Tsl24*apH or how to make a password that won’t get you pwned


The following helpful password advice is written by Wil Knoll. Wil Knoll (GCIA Gold) is a Network Security Analyst in Calgary, and a founding member of Protospace. He likes to pick locks, take in the arts scene in Calgary, and sandwiches. You can follow his exploits on Twitter.


You can almost always tell when it’s new password day around the office based on how many people are cursing at their computer. Arguments happen in IT around what the policy should be for password turnover and complexity. End users break policy and write passwords down anyway, because sometimes they are just too hard to remember. About once a month I get asked if there are simple ways of securing passwords, and depending on the individual there are varying levels of complexity that can be achieved. I thought I’d write down my thoughts so I can just point people at a link the next time they ask.

I’m not going to talk about using password managers, or how to use Dropbox to sync your passwords between different locations inside of a password manager. Take a quick look over at 1Password or KeePass. I’m just going to be talking about how I create passwords. Other security geeks will probably hate or love this method. Remember, it’s just how I do it. If you have a problem with that, write your own post.

Things to do

You are all probably familiar with the password policies at work or enforced by some of the websites that you use. If they are good, they will follow these three basic rules:

  1. Must be longer than 6 characters
  2. Must contain a capital
  3. Must contain a number

But for me, that’s not enough. We need to throw in a little bit more:

  4. Do not use dictionary words (No words, just letters)
  5. Must contain symbols

It’s possible to just use an online secure password generator that meets these requirements, or the iPhone or Android app, but a long string of characters may not be the easiest to remember.

A formula

A favourite method of mine includes a passphrase. Take a line from a favourite song, or as I do, lines from a play or a movie:

“Thou speakest like a physician Helecanius.”

And only use the first letter of every word, maintaining capitalisation:

TslapH

Now we’ve got a start, but we’re short the numbers and a symbol. We could swap out the ‘a’ for a 4, and the ‘l’ for a ‘!’, and you would have a six-character password that’s not half bad. But swapping letters for numbers is so 1989.

Instead, I look at the clock right before I start creating a password to get the numbers. Say it’s 2:48 in the afternoon. I use either the first or last digit (the middle digit will never go past 5) as a reminder on the keyboard about which symbol I’m going to put in.

8 maps to *, so I have 2:4*. Take out the :, and we have 24*. Drop that in after the ‘l’ in our password, and we get:

Tsl24*apH

That looks pretty gross, but it’s a pretty solid password in my books.
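The formula above as a small Python sketch, added here as an illustration and not the author's own code: it builds the password from a phrase and a clock reading, then checks the result against the rules listed under "Things to do". The US keyboard layout, the function names, the `after` insert position and the sample wordlist are assumptions.

```python
import re

# Shifted symbols on the digit row of a US keyboard layout (assumed layout).
SHIFT_SYMBOL = dict(zip("1234567890", "!@#$%^&*()"))

def initials(phrase):
    """First letter of every word, keeping the phrase's own capitalisation."""
    return "".join(word[0] for word in re.findall(r"[A-Za-z][A-Za-z']*", phrase))

def clock_token(hhmm, swap="last"):
    """Digits of a clock reading, with the first or last one swapped for its symbol."""
    digits = [c for c in hhmm if c.isdigit()]
    if not digits:
        raise ValueError("clock reading has no digits")
    i = 0 if swap == "first" else len(digits) - 1
    digits[i] = SHIFT_SYMBOL[digits[i]]
    return "".join(digits)

def build(phrase, hhmm, after, swap="last"):
    """Insert the clock token after the first `after` initials of the phrase."""
    base = initials(phrase)
    if not 0 <= after <= len(base):
        raise ValueError("insert position is outside the initials")
    return base[:after] + clock_token(hhmm, swap) + base[after:]

def policy_failures(password, wordlist=()):
    """Return the rules from the 'Things to do' list that the password breaks."""
    lowered = password.lower()
    checks = [
        (len(password) > 6, "longer than 6 characters"),
        (any(c.isupper() for c in password), "contains a capital"),
        (any(c.isdigit() for c in password), "contains a number"),
        (any(not c.isalnum() for c in password), "contains a symbol"),
        # Substring match against the supplied list; words under 4 letters are ignored.
        (not any(w in lowered for w in wordlist if len(w) >= 4), "no dictionary words"),
    ]
    return [rule for ok, rule in checks if not ok]

if __name__ == "__main__":
    WORDS = {"password", "slap"}  # constructed sample wordlist
    pw = build("Thou speakest like a physician Helecanius.", "2:48", after=3)
    print(pw, policy_failures(pw, WORDS))
    print("TslapH", policy_failures("TslapH", WORDS))
```

Run on the bare initials, the checker reports four broken rules, including a dictionary hit on "slap" hiding inside the letters; the clock digits and symbol clear all four.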


I then take some time to think about the phrase I’ve used and the time on the clock while practicing typing in the password in the terminal or on notepad. It becomes easy to link the phrase to the time, and once I’ve done that, it’s easy to remember how to put it together, even if the numbers and the quote are unrelated to each other originally. It’s impossible to profile them.

Every time I use that system or website that day, I’ll log in and out about two or three times. Memory is like a muscle. The more you use it the stronger and more agile it gets. That’s it. Simple. But every security geek has their own method, so look at the method I’ve used to see if there are ideas you can use to create your own. New password day takes a bit more time for me than others, but the password is that much stronger for it.


Secure Password Generators



Password Managers

1Password – http://agilewebsolutions.com/

KeePass – http://keepass.info/

Dropbox to sync password managers – http://lifehacker.com/5063176/how-to-use-dropbox-as-the-ultimate-password-syncer