First, let's explain why you need a secure password.
Imagine for a second that I'm a hacker. (I'm not.) I might be sitting in Starbucks with a computer. Nowadays, I don't even need a laptop. With the growth of technology, I can steal someone's Android phone and flash the memory to erase its identity. It's now useless as a phone, but if I tried to make a phone call I'd be reported for theft anyway, so what do I care? I don't want it to make phone calls anyway. I want it for hacking. I install a hacking package on the smartphone, and head out to do some grand larceny. It might look like I'm sitting in Starbucks texting away, when really, I'm downloading all of your information as you log into your bank account.
See, I've used what's called a packet sniffer to record the wireless transmissions being sent between your computer and Starbucks' wireless router. One thing people seem to think is that wireless communications work in a line. They think that when you connect to a router, it's somehow a private connection like a phone line. What's actually happening is that your laptop and the Starbucks router are screaming at each other at the top of their lungs.
"HI I'M JESSICA'S COMPUTER!"
"HI JESSICA'S COMPUTER, I'M STARBUCKS' ROUTER!"
"AWESOME, HEY SHE NEEDS TO LOG INTO HER BANK!"
"OKAY, GIVE ME THE LOGIN, IT LOOKS LIKE THE BANK WANTS TO USE ENCRYPTED HTTPS!"
"OH, OKAY. BLARGHALAHAL!"
"BLARAHAHADHAAHDLAHALALALAL!"
"OKAY, SHE'S DONE WITH THE BANK ACCOUNT NOW, NOW SHE WANTS TO ORDER UGLY SHOES FROM HIDEOUSHEELS.COM, BUT SHE'S NOT USING HTTPS!"
"THAT'S OKAY, WHAT THE FUCK DO WE CARE ABOUT HER PRIVACY?! WE'RE JUST LUMPS OF PLASTIC AND CABLE!"
"RIGHT! HER CREDIT CARD NUMBER IS-"
This is why the military uses microwave and satellite transmissions whenever they can instead of radio. Microwave transmissions move in a straight line, while radio transmissions go outward in every direction. I can't sniff a packet I can't hear. But if you're using wireless, you're using radio, and radios don't whisper like satellite and microwave, they shout. If you're encrypting them, you're shouting in a language that's hard to understand, but you're still shouting.
And that's what happens when you buy stuff while sitting at Starbucks from a website that doesn't have adequate security. Never, ever check your bank account or buy stuff while at Starbucks. If I'm a hacker, my little packet sniffer picks it up. But let's say you didn't order anything, you just logged into your bank account.
I save the information where your computer says "BLARGHALAHAL!" because that's where you entered your username and password.
Password cracking is done in two ways. First, by assuming that people take the phrase "password" too literally and their password is an actual word. The first thing I do is load dictionaries into a program which checks literally every word in the dictionary against your password to see if your password is an actual word. That kind of hacking is fast and easy, and anyone who knows how to use a mouse can do it. It takes minutes if I have a fast enough computer. If that doesn't work, I turn to a decryption program.
This stuff is all difficult and time-consuming, but luckily, there are people who've written programs and applications that do this kind of work to make my life easier. And I've downloaded all of them already, and installed them on my desktop. And no, I'm not going to tell you what they're called or where to find them. Ever. Don't ask. I've never done any of what I'm describing, and I'm way oversimplifying here, so don't assume that you can read this and understand how to be an uber-hacker. (Once again, I'm not a hacker.)
Anyway, if I put "BLARGHALAHAL!" into my decryption utility, I might find out that her bank login is ShoeLover and her password is Shoes. She might even have used the same username and password for her HideousHeels.com account as she used for her bank. If so, I've already tried plugging that in. I'm also going to check ShoeLover@Gmail and Yahoo and Hotmail just to be sure. If she uses the same password there, I've got everything I need to steal her identity most of the time.
If, however, I put her info into my decryption system and 24 hours later, I still don't have a solution? I move on. Because I was sniffing packets while Bob signed up an account at BuxomBabes.com, and I think I can steal his credit card. Especially when his password for BuxomBabes.com is "BuxomBabes".
Password writing can be intimidating. People tend to think that a random string of letters and numbers is a super-secure password that nobody could guess. For example, people assume that the password "Ab13gU7" is super secure. No one's going to guess that password, but if someone's running a decryption utility, they'll crack that password in about three hours. In contrast, if your password was "Whirled Peas" it would take someone with your basic desktop PC about two million years to crack. If a website lets you use it, the space key is your best friend in the world.
If_not,_use_underscores_instead.
That's why we need to stop thinking of passwords and start thinking of passphrases. Song lyrics or poetry snippets shot through with symbols and numbers are a great place to go. In contrast to whirled peas, the password "@11Uneedislove" would take about 32 billion years to crack. That's without spaces. When you type it as "@11 u need is love" it'd take a modern desktop about 560 sextillion years to crack it.
Don't use dictionary words, and don't use a long string of letters and numbers that you can't remember. Use a phrase.
Spaces are your friend, but so are symbols and numbers. Here are some ways to replace letters with symbols and numbers to help you write an easy-to-remember pass phrase:
!=I or L
@=A
#=H
$=S
%=oo
^=n
&=A
1=I or L
2=Q
3=E
4=A
5=S
6=G
7=F or T
8=B
You can put your password in ( Parentheses ) if you want. Or [ Brackets ].
The password ( Parentheses ) would take 13 trillion years to crack, while [ Brackets ] would take about 2 million.
If you don't like any of that, you can add a smiley to the end of Whirled Peas. Use creative ones like :-D or D-: or X-D or :b or :p or :B or ;-X or any other easy to remember smiley.
Want to add numbers? Add an important date to the password. "@11 u need is love 1776" would be a good password. It's got a phrase for a song and a totally unrelated date. No one will be able to guess it, and it will be hard for a computer to break through such a long password.
Wnat to be extar secuer? Misspell yuor passwird. (*Que asploding heads. Suck on it, Grammar Nazis.)
Making a passphrase secure and hard to guess is important. Equally important is having many different passwords, one for each site, which means every one of them has to be easy to remember. That's where the symbols and numbers and brackets and spaces come into play.
If we're talking about your home, it's okay to write down your passwords as long as you use pen and paper, and keep the paper in a secure place. Do not tape it to the bottom of your keyboard at work. I can't tell you how much trouble I caused in college knowing that everyone thinks they're being slick when they hide their passwords under their keyboards. Do not write down your passwords at the office. If someone has broken into your home, they're probably not going to sit down at your computer and try to break into your DailyKos account. Writing your logins and passwords down on the bottom of your keyboard in a semi-public place is the kind of behavior that trolls call "asking for it." Trolls are not nice people.
If someone really, really wants to crack your password or your encryption, and they've got the technology to do it, they'll find a way: possibly a backdoor, possibly a hole in the website, program, or operating system's security. If they're really dangerous they can get hold of every username and password on the server. If they do that, there's a good chance that they're going to be entering those same usernames and passwords into every website they can find.
And that's why every single password needs to be different. Because at some point, there's a good chance that someone will get a hold of one of your passwords. And if that's your only password, you're boned.
A good resource to play around with and the place I'm getting my numbers is howsecureismypassword.net. This site is completely secure, in that none of your password information is getting collected. The way it works is by running a program on your web browser called a Java applet. I've checked the code. The only communication script is Google Analytics, and they're not collecting what you type into the box.
Play with that until you've got a head for passwords.
Remember, the best pass phrases make no sense and are easy to remember. "[ 0bfuscating 0ffisaur ]" sounds like Obfuscating Officer, and is easy to remember. It's also excessively hard to crack. Hell, "Obfuscating Officer" by itself is a pretty secure passphrase.
Now that you know the basics of passwords and pass phrases, I'm going to open up the thread for comments/questions. Treat this like a tech-themed open thread.
2:28 PM PT: This XKCD Comic posted by Azazello is absolutely perfect.
3:49 PM PT: Holeworm adds this on "All you need is love"
That's not a good password, I'm sorry to say... (2+ / 0-)
Mainly, because the individual words are all short and common. A password cracker with short lists of things like "is", "all", "you", etc., might try combining them with other words, since chaining words is a common method these days.
Just sticking at least one long/uncommon word in there would do wonders as far as resisting cracking. That removes the ability to just use very-small dictionaries to figure out your chained words.
Need uncommon words?
http://makemeapassword.net/ has some.
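The crack-time figures above (the diary's own, from howsecureismypassword.net) and Holeworm's point about chained common words both come down to the size of the space a guesser has to search. The example below is added here and is not code from the diary or from that site: it estimates the search space two ways, by character classes (what the diary's numbers reflect) and by word chaining against a small wordlist (Holeworm's attack), and keeps the smaller. The guess rate and the wordlist are constructed assumptions, so the years it reports will not match the diary's numbers.

```python
import string

# Assumed guess rate for one desktop-class rig; a constructed figure for illustration only.
GUESSES_PER_SECOND = 1_000_000_000
SECONDS_PER_YEAR = 365 * 24 * 3600

# Constructed stand-in for the "short list of common words" a cracker might chain together.
COMMON_WORDS = {"all", "you", "need", "is", "love", "the", "and", "to", "of", "a",
                "in", "it", "my", "me", "shoes"}


def char_class_keyspace(secret: str) -> int:
    """Brute-force search space if the guesser knows the length and which classes appear."""
    alphabet = 0
    if any(c in string.ascii_lowercase for c in secret):
        alphabet += 26
    if any(c in string.ascii_uppercase for c in secret):
        alphabet += 26
    if any(c in string.digits for c in secret):
        alphabet += 10
    if any(c in string.punctuation for c in secret):
        alphabet += len(string.punctuation)  # 32 ASCII symbols
    if " " in secret:
        alphabet += 1  # the space key counts as one more symbol
    return alphabet ** len(secret)


def word_chain_keyspace(passphrase: str, wordlist=COMMON_WORDS):
    """Search space for chaining words from a small list; None if any word is outside the list."""
    words = passphrase.lower().split()
    if not words or any(w not in wordlist for w in words):
        return None  # one uncommon word defeats the small-dictionary chaining attack
    return len(wordlist) ** len(words)


def effective_keyspace(secret: str) -> int:
    """The guesser takes whichever strategy is cheaper."""
    brute = char_class_keyspace(secret)
    chain = word_chain_keyspace(secret)
    return brute if chain is None else min(brute, chain)


def years_to_crack(keyspace: int, rate: int = GUESSES_PER_SECOND) -> float:
    return keyspace / rate / SECONDS_PER_YEAR


if __name__ == "__main__":
    for s in ["Ab13gU7", "Whirled Peas", "all you need is love", "all you need is obfuscating"]:
        print(f"{s!r}: {effective_keyspace(s):.3e} guesses, {years_to_crack(effective_keyspace(s)):.3e} years")
```

Note that "all you need is love" looks enormous by character count but collapses to a few hundred thousand guesses once every word is on the short list, while swapping in one uncommon word pushes the guesser back to brute force.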
8:01 PM PT: Rescued? Recommended? Thanks DailyKos. I'm going to work with some other Kossacks and make sure these security diaries keep coming.
8:37 PM PT: Thank you everyone who contributed in the comments section. It's time for me to head to bed.
If you want to write a security diary, send me a Kosmail. I'll get an open thread with a list set up tomorrow so that people can do signups. Should have posted that today. Just give me a topic and a date and we'll sign you up.