Making a good passphrase


haxwithaxe

Hey all,

I'm writing this post to share what I've learned about making a good passphrase.

good = secure + memorable

I understand that there are sysadmins for big companies that need to use randomly generated passphrases and that's okay, those people need to use lots and lots of passwords and there's no way in hell they can remember them all.

This is for those one-off email accounts and social networking accounts that you want to keep the real life red team out of.

My rules, which I use in addition to the normal passphrase hygiene (i.e. long, all 4 char types represented):

1) Never, Ever write it down in any way. That includes the passphrase keepers. Again, not for all passphrases, just the ones you can manage to keep in your head. You'll be surprised what you can do. And in most cases, if you do forget it, you can use the automated passphrase recovery procedure on the site you used it on.

2) It Never, Ever has any dictionary words in "plaintext" (I explain later).

3) I must remember it. With me that's a feat in and of itself. I have left an account idle for years and been able to go back and remember the passphrase within 3 tries.

4) It must be pronounceable (yes, no dictionary words, and yet it's "pronounceable", as in a sentence).

5) IT'S A PASSPHRASE, not a password, so don't be afraid to use spaces and make phrases (thanks to the hak5 crew for reminding us of that a few ep's back).

The way I do this is I set out a cypher for certain letters (à la 1337 speak; btw, never use leet speak for your cypher). I use letters, numbers or special characters, or combinations thereof, to represent individual or multiple characters. Think of it as ASCII art passwords. The characters you use in your cypher should have a significance to you. If %@ reminds you of H, then by all means use it as such. Also don't forget to use spaces. Always use the same cypher though; it's the secret decoder ring for your electronic life. Also never share it with anyone. If there is a shared account for something (family email, perhaps), use a shared cypher.

I use passwords that have a significance to what they protect. This may be something I think about the site/app or something I'm trying to do on the site ... whatever. Just don't rely on the physical appearance of the site/app 'cause that tends to change.

Please share your tips, tricks, and rules of thumb for crafting a good passphrase, but don't let yourself give away the keys to the kingdom.

PS. After I started writing this I went back and changed all the occurrences of password to passphrase. I suggest we all never use the word "password" again, as it perpetuates the (often unconscious) idea that it needs to be a single word.


> If you do forget it, you can use the automated passphrase recovery procedure on the site you used it on.

Doesn't that defeat the purpose though?

What I've found works really well for me is to take a phrase from the lyrics of a song, grab the first letter of each word, and do some character replacement so you end up with an amalgam of letters of both cases, numbers, and special characters. For example, take the lyric "Auschwitz! The meaning of pain," You end up with ATMOP, but you can keep in the punctuation for added special characters, so "A!TMOP,", which in turn becomes "A!tm0p,". This technique is handy when it's a shared password that several people need to know, because you can title your passwords without the sheep being any wiser. For our example, you could call this the "Auschwitz" password or the "pain" password.

As far as password strength goes, there is a trade off between actual security and memorability. A truly secure password will contain as few recurring characters as possible in the least repeatable pattern possible (search around for anything on password or information entropy).


  • 2 weeks later...

One technique I've seen for creating long memorable passwords is to use a phrase that the person remembers for one reason or another.

For example: I have a dream that one day this nation will rise up and live out the true meaning of its creed: "We hold these truths to be self-evident, that all men are created equal."

Or: All truly wise thoughts have been thought already thousands of times; but to make them truly ours, we must think them over again honestly, till they take root in our personal experience.

I've seen a lot of people use long phrases that they've possibly had to memorize in school, and while they are all plain text and dictionary words, the sheer length makes them very difficult to crack.

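The three recipes in the thread so far (the personal substitution cypher from the first post, the lyric acronym from the second, and the long memorised quotation from the post above) can all be scored the same way. The following is an added Python example, not code from anyone in the thread: it builds the acronym exactly as the second post describes and then estimates the bits of guessing work under three attacker models, character by character, word by word against an assumed 20,000-word vocabulary, and a lookup against a list of well-known quotations. The substitution table, the vocabulary size and the quotation list are constructed assumptions for the example. The point worth taking from the last model is that a quotation everyone memorised in school is only as strong as the list it appears on, however long it is.

```python
import math
import string
from typing import Dict, List

# Substitution table in the spirit of the "personal cypher" from the first post.
# Constructed for this example; nobody in the thread publishes their real table.
EXAMPLE_SUBS: Dict[str, str] = {"o": "0"}

# Assumed vocabulary size for a word-by-word guessing model (an assumption,
# not a figure from the thread).
ASSUMED_VOCAB = 20000


def acronym_passphrase(phrase: str, subs: Dict[str, str] = EXAMPLE_SUBS) -> str:
    """The lyric-acronym recipe from the second post: first letter of every
    word, punctuation attached to a word kept, everything after the first
    letter lowercased, then the substitution table applied."""
    pieces = []
    for word in phrase.split():
        pieces.append(word[0])
        pieces.extend(ch for ch in word[1:] if ch in string.punctuation)
    text = "".join(pieces).lower()
    for i, ch in enumerate(text):  # capitalise the first letter only
        if ch.isalpha():
            text = text[:i] + ch.upper() + text[i + 1:]
            break
    return "".join(subs.get(ch, ch) for ch in text)


def charset_size(pw: str) -> int:
    """Alphabet an exhaustive search must cover, judged by the classes present."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c == " " or c in string.punctuation for c in pw):
        size += 33  # printable ASCII symbols, space included (95 total)
    return size


def bruteforce_bits(pw: str) -> float:
    """Per-character estimate: length * log2(alphabet size)."""
    return len(pw) * math.log2(charset_size(pw))


def words_of(phrase: str) -> List[str]:
    """Tokens with surrounding punctuation stripped, empty tokens dropped."""
    return [w for w in (t.strip(string.punctuation) for t in phrase.split()) if w]


def wordlist_bits(phrase: str, vocab: int = ASSUMED_VOCAB) -> float:
    """Per-word estimate: an attacker guessing whole dictionary words."""
    return len(words_of(phrase)) * math.log2(vocab)


def normalise(phrase: str) -> str:
    """Case, punctuation and spacing are not secrets; compare phrases without them."""
    kept = "".join(c for c in phrase.lower() if c.isalnum() or c.isspace())
    return " ".join(kept.split())


# Constructed stand-in for an attacker's list of famous quotations.
KNOWN_PHRASES = {normalise(p) for p in [
    "I have a dream that one day this nation will rise up and live out the true "
    'meaning of its creed: "We hold these truths to be self-evident, that all men '
    'are created equal."',
    "To be or not to be, that is the question.",
    "Four score and seven years ago our fathers brought forth on this continent a new nation.",
    "The quick brown fox jumps over the lazy dog.",
]}


def estimate_bits(phrase: str) -> float:
    """Defender-side strength estimate. A quotation on the attacker's list is
    worth log2(list size) however long it is; an all-word phrase is scored per
    word; anything else (acronyms, substituted text) is scored per character."""
    if normalise(phrase) in KNOWN_PHRASES:
        return math.log2(len(KNOWN_PHRASES))
    words = words_of(phrase)
    if len(words) > 1 and all(w.replace("-", "").isalpha() for w in words):
        return wordlist_bits(phrase)
    return bruteforce_bits(phrase)


if __name__ == "__main__":
    lyric = "Auschwitz! The meaning of pain,"
    derived = acronym_passphrase(lyric)
    print(f"{lyric!r} -> {derived!r}: {estimate_bits(derived):.1f} bits (per character)")
    quote = ("I have a dream that one day this nation will rise up and live out the "
             'true meaning of its creed: "We hold these truths to be self-evident, '
             'that all men are created equal."')
    print(f"famous quotation: {estimate_bits(quote):.1f} bits (on the list), "
          f"versus {bruteforce_bits(quote):.0f} bits if scored per character")
```

Run it directly to see the contrast: the seven-character acronym scores roughly 46 bits per character, while the well-known quotation scores only two bits because it is one of four entries on the constructed list, even though a per-character meter would credit it with several hundred.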

  • 7 months later...

While I'm no expert on passwords, I will often pick something (anything) then make it l33t or inverse l33t with numbers and letters and symbols etc.

So for example, "Full of fail" could become "FU|10Ff41|_".

I'll then screw around on http://www.passwordmeter.com/ trying to make it stronger, so I can end up with something like "Fu1|0V f4|1_"

(of became ov due to phonetics)

Although my password will usually be quite a bit longer than that.


Long pass phrases can be an issue for people who cannot type well.

Or you could type it into a notepad file and save it to an encrypted USB stick, and make sure you have it secured to your car keys or strapped around your neck.


  • 2 weeks later...
> Or you could type it into a notepad file and save it to an encrypted USB stick, and make sure you have it secured to your car keys or strapped around your neck.

That defeats the purpose of a memorable password, doesn't it? At that point one would be best using randomly generated passwords and KeePass.


> Or you could type it into a notepad file and save it to an encrypted USB stick, and make sure you have it secured to your car keys or strapped around your neck.

You should also not only use cryptography but steganography as well, as this will hide the encrypted partition of the USB. This means that even if the USB is stolen and the thief is not technologically retarded, it's more unlikely that he/she will even realise that there is an encrypted partition on the USB.

The only problem you've got is that you're using a password to protect a password. Which is stupid, 'cause if the password you used to encrypt your system password with is a lot less secure, then it may be possible to recover the encryption password and thus obtain your system password.

The best thing to do is just have a good system password that is easy to remember and very, very hard to brute force.


> You should also not only use cryptography but steganography as well, as this will hide the encrypted partition of the USB. This means that even if the USB is stolen and the thief is not technologically retarded, it's more unlikely that he/she will even realise that there is an encrypted partition on the USB.

> The only problem you've got is that you're using a password to protect a password. Which is stupid, 'cause if the password you used to encrypt your system password with is a lot less secure, then it may be possible to recover the encryption password and thus obtain your system password.

> The best thing to do is just have a good system password that is easy to remember and very, very hard to brute force.

Yeah, I know, I just wanted to know what you guys' response would be. I've been doing a bit of brute forcing myself and learned a lot from it. All my passwords are pretty secure; I think it would take a very, very long time to crack them.

Edited by Infiltrator