
Creating strong passwords is the key to online safety these days. With the rapid increase in web applications that require you to register with them, an average Internet user has to create virtually hundreds of passwords to sustain an online presence. Remembering these passwords is tedious work, and because of this, most of us tend to create passwords that are just easy to remember, often overlooking whether somebody can hack them. We also repeat these passwords across more than one service.
However, this leaves a hole in our defence against potential online threats. These passwords, which are not that strong, can sometimes be hacked by experts of this dubious art. These masters know people's weakness for creating passwords from birthdays, their own names, the names of a spouse or children, zip codes and so on.
So how do you create hack-proof passwords easily?
This discussion brings us to a trade-off, where you tend to give up security for convenience. But I have been using a simple trick for years, which gives me fairly strong passwords without making them difficult to remember.
I, just like any other person, think of some moderately strong password made up of only letters, which is easy to remember, and modify it with the following rules of thumb.
- Replace all ‘l’ with ‘|’.
- Replace all ‘a’ with ‘@’.
- Replace all ‘s’ with ‘$’.
- Replace all ‘i’ with ‘!’.
- Replace all ‘o’ with ‘0’.
For instance…
- “silki” becomes “$!|k!”.
- “webtoolsandtips” becomes “webt00|$@t!p$”.
- “windowsxp” becomes “w!nd0w$xp”.
This gives me some really hack-proof passwords. Can you hack them easily?
BTW, PC Hacks has written a neat tip about an effective method of password recovery, which allows you to change your Windows login password without knowing the previous password. Go check that out.
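The five thumb rules above, written out as an added example (not code from the original post): it applies the substitutions and estimates how much guessing work they add when the base word is already in a wordlist. The wordlist sizes used (2**20 base words, a 7776-word passphrase list) are assumptions chosen for illustration.

```python
import math

# The post's five thumb rules as a fixed character map.
RULES = {"l": "|", "a": "@", "s": "$", "i": "!", "o": "0"}
_TABLE = str.maketrans(RULES)


def apply_rules(word: str) -> str:
    """Apply every rule to every matching character, as the post describes."""
    return word.translate(_TABLE)


def substitution_bits(word: str) -> int:
    """Upper bound on the guessing work the rules add to a known base word.

    Applied as written (always substitute), the mapping is deterministic and
    adds 0 bits. If each eligible character were instead substituted or left
    alone independently, that is 2**k variants: k bits for k eligible chars.
    """
    return sum(ch in RULES for ch in word)


def dictionary_word_bits(word: str, wordlist_size: int) -> float:
    """log2 of guesses for a wordlist whose entries each get this word's
    number of substitution variants."""
    return math.log2(wordlist_size) + substitution_bits(word)


def passphrase_bits(n_words: int, wordlist_size: int) -> float:
    """log2 of guesses for n words drawn at random from a wordlist."""
    return n_words * math.log2(wordlist_size)


if __name__ == "__main__":
    ASSUMED_WORDLIST = 2 ** 20   # assumption: about a million base words
    ASSUMED_PHRASE_LIST = 7776   # assumption: passphrase list size
    for base in ("silki", "windowsxp", "carnage"):  # words taken from the page
        print(base, "->", apply_rules(base),
              f"{dictionary_word_bits(base, ASSUMED_WORDLIST):.1f} bits")
    print("4 random words:",
          f"{passphrase_bits(4, ASSUMED_PHRASE_LIST):.1f} bits")
```

Under these assumptions a substituted dictionary word stays in the low twenties of bits, while four randomly chosen words exceed 51 bits.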












December 11th, 2007 at 9:35 pm
It just so happens I made a tool that does just that: http://www.insanesecurity.com
December 12th, 2007 at 12:13 am
Hi insanesecurity,
Your tool is nice. But the problem is that people will still have to memorize the password.
So they should be knowing the procedure through which this password has been created.
December 12th, 2007 at 9:52 am
Knowing the procedure isn’t going to improve the end user’s memory nor does it guarantee the passwords they create based on this system will be secure, believe me. I did password audits routinely in a 1300+ user environment for several years and it doesn’t matter if they know the procedure, what matters is they understand the procedure in which their password is broken. As always, the best defense is a good offense, take years of experience and my word for that.
For example, if a person who wanted to learn more about creating strong passwords only read your article, they would apply those “thumb rules” to whatever words they can think up (since you didn’t specify users should create their _own_ system, or explain the process in greater depth). So, let’s say this user wanted to use “carnage” as his password. Your system creates c@rn@ge. Can it be broken easily? Yes, in tenths of a second. Another scenario, let’s say I wanted to use “twisted metal”, your system creates “tw!$tedmet@l”. Can it be broken easily? Not as quickly as the first but yes, it can. I’d give it an hour, tops, without rainbow tables.
The user needs to understand the way in which their password is broken, and you fail to mention other important aspects of strong passwords, such as MiXiNg lEtTeR cAsE, placing special characters towards the middle as opposed to the ends for some weaker “strong” passwords, not grouping too many letters together, and also password length.
Your password “webt00|$@t!p$” with special characters and numbers is much weaker than a passphrase consisting of all lowercase letters, like “mydogsnameisfido”. Cracking programs can’t handle passwords that are 14+ characters, and the length alone makes it a stronger password than the one above.
Oh, and to say that these passwords are “hack proof” is just downright insane. Guess you never heard of rainbow tables before, every password example you put in your article can be cracked in minutes if it was used in a Windows environment. However, a person with “mydogsnameisfido” as their password would be immune to such an attack.
What makes my program so great is that it lets a user set the password requirements (if any) for any organization out there and tailor all results to those requirements. Furthermore, it lets them go even deeper and customize just how strong they want their password to be. But it also has strong default values, and a person can just load it up and use it on carnage or twistedmetal and get much stronger passwords than if they only used your system here. (^r%A9E, 7wI$t3dM37^1. See the difference?
December 12th, 2007 at 10:26 am
Hi,
I respect your authority over the subject and thank you for the detailed comments.
In fact, the method I just described in my post is the easy-to-use, easy-to-remember type. It is just a simple method, which can be used by any layman for giving the common password more strength.
Your tool seems to be going beyond that.
Thanks again for your insightful comment.
December 12th, 2007 at 11:30 am
Fair enough. But then that leaves the subject of the article very misleading. A weak “strong” password is hardly a hack proof strong password.
December 13th, 2007 at 11:38 am
Actually really cool trick. Now testing it out, there was a problem with a few services that I used, and this was that they did not accept some of the characters. But overall a good concept.
December 18th, 2007 at 6:22 pm
Never thought of using those characters before…for some reason I thought we were limited to numbers and letters. doh!
December 19th, 2007 at 4:57 am
I would love to use all those, but don’t have that much brain power to remember it
February 28th, 2008 at 6:44 am
Very handy tip! And it’s simple! Thanks for sharing! I had already been implementing some of these. thanks!!
Keep posting and I will keep coming back!
March 2nd, 2008 at 4:23 am
Good post and nice trick, but it's hard to remember for users. I would rather suggest short sentences with numbers.
March 5th, 2008 at 9:33 pm
April 6th, 2008 at 3:17 am
Everybody should remember their passwords without password managers.
July 8th, 2008 at 6:19 am
I just use a password generator, then print it out and paste it as my big wall painting graffiti. Should be no hacker in my house! LoL.
October 22nd, 2008 at 12:53 pm
Good post and nice trick, but it's hard to remember for users. I would rather suggest short sentences with numbers.
March 20th, 2009 at 10:52 am
I don't usually comment, but after reading through so much info I had to say thanks.
September 30th, 2009 at 7:08 am
Excellent tutorial on how to create strong passwords, a must for anyone that uses them.