Passwords - Common Attacks and Possible Solutions
by Dancho Danchev - Monday, 15 November 2004.
How to choose a secure password

Choosing secure passwords consists of knowing what their insecurities are, how passwords are cracked and what's behind the "at least 8 characters long, consisting of lower and capital letters, special characters and a number" requirement. Basically, the shorter the password, the more opportunities for observing, guessing and cracking it. A password cracker would try to guess all the possible combinations of letters, numbers and characters until he/she finds the right one. Given the number of letters in the alphabet and the amount of numbers (0/9), the second, namely a numbers' based password, will give the attacker less opportunities to crack. Another commonly used technique is the use of a dictionary file against the encrypted passwords database, so that the weakest and most obvious passwords in terms of words listed in a dictionary will get exposed; this is why a longer password consisting of letters, numbers and characters would make it a little bit time consuming for an attacker attempting to crack the stolen passwords file. Whenever you create a password, consider the following:

- make it at least 7 characters long, combination between small and capital letters, at least one number and special character like !@#$%^*()_+

- do not simply use a dictionary word or a logical sequence of characters like aaa555ccc, 1234567890 etc.

- try not to use a password you have already used on another system, ignore have the same password on all assets you have access to at any cost

A combination of the following strong, yet easy to remember passwords techniques you may use are:

- choose a dictionary word like success, then reverse it sseccus

- add numbers in front or at the end of it 146sseccus or sseccus953

- consider adding at least one special character like !@#$%^&*()_+ anywhere

- the use of at least one capital letter would increase the crackable possibilities even more

- replace certain characters with numbers that you associate with them, security

would be s3cur1ty where e stands for 3 and i stands for 1

- separate each letter with a number, security would be s1c3u2r4i6t5y

How to remember passwords

Remembering several passwords for different assets is a huge problem for the majority of users. That's why they either ignore remembering, thus writing them down, or create weak, but easy to remember passwords. Whereas, remembering passwords might not be such a difficult task if the majority of users stop thinking of them as a combination of bulk characters, but as a way to identify themselves the way the do when taking money from a cash machine. In this case, it's all their company's and personal data they should try to protect.

- Associate them

Association plays an important role in the memorizing process. Given a certain period of time, someone can teach you Japanese if he/she finds out the way you memorize and, most importantly, associate things. Visualization of the password is another important aspect of memorizing it, and within a short period of time you would be entering it even without thinking what you're entering - a temporary habit, given the fact that the majority of organizations require constant password change.

- Explain them to yourself

For instance the password Y13#tiruceC basically represents the word security backwards, where the first and the last letters are capital, and the first capital letter is followed by your best friend's birth date, plus a special character. Instead of representing a bulk of characters like it used to be, now your password is your own encrypted language.

Possible solutions


Harnessing artificial intelligence to build an army of virtual analysts

PatternEx, a startup that gathered a team of AI researcher from MIT CSAIL as well as security and distributed systems experts, is poised to shake up things in the user and entity behavior analytics market.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Thu, Feb 4th