
How to make a strong password


gogoblender


Hey guys, identity theft is up these days, and so are attacks on any sites that you may be using. This page is actually from Microsoft, go figure :devil:

 

http://www.microsoft.com/protect/yourself/...ord/create.mspx

 

With the very high number of dictionary attacks being used to crack accounts, everyone is being advised to absolutely not use any words from the dictionary, or combinations of them.

 

Enjoy the read

And surf safely

 

:D

 

gogo

Strong passwords: How to create and use them

Published: March 22, 2006

Password Strength & Password Security

 

Your passwords are the keys you use to access personal information that you've stored on your computer and in your online accounts.

 

If criminals or other malicious users steal this information, they can use your name to open new credit card accounts, apply for a mortgage, or pose as you in online transactions. In many cases you would not notice these attacks until it was too late.

 

Fortunately, it is not hard to create strong passwords and keep them well protected.

What makes a strong password

 

To an attacker, a strong password should appear to be a random string of characters. The following criteria can help your passwords do so:

 

Make it lengthy. Each character that you add to your password increases the protection that it provides many times over. Your passwords should be 8 or more characters in length; 14 characters or longer is ideal.

 

Many systems also support use of the space bar in passwords, so you can create a phrase made of many words (a "pass phrase"). A pass phrase is often easier to remember than a simple password, as well as longer and harder to guess.

 

Combine letters, numbers, and symbols. The greater variety of characters that you have in your password, the harder it is to guess. Other important specifics include:

 

The fewer types of characters in your password, the longer it must be. A 15-character password composed only of random letters and numbers is about 33,000 times stronger than an 8-character password composed of characters from the entire keyboard. If you cannot create a password that contains symbols, you need to make it considerably longer to get the same degree of protection. An ideal password combines both length and different types of symbols.

 

Use the entire keyboard, not just the most common characters. Symbols typed by holding down the "Shift" key and typing a number are very common in passwords. Your password will be much stronger if you choose from all the symbols on the keyboard, including punctuation marks not on the upper row of the keyboard, and any symbols unique to your language.

 

Use words and phrases that are easy for you to remember, but difficult for others to guess. The easiest way to remember your passwords and pass phrases is to write them down. Contrary to popular belief, there is nothing wrong with writing passwords down, but they need to be adequately protected in order to remain secure and effective.

 

In general, passwords written on a piece of paper are more difficult to compromise across the Internet than a password manager, Web site, or other software-based storage tool.

Create a strong, memorable password in 6 steps

 

Use these steps to develop a strong password:

 

1. Think of a sentence that you can remember. This will be the basis of your strong password or pass phrase. Use a memorable sentence, such as "My son Aiden is three years old."

2. Check if the computer or online system supports the pass phrase directly. If you can use a pass phrase (with spaces between characters) on your computer or online system, do so.

3. If the computer or online system does not support pass phrases, convert it to a password. Take the first letter of each word of the sentence that you've created to create a new, nonsensical word. Using the example above, you'd get: "msaityo".

4. Add complexity by mixing uppercase and lowercase letters and numbers. It is valuable to use some letter swapping or misspellings as well. For instance, in the pass phrase above, consider misspelling Aiden's name, or substituting the word "three" for the number 3. There are many possible substitutions, and the longer the sentence, the more complex your password can be. Your pass phrase might become "My SoN Ayd3N is 3 yeeRs old." If the computer or online system will not support a pass phrase, use the same technique on the shorter password. This might yield a password like "MsAy3yo".

5. Finally, substitute some special characters. You can use symbols that look like letters, combine words (remove spaces) and other ways to make the password more complex. Using these tricks, we create a pass phrase of "MySoN 8N I$ 3 yeeR$ old" or a password (using the first letter of each word) "M$8ni3y0".

6. Test your new password with Password Checker. Password Checker is a non-recording feature on this Web site that helps determine your password's strength as you type.

Password strategies to avoid

 

Some common methods used to create passwords are easy to guess by criminals. To avoid weak, easy-to-guess passwords:

 

Avoid sequences or repeated characters. "12345678," "222222," "abcdefg," or adjacent letters on your keyboard do not help make secure passwords.

 

Avoid using only look-alike substitutions of numbers or symbols. Criminals and other malicious users who know enough to try and crack your password will not be fooled by common look-alike replacements, such as replacing an 'I' with a '1' or an 'a' with '@' as in "M1cr0$0ft" or "P@ssw0rd". But these substitutions can be effective when combined with other measures, such as length, misspellings, or variations in case, to improve the strength of your password.

 

Avoid your login name. Any part of your name, birthday, social security number, or similar information for your loved ones constitutes a bad password choice. This is one of the first things criminals will try.

 

Avoid dictionary words in any language. Criminals use sophisticated tools that can rapidly guess passwords that are based on words in multiple dictionaries, including words spelled backwards, common misspellings, and substitutions. This includes all sorts of profanity and any word you would not say in front of your children.

 

Use more than one password everywhere. If any one of the computers or online systems using this password is compromised, all of your other information protected by that password should be considered compromised as well. It is critical to use different passwords for different systems.

 

Avoid using online storage. If malicious users find these passwords stored online or on a networked computer, they have access to all your information.

The "blank password" option

 

A blank password (no password at all) on your account is more secure than a weak password such as "1234". Criminals can easily guess a simplistic password, but on computers using Windows XP, an account without a password cannot be accessed remotely by means such as a network or the Internet. (This option is not available for Microsoft Windows 2000, Windows Me, or earlier versions.) You can choose to use a blank password on your computer account if these criteria are met:

 

You only have one computer or you have several computers but you do not need to access information on one computer from another one

 

The computer is physically secure (you trust everyone who has physical access to the computer)

 

The use of a blank password is not always a good idea. For example, a laptop computer that you take with you is probably not physically secure, so on those you should have a strong password.

How to access and change your passwords

 

Online accounts

Web sites have a variety of policies that govern how you can access your account and change your password. Look for a link (such as "my account") somewhere on the site's home page that goes to a special area of the site that allows password and account management.

 

Computer passwords

The Help files for your computer operating system will usually provide information about how to create, modify, and access password-protected user accounts, as well as how to require password protection upon startup of your computer. You can also try to find this information online at the software manufacturer's Web site. For example, if you use Microsoft Windows XP, online help can show you how to manage passwords, change passwords, and more.

Keep your passwords secret

 

Treat your passwords and pass phrases with as much care as the information that they protect.

 

Don't reveal them to others. Keep your passwords hidden from friends or family members (especially children) who could pass them on to other less trustworthy individuals. Passwords that you need to share with others, such as the password to your online banking account that you might share with your spouse, are the only exceptions.

 

Protect any recorded passwords. Be careful where you store the passwords that you record or write down. Do not leave these records of your passwords anywhere that you would not leave the information that they protect.

 

Never provide your password over e-mail or based on an e-mail request. Any e-mail that requests your password or requests that you go to a Web site to verify your password is almost certainly a fraud. This includes requests from a trusted company or individual. E-mail can be intercepted in transit, and e-mail that requests information might not be from the sender it claims. Internet "phishing" scams use fraudulent e-mail messages to entice you into revealing your user names and passwords, steal your identity, and more. Learn more about phishing scams and how to deal with online fraud.

 

Change your passwords regularly. This can help keep criminals and other malicious users unaware. The strength of your password will help keep it good for a longer time. A password that is shorter than 8 characters should be considered only good for a week or so, while a password that is 14 characters or longer (and follows the other rules outlined above) can be good for several years.

 

Do not type passwords on computers that you do not control. Computers such as those in Internet cafés, computer labs, shared systems, kiosk systems, conferences, and airport lounges should be considered unsafe for any personal use other than anonymous Internet browsing. Do not use these computers to check online e-mail, chat rooms, bank balances, business mail, or any other account that requires a user name and password. Criminals can purchase keystroke logging devices for very little money and they take only a few moments to install. These devices let malicious users harvest all the information typed on a computer from across the Internet—your passwords and pass phrases are worth as much as the information that they protect.

What to do if your password is stolen

 

Be sure to monitor all the information you protect with your passwords, such as your monthly financial statements, credit reports, online shopping accounts, and so on. Strong, memorable passwords can help protect you against fraud and identity theft, but there are no guarantees. No matter how strong your password is, if someone breaks into the system that stores it, they will have your password. If you notice any suspicious activity that could indicate that someone has accessed your information, notify authorities as quickly as you can. Get more information on what to do if you think your identity has been stolen or you've been similarly defrauded.


Good tips, however I'm afraid I won't remember my own password following this lol. :devil:

 

I do change my important ones regularly though so that's ok. :D


It is ironic that Microsoft publishes this and yet their main server operating system only allows the equivalent of a 7-character password, making it impossible to have a secure password if someone can get a copy of the password hashes [encrypted passwords].

 

In Windows NT, or any system attached to a Windows NT Domain, the password is stored encrypted, but the system encrypts the first 7 characters and the last seven characters of the 14-character password separately. So if someone gets a hold of the password file, they can run a program like l0phtcrack and break every password in a day or so.

 

In addition, if you want to create a strong password, many systems prevent you from doing so by making restrictive password rules that severely limit your choices and make it more difficult for an average person to come up with a password that they can remember. Writing a password down or calling the helpdesk to get your password reset is more likely to be the cause of a break-in than is someone guessing your password if you are given sufficient freedom to create a good password. In addition, many systems require you to regularly change your password (monthly) and prevent you from using the same password . . . ever. The result is that users need to come up with a new, secure password every month. If a user comes up with one good password and does not share it or write it down or allow others to see them type in their password, there is little to be gained by changing it. When forced to constantly change their password, users start writing them down or make them an obvious series like: FDM01, FDM02, FDM03 . . .

 

Password tips:

 

1. Determine [if possible] what characters you can use, and how long your password can be. 8-12 characters is usually pretty strong.

2. For Microsoft NT, a 7-character password is probably more secure than an 8-12 character password, because breaking the second 7-characters quickly might give the attacker a clue as to the first 7.

3. Bracket a word, etc. with special characters, =password= and +Hello+ are reasonably strong passwords and easy to remember.

4. Use patterns on the keyboard, like: 1q@W3e$R [type it to see how easy it would be to remember] and you can change it the following month to: 2w#E4r%T and it is completely different and yet still easy to remember.

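The 7+7 split Ike describes, as an added example that is not part of his post: it builds the LAN Manager hash the way NT did (uppercase the password, NUL-pad to 14 bytes, DES-encrypt a public constant under each 7-byte half independently) with Go's standard-library DES, then recovers the short second half of an 8- or 9-character password by trying at most 1,333 keys. The brute-force alphabet (A-Z and 0-9) and the sample passwords are constructed for the example; a real LM password could also contain symbols, and real LM used the OEM code page rather than plain ASCII uppercasing.

```go
package main

import (
	"bytes"
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

// lmMagic is the fixed plaintext every LM hash encrypts. It is public, so the only secret
// behind each 8-byte half of the hash is the 7-byte DES key derived from that half of the password.
const lmMagic = "KGS!@#$%"

// lmKey spreads 7 password bytes (56 bits) across an 8-byte DES key, leaving the low bit
// of each byte in the parity position (DES discards it in PC-1).
func lmKey(chunk []byte) []byte {
	var bits uint64
	for _, b := range chunk {
		bits = bits<<8 | uint64(b)
	}
	key := make([]byte, 8)
	for i := 7; i >= 0; i-- {
		key[i] = byte(bits&0x7f) << 1
		bits >>= 7
	}
	return key
}

// lmHalf encrypts the magic constant under one 7-byte chunk of the uppercased password.
func lmHalf(chunk []byte) []byte {
	c, err := des.NewCipher(lmKey(chunk))
	if err != nil {
		panic(err)
	}
	out := make([]byte, 8)
	c.Encrypt(out, []byte(lmMagic))
	return out
}

// lmHash is the 16-byte LAN Manager hash: uppercase, NUL-pad to 14 bytes, hash each 7-byte
// half on its own. Nothing ties the halves together, and case is thrown away before hashing.
func lmHash(password string) []byte {
	pw := []byte(strings.ToUpper(password)) // ASCII assumed for this example
	if len(pw) > 14 {
		pw = pw[:14]
	}
	buf := make([]byte, 14)
	copy(buf, pw)
	return append(lmHalf(buf[:7]), lmHalf(buf[7:])...)
}

func lmHashHex(password string) string { return hex.EncodeToString(lmHash(password)) }

// crackHalf brute-forces one 8-byte half over A-Z and 0-9 up to maxLen characters. A full
// 7-character half has 36^7 (about 78 billion) candidates; the tail of an 8- or 9-character
// password has only 36 or 1,296, which is why the second half falls instantly and leaks
// how the password ends.
func crackHalf(target []byte, maxLen int) (string, bool) {
	const alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
	chunk := make([]byte, 7)
	var rec func(pos, n int) (string, bool)
	rec = func(pos, n int) (string, bool) {
		if pos == n {
			if bytes.Equal(lmHalf(chunk), target) {
				return string(chunk[:n]), true
			}
			return "", false
		}
		for i := 0; i < len(alphabet); i++ {
			chunk[pos] = alphabet[i]
			if s, ok := rec(pos+1, n); ok {
				return s, true
			}
		}
		return "", false
	}
	for n := 0; n <= maxLen && n <= 7; n++ { // shortest candidates first: empty, then 1 char, ...
		for i := range chunk {
			chunk[i] = 0
		}
		if s, ok := rec(0, n); ok {
			return s, true
		}
	}
	return "", false
}

func main() {
	for _, pw := range []string{"", "password", "Password", "password1"} {
		fmt.Printf("%-12q %s\n", pw, lmHashHex(pw))
	}
	tail, _ := crackHalf(lmHash("password1")[8:], 2)
	fmt.Printf("second half of %q recovered as %q\n", "password1", tail)
}
```

The empty password hashes to the well-known AAD3B435B51404EEAAD3B435B51404EE, and any password of seven characters or fewer shows that same value in its second half, so the hash itself tells an attacker how long the password is. Because the uppercasing happens first, "Password" and "PASSWORD" produce identical LM hashes, which is why an LM cracker only has to search case-insensitively and then fix up case against the NT hash. On NT-era systems a password longer than 14 characters cannot be represented in LM at all and is stored as the empty LM hash, and Windows Vista and later no longer store LM hashes by default.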

Thanks gogo and Ike. Recently I revamped my passwords to stronger ones, because both Mika and someone else got hacked. Good stuff, I might repost it a few other places if that is okay. :D


Heya Blade, I took my content directly from the microsoft site, so feel free to spread it around.

 

:)

 

gogo

 

p.s. Ike, so true about how many sites have restrictive rules regarding passwords. I usually use passwords between 16 and 258 characters each, and I've found that on a good number of sites that I attempt registration on, the passwords don't allow the kind of flexibility we need to create strong ones. Argh... :D


Thanks gogo! I'm sure some of my friends would like to read this. :)

 

Also, because you said between 16 and 258, that means one of your passwords is prolly 258 since it is an abnormal number! :D

 

*Starts typing all possible 258 combinations of number*


 

You forgot the alphabets too! :)

 

It's virtually non-guessable even with a supercomputer. But you raised a good point, a 258-character password, gogo?

 

Let me guess, combination for your fridge? :P

  • 1 month later...
Guest FrostElfTwin

I wrote this a couple of years ago... still applies today.

 

 

 

 

 

Strong Passwords

Individuals create strong passwords based on their own lives and values. Strong passwords protect against computer-based attacks and physical attacks. Strong passwords are NOT copied.

Method 1: Sports based.
For a sports fan: hocbas, hocbasvol → h0cb1sv0l
Based on hockey, baseball and volleyball—sports the person loves to watch or play.

Method 2: Based on your pet & family
Hasufel & Olorin → H15uf5l & 0l0r1n → H150L0, where letters have been replaced with numbers

Method 3: First letters of a famous or treasured passage:
But, Wait! There's More! → BuWaThMo → 8uWaThM0

Method 4: People you admire (sports stars, movie stars, politicians, philosophers):
Salman Khan & Halle Berry → SalBerry → 51lB5rry

Method 5: Absurdities & song lyrics. Phrases or ideas that stick in your mind, that you can't get rid of:
PaddlingButterfly → PadButter → Pad8utter
LoseYourself → L0seYurslf → L0seYrs1f

All of the above methods allow for a strong link to the password creator, yet are hard to attack with a computer, and hard to break from shoulder surfing. Without the key, partial information doesn't help the password cracker.

Once a strong password has been created, it should be practiced several times throughout the first day. This should cement the memory.

 

 

 

====

 

One of the attacks people can use is to shoulder surf. That means, they watch you type stuff in.

If they're a touch typist, they can read your fingers as you type (they're experts at Qwerty or Qwertz or whatever keyboard).

 

That's why patterns like 1q2w3e aren't so good.

 

Also, these days, it pays (particularly at ATMs) to cover your hand when typing in your code number. Prevents people from getting a good recording (with their pinhole cameras).

 

Yipes! The world is gettin' more sophisticated!

  • 2 months later...

Nothing like being a couple months late to a thread. Anyway, I use roboform on my main computer and have roboform2go on my U3 drive. They have a password generator built into the program but I have never used it. My luck, my password would have been a combo of gogo and food.

  • 1 month later...
  • 3 months later...

I more have the problem with forgetting things like my passwords, but I write them often enough so that my hands remember the word placement >.<

  • 1 year later...

Use some song lyrics or something from literature..

 

example

 

Killing An Arab

 

Standing On The Beach

With A Gun In My Hand

 

KAA;SOTBWAGIMH

 

or just KAA;SOTB

 

or, even better, make words of three letters or less lowercase

 

KaA;SotBWaGimH

Edited by claudius
  • 1 month later...

Hi fellows of DarkMatters, this thread is a GREAT idea.

Please let me add that... profanity is a REALLY bad one (as hinted at by Microsoft in gogoblender's post already).

One major ISP collected data about passwords, I believe it was in 2006. They put all processing into one computing job, so that even the admins and other employees couldn't see the intermediate results:

-collected passwords of all users, stripped the user names

-hashed the individual passwords

-discarded the rare hashes (9 or less)

-checked all hashes for multiple passwords, discarded the ones which were least used (<10 again)

-made a ranking

-mailed all users with the frequent password hashes (thus without any knowledge about the pwd itself)

-stored the ranking and gave the users 3 months to change their passwords

-output the top 200 passwords in an ordered list.

Excerpt:

#1 "lol" (over 52,000 users),

#2 "password" (~30k iirc),

#3 "...." (one of the 7 dirty words),

#4 "...." (another one),

and the remaining 5 were in the top 200 as well, along with some misspelled variations (e.g.#2 without the "p") !

Now, if many users think alike, if one of them tries to hack, all others with similar passwords are in danger. More so since the list got published and the hackers know what to try...

To make a long story short, profanity in passwords is a bad idea as well. If you have to be "funny," try something creative, like "comeonbraindamagedISPletmeinalready" (another good idea is to type every other letter, thus produce a somewhat lengthy and unreadable, yet easy to remember gibberish like "cmobanaaeIPemiaray").

Little kids ask so many funny, impossible to guess, and (for parents) easy to remember things. You can use these as starting points, too.

One more pitfall I can think of:

-Please don't use anything VERY popular (Bible, Bill of Rights, Moby Dick, LOTR, James Bond, StarWars, Trek books/movies, etc) to provide initials. Hackers try these, too, and they don't provide more than a million (give or take) of different combinations each. You can use these as starting points, but please use a less predictable conversion scheme than initials.

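The ISP's counting job described above, as an added example that is not the ISP's code (the post shows none): it hashes every password, counts how many accounts share each hash, drops hashes below a threshold, ranks the rest, and lists the users to notify, all without anyone handling a plaintext after the first step. SHA-256 stands in for whatever one-way function the ISP used, and the account records and the threshold of 3 are constructed sample data, not figures from the post.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
)

// record is one account as the credential store would hand it to the job (constructed sample data).
type record struct{ user, password string }

// hashPassword is the one-way step. SHA-256 is an assumption; the post does not name the function.
// It is deliberately unsalted here because the whole job depends on identical passwords hashing identically.
func hashPassword(pw string) string {
	sum := sha256.Sum256([]byte(pw))
	return hex.EncodeToString(sum[:])
}

// frequent is one entry of the ranking: a hash and how many accounts share it.
type frequent struct {
	hash  string
	count int
}

// rankShared counts the accounts behind each hash, discards hashes shared by fewer than minCount
// accounts (the post's "rare hashes"), and returns the rest by popularity. Only hashes leave here.
func rankShared(records []record, minCount int) []frequent {
	counts := map[string]int{}
	for _, r := range records {
		counts[hashPassword(r.password)]++
	}
	var out []frequent
	for h, n := range counts {
		if n >= minCount {
			out = append(out, frequent{h, n})
		}
	}
	sort.Slice(out, func(i, j int) bool {
		if out[i].count != out[j].count {
			return out[i].count > out[j].count
		}
		return out[i].hash < out[j].hash // deterministic tie-break
	})
	return out
}

// usersToNotify returns the accounts whose hash made the ranking; the mail goes out by hash,
// so the sender never learns the password itself.
func usersToNotify(records []record, ranking []frequent) []string {
	flagged := map[string]bool{}
	for _, f := range ranking {
		flagged[f.hash] = true
	}
	var users []string
	for _, r := range records {
		if flagged[hashPassword(r.password)] {
			users = append(users, r.user)
		}
	}
	sort.Strings(users)
	return users
}

// sampleRecords is constructed data: "lol" on 5 accounts, "password" on 4, its misspelling on 3, two singletons.
func sampleRecords() []record {
	var rs []record
	for i := 0; i < 5; i++ { rs = append(rs, record{fmt.Sprintf("lol%d", i), "lol"}) }
	for i := 0; i < 4; i++ { rs = append(rs, record{fmt.Sprintf("pw%d", i), "password"}) }
	for i := 0; i < 3; i++ { rs = append(rs, record{fmt.Sprintf("typo%d", i), "assword"}) } // #2 without the "p"
	rs = append(rs, record{"gogo", "cmobanaaeIPemiaray"}, record{"blade", "MhKG75B!"})
	return rs
}

func main() {
	rs := sampleRecords()
	ranking := rankShared(rs, 3)
	for i, f := range ranking {
		fmt.Printf("#%d %s... shared by %d accounts\n", i+1, f.hash[:12], f.count)
	}
	fmt.Println("notify:", usersToNotify(rs, ranking))
}
```

Counting identical hashes across accounts only works when the store is unsalted, which is exactly the property a cracker exploits too: one guess is tested against every account at once. With a salted store the same survey has to be run as a guess-and-verify pass over a candidate list, one account at a time.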
  • 2 months later...

I made up a word to use as my password.

It's advisable that you use the same one everywhere. Especially if you have the memory of a goldfish, like me.

 

:P


 

:D

 

bahhh, internet pirates who needs em?

 

I remain, disturbed!

  • 4 weeks later...

A commercial on how to create a good password:

 

 

The boy asks his girlfriend Mary what cup size she has. She answers 75B. And then he remembers his password:

MhKG75B!

Mary hat Körbchengröße 75B

Mary has cup size 75B!

 

It has letters and numbers and special characters. But it fails the easy-to-remember part, because boys never seem to know the clothing sizes of their girlfriends.

 

Stumbled upon this one when searching for a commercial about the Volkswagen Sharan from years back.


A good password has to balance security with our ability to remember it, because minimizing the number of places that a password is written down or otherwise recorded is a good idea. It is a tough line: the most memorable passwords are the easiest to crack, while the most secure are a jumble of characters that is impossible to recall.

  • 3 weeks later...
