Friday, September 26, 2008

Strong and secure passwords

"What is the password dude?" He was grinning like Comrade Zuma at an arms show - a safe distance away behind the security gate.

It was national braai day and I was in no mood for games.

"Rumpelstiltskin" I said, utterly humorlessly.

He just grinned wider.

"What freaking password are you talking about?", I asked a little more loudly than necessary.

"The password to come in for the braai!", he said cocking his head to one side feigning surprise, and continued: "Didn't you get the memo?"

He slapped his forehead: "Oh no - of course you didn't...", he grinned even more broadly: "you were too busy writing newsletters skinnering about your...", he pretended to search for the word, "dim-witted", he spat out, "urm...how did you call it....ah...'friends' weren't you?"

So he read the newsletter. That was a surprise. I didn't know he could read.

"Look cuz, it's only a newsletter and it's only fiction.", I said trying to look apologetic. I continued: "It's nothing personal....it's just that you guys are...so...entertaining."

"Well dude, I'm entertaining both of us right now!", he cackled and spoke in bold font: "what. is. the. pass. word.". He smiled sweetly...or rather he tried to smile sweetly. I thought it looked more like a stroke in progress.

"Ok", I said reaching the end of my patience, "remember the world record you hold in screwing up a chicken braai?", I stepped right up to the gate and continued with a low voice: "I have photos."

He once burned a chicken so badly that if future archaeologists were to dig up the poor thing they might think it was blown all the way here from Chernobyl during that nasty nuclear accident thing. In fact, it probably is radioactive too. If I should publish pictures of that unfortunate event, his reputation as a braai master will be severely dented. He will have to endure months - years even - of teasing.

For a fleeting second I thought I saw panic in his eyes. Then he recovered. "Bull cuz. There was no camera that day." The stroke-smile again. It was true of course. There were no cameras and I did not have photos. I was betting his alcohol-impaired memory would count in my favor. Pity. I did not want to go to defcon one and nuke his ass.

"Ok," I said and stepped away from the gate. "You brought this on yourself." I took out my cell phone and started dialling. "There is still time to stop this...", I said, phone to the ear.

He looked confused. He does that rather well. He is often confused.

The only way my nuclear weapon was going to work was if I delivered it with no warning. A pre-emptive strike as it were...smack him out of his ID book photo.

"Hi sweetie!" I said to the phone in my best up-beat voice. "Listen, please do me a favour - please ask your husband to open the gate for me - he does not want me to come in."

I made eye contact. There was naked fear in his eyes. His mouth fell open.

Robotically he buzzed the gate and I stepped in. I stopped right next to him and, in my best menacing Godfather voice, said: "Kurt, my cuzzy," I waited a few seconds for a pregnant pause: "next time," another pause: "I'll REALLY call her."

Before he could recover I (very) quickly walked to the braai where all the wives were sitting: Switzerland. I was going to need asylum for a while.

Guessing a password in an offline system (where you have to wait for the reply) is very difficult. In an online system on the other hand, it can be a trivial process: There are several password recovery software programs that can perform hundreds of thousands of guesses per minute - if the software used to secure the data enables it.

For instance, about 24% of all passwords can be correctly guessed within about 100 000 attempts. If the software (let's say a password on an MS Word file) can process the attempts quickly enough, a relatively simple brute force attack is practical. MS Word for instance will allow several hundred thousand password guesses - per second. That is a few million password guesses every 5 minutes!

Consider for a second how much damage a malicious person or program with knowledge of your password(s) can cause. Such a person will be able to read all your email, send emails impersonating you, access your bank accounts, change your web site, wipe all data from your computer and even deny you entry to a braai.

Having a secure and secret password is absolutely essential to protect your digital assets and privacy - yet many people do not know how to choose a strong (good) password. Take Kurt for example. I know the password he wanted to hear was "Double" because that was what he was thinking about at the time. The problem was that if I guessed it correctly, he would not have admitted it. He was in the position to change his password on the fly. You and I on the other hand will not have the opportunity to change our password when someone tries to crack it...because we will generally be unaware of the attack. It is therefore important to pick passwords that you can not only remember, but passwords that are very difficult to guess.

Coming back to brute force attacks: Don't think password crackers will start with "aaaaaa", working to "abaaaa" and ending at "zzzzzz" as a brute force all-out attack. Uh-uh. Research has shown that about 24% of passwords can be cracked with a 1000 word dictionary testing for common passwords like "letmein", "secret", "password1" and so on, followed by prefixes like "+" or "?" or a number... and/or suffixes. This relatively simple 1000 word dictionary yields less than 100 000 passwords - and will correctly guess 24% of passwords...in seconds.
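To make the two paragraphs above concrete, here is an added example (not code from the original post) that builds the kind of small "dictionary plus prefix/suffix" candidate list described, counts how many guesses it produces per base word, projects that to a 1000-word list, and checks whether a given password would fall inside that list. The ten sample words, the three prefixes, the suffix set and the 300 000 guesses-per-second rate are constructed assumptions chosen to stay under the post's figure of 100 000 candidates; the point is to let you test your own password policy against the cheapest part of such a search.

```python
"""Coverage check for the small dictionary-plus-mangling search the post
describes.  Added example, not code from the original post: the word list
and the prefix/suffix rules are constructed so a 1000-word list stays under
the post's 'less than 100 000 candidates'."""
from itertools import product

# Constructed stand-in for the 1000-word list of common passwords.
SAMPLE_WORDS = ["password", "letmein", "secret", "qwerty", "welcome",
                "monkey", "dragon", "football", "alice", "peter"]

# Mangling rules in the spirit of the post: an optional prefix such as
# "+" or "?", an optional suffix symbol or single digit, and a capitalised
# variant of the base word.  (Constructed; real rule sets are larger.)
PREFIXES = ["", "+", "?"]
SUFFIXES = ["", "!", "?"] + [str(d) for d in range(10)]


def candidates(words):
    """Yield every distinct prefix + word-variant + suffix combination."""
    seen = set()
    for word in words:
        for variant in (word.lower(), word.capitalize()):
            for prefix, suffix in product(PREFIXES, SUFFIXES):
                cand = prefix + variant + suffix
                if cand not in seen:
                    seen.add(cand)
                    yield cand


def candidates_per_word():
    """How many guesses one base word expands into under these rules."""
    return sum(1 for _ in candidates(["password"]))


def projected_candidates(n_words):
    """Rough size of the search for an n-word list (the post uses 1000)."""
    return n_words * candidates_per_word()


def seconds_to_exhaust(n_candidates, guesses_per_second):
    """Time to try every candidate at a given guess rate."""
    return n_candidates / guesses_per_second


def covered_by_dictionary_attack(password, words=SAMPLE_WORDS):
    """True if the password is one of the mangled dictionary candidates,
    i.e. it would be found in the first seconds of such a search."""
    return password in set(candidates(words))


if __name__ == "__main__":
    total = projected_candidates(1000)
    print(f"1000-word list -> about {total} candidates")
    # 300 000/s is an assumed figure for 'several hundred thousand per second'.
    print(f"exhausted in {seconds_to_exhaust(total, 300_000):.2f} s")
    for pw in ("password1", "+Letmein?", "pss4673wr!d"):
        hit = covered_by_dictionary_attack(pw)
        print(f"{pw!r}: {'covered' if hit else 'not covered'}")
```

Each base word expands into 78 candidates here, so a 1000-word list gives 78 000 guesses, which at the assumed rate is exhausted in well under a second; "password1" and "+Letmein?" are both inside that list, while a password built from the post's rules below is not.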

The most effective way to make your password more difficult to guess is to make it difficult to pronounce...because virtually all cracking dictionaries are phonetic. So here are the top 10 things you can do (use them all) to make your password difficult to guess...and to keep the philistines on the other side of the gate:

1. Make your password 8 characters or longer.

2. Drop the vowels from your password: "password" becomes "psswrd".

3. Add numbers or symbols to your password, but not at the end or at the beginning - rather somewhere inside the password. For instance, you can add the last 4 digits of your phone number like this: "psswrd4673", but a stronger password will put the digits inside the word, so: "pss4673wrd", and insert a #&!^% in somewhere, like this: "pss4673wr!d". In fact, instead of typing "4673", hold the shift key down for the "73" and it becomes "&#".

4. Use a "pass phrase" instead of a word: For instance take a line from one of your favourite songs: "Living next door to Alice". Now using only the first letter in every word, it becomes "lndta", to which we can add 4 digits of a phone number, so: "ln4673dta", and a nice symbol #, so: "ln#4673dta". (Or just use the whole sentence - very long passwords are very secure). For an email password you might use something like "this is my personal email don't read it" which yields the password "timpedri".

5. Do not use the same password for all your systems / services. This is the biggest mistake you can make. If you use website xyz to access your email and they are hacked, your password becomes available to hackers who can use it to target other online services you use.

6. Change your passwords every few months. The longer you use a password, the higher the probability that someone will guess or steal it.

7. Write your password down if you are worried you might forget. Now don't write "my password = password" on a Post-it and stick it to your computer. No, write your password down as a code and file the paper somewhere: Let's say you used the password "ln4673dta" as in point 4. You could write this down to jog your memory: "Who is Alice and who did she call?" or even "living next door to alice". Unless someone KNOWS that is a password hint - your secret is perfectly safe. (See Password Safe later in the blog)

8. Never, ever, ever type your password on a computer you do not trust 100%. It takes a criminal only a few seconds to install key recording software on a computer in a public location to harvest and send passwords to him.

9. Do not use your login name as a password. A password that is the same as the login name is the simplest to guess. The same holds for personal information about you - like wife/husband/children/pet names. If you have to use a loved one's name as a password, then misspell it. For instance, Peter can become "petarr".

10. Watch the eyeballs. If someone is watching you type your password, enter a few dummy characters. For instance, slip a wrong letter in somewhere and hit the backspace button. If you do that twice or three times during the process the peeping tom will find it difficult to keep track. Add two letters at the end, press the back arrow twice and the delete key twice. You get the idea.
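Rules 2, 3 and 4 above are mechanical enough to script, so here is an added example (not code from the original post) that reproduces the post's own transformations - dropping vowels, taking the initials of a phrase, inserting digits in the middle rather than at the end, and typing some digits with shift held - and then gives a rough size-of-search estimate for the result. The shifted-digit mapping assumes a US keyboard layout, and the estimate (length times log2 of the character pool) is a common approximation that only measures how big the raw search is; it does not detect whether a password sits in a cracking dictionary, which is why the dictionary rules still matter.

```python
"""Compose a password the way the post's rules 2-4 describe and estimate
the size of the search it implies.  Added example, not code from the
original post; keyboard mapping and entropy formula are assumptions."""
import math

VOWELS = set("aeiouAEIOU")
# Shifted digit row of a US keyboard (assumption: other layouts differ).
SHIFTED = {"1": "!", "2": "@", "3": "#", "4": "$", "5": "%",
           "6": "^", "7": "&", "8": "*", "9": "(", "0": ")"}
# Printable ASCII punctuation, used as the 'symbol' class (32 characters).
SYMBOLS = set("!@#$%^&*()-_=+[]{};:'\",.<>/?\\|`~")


def initials(phrase):
    """Rule 4: first letter of every word, lower-cased."""
    return "".join(word[0].lower() for word in phrase.split())


def drop_vowels(word):
    """Rule 2: 'password' -> 'psswrd'."""
    return "".join(c for c in word if c not in VOWELS)


def shift_digits(digits, positions):
    """Rule 3, last sentence: type the digits at the given positions
    with the shift key held, so '4673' with positions {2, 3} -> '46&#'."""
    return "".join(SHIFTED[d] if i in positions else d
                   for i, d in enumerate(digits))


def insert_inside(word, fragment):
    """Rule 3: put the fragment in the middle rather than at either end."""
    mid = len(word) // 2
    return word[:mid] + fragment + word[mid:]


def compose(base, digits, shift_positions=()):
    """Combine a base (a vowel-stripped word or the initials of a phrase)
    with digits inserted inside, some of them shifted into symbols."""
    return insert_inside(base, shift_digits(digits, set(shift_positions)))


def search_space_bits(password):
    """Rough estimate: log2(pool ** length), where the pool is the union of
    the character classes present.  Shows why length and mixed classes
    both matter; says nothing about dictionary membership."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(c in SYMBOLS for c in password):
        pool += len(SYMBOLS)
    return len(password) * math.log2(pool) if pool else 0.0


if __name__ == "__main__":
    examples = [
        "password",
        drop_vowels("password"),
        compose(drop_vowels("password"), "4673"),
        compose(drop_vowels("password"), "4673", shift_positions=(2, 3)),
        compose(initials("Living next door to Alice"), "4673"),
        initials("this is my personal email don't read it"),
    ]
    for pw in examples:
        print(f"{pw:<14} ~{search_space_bits(pw):5.1f} bits")
```

Running it reproduces the post's own strings ("psswrd", "pss4673wrd", "ln4673dta", "timpedri") and shows the estimate climbing from about 38 bits for "password" to about 67 bits once digits and a symbol are mixed in. Note that the estimate gives "psswrd4673" and "pss4673wrd" the same score: the position of the digits only matters against the suffix rules of a dictionary attack, which is exactly the post's argument for putting them inside the word.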

You can test the "strength" (i.e. how difficult it is to crack) with the Microsoft password checker here...

If you have a dodgy memory like mine, it can be a real disincentive to use long and complicated passwords. In fact, it can be downright painful if you forget the passwords, so let me introduce to you Password Safe:

It is free software you download and install on your computer.

Password Safe is locked and unlocked with one master password and then securely stores all your other passwords.

The software takes a few minutes to get used to but is really worth it to have separate, strong and secure passwords for each of the services you use.

Think of it as free insurance. You can download it here...

3 comments:

Alan said...

Thanks dude!
Have downloaded the program and checked my "weak" passwords at Microsoft... am changing them NOW.
I've sent your blogs to some other people...

Hilton said...

Hi Waldo,

Thanks for your mail regarding strong and secure passwords.

We have an incredible solution that we are introducing into South Africa as we speak – please refer to our attached press release and also follow the following link to one of the independent reviews of this brilliant product http://www.hardware-pacers.com/pages.php?pid=376&catType=t.

The overall comment at the end of the review states:

Taking all of the above ratings into account, the n-Trance n-Tegrity Professional 1GB Secure Data Storage device is a great buy for any user that has concerns for security.

Your comments would be appreciated.

Have a great weekend as well!

Best regards,
Hilton

Hilton Loewenstein
SeKure-IT
tel. +27 (0) 11 553 1270
Cell. +27 (0) 82 551 4948
Fax. +27 (0) 86 636 1580
e-mail: hilton@sekureit.co.za
web: www.sekureit.co.za

Waldo Louw said...
This post has been removed by the author.