Carson Valley Women's Golf Club

What Makes A Good Password


 

A good password is one that has the following characteristics;

Password Attack Methods

From an automated standpoint, there are two basic types of attack used to try to “crack” a password: Dictionary and Brute Force attacks.

A Dictionary attack is one that systematically tries every word in a dictionary in an attempt to “guess” the target password.

A Brute Force attack is more effective but requires exponentially more time, as it systematically tries every combination of letters, characters and numbers to guess the password. There are 95 separate characters in the usable set of password characters: 52 letters (lower and upper case), 10 digits and 33 special characters. The process would begin with a 1 character password, requiring 95 iterations. Adding a second character would require 9,025 (95 squared) iterations. Adding one more place would increase the attempts to 857,375 iterations (95 to the 3rd power). A 5 character password would increase this to in excess of 7.7 billion iterations.

Note –
A 5 character password is considered a weak password which is why we want our passwords to be between 8 and 12 characters.  

Creating a Password

There are a number of tricks to employ to manually create complex and unique passwords such as an acrostic string, a substitution cipher or both.

Note –
There are password generators that utilize hexadecimal keys to generate 64, 128 or 256 bit keys. Such a generator would convert an ASCII string such as “password” to a hex key of 70617373776f7264. But we want a method that is a bit more “user friendly” yet effective.

Acrostic String (Acronym)

Use the first letter of each word in a short saying, ditty or favorite song verse to create a string of characters, such as:

  1. amacewcir - All men are created equal with certain inalienable rights
  2. htsitcbomngdag - Hot town, summer in the city. Back of my neck getting dirty and gritty

Both of these would be acceptable passwords, as they are not words in a dictionary and would therefore require a brute force type attack to crack. They are easy to create and remember, as both are familiar to the user. And if you go back a bit, I’ll bet you can come up with some old song verses that are virtually forgotten in today’s society. Do you remember Johnny Preston’s 1959 “Running Bear” - “On the banks of the river stood Runnin' Bear, young Indian brave…”? That would convert to “otbotrsrbyib”.

Substitution Cipher

Replace one or more letters with numbers and/or special characters.

| Number | Letters | Special Characters | Letters or Numbers |
|---|---|---|---|
| 1 | lower case i, or l; upper case I or L | ! | lower case i, or l; upper case I or L; 1 |
| 2 | z or Z | @ | a |
| 3 | e or E | $ | s or S |
| 4 | h (upside down) | ^ | n |
| 5 | s or S | ^^ | m or M |
| 6 | b or G | & | and |
| 7 | t, T or L (backwards & upside down) | + | t |
| 8 | g | \| | I or L |
| 9 | g, q, d (upside down), P (backwards) | < | c or C |
| 0 | o or O | ? | q |
| 13 | B | | |

 

Applying a substitution cipher to the first acrostic string above would result in the following:

@^^@<3W<!r

Notice this password contains lower and upper case letters, numbers and special characters.

So, can you read the following passwords, which are known words in the English lexicon?

Y3!!0w5+0^3
6@R9^3rv!113

If you do use a word or name in picking your password, try to use a word that is not in a dictionary, such as “Da ow a ga”, which in the Washoe language is “edge of the lake” (later morphed and anglicized to Tahoe).

D@0w@6@ or 9@0w@6@
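
A check a password policy could run on the passwords above, as an added Python example that is not part of the original page: it reverses the substitution table and tests every possible reading of a password against a word list. The names TABLE, decodings and dictionary_hits and the small word list are assumptions made for the illustration.

```python
from functools import lru_cache

# Reverse of the page's substitution table: symbol -> letters it can stand for.
SINGLE = {
    "1": "il", "2": "z", "3": "e", "4": "h", "5": "s", "6": "bg",
    "7": "tl", "8": "g", "9": "gqdp", "0": "o",
    "!": "il", "@": "a", "$": "s", "^": "n", "+": "t", "|": "il",
    "<": "c", "?": "q",
}
TABLE = {sym: list(letters) for sym, letters in SINGLE.items()}
# Entries of the table that are two symbols wide or expand to a whole word.
TABLE.update({"^^": ["m"], "13": ["b"], "&": ["and"]})

# Constructed sample word list; a real check would load a full dictionary.
WORDS = {"yellowstone", "gardnerville", "password", "golf"}


def decodings(password):
    """Return every lower-case reading of the password under TABLE.

    The number of readings grows with each ambiguous symbol, which is
    fine for password-length input but not for long strings.
    """
    s = password.lower()

    @lru_cache(maxsize=None)
    def tails(i):
        if i == len(s):
            return frozenset([""])
        out = set()
        for width in (2, 1):  # try two-symbol entries such as ^^ first
            token = s[i:i + width]
            if len(token) != width:
                continue
            # Characters not in the table (plain letters) stand for themselves.
            options = TABLE.get(token) or ([token] if width == 1 else [])
            for option in options:
                out.update(option + rest for rest in tails(i + width))
        return frozenset(out)

    return tails(0)


def dictionary_hits(password, wordlist=WORDS):
    """List the dictionary words the password reduces to (empty if none)."""
    return sorted(decodings(password) & set(wordlist))
```

The two quiz passwords reduce to entries in the word list, while the substituted acrostic and the Washoe example return no hits.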