Security Basics mailing list archives

RE: Choosing unique passwords - how paranoid is too paranoid?
From: "Chris LoVerme" <chris.loverme () sl-tech net>
Date: Thu, 26 Jun 2008 17:49:32 -0700

Great topic... For years I've always struggled with a good password rotation and selection theme. I think everyone has 
their own methodology about it and there's the issue at heart; someone figures out the method or the routine and cracks 
away. I've found some good themes and I've tested them against password crackers and dictionaries.  The following is on 
my blog as well (if reading this here is a pain) and hoping not to break any rules here.  I want to test against Linux 
too, but haven't done so yet; that will make a good follow-up post I suppose :)

Make your passwords more difficult to crack:
These days it’s actually quite difficult to pick a decent password that’s difficult to crack; the future is going to 
present us with more options around biometrics or algorithmic keys.   More than likely, passwords will never go away but 
will continue to be combined with a device (card, key, etc) which is called two-factor authentication (something you 
know such as a password, and then something you have such as a card or fingerprint).  If you’ve done technical support 
or network administration, no doubt you’ve seen all the password combinations from numbers, to letters and numbers, 
mixes, and so on.   You also know that social engineering often gets someone to give up their password, so it is 
difficult to guard against that as well. 

Crackers are basically hackers that use toolsets designed to defeat either the password or the method that encrypts the 
password.  There’s lots of commercial software available because people forget passwords, even system administrators, so 
you’ll find a password cracker for just about every system out there.   Most of these applications start with what’s 
called a dictionary attack, which means it has large text files with just words in them and it tests them.   Some of 
these dictionaries are giant, in other languages, and focus on specialty niches like movies, Shakespeare, etc.   The 
other common attack is a brute force attack in which the program will try to logically guess your password in a 
sequence such as “pasp“, “pasq“, “pasr“, “pass“.   Brute force can take a long, long time because your password might 
be 16 characters long, contain symbols (*&^%$#), capital letters, numbers, and so on.   Brute force attacks will 
eventually find your password no matter what, plus the time to find your password decreases as crackers take advantage 
of powerful hardware like distribution farms (lots of computers) with multiple, multi-core 64 bit processors.   A bank 
of 10 servers with dual 64 bit quad core processors could crack the password “g00dn1gHt3very1” in less than 10 seconds 
if encrypted with a 40 bit algorithm.

Anyway, let’s discuss 5 good password techniques that will throw off the dictionary attacks and brute force methods.

1. Use a pass-phrase - Pass-phrases are much better, basically use a sentence rather than your child’s first name.  
Unfortunately, most programs limit your password length.  If a program doesn’t limit password length pick a pass-phrase 
because it’s easy to remember, won’t be in a dictionary, and hard to brute force.  An example would be “I love 2 drink 
sugar free lemonade!”.  That’s a 35 character password with a capital letter, a symbol, spaces, and a number.   (I 
tested this password with 128 bit AES encryption and a cracking tool was unable to crack the password after working on 
it for 12+ hours on a single dual core 3.2Ghz processor.)

Example test (I love 2 drink sugar free lemonade!):
Works on Windows Vista
Works with WinRAR 3.70
Works with WinZIP 11.1
Works with Excel 2007
Does not work with Word 2007 (character limitation)
Passed Basic Passware Audit*

*Password Audit Notes: Passware 8.0 has a 27 character limit on brute force attacks for the Office Recovery tool.  The 
RAR & Zip Recovery tool has a limit of 12 characters.  In all my tests, I used the defaults. This is one of the top 
password recovery and audit tools on the commercial market and retails for $495.   If you’re an IT specialist, I 
suggest a copy.  (No, I’m not getting paid for referring them)

2. Math - These are easy to remember, won’t be in a dictionary, and hard to brute force.  Use a word, symbol, and a 
number.  Here are some examples of passwords: 12*Twelve=144, Ten*10=100!, Eighteen-1=17.  Combine this tip with the 
previous one for a super strong password: “Ted said 2*2=4”.  When I spoke with Microsoft consultants a couple of years 
ago, they fell in love with this method.

Example test (Ted said 2*2=4):
Works with Windows Vista
Works with Word 2007
Works with Excel 2007
Works with WinRAR 3.70
Works with WinZIP 11.1
Passed Basic Passware Audit

3.  Extended ASCII (Graphics) - Some password crackers don’t have options for Extended ASCII, in fact, it’s rarely used 
anymore within the Windows world due to fonts and graphics.  They aren’t preloaded into cracking tools, they aren’t 
well known, and they’re not in dictionaries.  Someday this might change, but until then, a passphrase like “451°F will 
burn paper” is a platinum-class passphrase.  Easy to remember, is 21 characters, has extended ascii, numbers, and a 
capital letter.

The whole extended ASCII set is 127 through 255, 255 is fantastic because it looks like a blank space but it isn’t! 
Imagine a password that’s intertwined with 255’s and spaces.  Even if a password cracker cracks the password and is 
able to display it, it’s going to show as a bunch of blank spaces looking as if it failed to crack it correctly.   It’s 
even better if someone is using a sniffer and not looking at the hex codes.  Some web browsers won’t be able to display 
this but here’s what it looks like: “     ” That’s two 255’s a space, then two more 255’s.  
All the extended ASCII sets make good passwords (for programs that support them) or add one symbol to your current 
password.  Here’s another slightly artistic example: “░▒▓▒░”  A poorly written cracking program may not be able to 
display these characters and may crash or display other symbols in an interpreted font set.  For example, ▒ may show up 
as “_” in another font, but the underlying value is ASCII 177 not “_”.  Remember to add words to make it a phrase and 
make it even stronger.

Example test (451°F will burn paper):
Works with Windows Vista
Works with Word 2007
Works with Excel 2007 (not Mac compatible)
Works with WinRAR 3.70
Works with WinZIP 11.1 (not DOS compatible)
Passed Basic Passware Audit

4. Common Set (capital letter, longer than 6 characters, and number or a symbol) - Common set passwords involve a 
pattern and are great to use because they’re not in a dictionary, brute force will take some time, but these are not 
always easy to remember.  Examples are: Tropicana9, Battlestar3, !Starbucks!, Goldfrapp$, etc. 

Bold example:
Works with Windows Vista
Works with Word 2007
Works with Excel 2007
Works with WinRAR 3.70
Works with WinZIP 11.1 
Passed Basic Passware Audit

5. When possible save your documents in a higher encryption such as 128bit AES or RC4 RSA encryption.  128bit AES is 
set by default in Office 2007. 

People are now using passwords that they think are secure but really aren’t anymore because password crackers have 
picked up on these ones. Password methods to now avoid:

1.  Leet (or Hax0r) - This was clever, but the brute force crackers picked up on it quickly and coded for common 
substitutes.  There’s even a dictionary now for it, so avoid these passwords.   Examples of these now well used 
passwords are: l33t, r0xx0rz, n00b, etc.

2.  Foreign Language - Language dictionary sets are common now, so forget the Russian password you came up with.   A 
brute force is going to crack this very fast anyway. 

3.  Qwerty - Keyboard patterns are all well known now and in dictionaries as well as some brute force options.  Examples 
include: qwerty, asdfg, poiuy, and zxcvb.

Not sure if your password is secure?  Try cracking it yourself; elcomsoft and lostpassword.com provide tools for 
dictionary and brute force password recovery.  

There's a good interesting article here too: http://www.codinghorror.com/blog/archives/000949.html
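As an added example (my own code, not from Chris's post or from any of the tools he names), here is a small Python checker that applies the post's rules from the defender's side: it undoes the leet substitutions and the word+digit/symbol pattern before a dictionary lookup, flags the keyboard runs, and estimates the brute-force search space for the post's own sample passwords. The wordlist, the keyboard-run list and the guess rate are constructed stand-ins, not values from any real cracking tool.

```python
import math
import re

# Constructed stand-ins for the wordlists and pattern lists a cracking tool ships with.
WORDLIST = {"leet", "noob", "password", "tropicana", "battlestar", "starbucks", "goldfrapp"}
KEYBOARD_RUNS = ("qwerty", "asdfg", "poiuy", "zxcvb")
# Common leet substitutions that rule-based crackers undo (the "Hax0r" method the post says to avoid).
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})


def charset_size(pw: str) -> int:
    """Size of the alphabet a brute-forcer must cover to reach this password."""
    size = 0
    if re.search(r"[a-z]", pw): size += 26
    if re.search(r"[A-Z]", pw): size += 26
    if re.search(r"[0-9]", pw): size += 10
    if re.search(r"[ -/:-@\[-`{-~]", pw): size += 33   # printable ASCII symbols, space included
    if any(ord(c) > 127 for c in pw): size += 128       # extended ASCII, e.g. the degree sign
    return size


def brute_force_bits(pw: str) -> float:
    """Worst-case search space in bits, assuming the attacker knows only the charset and length."""
    return len(pw) * math.log2(charset_size(pw))


def weaknesses(pw: str) -> list:
    """Reasons a dictionary or rule-based attack would find pw quickly; empty means none found."""
    found = []
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", pw.lower())  # drop the trailing "9" or "!" wrapper
    core = core.translate(LEET)                          # l33t -> leet, n00b -> noob
    if len(pw) < 12:
        found.append("shorter than 12 characters")
    if core in WORDLIST:
        found.append("dictionary word after undoing leet/affixes")
    if any(run in pw.lower() for run in KEYBOARD_RUNS):
        found.append("keyboard pattern")
    return found


def years_to_exhaust(pw: str, guesses_per_second: float = 1e10) -> float:
    """Years needed to cover the whole space at a constructed guess rate (1e10/s by default)."""
    return 2 ** brute_force_bits(pw) / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    for sample in ("Tropicana9", "l33t", "qwerty123", "Ted said 2*2=4", "I love 2 drink sugar free lemonade!"):
        print(f"{sample!r}: {brute_force_bits(sample):.0f} bits, "
              f"{years_to_exhaust(sample):.2g} years, weaknesses={weaknesses(sample)}")
```

The point the numbers make is the one the post makes in prose: the "common set" passwords fall to a wordlist plus a rule long before their charset bits matter, while the 35-character passphrase is out of brute-force reach even at a generous guess rate.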

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Kurt Buff
Sent: Wednesday, June 25, 2008 6:08 PM
To: Johann MacDonagh
Cc: security-basics () securityfocus com
Subject: Re: Choosing unique passwords - how paranoid is too paranoid?

On Tue, Jun 24, 2008 at 8:27 PM, Johann MacDonagh <johann () macdonaghs com> wrote:
Hi all,

I've recently begun a full on password change process where I'm 
increasing the security of passwords I use for various systems I use 
(computer systems, websites, etc...). In the past I've only used a few 
different passwords and hoped for the best. I'd like to start working 
on a new system that allows me to create easy to remember passwords 
for each unique system. I don't want to create completely random ones 
and rely on a password manager, because I use these systems at home, 
at work, and on my iPhone. They need to be something I can easily type.

So my first scheme involved coming up with a rather long base 
password, choosing a 4 character acronym for each system, mixing it up 
in a certain way, and inputting those jumbled characters in predefined 
locations. This solved one issue:
1. If someone were to compromise one password, it's unlikely they 
would be able to deduce the same pattern for other systems.

Then, I got paranoid. What if they had two passwords? The differences 
could be found, and analyzing the 24 different permutations (4!) of 
the differences could quickly find a pattern.

So, I modified it a little. I took the name of each system, padded and 
mixed in yet *another* master password (this time much shorter), and 
ran it through this (on OS X):

echo -n mypaddedstring | openssl dgst -md5 -binary | openssl enc 

and took the first few characters. I put that in a certain location of 
my master password. The reason to use a hash function is pretty 
obvious, and
base64 allows me to add in additional bits to brute force with the 
same number of keys.

This has worked out better. I've started using mnemonics to remember 
each system's unique part. Muscle memory!

Now, I'm up against a wall. I can't possibly remember a different 
password for *each* system. So I came up with the (final) idea of 
classifying systems as high or low, depending on the problems a 
compromise would create. For example, my registration on some random 
forum is low, whereas my PGP passphrase is high.

I know this is looking like there will never be a question, but there is.
What does everyone think of this system? Would you classify sites that 
hold somewhat private information (such as Amazon.com without any 
saved payment
methods) as high or low? Is there another way?

Let me close by saying that the day I can use a smartcard for 3 factor 
authentication (PIN, physical access to card, and biometrics) to 
access ALL systems (hey, web developers, you can ask for x.509 certs 
you know!) is the day that I stop worrying about all this. Or should I 
be worried about that too? :)


Way too complex

Get a USB key or PDA, and put your favorite password manager on it. I like PasswordSafe, but Keepass is derived from it 
and many like it, though I haven't tried it. I'm sure there are commercial alternatives as well, but these are OSS - 
and available on sourceforge.

I like my passwords to be pass sentences. 20+ characters, with all of the punctuation and other non-alpha characters 
they deserve. Much easier to remember and to type. Think up a sentence, commit it to your password management 
application, have it ready. One site, one pass sentence. Very easy.

Even if the site/server/application doesn't take passwords that long, having it in your password management database is 
better than trying to remember it, and your password management software will generate passwords if your brain is 
non-functional for whatever reason.

Back up your password management database, too.

