[Dshield] password security
John Hardin
jhardin at impsec.org
Thu Feb 5 01:32:06 GMT 2009
On Wed, 4 Feb 2009, Dr. Daniel Carras wrote:
> Brute Force dictionary crackers would have "10 Bottles of Beer", they
> wouldn't have eeqmc2, this would require a different algorithm. However,
> an increasing number of account hacks look for password files on the
> user's system.
Dictionary crackers do multi-word passphrases?
And, "eeqmc2" would be very easy to brute force due to its limited length
and small universe of characters. Actually, the *source* of your example
password would be stronger, assuming the site allowed it: [e = mc^2] has a
mixture of punctuation marks, spaces, letters and numbers. It's still
dangerously short, though.
Components to a good password:
  - Length
  - Size of universe of source characters
    (don't limit yourself to lowercase ASCII)
  - Memorability (so you don't have to write it down)
What I usually recommend is:
Figure out some rules that you will use for changing a plaintext phrase
into a password, trivially for example: convert all letters "o" to numeral
"0" or punctuation marks "()" or a specific accented "o" non-US-ASCII
character (though that may be difficult to type in some situations...)
Take your source phrase and apply those rules to get your password.
Of course, the source phrase must then be memorable. Ideally it would be
suggested by the site so that you can have a different passphrase per
site. For example, you might use the source phrase "Microsoft sucks" as a
starting point for passwords for Microsoft sites if you didn't
particularly like them... :)
And if the site expires passwords (or if you do so proactively to improve
security) then have some sort of rule for generating a sequence of
passwords from that phrase, for example (again trivially) by appending the
name of the month to the source phrase when you change your password.
(That, of course, assumes you remember *when* you changed the password...)
That might give you a password for a physics site that looks like:
#1n5t#1n s#z: #=m(^2
Start with "Einstein says: E=mc^2" for the physics site;
Apply rules:
  says -> sez
  E    -> #
  i    -> !
  s    -> 5
  c    -> (
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin at impsec.org FALaholic #11174 pgpk -a jhardin at impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
The question of whether people should be allowed to harm themselves
is simple. They *must*. -- Charles Murray
-----------------------------------------------------------------------
8 days until Abraham Lincoln's and Charles Darwin's 200th Birthdays
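An added example, not from the post, that applies the substitution rules listed above in order to the source phrase and compares the naive brute-force search space of the results with the "eeqmc2" and "e = mc^2" candidates from the thread. Rule order, case-sensitive literal replacement, and the per-class universe sizes are assumptions of this example.

```python
import math
import string

# Rules and phrase from the post; applying them in this order with plain
# case-sensitive replacement is an assumption of this example.
RULES = [("says", "sez"), ("E", "#"), ("i", "!"), ("s", "5"), ("c", "(")]


def apply_rules(phrase: str, rules=RULES) -> str:
    """Turn a memorable source phrase into a password by applying each rule in order."""
    for old, new in rules:
        phrase = phrase.replace(old, new)
    return phrase


def rotate(password: str, month: str) -> str:
    """Expiry rule from the post: append the month name when the password is changed."""
    return password + month


# Character classes and the universe size each one contributes once used.
CLASSES = [
    (set(string.ascii_lowercase), 26),
    (set(string.ascii_uppercase), 26),
    (set(string.digits), 10),
    (set(string.punctuation + " "), 33),  # 32 punctuation marks plus space
]


def universe_size(password: str) -> int:
    """Size of the source-character universe implied by the classes actually used."""
    used = set(password)
    size = sum(count for chars, count in CLASSES if used & chars)
    if any(ord(ch) > 127 for ch in password):
        size += 1000  # assumed size for accented / non-US-ASCII characters
    return size


def naive_bits(password: str) -> float:
    """Naive search-space size in bits: length * log2(universe).
    An upper bound only: a phrase built from dictionary words is weaker
    against dictionary and rule-based guessing than this figure suggests."""
    return len(password) * math.log2(universe_size(password))


if __name__ == "__main__":
    pw = apply_rules("Einstein says: E=mc^2")
    for cand in ("eeqmc2", "e = mc^2", pw, rotate(pw, "February")):
        print(f"{cand!r:34} len={len(cand):2} universe={universe_size(cand):4} "
              f"bits={naive_bits(cand):6.1f}")
```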