, you can begin to see how to spell using numbers, punctuation, and phonetics.

Next, use your own inside joke to give yourself an easy-to-remember password that will make any admin proud! Ready? Think of your favourite movie. Now think of the star. Every star in every movie has a “catch-phrase.” As an example, think of Arnold Schwarzenegger’s “I’ll be back!” Easy to remember, thirteen characters long, and meets the complexity requirements of most networks. You can get even more creative. Try “!’11 b3_B@ck.” It is even more complex, but almost as easy to remember and to type. Type it in half a dozen times and muscle memory will kick in, making it an easy-to-use password that is going to be very hard to crack. Here are some examples; use these to get a feel for strong passwords. Don’t use these as actual passwords. Don’t do it; I’ll be testing your VPN later this evening, and I will try each of the examples listed below.

| Movie | Quote | Password |
|---|---|---|
| Any James Bond | Bond, James Bond. | B0nd,J@m3sB0nd. |
| Any Arnold Schwarzenegger | I’ll be back. | I’llb3b@ck. |
| Spartacus | I am Spartacus! | 1@mSp@rt@cus! |
| Soylent Green | Soylent Green is people! | S0yl3ntGr33n!sp30pl3 |
| Marathon Man | Is it safe? | 1s1ts@f3? |
| Spinal Tap | These go to eleven. | Th3s3g0t011. |
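As an added example (not code from the original post), the following Python reproduces the arithmetic behind the first table at the page’s assumed 100,000 guesses per second and applies the same character-class reasoning to the quote-based passwords above, alongside a simple complexity-policy check. The 34-symbol metacharacter count is an assumption chosen so that all four classes add up to the table’s 96-symbol alphabet.

```python
import string

# Attack rate assumed by the article's first table: one Pentium-class CPU trying
# 100,000 guesses per second (a figure taken from the page, not measured here).
GUESSES_PER_SECOND = 100_000

# Class sizes follow the table's rows (26/52/62/96). The 96-symbol alphabet implies
# 34 "metacharacters" (assumed); anything that is not a letter or digit counts as "meta".
CLASS_SIZE = {"lower": 26, "upper": 26, "digit": 10, "meta": 34}

def classify(c):
    """Name the table class a single character falls into."""
    if c.isascii() and c.isalpha():
        return "lower" if c.islower() else "upper"
    return "digit" if c in string.digits else "meta"

def classes_used(password):
    """Classes an attacker must include in the alphabet to cover this password."""
    return {classify(c) for c in password}

def charset_size(password):
    """Alphabet size implied by the classes present, i.e. the table's 26, 52, 62 or 96."""
    return sum(CLASS_SIZE[name] for name in classes_used(password))

def keyspace(alphabet, length):
    """Candidate strings of exactly `length` symbols drawn from `alphabet` choices."""
    return alphabet ** length

def human_time(seconds):
    """Render seconds in the largest natural unit, like the table's 'days' and 'years'."""
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"~{seconds / size:,.1f} {unit}"
    return f"~{seconds:,.0f} seconds"

def estimate(password, rate=GUESSES_PER_SECOND):
    """Exhaustive-search figures for one password: alphabet, keyspace and worst-case time."""
    space = keyspace(charset_size(password), len(password))
    return {"alphabet": charset_size(password), "keyspace": space, "time": human_time(space / rate)}

def meets_policy(password, min_len=8, min_classes=3):
    """A typical complexity rule: minimum length plus at least three of the four classes."""
    return len(password) >= min_len and len(classes_used(password)) >= min_classes

if __name__ == "__main__":
    for alphabet in (26, 52, 62, 96):  # the table's four 8-character rows
        print(f"{alphabet}^8 = {keyspace(alphabet, 8):,}  {human_time(keyspace(alphabet, 8) / GUESSES_PER_SECOND)}")
    for pw in ("cowboys", "B0nd,J@m3sB0nd.", "1@mSp@rt@cus!", "Th3s3g0t011."):
        print(f"{pw:18} policy={meets_policy(pw)!s:5}  {estimate(pw)['time']}")
```

At 100,000 guesses per second the 26^8 row works out to about 24 days rather than ~2.5 days, and the other rows scale the same way; the table’s figures match a rate of roughly 1,000,000 guesses per second.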

You could use a phrase from that song you always remember from your youth. Use the first full sentence your child uttered as a baby. Almost anything will do provided you don’t walk around the office all day long saying it. I know the Budweiser commercials were funny, but if you say WAZUP to everyone you see, odds are it will be the first thing someone tries when they are after your account! And speaking of that commercial…if you have ever worked with the larger birds, you’ll love this version I found while digging around the tubes.

What tips do you use to help users with creating strong passwords? Leave a comment and share some wisdom.
