geek internet security

how to create a password that takes thousands of years to crack


I see a lot of guides about this online, but a lot of them are using tricks that don’t really add any real extra protection when choosing a good complex password.

You make a password hard to crack by combining upper- and lower-case letters, numbers and a few special characters to increase the password's strength. Replacing letters with numbers is a common trick, so cracking tools try it too. Stringing a few dictionary words together gives a long password but doesn't make it that much safer, because dictionary attacks try exactly those combinations. Pass phrases are often too long, as some online services still enforce ridiculously short maximum password lengths.

The best idea that I’ve run into so far is described as follows on Wikipedia:

mnemonic passwords: Some users develop mnemonic phrases and use them to generate high-entropy (more or less random) passwords which are nevertheless relatively easy for the user to remember. For instance, the first letter of each word in a memorable phrase. Silly ones are possibly more memorable.[32] Another way to make random-appearing passwords more memorable is to use random words (see diceware) or syllables instead of randomly chosen letters.

There are a few variations on this one, but if you pick yourself an easy-to-remember phrase and:

  • use every first letter of each word.
  • use every first letter of each syllable of each word.
  • drop the vowels in each word.

You come up with something that looks quite randomly picked, yet is easy to remember. Depending on the chosen method your phrase can be a long one, or a shorter one, as long as it yields a nice and lengthy strong password.

For example:

  • Ymwahayfsoe: Your mother was a hamster and your father smelt of elderberries.
  • Imgntimipttkl: Imagination is more important than knowledge. (*)
  • llyrbsrblts: All your base are belong to us.

If you play with that a little by adding some numbers, capitalizing here and there and inserting a few special characters, you have something that ends up being pretty safe. #Ymwahayfso3 for example has 73 bits of entropy, which should take about 344 thousand years to crack if you try all combinations on a desktop PC. Take that humongous timespan with a grain of salt though. Proper hackers might use multiple machines with multiple GPUs to crack passwords, shortening that time-frame considerably.
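The three derivation rules and the entropy estimate above, as an added example that is not code from the original post. It implements rule 1 (first letter of each word), rule 2 (first letter of each syllable, with the assumption that you mark syllable breaks yourself with hyphens, because automatic English syllabification is unreliable) and rule 3 (drop every vowel, keeping "y"), then estimates brute-force entropy with the naive character-class model: log2(alphabet size) times length. The guess rate is a constructed figure. Note that this model gives roughly 79 bits for #Ymwahayfso3 rather than the 73 quoted above; different calculators use different models, and none of them account for an attacker who already knows the mnemonic trick, so treat every such number as a rough upper bound.

```python
"""Added example (not from the original post): derive mnemonic passwords
from a memorable phrase with the post's three rules, then estimate the
brute-force search space of the result."""
import math
import re
import string

VOWELS = set("aeiouAEIOU")
# Assumed guess rate for the crack-time estimate (constructed figure for one
# desktop machine; GPU rigs are orders of magnitude faster).
GUESSES_PER_SECOND = 1e9


def _words(phrase: str) -> list:
    """Alphabetic runs only; punctuation and digits in the phrase are ignored."""
    return re.findall(r"[A-Za-z]+", phrase)


def first_letters(phrase: str) -> str:
    """Rule 1: the first letter of each word."""
    return "".join(w[0] for w in _words(phrase))


def syllable_initials(marked_phrase: str) -> str:
    """Rule 2: the first letter of each syllable.

    Assumption: the caller marks syllable boundaries with '-' (for example
    'I-ma-gi-na-tion'); words are split on whitespace."""
    return "".join(
        syll[0]
        for word in marked_phrase.split()
        for syll in word.split("-")
        if syll and syll[0].isalpha()
    )


def drop_vowels(phrase: str) -> str:
    """Rule 3: every vowel removed; 'y' is kept as a consonant."""
    return "".join(c for w in _words(phrase) for c in w if c not in VOWELS)


def charset_size(password: str) -> int:
    """Size of the alphabet an attacker must search, inferred from the
    character classes actually present (lower, upper, digits, punctuation)."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 printable ASCII symbols
    return size


def entropy_bits(password: str) -> float:
    """Naive brute-force entropy: log2(charset ** length). It does not
    credit an attacker who knows the phrase-derivation trick."""
    return len(password) * math.log2(charset_size(password))


def years_to_exhaust(password: str, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every combination at `rate` guesses per second."""
    seconds = 2 ** entropy_bits(password) / rate
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    candidates = (
        first_letters("Your mother was a hamster and your father smelt of elderberries."),
        syllable_initials("I-ma-gi-na-tion is more im-por-tant than know-ledge."),
        drop_vowels("All your base are belong to us."),
        "#Ymwahayfso3",
    )
    for pw in candidates:
        print(f"{pw:16} {len(pw):2} chars  {entropy_bits(pw):5.1f} bits  "
              f"{years_to_exhaust(pw):.3g} years at {GUESSES_PER_SECOND:.0e} guesses/s")
```

Running it shows the point of the post's last step: the all-lowercase vowel-dropped string and the mixed-case initials sit around 60 bits, while adding one symbol and one digit to the same initials pushes the alphabet to 94 characters and the estimate past 78 bits.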

(*) Since English isn’t my native tongue that might not be 100% correct, but you get the idea right?

Photo by marc falardeau, cc-licensed
