Friday, April 24, 2009

Passwords - The Good, The Bad & The Ugly

OK, well I love twitter.  And I know that you're thinking, "WTF does twitter have to do with passwords".  The answer is simple... nothing.  However, someone I follow on twitter (ElaineEllis) sent out some tweets about passwords.  I doubt she cares, but I told her that as a former information security professional, I'd type something up about good passwords.

What is a good password anyway?  Well, that's a tough question.  It's easier to say what a good password is not than what a good password is.  A good password is a string of text that anyone other than you is unlikely to guess when thinking of you (no pet names, birthdays or favorite teams).  It is also something that is difficult for a computer to guess using a dictionary attack or a brute force attack.

I hear crickets.

You're thinking, "WTF" again, aren't ya?  A dictionary attack is, simply put, using a simple computer program to try every word in a word list as your password, usually along with cheap variations of each word (capitalized, a digit or two tacked on the end, a symbol stuck on the front).  Does this take long?  Not really.  Computers are pretty darn fast these days.  At this point, I'd like to insert some nifty statistic about exactly how darn fast computers can try every word in the dictionary, but I can't find that stat on the web right now.  Pretend I told you some astonishingly fast number, because in reality, it probably is.

"So what is a brute force attack then?" is probably something you're not asking, because you don't care.  Personally, I don't blame you.  Computer security is actually pretty boring stuff that most people don't care about.  But pretend you're me and that you do care.  A brute force attack is when someone uses a computer program to try every possible combination of letters, numbers and/or symbols.  Typically this is a pain in the ass for the attacker, because quite frankly there is a crapload of possible eight-plus character combinations once you have to consider lower case letters, upper case letters, numbers AND symbols: every extra character multiplies the number of guesses by the size of the character set.

Since I'm such a good mind reader, I now realize you're thinking, "WTF is this guy rambling on about?  Why can't he just tell me how to make a decent password?"

Fine!  Be like that!  I'll make a stupidly long story a little shorter.

Here's how you make a decent password... one that is not impossible to remember.

Method #1 - I call this the Adlib password.
Select a random word, one that does not have ANYTHING to do with you or anyone you know.  I'll pick a random word right now -- chickens.  Now that we have the "base" word, we can add a symbol to the front and back of it.  Let's select "*", but it could be anything.  So now we have "*chickens*" as a password.  Next we pick a number, or for all I care, another symbol.  I'm going to choose 84 as a random number and insert it into the middle of the word, making the password "*chick84ens*".

Now that's a much stronger password than the bare word: a random word, random symbols and a random number, but still easy to remember.  That's about the perfect mix.  One caveat: cracking programs also try common tricks like wrapping a word in symbols or tacking a number on the end, so the less predictable your placement, the better.

Method #2 - The Acronym
Anyone here ever hear the phrase, "The quick brown fox jumps over the lazy dog"?  It's a phrase used in typing classes because it has every letter of the alphabet in it.  We can easily turn this into a password: tqbfjotld.  See the connection?  I used the first letter of each word in that phrase.  You can choose your own phrase and take the first letters.  But that alone leaves it susceptible to brute force cracking (nine lowercase letters is a small search space), and a famous phrase is one an attacker can guess.  No problem: throw in some of the adlib stuff.  Maybe a symbol, maybe a number, maybe you want to do some caps, and pick a phrase that isn't world famous.

The main thing you need to remember is that using a word found in the dictionary is bad.  Using a word found in the dictionary followed by "1" is only slightly better, since that is one of the first variations a cracking program tries.  There are many ways to make difficult to guess passwords that are easy to remember.  The key is to make a password that you will remember, is hard for a person or computer to guess, and isn't written down.
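To make the dictionary and brute force discussion above concrete, and to check the two methods against it, here is an added example (my code, not part of Matt's post): a toy rule-based dictionary attack, a keyspace calculation for brute force, and the Adlib and Acronym constructions.  The word list, the mangling rules and the use of unsalted SHA-256 as the stored hash are constructed assumptions for illustration; real crackers use far larger word lists and rule sets.

```python
# Added example, not code from the original post: a toy rule-based
# dictionary attack plus the post's two password constructions, so the
# claims in the text can be checked rather than taken on faith.  The word
# list, mangling rules and hash choice (unsalted SHA-256) are constructed
# assumptions for illustration; real crackers use far larger lists and rules.
import hashlib
import string

# Constructed mini word list (a real attack uses hundreds of thousands of words).
WORDLIST = ["password", "chickens", "dragon", "monkey", "letmein", "sunshine"]

LOWER_CHARSET = string.ascii_lowercase                                  # 26 chars
FULL_CHARSET = string.ascii_letters + string.digits + string.punctuation  # 94 chars


def sha256_hex(text: str) -> str:
    """Hash a candidate the way a stored (unsalted) password hash is compared."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def mangle(word: str):
    """Yield the cheap variants a rule-based dictionary attack tries per word:
    the bare word, capitalisation changes, a trailing 0..99, and a symbol
    wrapped around or appended to it.  That is 113 candidates per word."""
    yield word
    yield word.capitalize()
    yield word.upper()
    for n in range(100):
        yield f"{word}{n}"
    for sym in "!*#$@":
        yield f"{sym}{word}{sym}"
        yield f"{word}{sym}"


def dictionary_attack(target_hash: str, wordlist=WORDLIST):
    """Return (recovered_password, attempts); recovered_password is None on failure."""
    attempts = 0
    for word in wordlist:
        for candidate in mangle(word):
            attempts += 1
            if sha256_hex(candidate) == target_hash:
                return candidate, attempts
    return None, attempts


def brute_force_keyspace(length: int, charset: str) -> int:
    """Candidates an exhaustive search must cover for a fixed-length password."""
    return len(charset) ** length


def adlib_password(word: str, front: str, back: str, middle: str, at: int) -> str:
    """Method #1: wrap a base word in symbols and insert a number at index `at`."""
    return f"{front}{word[:at]}{middle}{word[at:]}{back}"


def acronym_password(phrase: str) -> str:
    """Method #2: first letter of each word in a phrase, lower-cased as in the post."""
    return "".join(w[0].lower() for w in phrase.split())


if __name__ == "__main__":
    samples = [
        "chickens",
        "chickens1",
        adlib_password("chickens", "*", "*", "84", 5),
        acronym_password("The quick brown fox jumps over the lazy dog"),
    ]
    for pw in samples:
        found, tries = dictionary_attack(sha256_hex(pw))
        verdict = f"cracked after {tries} guesses" if found else f"survived all {tries} guesses"
        print(f"{pw!r:16} {verdict}")
    print("8-char lowercase brute force keyspace:", brute_force_keyspace(8, LOWER_CHARSET))
    print("9-char lowercase brute force keyspace:", brute_force_keyspace(9, LOWER_CHARSET))
    print("8-char full-charset brute force keyspace:", brute_force_keyspace(8, FULL_CHARSET))
```

Running it shows the bare word falling on the first try for that word, "chickens1" only a handful of guesses later, and both "*chick84ens*" and "tqbfjotld" surviving the whole word list.  The keyspace numbers show why the post still tells you to mix symbols and caps into the acronym: nine lowercase letters is roughly 5.4 trillion candidates, while eight characters drawn from the full 94-character set is about a thousand times more than that.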

It's getting late, and I realize this should probably be longer, but I think I'm gonna end this blog entry.  I hope it's been helpful.

Matt

Thursday, April 23, 2009

Dawn of a new day!

I, Matt McMahon, do hereby claim the privilege of being one of the first bloggers in existence! Yes, I keep up with things so much, that I've decided to jump onto this blog "thing" before everyone starts doing it!

Not much time today, because there is much to do in little time.  However, I envision this blog being a place where the masses (maybe 1 or 2 people) will be able to read about my amazing (or not so) adventures in life!

I would expect that I'll cover topics such as the iPhone, Twitter, my adventures in learning how to program, outdoor stuff (meaning stuff other than me looking out the window), and whatever other things grab my interest.

So as my first official adventure, I shall finish my second cup of coffee, wake my sleeping monster... I mean daughter and take my car to the mechanic so he can fix my car's emission problem.  I'm just hoping that fixing my car's emission problem doesn't mean I have to break my wallet.  I like my wallet, and even more so, I like my wallet with money in it.

OK, I'm off!  Have a good one folks.  Feel free to follow me on twitter.com/MatthewMcMahon