Password Tip
(OP)
I came up with an idea for generating passwords that comes up with un-guessable and easily remembered passwords that I want to pass on.
Think of a sentence that you can easily remember, one that has capitals, numbers and punctuation in it. Pick a sentence that has meaning to you but not to anyone else. You could make up a sentence about a grade school teacher or someone from your past. It could be something that is so trivial from grade school that only you even remember it. Take the first letter, respecting the capitalization and punctuation, using numbers as appropriate. You can also use symbols, i.e. & for and, # for number, 2 for two, to and too, etc.
For example, let's assume that I pick the sentence “My friend John, has two cats and a number of dogs.” This would translate into a password MfJ,h2c&a#od. Another example would be “I was in the same class with Bill, our mailman, in grade 3 and 4” becomes IwitscwB,om,ig3&4
Try and guess those passwords but I can easily remember them.
They are not the ones I use (or even true statements) so don’t even try.
Rick Kitson MBA P.Eng
Construction Project Management
From conception to completion
www.kitsonengineering.com
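The derivation described in the post above, as an added example that is not part of the original post. The substitution table, the `keep_punctuation` switch and the function names are assumptions of this example; the sample sentences are the ones used in this thread.

```python
import re

# Word-to-symbol substitutions named in the post. The table itself is an
# assumption of this example and can be extended.
SUBSTITUTIONS = {"and": "&", "number": "#", "two": "2", "to": "2", "too": "2"}

APOSTROPHES = "'\u2019"  # straight and typographic apostrophe
# A token is a word (letters, digits, apostrophes) or one punctuation mark.
TOKEN = re.compile(r"[A-Za-z0-9'\u2019]+|[^\sA-Za-z0-9'\u2019]")


def mnemonic_password(sentence, keep_punctuation=True):
    """Reduce a sentence to initials, digits, symbols and punctuation."""
    out = []
    for tok in TOKEN.findall(sentence):
        if not tok[0].isalnum() and tok[0] not in APOSTROPHES:
            if keep_punctuation:          # punctuation mark, kept as typed
                out.append(tok)
        elif tok.lower() in SUBSTITUTIONS:
            out.append(SUBSTITUTIONS[tok.lower()])
        elif tok.isdigit():               # numbers in the sentence stay whole
            out.append(tok)
        else:                             # ordinary word: first letter, case kept
            out.append(tok[0])
    return "".join(out)


def character_classes(password):
    """Report which character classes a derived password contains."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


if __name__ == "__main__":
    s = "My friend John, has two cats and a number of dogs."
    pw = mnemonic_password(s)
    print(pw, sorted(character_classes(pw)))
```

Passing `keep_punctuation=False` gives an alphanumeric-leaning result for systems that reject punctuation, although substituted symbols such as & and # are still emitted.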

RE: Password Tip
Just an idea, again, and of course not useful to determine my password. :)
RE: Password Tip
RE: Password Tip
Have a nice day!
OhioIE
RE: Password Tip
Rick Kitson MBA P.Eng
Construction Project Management
From conception to completion
www.kitsonengineering.com
RE: Password Tip
Have a nice day!
OhioIE
RE: Password Tip
Corporate security is a major concern to many administrators, especially if their network is on the Internet. Firewall or not, there is always a way to get into a network. But it never hurts to reduce the possibilities.
-al
RE: Password Tip
With a little work you could come up with a sequence that is easy to type and still follows a mnemonic sentence as I originally suggested.
How about “There goes Bob, he’s just imported oil.” Or TgBhjio?
I know it doesn’t make sense but at least it follows a pattern on a QWERTY keyboard. (Try it)
Rick Kitson MBA P.Eng
Construction Project Management
From conception to completion
www.kitsonengineering.com
RE: Password Tip
On the other hand, system administrators can do quite a bit to make things more difficult for those who want to access systems they're not supposed to. Even standard things such as locking out accounts after several incorrect logins can go a long way toward preventing access (after all, if there are umpteen million password combinations, what's the chance a password cracker will be correct on one of the first several tries?). That's just one of many tools system administrators have at their disposal....
RE: Password Tip
You really cannot stop a determined thief or hacker. Computer security involves much more than passwords. Locking accounts, changing passwords from defaults all are a big part of security. It's an old UNIX flaw that some distributions used the password root as the default for the root account. This has resulted in some major security breaches.
In one of my first exposures to computer networks the system administration changed user names and passwords on a monthly basis. These usernames and passwords were 8 alphanumeric characters long and were assigned on a random basis.
You can guess what happened. Almost every computer had a Post-it note on the monitor or under the keyboard with this month's names and passwords on it.
Rick Kitson MBA P.Eng
Construction Project Management
From conception to completion
www.kitsonengineering.com
RE: Password Tip
How hard is it to crack a short password if a hacker has a program on your computer running every possible combination all day long? With the limited number of keys on a keyboard, it shouldn't take long to crack a short password, no matter how you make it up.
With a 4-place password, for example, my keyboard gives roughly 78 million possible alternatives. A 3 GHz computer could crack that in seconds with even the crudest scheme. I'm sure others have already worked out the number of places you need in a password to be reasonably secure. Is there a website that has that information?
RE: Password Tip
Alphanumeric passwords (99% of the existing passwords, since you are rarely allowed to use extra symbols like ",#& etc.) give you a combination of 26 (lower case) + 26 (upper case) + 10 (numbers) = 62 possible characters per slot. Make your password four digits, and you come to a number of 62*62*62*62 alternatives, that is 14776336, which is lower than your expectation.
Also, a quick search on the web about password creation (Google search for "password") gives you a couple of interesting pages:
http://www.alw.nih.gov/Security/Docs/passwd.html
http://www.microsoft.com/security/articles/password.asp
http://www.theregister.co.uk/content/55/31920.html
http://zdnet.com.com/2100-1105_2-5053063.html
http://segobit.virtualave.net/pbm.htm
There are many others. Also look for "encryption" or words like this.
Cyril Guichard
Mechanical Engineer
RE: Password Tip
Yes, your number is more accurate for most cases. As your links indicate, most passwords don't allow non-alphanumeric symbols. I assumed that all keyboard symbols were useable just to estimate an upper bound on the combinations, in order to show that short passwords can't be good. I have always wondered if any of the less common ASCII symbols could be used, and I'm sure the answer is "yes" if the program allows it; but I haven't seen any that do.
The links imply that any password can be cracked in a matter of seconds; and I am surprised to see that the time is so short, although the relationship between length of password and time-to-crack is not discussed in a systematic way.
It is also stated that the use of random symbols in a password (&,#,$,<, etc.) is helpful for making it more difficult to crack, I suppose because they reduce the usefulness of pattern algorithms in password cracking codes, thereby requiring more of a brute force method. But some programs don't allow symbols in passwords.
So, while length is important, randomness is important also. Using a short, favorite word for a password is almost like having no password at all.
RE: Password Tip
With a 4-place password, for example, my keyboard gives roughly 78 million possible alternatives. A 3 GHz computer could crack that in seconds with even the crudest scheme. I'm sure others have already worked out the number of places you need in a password to be reasonably secure. Is there a website that has that information?
and I respond below:
Assuming a 4 character password of case-insensitive alphanumerics only, we get 1.67 million combinations (36^4). Allowing case sensitivity and shifted numbers gives us 72 characters, and 72^4 = 26.9 million combinations.
More importantly, though, while it may be true that a 3GHz computer can generate 78 million 4-character groups in a few seconds, it is probably NOT true that that same computer can make 78 million login attempts in a few seconds.
For fun, I'll throw a few numbers at the question...
Assume fast connection (100Mbps ethernet)
Assume very fast authentication (time to check password = 0)
Assume password and login request fits in a 256 byte packet.
Assume total login requires 4 packets (request login, receive challenge for password, send password, receive notice of success/failure)
Network efficiency of 75% (packet collisions, etc limit throughput)
Time to make one login attempt = 0.11ms (This gives about 9000 attempts per second.) Time to work through 78 million combinations = almost 2.5 hours. Time to work through 78 million combinations if account is locked out after 5 failures, and re-enabled hourly by a really stupid sysadmin: 1780 YEARS!
With a 56K dialup connection, with similar assumptions, things are much slower: perhaps 6 or 7 attempts per second, max. Interestingly, if the account is locked out after a number of failed logins, the total penetration time is no different than if a faster connection was in place.
The moral? Choose a good password, and then choose an authentication process that throws a flag when things look fishy.
William Wicker.
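The estimate in the post above, carried through as an added example that is not part of the original post. It generalizes the single 4-character case to other alphabets and lengths; the class and function names are assumptions of this example, and the network figures are the post's stated assumptions.

```python
from dataclasses import dataclass

SECONDS_PER_YEAR = 365.25 * 24 * 3600


@dataclass
class Link:
    """Network path to the login service, using the post's assumptions."""
    bits_per_second: float
    efficiency: float = 0.75       # usable share of the raw bit rate
    packets_per_attempt: int = 4   # request, challenge, password, result
    packet_bytes: int = 256

    def attempts_per_second(self) -> float:
        bits = self.packets_per_attempt * self.packet_bytes * 8
        return self.bits_per_second * self.efficiency / bits


def exhaust_seconds(alphabet, length, link, lockout_after=None,
                    reenable_seconds=3600):
    """Worst-case time to try every password of one length over `link`.

    With a lockout policy only `lockout_after` guesses are possible per
    re-enable period, so the slower of the two limits sets the total.
    """
    keyspace = alphabet ** length
    wire_time = keyspace / link.attempts_per_second()
    if lockout_after is None:
        return wire_time
    policy_time = keyspace / lockout_after * reenable_seconds
    return max(wire_time, policy_time)


def years_table(link, alphabets=(36, 62, 94), lengths=range(4, 11), **policy):
    """Rows of (alphabet, length, years to exhaust) for a quick comparison."""
    return [(a, n, exhaust_seconds(a, n, link, **policy) / SECONDS_PER_YEAR)
            for a in alphabets for n in lengths]


ETHERNET = Link(100e6)   # 100 Mbps, as in the post
DIALUP = Link(56e3)      # 56K modem, same per-attempt assumptions

if __name__ == "__main__":
    print(f"{ETHERNET.attempts_per_second():.0f} attempts/s on 100 Mbps")
    print(f"94^4, no lockout: {exhaust_seconds(94, 4, ETHERNET) / 3600:.2f} h")
    for a, n, y in years_table(ETHERNET, lockout_after=5):
        print(f"alphabet={a:3d} length={n:2d} lockout 5/h: {y:.3g} years")
```

The 94-character alphabet is an assumption chosen because 94^4 is about 78 million, the figure quoted in the thread. Once a lockout applies, the link speed drops out of the result, which is the post's point about dialup versus Ethernet.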
RE: Password Tip