Naked Science Forum
General Science => Question of the Week => Topic started by: thedoc on 16/09/2014 12:25:08
-
What makes a good password that is hard to hack?
Asked by Antony Bagott
Find out more on our podcast page (http://www.thenakedscientists.com/HTML/podcasts/naked-scientists/show/1000853/)
-
We answered this question on the show...
Amelia - With the amount of personal information people put online, keeping our data protected is clearly important. But some of the most common passwords used by people include
-
A good password is like this: rhyh&6+6f%FS. Seems chaotic.
-
One thing that makes good passwords is not being expected to change them regularly.
Far too many organisations don't seem to understand this.
-
Passwords including Greek letters.
-
There is an optimum degree of complexity for passwords: if you make them too simple for easy recall and do not frequently change them, they can easily be cracked by brute force methods with modern computers.
If you make them too complex, you have to record them somewhere, which defeats the object, and you forget them and get locked out of your bank account etc.
-
There is an optimum degree of complexity for passwords: if you make them too simple for easy recall and do not frequently change them, they can easily be cracked by brute force methods with modern computers.
If you make them too complex, you have to record them somewhere, which defeats the object, and you forget them and get locked out of your bank account etc.
Yep, been a victim on both counts in my more naive years...
-
Password Hashing (https://en.wikipedia.org/wiki/Salt_(cryptography)#Example_usage) is one solution, e.g.
password = MD5 (https://en.wikipedia.org/wiki/MD5)(Easy2Remember+MemorizedGobbledygook)
e.g.
bank password = MD5(bank+isalsoamSSwydtf) = 05e0e09198193b12df5eb96ce75616e5
email password = MD5(email+isalsoamSSwydtf) = a5d49fb25411938f4dfd5467eab21036
You'll need an MD5 calculator app (your computer probably has one built-in).
Don't use an online MD5 calculator, as that could give the game away if someone is eavesdropping.
You can even write down the Easy2Remember parts and let anyone see them,
but never write down the MemorizedGobbledygook.
-
What makes a good password that is hard to hack?
The best that I know of is one generated by a random number generator which includes not just numbers but all possible characters allowed in a password.
Jeff - My keyboard doesn't have keys for Greek letters.
-
...
Jeff - My keyboard doesn't have keys for Greek letters.
What happens if you hold down the alt key and type 230?
However, I'm not sure that most password systems would thank you for that.
-
What happens if you hold down the alt key and type 230?
Nothing.
-
A tip for a good password: use a multi-word phrase and include a SPACE or two in between the words; surprisingly few people do this.
-
Chris is demonstrably correct. This is how I formulate my passwords.
An example of an excellent password might be something like:
"Tunnel attitude forty-five"
There are a few reasons for this:
A) many devices/apps use the password in an encryption routine (or at least they used to; I think this is going out in favor of PKI) and a longer key is better. Even in hashing, longer source material produces more random results.
B) length does more to increase complexity of a key than varying the types of symbols you use.
For example, if I can choose only one symbol there are only 26 possibilities if I use lower case letters only. Adding uppercase doubles that. Symbols and numbers can add around 50-60 possibilities, potentially doubling it again. So we've increased our complexity by a factor of four over just using only lower case letters.
If we chose instead to use a second character, we've increased the complexity not by a factor of 4, but by a factor of 26. There are now 26*26, or 676 different possible permutations.
You may be thinking, "ah... well if I choose two characters AND include capital letters, numbers, and symbols... there would be more than 676 possibilities". You'd be right... but your password would be difficult to remember, and you might be tempted to write it down somewhere (which would be a big risk). Even then you're only increasing the number of permutations to around 10,000. If I added only one more lower-case character, my simple lower-case password is up to 17,576 permutations.
The key thing to take away from this is that making them longer increases complexity faster than adding additional symbol types, and an effective password must be easy enough to remember.
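The arithmetic in this post (26 versus 52 versus "around 50-60" more symbols, 676 versus 17,576) generalises to a keyspace-and-entropy calculation. The block below is an added example, not code from the original thread or the show; it assumes an alphabet of the 95 printable ASCII characters (26 + 26 + 10 digits + 33 punctuation characters including space) to stand in for the post's "around 10,000" two-character estimate, and it also covers the multi-word-phrase tip from earlier in the thread by converting a phrase drawn from a word list (the 7776-word Diceware list size is used as the example value) into an equivalent number of random characters.

```python
import math

# Character-class sizes assumed by this example. The post counts 26 lower-case
# letters, another 26 for upper case and "around 50-60" for digits and symbols;
# here 10 digits plus the 33 printable ASCII punctuation characters (space
# included) are used, so the full alphabet is the 95 printable ASCII characters.
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 33
LOWER_UPPER = LOWER + UPPER                      # 52
ALL_PRINTABLE = LOWER_UPPER + DIGITS + SYMBOLS   # 95


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters from an alphabet."""
    if alphabet_size < 1 or length < 1:
        raise ValueError("alphabet_size and length must both be at least 1")
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """log2 of the keyspace: the work, in bits, of guessing every password of this shape."""
    return length * math.log2(alphabet_size)


def length_for_bits(alphabet_size: int, target_bits: float) -> int:
    """Shortest length from this alphabet that reaches at least `target_bits` of entropy."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def compare(length: int) -> dict:
    """Keyspace of a `length`-character password under the three alphabets the post
    discusses, next to a lower-case-only password that is one character longer."""
    return {
        "lower": keyspace(LOWER, length),
        "lower+upper": keyspace(LOWER_UPPER, length),
        "all_printable": keyspace(ALL_PRINTABLE, length),
        "lower_one_longer": keyspace(LOWER, length + 1),
    }


def passphrase_equivalent_length(word_list_size: int, words: int, alphabet_size: int) -> int:
    """How many random characters from `alphabet_size` carry as much entropy as a
    `words`-word phrase drawn uniformly from a list of `word_list_size` words."""
    return length_for_bits(alphabet_size, entropy_bits(word_list_size, words))


if __name__ == "__main__":
    for n in (1, 2, 3):
        print(n, compare(n))
    print("a 56-bit random key needs", length_for_bits(LOWER, 56), "lower-case characters or",
          length_for_bits(ALL_PRINTABLE, 56), "printable characters")
    print("3 words from a 7776-word list ~",
          passphrase_equivalent_length(7776, 3, LOWER), "random lower-case characters")
```

Running it reproduces the post's figures (676 and 17,576 for two and three lower-case characters, 9,025 for two printable characters) and shows what the entropy view adds: each extra character multiplies the keyspace by the alphabet size, while widening the alphabet multiplies it by a fixed ratio per character already present, so the comparison depends on the length at which you start.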
-
Password Hashing (https://en.wikipedia.org/wiki/Salt_(cryptography)#Example_usage) is one solution, e.g.
password = MD5 (https://en.wikipedia.org/wiki/MD5)(Easy2Remember+MemorizedGobbledygook)
e.g.
bank password = MD5(bank+isalsoamSSwydtf) = 05e0e09198193b12df5eb96ce75616e5
email password = MD5(email+isalsoamSSwydtf) = a5d49fb25411938f4dfd5467eab21036
You'll need an MD5 calculator app (your computer probably has one built-in).
Don't use an online MD5 calculator, as that could give the game away if someone is eavesdropping.
You can even write down the Easy2Remember parts and let anyone see them,
but never write down the MemorizedGobbledygook.
Slight problem here.
Some forums (and maybe your bank) store your password as an MD5 hash.
So if your password is 05e0e09198193b12df5eb96ce75616e5, just try entering bank+isalsoamSSwydtf and the site software may do the hash for you and log you in.
-
Slight problem here.
Some forums (and maybe your bank) store your password as an MD5 hash ...
Stored as MD5(password+salt (https://en.wikipedia.org/wiki/Salt_(cryptography))), if they're competent, as different people will choose the same password.
... So if your password is 05e0e09198193b12df5eb96ce75616e5, just try entering bank+isalsoamSSwydtf and the site software may do the hash for you and log you in.
I can't see that happening: if the password doesn't match you're not getting in.
( also the gobbledygook bit "isalsoamSSwydtf" is supposed to be committed to memory, never written down (https://www.thenakedscientists.com/forum/index.php?topic=52363.msg516653#msg516653)).
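The per-site derivation scheme from the earlier post (MD5(Easy2Remember + MemorizedGobbledygook)) and the storage question raised in this exchange (does typing the pre-image log you in, and what salting changes) can be checked together in a few lines. The block below is an added example, not code from the thread, the show or any real site; it treats the "+" in the post as plain string concatenation (an assumption), uses MD5 only because that is the hash the thread names (a production store would use a slow, purpose-built password hash), and models the server side as a toy in-memory store that keeps MD5(password + salt) per user, with an empty salt for the unsalted case.

```python
import hashlib
import hmac
import os


def derive_password(site_label: str, secret: str) -> str:
    """The per-site scheme from the post: hex MD5 of the easy label followed by the
    memorised secret. The '+' in the post is read as concatenation (an assumption)."""
    return hashlib.md5((site_label + secret).encode("utf-8")).hexdigest()


def _digest(password: str, salt: bytes) -> bytes:
    # MD5(password + salt) as the later reply describes; an empty salt gives the
    # plain MD5(password) storage that the first reply worries about.
    return hashlib.md5(password.encode("utf-8") + salt).digest()


class PasswordStore:
    """Toy server-side credential store: keeps (salt, MD5(password + salt)) per user."""

    def __init__(self, use_salt: bool) -> None:
        self.use_salt = use_salt
        self._records: dict = {}

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16) if self.use_salt else b""
        self._records[user] = (salt, _digest(password, salt))

    def verify(self, user: str, candidate: str) -> bool:
        """Hash whatever the client typed with the stored salt and compare in constant time;
        the client never gets to submit a digest directly."""
        record = self._records.get(user)
        if record is None:
            return False
        salt, stored = record
        return hmac.compare_digest(_digest(candidate, salt), stored)

    def stored_digest(self, user: str) -> bytes:
        return self._records[user][1]


def demo(secret: str = "isalsoamSSwydtf") -> dict:
    """Register the derived bank password with an unsalted and a salted store and probe both.
    `secret` defaults to the gobbledygook string quoted in the thread."""
    bank_pw = derive_password("bank", secret)
    results = {}
    for name, store in (("unsalted", PasswordStore(False)), ("salted", PasswordStore(True))):
        store.register("alice", bank_pw)
        store.register("bob", bank_pw)   # a second user who picked the same password
        results[name] = {
            # the user's real password (the 32-hex-character digest) is accepted
            "derived_password_logs_in": store.verify("alice", bank_pw),
            # typing the pre-image "bank" + secret is hashed again and does not match
            "preimage_logs_in": store.verify("alice", "bank" + secret),
            # only the unsalted store reveals that alice and bob share a password
            "same_password_same_digest": store.stored_digest("alice") == store.stored_digest("bob"),
        }
    return results


if __name__ == "__main__":
    print("bank  :", derive_password("bank", "isalsoamSSwydtf"))
    print("email :", derive_password("email", "isalsoamSSwydtf"))
    for store_name, outcome in demo().items():
        print(store_name, outcome)
```

The output agrees with the later reply: whatever the client types is run through the site's own hash, so the derived password works and its pre-image does not, on both stores. The one difference the salt makes is in the third line: without it, two users who chose the same password store the same digest, which is the duplication problem the reply points to.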
-
Something random I guess. With a combination of upper and lower case letters, numbers, and symbols.
-
A combination of the character you love and yourself.
-
Common things you can remember with subtle changes: I eat at Mcdonald becomes I3at@Mcd0nald. Of course, key loggers make any password complexity useless.
-
Include hieroglyphs to complicate the thing.
-
One that nobody else knows.
-
One you can remember; it is much worse to go abroad and find you can't access your money than to take the slight risk someone is going to try to break a 56-bit random key.
-
What happens if you hold down the alt key and type 230?
Nothing.
Although you might upset the person in the room with you ...
-
The one that's easiest to remember & hardest to forget.
🐒
Trust Mee!
🔐