What keeps your personal and private files, documents, financial reports and pictures away from the world? Is it a simple five-letter word that also happens to be your dog’s name? Your alma mater with the year of your graduation tacked on the end? Did you know that a simple password found in a dictionary (including foreign-language dictionaries) with a number added at the front or the back can be broken trivially by someone with the right tools? Did you also know that someone with the right tools could be anyone able to find and download them? The simple solution is to create a strong password, and this tutorial shows you how.
Strong Passwords Don’t Have to be Difficult.
One of the greatest reasons people will choose a simple password is so they don’t forget it. Could you forget your dog’s name or where you went to school? It’s much easier to forget “h8FsnP2bd!jdm3” than it is to forget “fluffy”. The key to having a strong password that you won’t forget is to take something that you won’t forget and use it as the foundation for your password. For the following tutorial, I will use our dog as an example foundation.
How to build a strong password:
Before we build our password, let’s look at the various ways that a password can be broken. There are three main attacks on a password which are:
– Dictionary Attacks
– Brute Force
– Rainbow tables / hash cracking
The first attack, the dictionary attack, is simple. A program automatically tries to log in using words from a dictionary. With a decent laptop this won’t take more than a few hours. Many passwords can be broken this way, which makes it one of the easiest and most common methods of password breaking.
Second is the brute force method. This is where the program tries every letter combination until it finds the right one. Even with a supercomputer, if your password is long enough this could take years. However, combining brute force with a dictionary attack will speed things up immensely. Think apple5 is a tricky one? Think again. Everyone knows to put numbers in a password and everyone knows they’re put either in the front (5apple) or the back of a word (apple5) 75% of the time.
Even more deadly is what forensic professionals use. They scan your hard drive and build a dictionary from all the words found on it. Combined with a special algorithm that weighs the words and phrases and deals with leading and trailing numbers, they can crack about 90% of passwords in a very short time. (Although, unless you are doing something you shouldn’t, don’t worry about this one too much.)
The third method exploits a weakness in how passwords are stored rather than in the password itself, but it can still be defended against by password length and the use of special characters, both of which increase the time and resources required for a successful crack.
Note: A rainbow table attack is typically used to recover a Windows login password from its stored hash.
Building our defense:
To build our defense, we need to look at our password’s weaknesses. Short words in the dictionary without any special characters are the weakest. Even a long word from the dictionary is a weak password. Leading and trailing numbers also don’t help. Looking at this, here is what we need for a strong password:
– Not a word from the dictionary
– Password length of at least 10 characters
– Include special characters (if possible)
– Include numbers inside the password, not just in the beginning or at the end.
Creating our password:
Now that we know what we need, the question becomes “How do I use these guidelines and still remember the password?”. First, take something you know you won’t forget. I’ll use the dog again in my example. His name is Wukkie. Now I add some more information to build a stronger password. Wukkie likes to bark. Using this, I build the phrase “Wukkie likes to bark”. To keep it from being a recognizable phrase, we swap word positions and get: “bark Wukkie likes to”. (Yes, Jedi speak is fun to use in passwords.)
Next, let’s add some numbers to spice the password up, and we get: “bark2Wukkie4likes6to”. Try to use number combinations that you will remember. I used even numbers; however, a convention like that can be added to a dictionary / brute force algorithm, so try to add a date or combination you will remember but that isn’t as obvious as a birthday or anniversary.
This is getting good, but it’s still very simple. Let’s reverse some words for added complexity. Now we have “krab2Wukkie4sekil6to”. This is a decent password to use for different applications, so if your password requirements aren’t too harsh, you can stop here.
Lastly, we add special characters to our password. Not every password can have these characters, as older systems only allow alphanumeric (numbers and letters) combinations. Older systems may also not be case sensitive. Since we already left the dog’s name capitalized, we have one special character in the password. That’s good, but let’s add more. Special characters are symbols such as @, !, #, $, %, (, ), * and &. Let’s put a special character in place of the 4 in the middle of our password. To make it easier we’ll use $, which is on the same key as 4 when you hold shift. Now our password becomes “krab2Wukkie$sekil6to”.
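To make the four guidelines and the construction steps above concrete, here is an added Python example (not part of the original tutorial) that does two things: it builds a password from a memorable phrase using exactly the steps described (swap the last word to the front, interleave numbers, reverse chosen words, substitute a special character), and it checks any candidate against the guidelines, including the “dictionary word with a number tacked on the front or back” weakness the tutorial warns about. The tiny word list is constructed for the example; a real checker would load a full dictionary such as `/usr/share/dict/words` (an assumption, not something the tutorial prescribes).

```python
import re
import string

# Constructed stand-in for a real wordlist (assumption: a real checker would
# load a full dictionary file, including foreign-language words).
SAMPLE_DICTIONARY = {"apple", "fluffy", "password", "dragon", "bark", "likes", "to"}


def build_password(phrase, digits, reverse_positions, substitutions):
    """Build a password the way the tutorial does.

    phrase            -- the memorable phrase, e.g. "Wukkie likes to bark"
    digits            -- one digit per gap between words, e.g. "246"
    reverse_positions -- indexes (after the swap) of words to spell backwards
    substitutions     -- characters to replace, e.g. {"4": "$"}
    """
    words = phrase.split()
    # Step 1: break the phrase by moving the last word to the front
    # ("Wukkie likes to bark" -> "bark Wukkie likes to").
    words = [words[-1]] + words[:-1]
    # Step 3 from the tutorial (reversing words) is done on the word list before
    # the digits are joined in; the result is identical to doing it afterwards.
    words = [w[::-1] if i in reverse_positions else w for i, w in enumerate(words)]
    # Step 2: interleave the digits between the words (no digit after the last word).
    if len(digits) != len(words) - 1:
        raise ValueError("need exactly one digit per gap between words")
    password = "".join(w + d for w, d in zip(words, list(digits) + [""]))
    # Step 4: swap in special characters.
    for old, new in substitutions.items():
        password = password.replace(old, new)
    return password


def is_word_with_leading_or_trailing_number(pw, dictionary):
    """True if pw is just a dictionary word with digits only at the front and/or back."""
    m = re.fullmatch(r"(\d*)([A-Za-z]+)(\d*)", pw)
    return bool(m) and m.group(2).lower() in dictionary


def check_password(pw, dictionary=SAMPLE_DICTIONARY):
    """Return a dict mapping each tutorial guideline to True (met) or False (not met)."""
    # "Inside" digits are the ones that survive stripping digits off both ends.
    inner = pw.lstrip(string.digits).rstrip(string.digits)
    return {
        "not_dictionary_word": pw.lower() not in dictionary
        and not is_word_with_leading_or_trailing_number(pw, dictionary),
        "length_at_least_10": len(pw) >= 10,
        "has_special_character": any(c in string.punctuation for c in pw),
        "has_number_inside": any(c.isdigit() for c in inner),
    }


def is_strong(pw, dictionary=SAMPLE_DICTIONARY):
    """A password is strong, by the tutorial's rules, only if every guideline is met."""
    return all(check_password(pw, dictionary).values())


if __name__ == "__main__":
    built = build_password("Wukkie likes to bark", "246", {0, 2}, {"4": "$"})
    print("built:", built)
    for candidate in ["fluffy", "apple5", "5apple", "krab2Wukkie4sekil6to", built]:
        print(f"{candidate:24} strong={is_strong(candidate)} {check_password(candidate)}")
```

Running it reproduces the tutorial’s “krab2Wukkie$sekil6to”, flags “apple5” and “5apple” as a dictionary word with a number tacked on, and shows that the intermediate “krab2Wukkie4sekil6to” fails only the special-character guideline, which matches the tutorial’s advice that it is acceptable where requirements are not harsh. The check is a guideline filter, not a strength meter: passing it means the obvious weaknesses are absent, not that the password is unbreakable.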
Testing your password strength:
Now to test our password: OS X includes a Password Assistant that shows you how strong a password is. To access the Password Assistant:
1. Go into System Preferences and choose Accounts.
2. Click on your account in the left and choose “Change Password”.
3. Don’t actually change your password, just click on the little Key image next to where you type in a new password.
4. The Password Assistant opens up.
5. Here is the strength rating the assistant gives our tutorial password.
Not bad for an easy-to-remember secure password. Now, don’t write it down on a post-it attached to your display. 🙂