Posted By Subodh on Saturday, March 20, 2010


I found that password! Password Break-ins can be avoided.

I’ve had the thousandth aha moment. I found someone’s password. Again! I’ve seen this cockiness of “it can’t happen to me” for a long time, and time and again it proves one of two things: either people believe they are invincible and do not really care, or they just do not know how to generate strong random passwords that can be easily remembered. Whichever group you belong to, do me a favor: before you come asking me to check your password’s astronomical complexity level, please answer the following questions.

1. Can you keep your password in full public view?

2. Can you remember the password 5 years after you generated it (No writing it down)?

3. Is your password unique (never used the same password at more than one place)?

4. Is there anything valuable someone might steal by getting access to your password?

If you answered no to any of the questions above, you need help. Read this blog post, and if you still feel you’ve got it all covered, more power to you.

I’ll give you my secret recipe for generating passwords: passwords that can be written in full public view, will never need to be written down, can be remembered for as long as you’re alive (and mentally sound), cannot be broken by your friends or relatives, and are unique to every place you need them. For the record, my Bank of the West password is “Amazing Amazing West of 2005!” Go figure!

Before I get into how to generate a password that only you can remember and use, let me touch on a few nuances of security that you ought to know; you probably do, but never gave them much thought.

1. Security is never secure enough.

What was fine for a password 10 years ago just doesn’t cut it today. DES64 was thought unbreakable just a few years ago; now it can be broken in less than 48 hours using plain brute force on an average desktop. Think writing your password as p455w0rd is sufficiently complex? Think again: there are dictionaries available online that do that conversion. Using your complicated first name and a 12-character last name to generate a humongous 18-character password? Chances are that combination is also available as a dictionary.
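The two dictionary tricks this paragraph mentions, undoing leet-speak substitutions and matching a first-name + last-name pair, are exactly what a signup-time strength checker does on the defending side. As an added example, not code from the original post: a small Python checker in which the word and name lists are constructed stand-ins for the online dictionaries the post refers to.

```python
import re
from typing import Optional

# Constructed stand-ins for the online word and name lists the post refers to.
# A real checker loads millions of entries; the lookup logic is the same.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "dragon"}
FIRST_NAMES = {"subodh", "bruce", "joy"}
LAST_NAMES = {"shakya", "lee", "daruwala"}

# Leet-speak substitutions applied in reverse: once they are undone,
# "p455w0rd" and "password" are the same dictionary entry.
LEET_MAP = str.maketrans({
    "4": "a", "@": "a", "3": "e", "1": "i", "0": "o",
    "5": "s", "$": "s", "7": "t",
})


def normalize(candidate: str) -> str:
    """Lower-case, undo leet substitutions, and drop anything that is not a letter."""
    undone = candidate.lower().translate(LEET_MAP)
    return re.sub(r"[^a-z]", "", undone)


def weakness(candidate: str) -> Optional[str]:
    """Return why the candidate reduces to dictionary material, or None if it does not."""
    word = normalize(candidate)
    if word in COMMON_WORDS:
        return f"reduces to common word {word!r}"
    # The 'first name + last name' pattern the post warns about: both halves are
    # dictionary entries, so the long result costs two lookups, not a search over
    # every 18-character string.
    for first in FIRST_NAMES:
        if word.startswith(first) and word[len(first):] in LAST_NAMES:
            return f"reduces to a name pair {first!r}+{word[len(first):]!r}"
    return None


if __name__ == "__main__":
    for candidate in ("p455w0rd", "Sub0dh$hakya", "ChrKtb@$7i"):
        print(f"{candidate:16} -> {weakness(candidate)}")
```

Run at signup or password change, a check like this rejects the substitutions the post calls out before they reach the user database; the post's own derived password passes because, once normalized, it is not in any list.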

2. Too much of complexity is a disaster waiting to happen.

If you use one of those random password generators to generate a really complex password, you’re still asking for trouble. Why? Coz to remember it, you’d have to save it somewhere. Or write it down. Or, coz you think it is so awesome, you’d use it at multiple places, including the one at Facebook. Chances are the password is not going to be cracked but discovered by someone intent on it (think ex!). Oh wait, you’re not the kind who thinks there is nothing useful in your account anyway, are you?

3. Watch those damn rules.

Everyone out there seems to have an opinion about the definition of a secure password. “It must contain a special !@#$ character,” “Must have an uppercase,” “Must have a number.” You know what? Screw that. The only thing those rules do is force you to generate complicated passwords that you cannot remember, thus making you write them down. Besides, using one of those things only reduces the complexity of a password to a limited number of combinations. Writing a password down? Gah!

4. Security Questions.

They let you choose passwords that can (if done correctly) take eons to break. Even if you get the password right, they still make you answer “security questions,” usually just 2-4 of the 300 or so possible questions. Those 300 or so possible questions are the same at Facebook or Yahoo or your bank or, for that matter, any frickin damn site. Oh, and the mom n’ pop shop from where you order that stuff online once in a while has those same questions too. And the complexity of breaking through with answers to those questions is far, far less than what it would take to break your password.

5. You’ve no idea

Even if you’ve been careful all along, did you ever think about how the passwords are actually stored on the other end? When you click the “forgot password” link and your password is sent to you by mail, there is a possibility that it was never really out of the reach of prying eyes (reversible encryption or not). Oh, and some mom n’ pop shops do not even encrypt the password when storing it in their databases. Think you do not know a mom n’ pop shop? I had to call up the Frys Credit customer service the other day; imagine my chagrin when he recited over the phone what my password was! Recited, as in three effing times. Need another example? A McAfee rep gloated when I asked him how he knew my password: “Oh, we know everything!” I cancelled my Enterprise license the very next day.
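The contrast in this paragraph, a site that can recite your password back versus one that can only verify it, written out in Python as an added example (not code from the post). The in-memory user table, the usernames and the PBKDF2 iteration count are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Hypothetical in-memory user table standing in for a shop's database (constructed).
USERS: dict = {}


def store_plaintext(username: str, password: str) -> None:
    """The practice the post describes: the password itself sits in the table."""
    USERS[username] = {"scheme": "plain", "secret": password}


def store_hashed(username: str, password: str, iterations: int = 200_000) -> None:
    """Store only a salted PBKDF2-HMAC-SHA256 digest; the password cannot be read back."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    USERS[username] = {
        "scheme": "pbkdf2-sha256",
        "salt": salt.hex(),
        "iterations": iterations,
        "hash": digest.hex(),
    }


def verify(username: str, password: str) -> bool:
    """Check a login attempt under either scheme, using a constant-time comparison."""
    record = USERS.get(username)
    if record is None:
        return False
    if record["scheme"] == "plain":
        return hmac.compare_digest(record["secret"].encode(), password.encode())
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def recitable_over_phone(username: str) -> bool:
    """True if anyone reading the table could read the password back, as in the Frys call."""
    return USERS[username]["scheme"] == "plain"


if __name__ == "__main__":
    store_plaintext("shop-customer", "ChrKtb@$7i")
    store_hashed("good-site-customer", "ChrKtb@$7i")
    for user, record in USERS.items():
        print(user, record, "recitable:", recitable_over_phone(user))
```

A site that keeps only the digest cannot mail you your password from a “forgot password” link; it can only send a reset. So a rep reciting your password, or a mail containing it, tells you which of the two tables you are in.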

 

Wait a minute, I thought I was going to show you how I generate my passwords! Here we go.

The rules for generating a strong password that you can remember …err.. reconstruct.

 

Get something unique

Numeric. Remember it. This is the only number you’re ever going to need to remember. It should be large enough that you could use it at multiple places without reusing all of its digits. Need an example? 2^64 = 18446744073709551616. Even if you remember the first four digits as your first ATM card PIN, you still have a lot more digits to use later. This number is your numeric seed.

 

Make your alphabetical password suffix

It doesn’t have to be complicated. Just something you’d never forget. How about “Popocatepeti”? Or that restaurant you swore you’d never go to again? Or even the name of the street you grew up on.

 

Make your mental algorithm

Mine used to be as follows:

a) “Convert what stands out about the site to another language. Then back, literally.” Example: “Facebook -> चेहरा किताब -> Cēharā Kitāb”

b) From the final words (per site), remove all vowels, so “Cēharā Kitāb –> ChrKtb”

c) What is the current year? 2010? Take the 10th digit of your numeric seed and the 10th letter of your alphabetical suffix (you’d get good at this as you generate more and more passwords), so ChrKtb –> ChrKtb7i

d) There you have it; for most sites this password would work. For those where it won’t (asking for a special character?), just make up your own sequence of special characters and embed it before the numeric suffix. For example, ChrKtb7i -> ChrKtb@$7i

You know what’s the best part?

You can even write down your password

Yes, this password can be kept in full public view (of course, will you?). So, the password for my Facebook account is “Face Book Special secret.” The password for my other Facebook account is the same except that it is “Face Book Special Secret 2,” which translates to ChrKtb@$7I2.
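The mental algorithm above, steps b through d, written out in Python as an added example (not the author's code). Step a, translating the site name and transliterating it back, stays the manual step the post describes, so the transliterated phrase is the input. The numeric seed is the post's 2^64 and the alphabetical suffix is the post's suggestion “Popocatepeti”; the post does not say which word produced the “i” in “ChrKtb7i”, so with this suffix the tail comes out as “7e” instead. Wrapping around when a year's last two digits exceed the seed length is my assumption.

```python
import unicodedata

# Seeds from the post: 2**64 as the numeric seed, "Popocatepeti" as the alphabetical suffix.
# The post does not show which word produced its "i", so the tail here ends in "e".
NUMERIC_SEED = str(2 ** 64)          # "18446744073709551616"
ALPHA_SUFFIX = "Popocatepeti"
VOWELS = set("aeiou")


def strip_diacritics(text: str) -> str:
    """'Cēharā' -> 'Cehara': decompose and drop the combining marks."""
    decomposed = unicodedata.normalize("NFD", text)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch))


def remove_vowels(transliterated: str) -> str:
    """Step b: 'Cēharā Kitāb' -> 'ChrKtb' (diacritics, vowels and spaces removed)."""
    plain = strip_diacritics(transliterated)
    return "".join(ch for ch in plain if ch.isalpha() and ch.lower() not in VOWELS)


def year_tail(year: int, numeric_seed: str = NUMERIC_SEED, alpha_suffix: str = ALPHA_SUFFIX) -> str:
    """Step c: the n-th digit of the numeric seed plus the n-th letter of the suffix,
    n being the year's last two digits (1-based). Positions wrap around when the
    seed is shorter than n; that wrap is an assumption the post does not state."""
    n = year % 100
    return numeric_seed[(n - 1) % len(numeric_seed)] + alpha_suffix[(n - 1) % len(alpha_suffix)]


def derive(transliterated: str, year: int, specials: str = "", variant: str = "") -> str:
    """Steps b to d: vowel-stripped site word, optional special characters before the
    numeric tail, the year tail, and an optional marker for a second account on the site."""
    return remove_vowels(transliterated) + specials + year_tail(year) + variant


if __name__ == "__main__":
    # Step a (translate the site name and transliterate back) is done by hand, as in the post.
    print(derive("Cēharā Kitāb", 2010))              # ChrKtb7e
    print(derive("Cēharā Kitāb", 2010, "@$"))        # ChrKtb@$7e
    print(derive("Cēharā Kitāb", 2010, "@$", "2"))   # ChrKtb@$7e2
```

Everything the function needs besides the two seeds is derivable from the site name and the year, which is what lets the post's “Face Book Special Secret 2” description stand in public for the actual string.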

Of course, I’ve found more complicated ways of goofing up my passwords; otherwise I wouldn’t be telling you all this, now would I? :D

BTW, do let me know if this helps. Or if you think passwords are not all that important. Or, if you have a better scheme! Comments are open for the next 90 days!

 Comments & Discussions

  • Bruce Lee, Saturday, March 20, 2010 at 12:54 PM

    I use pwsafe. I don't know most of my passwords anymore. Just the one that opens the safe.

    • Subodh Shakya, Saturday, March 20, 2010 at 6:27 PM

      Ah, one master password for all the passwords!
      So long as it works for you, great. From what I know of pwsafe, people who use it vouch for it. But then again, what if ...

      • Bruce Lee, Friday, March 26, 2010 at 11:42 AM

        I used to use an algorithm (not as complex as what you describe above). One of the problems I ran into was the notion of adding something about the website to the base password. E.g. super simple case: append "a" for amazon.com, "b" for buy.com, etc. What happens when the thing about the site (in the example, the name) changes? This typically happens when you create an account on a new site (possibly beta) which can undergo substantial changes when it goes live.

        PWSafe has problems, to be sure... mostly maintenance. I have the program and data on a flash drive. I have to remember to pull out the flash drive when I need a password and when I create a new one. If I lose the flash drive I can always download the program again, but I have to remember to back up the data periodically.

  • Daruwala, Saturday, March 20, 2010 at 10:04 PM

    I remember one.. replace the vowels in the name of your favorite car with your roll number!

  • bipin, Sunday, March 21, 2010 at 12:54 AM

    c) What is the current year? 2010? Find the 10th letter out of our numerical and alphabetical suffixes (You’d get good at this as you generate more and more passwords). so ChrKtb –> ChrKtb7i
    No way you expect me to remember the year I made an account. When did you make that hotmail account?

    • Subodh Shakya, Sunday, March 21, 2010 at 5:11 PM

      I remember :)
      But then again, the number could be as simple as the last time you changed your password! Or anything else for that matter. The idea is to get an algorithm in your head without requiring you to write the password down and still be able to come up with "WTF" kinda passwords in a jiffy.

      • Daruwala, Sunday, March 21, 2010 at 8:35 PM

        Oye! You told me that. It's not my idea.

        (thought you would figure that out)

  • Joy, Monday, March 22, 2010 at 1:31 AM

    I found someone’s password. Again!
    How do you go about finding these passwords? Why does no one leave their password around for me to find? Puzzling!

    • Subodh Shakya, Monday, March 22, 2010 at 7:51 AM

      They're all around you.
      Besides, shouldn't you feel happy nobody around you is gloating about the *strength* of their passwords? *Gloat, *strength & *fools: three things that can get on anyone's nerves! Meh!
      PS: This post was written way back; I just published it now, so technically it doesn't happen every day, just once in a while.

      • Joy, Monday, March 22, 2010 at 1:55 PM

        Ah, yes! I had this feeling of deja vu when reading the post and then remembered the title discussion.

Copyright © 1995-2009 Subodh Shakya. All rights reserved.