Here is an interesting utility I found while looking for password-development models:<br><a href="http://www.multicians.org/thvv/gpw-js.html">http://www.multicians.org/thvv/gpw-js.html</a> This creates pronounceable non-words that follow English lexi to the point that they will be easy to remember. Add some substitutions and some caps, and you have a good password that is easy to remember.<br>
<br>My own 'system' is to choose a 6-8 character word and have muscle-memory turn it into something unrecognisable.<br>Mustang => Mku8set6awnjgy or Mju7swt5aqnhgt or Mmuhsz6taAnNgv<br>It is fast, and you don't move around the keyboard much as you type, so it is hard to shoulder-surf.<br>
<br><div class="gmail_quote">On Sat, Sep 10, 2011 at 2:54 AM, Ron Frazier <span dir="ltr"><<a href="mailto:atllinuxenthinfo@c3energy.com">atllinuxenthinfo@c3energy.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
Hi all,<br>
<br>
If you've been watching the list, you know I've been in discussion with<br>
several others related to the topic of creating strong passwords. Based<br>
on prior discussions and recommendations, I had concluded that pass<br>
phrases are highly desirable. However, if using a 2048 word lexicon,<br>
they must be 6 words long to achieve a few days of crack resistance from<br>
a botnet array. You have to go up to 8 words to reach a crack time of<br>
centuries if the attacker is doing 100 trillion guesses / second. Pass<br>
phrases this long are impossible to enter into many websites. And, even<br>
if they can be entered, it is very tedious to type this many words in a<br>
password field.<br>
<br>
Here, I will describe a good compromise if you either wish to or are<br>
forced to use a shorter password.<br>
<br>
I was slamming my bank in prior discussions due to only allowing 8<br>
character passwords. Well, I guess other people have been slamming<br>
them. I checked the password policy today and it has been updated to<br>
the following:<br>
<br>
"Must be 6-20 characters with at least one letter and one number. There<br>
should be no spaces and no special characters."<br>
<br>
As you can see, I cannot use a 6-8 word pass phrase here. However, I<br>
can still make it plenty strong. The key to making a short password<br>
work is not only making it as long as you can, but including as many as<br>
possible of the following in the alphabet of characters you use: lower<br>
case letters, upper case letters, digits, symbols. Adding just 1 of<br>
these character types, as long as the attacker doesn't know your<br>
pattern, dramatically expands the number of guesses he has to make.<br>
<br>
Here is a simple example of what adding each different possibility<br>
does. Imagine a 4 character password. This one won't be strong, it's<br>
just for an example.<br>
<br>
* lower case, ex: "junk" (excluding quotes), 26 possibilities in each<br>
character, permutations = 26^4 = 456,976<br>
* lower, upper, ex: "Junk", 52 possibilities in each character,<br>
permutations = 52^4 = 7,311,616 (Note that this is 16 times more secure.)<br>
* lower, upper, digits, ex: "Jun8", 62 possibilities in each character,<br>
permutations = 62^4 = 14,776,336 (Note that this is 32 times more secure.)<br>
* lower, upper, digits, symbols, ex: "Ju+8", 95 possibilities in each<br>
character, permutations = 95^4 = 81,450,625 (Note that this is 178<br>
times more secure.)<br>
<br>
These short passwords would be cracked instantly by a cracking array.<br>
However, a bit of clever adding of characters will allow me to have a<br>
very secure and pretty memorable password, even at MY bank.<br>
<br>
Following is the minimum character length of a password of each type to<br>
require at least a century of crack time by an array operating at 100<br>
trillion guesses / second.<br>
<br>
lower case, 17 characters, 3.60 centuries crack time<br>
lower, upper, 14 characters, 3.35 centuries crack time<br>
lower, upper, digits, 14 characters, 39.33 centuries crack time<br>
lower, upper, digits, symbols, 12 characters, 1.71 centuries crack<br>
time (Note that my bank will not accept this one.)<br>
<br>
Going any SHORTER will reduce the crack time to less than a century,<br>
and it does so VERY rapidly. In the case of the lower, upper, digits,<br>
removing 1 character reduces crack time to 63.43 years. Removing a 2nd<br>
character reduces it to 1.02 years. And, removing a 3rd character<br>
reduces it to 6.02 days.<br>
<br>
The best compromise of length, memorability, usability at websites, and<br>
security is the lower, upper, digits scenario with 14 characters. An<br>
easy way to do this is to pick 2 words from a standard English<br>
dictionary which combine to at least 12 characters then throw some caps<br>
and 2 digits in, or 13 characters and 1 digit. This has some of the<br>
benefits of a pass phrase and is pretty memorable, and will be accepted<br>
by most websites. You could use more digits, but there is no big<br>
benefit. Once you've added even 1 digit, you've increased the<br>
possibilities at each character spot from 52 to 62. Note that all this<br>
assumes the attacker is brute force guessing and doesn't know YOUR word<br>
pattern.<br>
<br>
4AntimonyBlast - 14 characters - 39.33 centuries crack time<br>
CastoffWander2 - 14 characters - 39.33 centuries crack time<br>
Debark3Debates - 14 characters - 39.33 centuries crack time<br>
<br>
Here's how the math works.<br>
<br>
permutations = 62^14 = 12.402 x 10^24<br>
time to crack = 12.402 x 10^24 / 100 x 10^12 guesses / second = 124.02 x<br>
10^09 seconds<br>
divide by 3600 to get hours, then 24 to get days, then 365 to get years,<br>
then 100 to get centuries<br>
<br>
To do the whole thing at once, take the number of permutations and<br>
divide by 315.36 x 10^21.<br>
time to crack = 39.33 centuries<br>
<br>
-----> BOTTOM LINE <------<br>
<br>
So, the BOTTOM LINE is: create a password at least 14 characters long<br>
containing lower case, upper case, and digits; and you will be<br>
uncrackable by a botnet of 1000 PCs doing a total of 100 trillion<br>
guesses / second for almost 40 centuries. Some of the crypto guys can<br>
chip in and say whether, statistically, the cracker might hit your<br>
password in 1/2 the time. In that case, you're good for 20 centuries.<br>
<br>
I hope you find this useful. I certainly found the analysis revealing,<br>
and I'll be upgrading some of my website and applications passwords.<br>
<br>
There's a lot of math here, all hand done. I'm pretty sure it's all<br>
right, but if there are typos (at 2 AM), they'll have to be corrected later.<br>
<br>
Sincerely,<br>
<br>
Ron<br>
<br>
--<br>
<br>
(PS - If you email me and don't get a quick response, you might want to<br>
call on the phone. I get about 300 emails per day from alternate energy<br>
mailing lists and such. I don't always see new messages very quickly.)<br>
<br>
Ron Frazier<br>
<br>
770-205-9422 (O) Leave a message.<br>
linuxdude AT <a href="http://c3energy.com" target="_blank">c3energy.com</a><br>
<br>
_______________________________________________<br>
Ale mailing list<br>
<a href="mailto:Ale@ale.org">Ale@ale.org</a><br>
<a href="http://mail.ale.org/mailman/listinfo/ale" target="_blank">http://mail.ale.org/mailman/listinfo/ale</a><br>
See JOBS, ANNOUNCE and SCHOOLS lists at<br>
<a href="http://mail.ale.org/mailman/listinfo" target="_blank">http://mail.ale.org/mailman/listinfo</a><br>
</blockquote></div><br><br clear="all"><br>-- <br>This Apt Has Super Cow Powers - <a href="http://sourcefreedom.com">http://sourcefreedom.com</a><br>
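The brute-force crack-time arithmetic in Ron's quoted message, worked through in code as an added example (not code from the original thread). The class sizes, the 100 trillion guesses/second rate and the seconds-per-century divisor are taken from the message; the symbol class is assumed to be 33 characters (punctuation plus space) so that the four classes sum to the 95 he uses.<br>

```python
# Added example, not code from the original thread: reproduces the
# brute-force crack-time arithmetic in the quoted message.
import string

GUESSES_PER_SECOND = 100 * 10**12            # 100 trillion guesses / second
SECONDS_PER_CENTURY = 3600 * 24 * 365 * 100  # 3.1536e9; times 1e14 = 315.36e21

# Alphabet sizes named in the message; "symbols" is assumed to be 33
# (32 ASCII punctuation marks plus space) so the four classes sum to 95.
CLASS_SIZES = {"lower": 26, "upper": 26, "digits": 10, "symbols": 33}
CLASS_OF = {**{c: "lower" for c in string.ascii_lowercase},
            **{c: "upper" for c in string.ascii_uppercase},
            **{c: "digits" for c in string.digits}}

def keyspace(alphabet_size, length):
    """Number of distinct strings of `length` over an alphabet of that size."""
    return alphabet_size ** length

def crack_centuries(alphabet_size, length, rate=GUESSES_PER_SECOND):
    """Centuries needed to try every string at `rate` guesses per second."""
    return keyspace(alphabet_size, length) / rate / SECONDS_PER_CENTURY

def min_length_for(alphabet_size, centuries=1.0, rate=GUESSES_PER_SECOND):
    """Shortest length whose exhaustive search takes at least `centuries`."""
    length = 1
    while crack_centuries(alphabet_size, length, rate) < centuries:
        length += 1
    return length

def classes_present(password):
    """Character classes the password uses; anything else counts as a symbol."""
    return {CLASS_OF.get(ch, "symbols") for ch in password}

def assess(password):
    """Keyspace and crack time under the message's model: the attacker tries
    every string over the classes present and does not know the word pattern
    (a dictionary attack on "4AntimonyBlast" is deliberately not modelled)."""
    size = sum(CLASS_SIZES[c] for c in classes_present(password))
    return {"length": len(password), "alphabet": size,
            "keyspace": keyspace(size, len(password)),
            "centuries": round(crack_centuries(size, len(password)), 2)}

if __name__ == "__main__":
    for pw in ("junk", "Jun8", "Ju+8", "4AntimonyBlast"):
        print(pw, assess(pw))
    for name, size in (("lower", 26), ("lower+upper", 52),
                       ("lower+upper+digits", 62), ("all four", 95)):
        print(f"{name}: {min_length_for(size)} chars for a century of crack time")
```

The minimum lengths it reports (17, 14, 14, 12) and the 39.33 centuries for a 14-character lower/upper/digit password match the figures in the message.<br>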