Vedant Misra

I work on AI at HubSpot. Previously I was founder/CEO at Kemvi (acquired by HubSpot). I'm interested in artificial intelligence, consciousness, rationality, neuroscience, markets, and Mexican food.


Look at you, you elite haxx0r with your uber-secure internet passwords. "madmax80" is your email password, eh? Who could've guessed!

Well, you see, no person might be able to straight-up guess your passwords, but "mad" is in the dictionary, "max" is in the dictionary, and I'm sure it's common knowledge by now that "80" is a number, so a computer running a dictionary attack (one that tries words, pairs of words, and common number suffixes, rather than every possible string) could easily put those three elements together and render your 1337 computer security useless.

That is to say, passwords built from dictionary words are bad. Something like "pengu1ns" is a step up, but it's still just an obvious variant of a dictionary word. This isn't good enough, because modern password crackers run every word in their lists through "mangling rules," and substitutions like i to 1, e to 3 and s to 5, capitalizing the first letter, and tacking a couple of digits or a year onto the end are the very first rules they try.

As frustrating as it might be to type, a real password looks something like "y73xFsjdlep3FJsldSZv99": random characters drawn from the whole upper, lower and digit set, long enough that no word list or rule set helps and trying every possible string is the attacker's only option.

Having good passwords is important. Some people happily dismiss the notion that password security matters with specious arguments like "I don't really need a secure password for my e-mail account because there's nothing in there any hacker could use: no credit card numbers or passwords or anything." Sure, but if you have an online bank account, it's tied to an e-mail address, and I can tell your bank I've forgotten your password, have the reset link or temporary password sent to that address, read it in your inbox, and all of a sudden your bank account is compromised. The e-mail account is the master key to everything that can be reset through it. On top of that, people tend to use similar passwords (or the exact same password, in many cases) for every online account they have. While this may be convenient, it's a pretty bad idea: if I have your e-mail password, I probably also have your Blogger account, your Facebook account, your work or school's shell account, etc.

So how does one go about generating many secure, memorable passwords? This site's pretty useful. A good idea is to take something you can remember - such as the lyrics to a song, or a sentence from a book - and generate a password by taking the first letter of each word. Then maybe do letter-number substitutions, or invert the order of the letters, or something like that. By using this method you can always recompute the password if you forget it. The catch is that the result is only as hard to guess as the phrase is obscure: a cracker can run the same first-letter trick over a list of famous lyrics and quotations as easily as you can, so pick a line nobody would associate with you, use a different line for each account, and make sure what comes out is long enough (eight characters is on the short side) that trying every string is still expensive.

Take for example my current Blogger password: "I fought the law but the law won" becomes iftlbtlw, which in turn becomes Ift1bt1w, with the "L"s replaced with "1"s. I mean, that's pretty hard to guess, and I think my Blogger account will be safe for a while. Or my GMail password: I took the first letter of each word from a line of one of my favorite poems. The line is, "Proud Americans! See, see, what only revolution does!" Take the first letter of each word and you get "password." No way that can be brute-forced, and it's almost impossible to guess that I used a poem, much less which poem and which line.
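Both halves of the argument above can be tried out in a few lines. What follows is an added example, not code from the original post: a toy dictionary/combinator/rule guesser of the kind that finds "madmax80" and "pengu1ns" in a few thousand guesses, and a helper that derives a mnemonic password from a phrase the way the post describes. The word list, the substitution table and the rule set are constructed for the example and are tiny compared with a real cracker's (hashcat and John the Ripper ship rule files with thousands of rules and word lists with millions of entries), and the target is compared in the clear rather than by hash, since the point is the size of the search rather than the hashing.

```python
"""Toy dictionary/combinator/rule attack plus a mnemonic password derivation.

Added example; not the post's own code. WORDLIST, LEET and the rule set are
constructed and deliberately small.
"""

# Constructed word list: a real one holds every dictionary word, every common
# name and every previously leaked password.
WORDLIST = ["mad", "max", "penguins", "fight", "law", "won", "blog"]

# Common "leet" substitutions, applied as mangling rules.
LEET = {"a": "4", "e": "3", "i": "1", "l": "1", "o": "0", "s": "5"}


def mangle(word):
    """Yield the variants a rule-based cracker tries for one base word:
    three capitalisations, each with no substitution, with one leet
    substitution at a time, and with every substitution at once."""
    seen = set()
    for cased in (word, word.capitalize(), word.upper()):
        variants = [cased]
        for i, ch in enumerate(cased.lower()):
            if ch in LEET:
                variants.append(cased[:i] + LEET[ch] + cased[i + 1:])
        variants.append("".join(LEET.get(c.lower(), c) for c in cased))
        for v in variants:
            if v not in seen:
                seen.add(v)
                yield v


def candidates(words, max_suffix=99):
    """Generate guesses the way a dictionary/combinator attack does: every
    word and every two-word concatenation, run through the mangling rules,
    with and without a number appended."""
    bases = list(words) + [a + b for a in words for b in words]
    suffixes = [""] + [str(n) for n in range(max_suffix + 1)]
    for base in bases:
        for variant in mangle(base):
            for suffix in suffixes:
                yield variant + suffix


def crack(target, words, limit=1_000_000):
    """Return (guesses_made, found) for target against the generated guesses.
    A real cracker would hash each guess and compare hashes; here the
    comparison is in the clear because only the search size matters."""
    guesses = 0
    for guess in candidates(words):
        guesses += 1
        if guess == target:
            return guesses, True
        if guesses >= limit:
            break
    return guesses, False


def mnemonic(phrase, substitutions=None):
    """Derive a password from the first letter of each word of a phrase, as
    the post describes, then apply optional letter substitutions such as
    {'l': '1'}. The case of each source letter is kept."""
    letters = "".join(w[0] for w in phrase.split() if w[0].isalpha())
    if substitutions:
        letters = "".join(substitutions.get(ch, ch) for ch in letters)
    return letters


if __name__ == "__main__":
    for pw in ("madmax80", "pengu1ns", "Ift1bt1w", "y73xFsjdlep3FJsldSZv99"):
        n, found = crack(pw, WORDLIST)
        print(f"{pw:24s} found={found!s:5s} after {n} guesses")
    print(mnemonic("I fought the law but the law won", {"l": "1"}))
    print(mnemonic("Proud Americans! See, see, what only revolution does!"))
```

Run as a script it reports that the two dictionary-derived passwords fall within the first few thousand guesses while the mnemonic and random ones are never reached, because no word in the list starts with the letters they are built from. The caveat from the previous paragraphs applies unchanged: add the lines of a few popular songs to WORDLIST, mangle them with the same first-letter rule, and "Ift1bt1w" joins the found column too.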