Pick anyone in the world who uses a computer now and then and chances are they've had to think up a password somewhere along the line. Regular computer users will have stacked up quite a few: the work PC, webmail, online banking, blogs, and so on. It's no wonder that a lot of people get overwhelmed by the sheer number of things to remember and forget why they have the passwords in the first place.
It's not uncommon to see a Post-it note with a password written on it stuck to the top of the computer that it accesses, and when that happens it's easy to see that something has gone wrong somewhere down the line. For users, it's important to remember why passwords exist in the first place, and for administrators setting a password policy, who tend to err on the side of paranoia, it's important to remember that sometimes too much security is just as bad as none at all. To understand what makes a good password, we need to first look into how passwords get broken.
People trying to break your password will generally fall into one of two categories. The first will be professional cyber criminals, indiscriminately trying to gain access to accounts for their own gain. Maybe it's access to your bank account and your funds, maybe it's control of your computer so they can add it to their botnet, maybe it's an attempt to gain access to your work account for the purposes of industrial espionage, or maybe it's just some bored kid looking for something to vandalise.
Whatever the situation, the common factor is that they're not necessarily singling you out and you haven't necessarily done anything to draw their attention. You may just be one of a thousand hit, or one of a hundred thousand chosen at random on the Internet, and the only thing protecting you is the strength of your password.
The second group are people who have chosen to target you; either they know you or they have the means to find out. They may have chosen you for any of the reasons above, or through curiosity or spite. Many people choose passwords that relate to personal information, such as birthdays, addresses or family names -- thinking that either nobody knows these little facts, or that those who would know would never try to use them.
Most people aren't aware how much information ends up being available about them on the Internet, one way or another -- and with search engines getting better all the time, it's getting easier to find out more about people.
How are passwords broken?
There are a number of different ways in which passwords are broken. The oldest, and least sophisticated, method is the brute force attack: the attacker runs through every possible sequence in the set of possible passwords until they find the right one. It isn't clever, but the advantage of the brute force attack is that given enough time it will always work, at least against a password hash the attacker holds a copy of (an online login that locks or throttles after a few failures changes the arithmetic entirely). The key factor is time, and to understand that, let's take an example: cracking a four digit PIN.
In this case there are four characters and each has 10 possible values, so there are 10^4, or 10,000, possible combinations. Trying every one takes 10,000 attempts, but on average you only need to get halfway through the set before hitting a given password, so an attacker needs about 5,000 attempts per PIN, which a computer can run through in a matter of seconds at most.
That was a simplistic example, so let's take something more commonplace: a six character password, letters only and not case sensitive. That gives 26 options for each character, or 26^6 = 308,915,776 possibilities. Clearly this is going to take a lot longer, but it's still not enough to discourage an attacker.
At the 2005 Ontario Universities Computing Conference, Johnathan Graham claimed that an optimised password cracker running on a 2.7GHz G5 Mac had managed to generate 900,000 encrypted passwords per second (presentation notes). At that rate the whole six letter space above can be generated in under six minutes. An eight character password using the full printable ASCII character set, including uppercase, lowercase, digits and punctuation, has 95^8 possibilities and would take over 200 years of constant computation to exhaust at the same rate. Bear in mind that this is a 2005 figure: the arithmetic is the same at any guess rate, but the rate depends on the hash being attacked as much as on the hardware, and a fast, unsalted hash on modern hardware is cracked many orders of magnitude faster.
The second method is the dictionary attack. In this kind of attack the attacker has a big list of possible passwords, so that rather than having to try every possible combination of letters and numbers, they need only try combinations that are likely to be someone's password, somewhere. Don't be fooled by the name into thinking that this list contains only words found in a common dictionary, although that will certainly be part of it.
Your typical password cracker will have several dictionaries, ranging from a short list of only the most common passwords up to a comprehensive dictionary containing obscure words, names, places, phrases and common misspellings. Often a cracker will combine the dictionary with itself to generate concatenated words, and apply mangling rules that capitalise, substitute characters, and append digits and punctuation. A password cracker's largest dictionary may run into the tens of gigabytes, and a run against it may take days.
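To make the brute force and dictionary arithmetic concrete, here is an added example (not code from the original article) that computes keyspace sizes using the 900,000 guesses per second figure quoted above, then runs a small rule-based dictionary attack of the kind just described. The word list, the mangling rules and the target password are constructed for illustration, and unsalted SHA-1 stands in for whatever hash a real cracker would be attacking.

```python
"""Brute-force arithmetic versus a rule-based dictionary attack.

Added example, not code from the original article.  The word list, the
mangling rules and the target password are constructed for illustration,
and unsalted SHA-1 stands in for whatever hash a cracker is actually
attacking.
"""
import hashlib
import itertools

GUESSES_PER_SECOND = 900_000           # the 2005 rate quoted in the article
SECONDS_PER_YEAR = 365 * 24 * 3600
LEET = str.maketrans("aeios", "43105")  # a->4, e->3, i->1, o->0, s->5


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols."""
    return alphabet_size ** length


def seconds_to_exhaust(space: int, rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every password in `space` at `rate` guesses/s."""
    return space / rate


def digest_of(password: str) -> str:
    """Unsalted SHA-1 hex digest: the stand-in for the stored password hash."""
    return hashlib.sha1(password.encode()).hexdigest()


def base_forms(words):
    """Spellings a cracker tries for each dictionary word: as typed,
    capitalised, upper-cased and in 'leet' spelling, duplicates removed."""
    forms = []
    for w in words:
        for f in (w, w.capitalize(), w.upper(), w.translate(LEET)):
            if f not in forms:
                forms.append(f)
    return forms


def candidates(words, years=range(1990, 2010)):
    """Ordered stream of guesses derived from the word list, cheapest first:
    bare forms, then forms with digit/year/punctuation suffixes, then every
    two-form concatenation.  Real rule sets are larger but shaped like this."""
    forms = base_forms(words)
    yield from forms
    for f in forms:
        for n in range(100):
            yield f"{f}{n}"
        for y in years:
            yield f"{f}{y}"
            for p in "!?.":
                yield f"{f}{y}{p}"
    for a, b in itertools.permutations(forms, 2):
        yield a + b


def crack(target_digest: str, words):
    """Run the candidate stream against a digest.  Returns (password, guesses),
    or (None, guesses) when the whole stream is exhausted without a hit."""
    guesses = 0
    for guess in candidates(words):
        guesses += 1
        if digest_of(guess) == target_digest:
            return guess, guesses
    return None, guesses


if __name__ == "__main__":
    # Constructed target: looks strong by length and character classes, but
    # it is one dictionary word, capitalised, plus a year and a bang.
    password = "Summer2007!"
    wordlist = ["password", "summer", "dragon", "monkey"]  # constructed, tiny

    full = keyspace(95, len(password))  # printable ASCII, same length
    years = seconds_to_exhaust(full) / SECONDS_PER_YEAR
    print(f"brute force: {full:.2e} guesses, {years:.0f} years at "
          f"{GUESSES_PER_SECOND} guesses/s")
    found, n = crack(digest_of(password), wordlist)
    print(f"dictionary attack: recovered {found!r} after {n} guesses")
```

The point of the comparison is the gap between the two numbers: an 11 character password drawn from printable ASCII sits in a space of about 5.7 × 10^21 guesses, yet because it is built from a dictionary word and a predictable suffix the rule-based stream reaches it in around a thousand guesses, before it even gets to the two-word concatenations.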
The last method is the simplest -- trying passwords manually, the sort of attempt your little brother might make. Normally this is a negligible threat; few attackers have the patience to sit and type out ten thousand different passwords. The danger is when the attacker already has the password: even sticking to low-tech approaches, there are plenty of ways to get the password of a careless user. The easiest is simply to read it, either on the traditional Post-it note or on the list of usernames and passwords for company accounts stuck to the side of the secretary's desk. If you put your password in plain sight, you're trusting everyone who steps into your office to respect your privacy.
Another common trick to look out for is the fake e-mail asking you to "verify" your account by sending your username and password by e-mail -- delivering them straight to the attacker who is trying to compromise your account. The success of this scam has led many online sites that use password authentication to warn users that they will never request a password through e-mail.
This was published in 
1
DavidJ - 10/01/07
Hi,
You can create secure random passwords and easy to remember
acronym (leet) passwords at
http://www.goodpassword.com
David J
2
Michael - 11/01/07
Your article seems a bit outdated. Passwords as they are commonly used are a very insecure protection no matter what mnemonic is used to select them. Users tend to use the same password on several systems. Chances are one of those systems is not secured. Then there are always people with administrator privileges on the systems where passwords are stored that can copy the file and run a cracker on it. There are so many keystroke logging programs out there that bad people can get them without a lot of effort.
The strongest password is a one use password dynamically created by a token. Nowhere in your article is any of this mentioned.
3
Nick Gibson - 11/01/07
While that's mostly true - there are much more secure ways to authenticate than passwords - none of them are particularly widespread, nor easy to set up. If you've found a way to handle all your logins with token based authentication, then kudos to you, but this is beyond 99.9% of web users.
The point is that simple passwords are far and away the dominant authentication method, so if you're going to use them, you should do it right.
4
Somnus - 21/01/08
www.PswdGen.com - This is an online password generator with a lot of filters to make the most secure passwords. You can make passwords by mask too.
See it and write comments to my E-mail (somnus[at]pswdgen.com).
5
Ian - 11/08/08
I'm not sure creating passwords from song lyrics is really as secure as it might first appear to be.
I don't believe it would be too difficult to create an application that would access a song lyrics database, many of which exist on the Internet, download all the lyrics to every song in the database, then convert each line of each song into the password format described above, and as many other variations of it as the hacker could think of, using what would be a fairly simple algorithm to design. He or she would then have a dictionary attack file for use with a password cracker.
The same could be done for whole books, famous lines from books and famous movie quotes, and seeing as almost every article I have read lately advises people to use a similar phrase conversion approach to creating memorable passwords, I wouldn't be surprised if this has already been done, or is being done, by members of the hacking community.
If you also take into account, a small time hacker can harness the parallel processing power of a single $150 graphics card to generate a quarter of a billion attempts per second, on your password, and that ten years ago a password cracking device known as deep crack was demonstrated to generate 90 billion attempts per second, the incentive to create such a dictionary file is obvious.
6
LeeAnn - 11/08/08
Why thank you Ian, that was very helpful information, you're the smartest one on this website as I've seen.