Secure passwords

I’m big on password security. It drives me crazy when people can’t remember their passwords. Until recently I couldn’t have told you any of my passwords if you held a gun to my head. Not because I am forgetful, but because I had crazy passwords, all over 10 characters long with upper and lower case letters, numbers, and symbols. They were all stored in LastPass, so they were always filled in for me, and if I needed to know one I could just look it up. Everything was great until I listened to a recent Security Now podcast.

Steve Gibson realized that the entropy of a password really isn’t as important as its length combined with the use of upper case, lower case, numbers, and symbols. Using all four of those classes increases the character set to 96: 26 upper case, 26 lower case, 10 numbers, and 33 symbols. Combined with a long password, that makes it virtually impossible to brute force, unless you use dictionary words or otherwise make it too easy to guess.

Which password below is stronger?

D0g.....................

PrXyc.N(n4k77#L!eVdAfp9

Yep, the first one, because it is longer. It would take 95 times longer to crack than the second, yet it’s simple to remember. The key is to have a short core you can remember plus some kind of padding scheme you can remember. The first one probably isn’t the best choice because the padding is so simple, but it is easy to come up with your own algorithm for passwords.
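To make the comparison concrete, here is an added worked example (my code, not the post's or Steve Gibson's) that applies the haystack reasoning: the alphabet an exhaustive search must cover is fixed by which of the four character classes appear (the class counts the post lists sum to 95, the same factor the post quotes), and the search has to cover every length up to the password's, so the space is the sum of 95^l for l from 1 to L. The guess rates are assumptions chosen for illustration. The count models brute force only: a guesser that tries dictionary words and common padding patterns before the full space is not captured by it, which is the post's own reason for saying the dotted padding isn't the best choice.

```python
import string

# Character classes with the counts the post gives: 26 + 26 + 10 + 33 = 95 printable
# ASCII characters (string.punctuation holds 32 symbols; the space makes 33).
CLASSES = {
    "lower": (frozenset(string.ascii_lowercase), 26),
    "upper": (frozenset(string.ascii_uppercase), 26),
    "digit": (frozenset(string.digits), 10),
    "symbol": (frozenset(string.punctuation + " "), 33),
}

# Assumed guess rates for the time estimates (constructed for this example, not from the post).
RATES = {
    "online, throttled": 1e3,           # guesses per second
    "offline, one fast GPU rig": 1e11,
    "offline, large cracking array": 1e14,
}


def alphabet_size(password: str) -> int:
    """Size of the alphabet an exhaustive search has to cover.

    Brute force cannot know which characters were used, only which classes might
    have been, so a single symbol anywhere in the password buys all 33 of them."""
    size = sum(count for chars, count in CLASSES.values()
               if any(c in chars for c in password))
    if size == 0:
        raise ValueError("no printable ASCII characters in password")
    return size


def search_space_size(password: str) -> int:
    """Candidates an exhaustive search must try, counting every length up to
    len(password): the sum of C**l for l = 1..L (the haystack reasoning)."""
    c = alphabet_size(password)
    return sum(c ** length for length in range(1, len(password) + 1))


def strength_ratio(a: str, b: str) -> float:
    """How many times more candidates password a forces than password b."""
    return search_space_size(a) / search_space_size(b)


def time_to_exhaust(password: str, guesses_per_second: float) -> float:
    """Worst-case seconds to try the entire space at the given rate."""
    return search_space_size(password) / guesses_per_second


def human_duration(seconds: float) -> str:
    """Render a duration in the largest convenient unit."""
    year = 365.25 * 24 * 3600
    if seconds < 60:
        return f"{seconds:.2f} seconds"
    if seconds < 3600:
        return f"{seconds / 60:.1f} minutes"
    if seconds < 86400:
        return f"{seconds / 3600:.1f} hours"
    if seconds < year:
        return f"{seconds / 86400:.1f} days"
    return f"{seconds / year:.3g} years"


if __name__ == "__main__":
    padded = "D0g" + "." * 21                 # the post's first password, 24 characters
    random_looking = "PrXyc.N(n4k77#L!eVdAfp9"  # the post's second password, 23 characters
    scheme = "tR4$" + "q]" * 5                # the post's 14-character core-plus-padding example
    for pw in (padded, random_looking, scheme):
        print(f"{pw!r}: {len(pw)} chars, alphabet {alphabet_size(pw)}, "
              f"search space {float(search_space_size(pw)):.3g}")
        for label, rate in RATES.items():
            print(f"    {label}: {human_duration(time_to_exhaust(pw, rate))}")
    print(f"padded vs random-looking: {strength_ratio(padded, random_looking):.2f}x more candidates")
```

Running it shows the 24-character padded password forcing about 95 times the candidates of the 23-character random one, purely because of the extra position; the rate table makes the same point in hours and years.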

Everybody should sit down for 5 minutes and come up with their own password algorithm. You could have four characters you can remember, like tR4$, followed by some simple padding like q]q]q]q]q], and you will have a 14-character password that is easy to remember and very hard to crack. My algorithm takes some characters from the URL, so now all my passwords are long and hard to crack, yet easy to remember.

The only problem is sites that don’t allow symbols in their passwords. I’m talking to you, Verizon and Capital One. So I have a handful of passwords that can’t use my algorithm and that I can’t remember, but thanks to LastPass I will always be able to look them up.

Steve Gibson has a site explaining his whole theory of why length matters more than entropy. According to his calculations, the fastest my passwords could be cracked is 1.65 hundred centuries, and I’m fine with that.
