Choosing Stronger Passwords - Advice From a Professional
Obvious Password Advice
Password advice has evolved over the years, but many of the suggestions remain the same, and ultimately it comes down to these simple rules:
The longer the better.
The more obscure the better.
The less predictable the better.
Sounds obvious, and it is. However, most passwords, if you're in the password auditing business like I am, are very easy to guess (aka crack) with a computer. Poor advice has been handed out over the years, such as using numbers or symbols in place of letters (E=3, O=0, A=@ and so on). While those substitutions look complex to a human, they are not, and never were, complex for a computer to enumerate: each one is a single substitution rule applied to the same base word.
Appending or prefixing digits/symbols to passwords is an OK practice, but unless the base password is long and not easily sourced, it doesn't do much good in the end. "November1963" is nice and long, but the base word and the added digits are found quickly (a month name plus a four-digit year is a single rule in any cracker's rule set). What about "Alohomora*&^%"? That must be better: I don't recognize the word, and those characters at the end don't look easy to guess. But alas, the word is a Harry Potter spell used to open locks and doors, and the ending characters are a pattern on the keyboard. Speaking of which, I find people using keyboard patterns like "1qaz2wsx3edc". While that is a nice long password, it's the first three columns of a QWERTY keyboard read top to bottom. How about "_P0o9i8u&Y"? It looks pretty strong, almost random... but it's the top-right keys of the keyboard, zigzagging between the number row and the row below it, with Shift held for the first and last two characters. Keyboard-walk generators in modern password-cracking tools enumerate these patterns directly.
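As an added example (not code from the original post), here is a small Python scorer for keyboard walks, the kind of check a cracker's candidate generator or a password-audit script applies to spot patterns like the two above. The QWERTY grid it uses is a simplified US layout that ignores the half-key offset between rows and any non-US layout, and the thresholds in is_keyboard_walk are illustrative assumptions rather than calibrated values.

```python
# Added example, not from the original post: score a password for keyboard walks.
# Assumption: simplified US QWERTY grid (no half-key row offset, right-hand
# brackets omitted); thresholds below are illustrative, not calibrated.

ROWS = ["1234567890-=", "qwertyuiop[]", "asdfghjkl;'", "zxcvbnm,./"]
SHIFTED = ["!@#$%^&*()_+", "QWERTYUIOP{}", 'ASDFGHJKL:"', "ZXCVBNM<>?"]

# Map every key, shifted or not, to its (row, column) on the grid.
POS = {}
for r, (plain, shift) in enumerate(zip(ROWS, SHIFTED)):
    for c, (key, skey) in enumerate(zip(plain, shift)):
        POS[key] = POS[skey] = (r, c)


def adjacent(a, b):
    """True if b is a different key physically next to a (diagonals included)."""
    if a not in POS or b not in POS or POS[a] == POS[b]:
        return False
    (r1, c1), (r2, c2) = POS[a], POS[b]
    return abs(r1 - r2) <= 1 and abs(c1 - c2) <= 1


def keyboard_walk_score(password):
    """Return (longest_run, fraction): the longest run of characters that each
    sit next to the previous one, and the share of all steps that land on a
    neighbouring key."""
    if len(password) < 2:
        return len(password), 0.0
    longest = run = 1
    hits = 0
    for a, b in zip(password, password[1:]):
        if adjacent(a, b):
            hits += 1
            run += 1
            longest = max(longest, run)
        else:
            run = 1
    return longest, hits / (len(password) - 1)


def is_keyboard_walk(password, min_run=4, min_fraction=0.7):
    """Heuristic flag: mostly neighbour steps with at least one run of min_run
    keys. "1qaz2wsx3edc" is three separate column walks, so the run length
    alone would miss it; the step fraction catches the restart pattern."""
    longest, fraction = keyboard_walk_score(password)
    return longest >= min_run and fraction >= min_fraction


if __name__ == "__main__":
    for pw in ["1qaz2wsx3edc", "_P0o9i8u&Y", "^^are4rabbitz", "kanteyedoit2?"]:
        print(pw, keyboard_walk_score(pw), is_keyboard_walk(pw))
```

"_P0o9i8u&Y" scores as a single ten-key walk with every step on a neighbouring key, "1qaz2wsx3edc" as three four-key walks with 9 of 11 steps adjacent, while the post's "^^are4rabbitz" has only a quarter of its steps on neighbouring keys.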
A weak password is not always the trouble. Sometimes you have spyware on your machine, or a server-side bug like Heartbleed (a memory-disclosure flaw in OpenSSL, not a password weakness) leaks secrets and causes a company or service to recommend you change your password. Phishing campaigns, intrusions, social engineering and viruses also make companies ask you to reset your passwords. It's not necessarily that you had a bad one, but that it could have been compromised regardless of how strong it was or wasn't.
The fundamentals really are to have a unique, long password that, again, is not easily sourced. The Harry Potter example above surprised me when I found it... I had to search the base word on Google to see how I had found it, and it turned out I have a dictionary with Harry Potter words and characters. Popular culture is one way to pick your password; however, you have to make it deviate from how the phrase appears "normally". A fine example of what not to do can be found in this article from Ars Technica. The password was "nofatebutwhatwemake": very long, but not obscure or hard to source, since it's a Terminator movie quote. You have to change the base word or words. You can't just "leet-speak" it: "n0fatebutwh@tw3mak3" is found just as quickly, because the substitutions are a handful of rules applied on top of the same dictionary entry.
If you want to use popular culture or well-known phrases or idioms, make sure you add some misspellings or some quirk that makes the word(s) obscure. The heading above is an example: Ms. = Miss, so it's a play on the word, kinda, sorta :) Use tin in place of ten, 1st for first, 8 for ate. Do not use OU812; it's too popular and in every cracker's dictionary already. Make your password something like "^^are4rabbitz", which reads as "carrots are for rabbits" (^ is called a caret, so ^^ is "carrots"). Misspellings, abbreviations and homophones are great ways to make a password that you can remember but that would be hard for a computer to guess.
kat+dawg=snizy (cat plus dog equals sneezy -- maybe you are allergic?)
kanteyedoit2? (Can't I do it too?)
youalwaysfollowsQ (U always follows Q)
talklikdisyodadoz (Talk like this yoda does)
!stopB-leaving (Don't stop believing)
crackTHISmr.securityN0itAll (crack this Mr. Security know-it-all)
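To make the point of the last two sections concrete (leet-speak and appended digits fall, genuine misspellings do not), here is an added Python example, not code from the original post, of a toy rule-based dictionary attack in the style of hashcat or John the Ripper rules. The wordlist, the leet map and the suffix list are constructed for the demo, and the targets are hashed with unsalted SHA-256 purely so it runs offline; a slow password hash changes the speed, not the search strategy.

```python
# Added example, not from the original post: a toy dictionary-plus-rules
# attack. Wordlist, LEET map and SUFFIXES are constructed assumptions; real
# crackers use millions of words and tens of thousands of rules.
import hashlib
import itertools

# Sourceable base words, including a film quote and a fandom term.
WORDLIST = ["november", "password", "nofatebutwhatwemake", "alohomora"]

# The substitutions the post warns about: E=3, O=0, A=@ and friends.
LEET = {"a": "@4", "e": "3", "i": "1!", "o": "0", "s": "$5", "t": "7"}

# Years plus a few symbol/keyboard endings people bolt onto a base word.
SUFFIXES = [str(y) for y in range(1900, 2031)] + ["!", "1", "123", "!@#", "*&^%"]


def leet_variants(word):
    """Yield every combination of LEET substitutions for word, including the
    unchanged word (hashcat spells each one as a rule such as 'sa@ se3')."""
    options = [[c] + list(LEET.get(c, "")) for c in word]
    for combo in itertools.product(*options):
        yield "".join(combo)


def candidates(word):
    """Apply a small rule stack to one base word: case rules, then suffix
    rules and leet rules on top of each case variant. Yields (candidate, rule)."""
    for cased, rule in ((word, ":"), (word.capitalize(), "c"), (word.upper(), "u")):
        yield cased, rule
        for suffix in SUFFIXES:
            yield cased + suffix, f"{rule} ${suffix}"
        for variant in leet_variants(cased):
            if variant != cased:
                yield variant, f"{rule} leet"


def crack(target_hashes, wordlist=WORDLIST):
    """Run the rule stack over the wordlist against {sha256hex: ...} targets.
    Unsalted SHA-256 only keeps the demo offline; the search is the same for
    any hash. Returns ({hash: (plaintext, rule)}, candidates_tried)."""
    remaining = set(target_hashes)
    found, tried = {}, 0
    for word in wordlist:
        for cand, rule in candidates(word):
            tried += 1
            digest = hashlib.sha256(cand.encode()).hexdigest()
            if digest in remaining:
                found[digest] = (cand, rule)
                remaining.discard(digest)
                if not remaining:
                    return found, tried
    return found, tried


def demo():
    """Hash four of the post's 'bad' passwords plus one of its 'good' ones and
    report which the rule stack recovers. Returns (cracked, missed, tried)."""
    targets = ["November1963", "n0fatebutwh@tw3mak3", "Alohomora*&^%",
               "P@$$w0rd", "kanteyedoit2?"]
    hashes = {hashlib.sha256(t.encode()).hexdigest(): t for t in targets}
    found, tried = crack(hashes)
    cracked = {plain: rule for plain, rule in found.values()}
    missed = [t for t in targets if t not in cracked]
    return cracked, missed, tried


if __name__ == "__main__":
    cracked, missed, tried = demo()
    for plain, rule in cracked.items():
        print(f"cracked {plain!r} via rule {rule!r}")
    print(f"not cracked: {missed} after {tried} candidates")
```

All four leet or suffix passwords fall in well under ten thousand candidates, while "kanteyedoit2?" survives because no base word in the list produces it under any rule; the same holds for a real wordlist until someone adds that exact misspelling to it.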
Do not use "password strength" checkers or other services that ask you for your password. Your password should never be typed anywhere except where it is supposed to be typed: the password box. A "checker" that sends your password to someone else's server is a bad idea and may simply be phishing for it, and you are just telling them what it is.
Misspellings, jargon, slang and colloquialisms can help passphrases; however, the more popular they are, the worse they are to use. Twitter-speak appears in people's passwords, but it also appears in the dictionaries and rules used to find users' passwords. OMG, FML, FTW, SMH, GTFO, STFU, LOL, AFAIK, Fubar, TBT, hashtag, iluv, <3, awesomesauce, w00t, 0wnd, pwnd, werd, yolo, gg, b4, brb, totes, gr8, ytmnd, etc... are all poor choices for your passwords.
Theme to your Scheme
You can still add "leet-speak" to your passwords, but overall it's not helping you very much. Length is key: make it as long as you can comfortably remember. Some folks find it easier to associate a password with the site or application they are using, but if you have a theme to your scheme, don't make it universal; it has to vary from site to site. (The examples below are bad ones, since they all stay about the same, so if one were compromised it would be easy to go to other sites and compromise them too.)
doodih8Amazon.com (Dude, I hate Amazon.com)
doodih8Gmail.com (Dude, I hate Gmail.com)
The site or app name should not appear in your password unaltered. It should be thoroughly changed so it's not easily guessed. Again, the above is what not to do; an acceptable version changes the site name so thoroughly that it no longer reads as the site name.
Incrementing passwords are the same as password reuse!
At work you are, more often than not, required to change your password on a regular basis. Do not just add one digit or symbol to the old password, and do not change just one digit or symbol. To a computer trying to find your password this is the same as password reuse, and it will find the new password easily:
Not only are the passwords above based on an easy dictionary word, but they are followed by a simple colon and incrementing digits. Once the cracker finds the first one, the very next candidate they try is your new password. Microsoft Active Directory and other authentication systems keep a small history of your previous passwords so you can't pick the same one twice, but history enforcement compares whole passwords and cannot see that the new one differs from the old by a single character; to a cracker you are still using the same password, and it will find it with no problem.
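As an added example (not from the original post), here is the candidate set a cracker derives from a previously known password, which is why a password-history check does not help against incremented passwords. The rule set and the "Summer:1" to "Summer:2" history are constructed for the demo; real tools ship far larger derivation rule lists.

```python
# Added example, not from the original post: candidates derived from a known
# old password. Rule set and the Summer:1 -> Summer:2 history are constructed.
import hashlib
import re
import string

PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 chars


def derived_candidates(old):
    """Candidates a cracker tries first when an earlier password is known:
    bump a trailing number a few steps either way, swap or append or drop one
    character, toggle the first letter's case. Returns a set without old."""
    cands = set()
    match = re.search(r"(\d+)$", old)
    if match:
        stem, digits = old[:match.start()], match.group(1)
        for delta in range(-3, 4):
            bumped = int(digits) + delta
            if bumped >= 0:
                cands.add(stem + str(bumped).zfill(len(digits)))
    for ch in PRINTABLE:
        cands.add(old[:-1] + ch)   # change the last character
        cands.add(old + ch)        # append one character
    cands.add(old[:-1])            # drop the last character
    cands.add(old[0].swapcase() + old[1:])
    cands.discard(old)
    return cands


def recover_from_history(old, target_hash):
    """Try every derived candidate against an unsalted SHA-256 hash (unsalted
    only to keep the demo offline). Returns (plaintext or None, tried)."""
    cands = sorted(derived_candidates(old))
    for i, cand in enumerate(cands, start=1):
        if hashlib.sha256(cand.encode()).hexdigest() == target_hash:
            return cand, i
    return None, len(cands)


def demo():
    """Constructed history: 'Summer:1' was cracked last quarter and the user
    'changed' it to 'Summer:2'. Returns (recovered, candidates_tried,
    full_keyspace) so the two search sizes can be compared."""
    new_hash = hashlib.sha256(b"Summer:2").hexdigest()
    plain, tried = recover_from_history("Summer:1", new_hash)
    full_keyspace = len(PRINTABLE) ** len("Summer:2")
    return plain, tried, full_keyspace


if __name__ == "__main__":
    plain, tried, keyspace = demo()
    print(f"recovered {plain!r} after {tried} candidates "
          f"(blind search of 8 printable chars: {keyspace:,} candidates)")
```

The derived set is under two hundred candidates, against roughly 6 quadrillion for a blind search over eight printable characters; the history check that rejects an exact repeat never sees the difference.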
Passwords should be 10 or more characters at a minimum. Using more than one character class (digits, letters, specials and upper/lower case) enlarges the space a brute-force attack has to search, so I recommend two or more of those classes, but if the password is long and obscure you don't even need to do that. Here are some examples using only one or two classes:
Wassupwichu, Wazzupw/yew, Wazzupwiffyou?, Waz^withdat?
0hBrosephwhereRU, Ohbrawearu@yo?, YoBroKantfindYew
4scoreN4yrzago!, ForeScore=(2weeks), ForScore&4ysAGO
weakand@burnies, weekendAtburnkneez, weakND@burndizzelz
heyMustbeDa$$$, hayMustBtheMonet, hey!MustBeeTheMoney
dewn0tAskme!, AskmeKn0tplz, plzDon’tAskm3, forSeriousDN@sk, ewwWouldn’tDare!
Notice the misspellings and various homophones being used. Also notice that "hey must be the monet" is very clever if I do say so myself, because "monet" is the painter, and in that song it kinda sorta sounds like that when they sing the chorus :)
More examples to get your mind going:
theEndisNye, daendizNigh, disisDendmyfriend, endIsNow-yes?
seaYounextClockface (see you next time)
Auf_Veder_Sain (very incorrect spelling of auf Wiedersehen)
SighOrNarah! (ok that’s enough)
P.S. Here is a file with some passwords created using the advice above. You can see that after 48 hours of constant cracking, I was able to get some of the weaker ones. I used 16 cores and a few thousand different attacks. Some that fell were a surprise, others were not. The majority, however, are much stronger than their correctly spelled or non-homophone counterparts. Wordplay.txt