Monday, January 12, 2009

How can I generate safe passwords?


You can't. The key word here is GENERATE. Once an algorithm for creating passwords is specified using some systematic method, it merely becomes a matter of analysing your algorithm in order to find every password on your system.

Unless the algorithm is very subtle, it will probably suffer from a very low period (i.e. it will soon start to repeat itself) so that either:

a) a cracker can try out every possible output of the password generator on every user of the system, or

b) the cracker can analyse the output of the password program, determine the algorithm being used, and apply the algorithm to other users to determine their passwords.

A beautiful example of this (where it was disastrously assumed that a random number generator could generate an infinite number of random passwords) is detailed in [Morris & Thompson].

The only way to get a reasonable amount of variety in your passwords (I'm afraid) is to make them up. Work out some flexible method of your own which is NOT based upon:

1) modifying any part of your name or name+initials
2) modifying a dictionary word
3) acronyms
4) any systematic, well-adhered-to algorithm whatsoever

For instance, NEVER use passwords like:

alec7 - it's based on the user's name (& it's too short anyway)
tteffum - based on the user's name again
gillian - girlfriend's name (in a dictionary)
naillig - ditto, backwards
PORSCHE911 - it's in a dictionary
12345678 - it's in a dictionary (& people can watch you type it easily)
qwertyui - ...ditto...
abcxyz - ...ditto...
0ooooooo - ...ditto...
Computer - just because it's capitalised doesn't make it safe
wombat6 - ditto for appending some random character
6wombat - ditto for prepending some random character
merde3 - even for French words...
mr.spock - it's in a sci-fi dictionary
zeolite - it's in a geological dictionary
ze0lite - corrupted version of a word in a geological dictionary
ze0l1te - ...ditto...
Z30L1T3 - ...ditto...

I hope that these examples emphasise that ANY password derived from ANY dictionary word (or personal information), modified in ANY way, constitutes a potentially guessable password.
