Strong Passwords, Passphrases, and Keys

Posted by very nice on 12:22 AM
Internet Fixes has an article this week about using passphrases instead of passwords. The idea relies on Windows’ support for 127-character passwords: instead of a random password, you use a random phrase.

Example: My Aunt Nellie eats cat food!

Here we have 29 characters, including spaces, three capitalized letters and a punctuation mark. This is a pretty strong passphrase. In theory, it would take a supercomputer working for millions of years to brute-force a truly random 29-character key. Of course, this isn’t really a random key. It’s a random phrase made of ordinary words, which in theory could still be cracked by a brute force attack on a fast computer, or by a distributed network of botted machines running a sophisticated cracking program with a good dictionary.

Also, some programs and web pages will not accept passwords that long, and some will not accept spaces. For those problems, the article suggests eliminating the spaces. That pulls the length down to 24 characters, still plenty strong enough (and perhaps even harder to crack).

Another method, and the one I prefer myself, is to use the first letter of each word, along with the punctuation and capitalization. I like to use favorite quotations, and throw in a curve like a misspelled word or two commas instead of one. That way you can actually write the thing down and (a) it won’t look like a password or passphrase at all, and (b) it becomes so random that it’s hard to imagine a program that could crack it between now and the end of the universe.

Example: The woods are lovely, dark and deep, but I have promises to keep, and miles to go before I sleep becomes Twal,dad,bIhptk,amtgbIs — 23 characters this time, but even closer to truly random. Change those commas to something else, toss in an extra character or add an exclamation point, and you’ve got a very secure key.
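The two transformations above (dropping the spaces, and keeping the first letter of each word plus its punctuation and capitalization) are mechanical enough to script, and doing so makes it easy to compare the resulting search spaces. The following is an added example written for this post, not code from Internet Fixes or from any password manager. The two strength estimates it prints are simplified models and are assumptions of this example: a "brute force" model that tries every string of the same length over the character classes actually present (using Python's `string.punctuation` as the punctuation class), and a "dictionary" model that assumes an attacker guesses the phrase as a sequence of words drawn from a word list of an assumed 100,000 entries.

```python
import math
import string

# Both sample phrases come from the post above.
AUNT_NELLIE = "My Aunt Nellie eats cat food!"
FROST = ("The woods are lovely, dark and deep, but I have promises to keep, "
         "and miles to go before I sleep")

ASSUMED_DICTIONARY_SIZE = 100_000  # assumption: size of the attacker's word list


def strip_spaces(phrase: str) -> str:
    """The article's workaround for sites that reject spaces: just remove them."""
    return "".join(ch for ch in phrase if not ch.isspace())


def first_letters(phrase: str) -> str:
    """Keep the first letter of each word, preserving case and all punctuation.

    An apostrophe inside a word (don't, it's) is treated as part of that word,
    so it neither splits the word nor survives into the output.
    """
    out = []
    in_word = False
    for ch in phrase:
        if ch.isalpha():
            if not in_word:
                out.append(ch)      # first letter of a new word
            in_word = True
        elif ch in "'\u2019" and in_word:
            continue                # intra-word apostrophe: still the same word
        elif ch.isspace():
            in_word = False
        else:
            out.append(ch)          # punctuation is kept as-is
            in_word = False
    return "".join(out)


def word_count(phrase: str) -> int:
    return len(phrase.split())


def char_class_size(secret: str) -> int:
    """Alphabet size an attacker must cover, based on the classes present."""
    size = 0
    if any(c.islower() for c in secret):
        size += 26
    if any(c.isupper() for c in secret):
        size += 26
    if any(c.isdigit() for c in secret):
        size += 10
    if any(c in string.punctuation for c in secret):
        size += len(string.punctuation)   # 32 printable ASCII symbols
    if any(c.isspace() for c in secret):
        size += 1
    return size


def brute_force_bits(secret: str) -> float:
    """log2 of the search space if every string of this length is tried (model assumption)."""
    return len(secret) * math.log2(char_class_size(secret))


def dictionary_bits(phrase: str, dictionary_size: int = ASSUMED_DICTIONARY_SIZE) -> float:
    """log2 of the search space if the phrase is guessed word by word (model assumption)."""
    return word_count(phrase) * math.log2(dictionary_size)


def report(phrase: str) -> dict:
    """Summarise both derived forms of a phrase with the two strength estimates."""
    no_spaces = strip_spaces(phrase)
    acronym = first_letters(phrase)
    return {
        "phrase_length": len(phrase),
        "no_spaces": no_spaces,
        "no_spaces_length": len(no_spaces),
        "acronym": acronym,
        "acronym_length": len(acronym),
        "phrase_brute_force_bits": brute_force_bits(phrase),
        "phrase_dictionary_bits": dictionary_bits(phrase),
        "acronym_brute_force_bits": brute_force_bits(acronym),
    }


if __name__ == "__main__":
    for p in (AUNT_NELLIE, FROST):
        for k, v in report(p).items():
            print(f"{k:>26}: {v:.1f}" if isinstance(v, float) else f"{k:>26}: {v}")
        print()
```

Running it reproduces the post's counts (29 characters, 24 without spaces, and the 23-character Twal,dad,bIhptk,amtgbIs) and shows why the author says a phrase "isn't really a random key": for the Aunt Nellie phrase the character-level model gives well over 180 bits, but under the word-level model it is only about 100 bits, because an attacker who can guess whole words from a list never has to search letter by letter. The acronym form has no word structure left to exploit with that model, which is the author's reason for preferring it.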

Why is this important? Well, you have to be able to remember at least a master password to get into RoboForm or other password managers. [What? You don’t?] Second, someone else has to be able to do so too, in the event of an emergency. They aren’t likely to have memorized “Twal,dad…” but they can write that quote down and, knowing the trick of converting it, drag that sucker out years down the road. Just remember to tell them if you change it, and to use something else for your “private” files — you know, the ones you get from that Russian site.

We’ll discuss strong encryption of files and drives another time.