The Open-Source Classroom

The Secret Password Is...

Shawn Powers

Issue #225, January 2013

If your password is as easy as 123, we need to talk.

The first password I ever remember using when I started in system administration was “.redruM” (no quotes). It was by far the craftiest, most-impossible-to-guess password ever conceived by a sentient being. Sadly, a mere 17 years later (wow, it's been a long time!) that password probably could be brute-force compromised in ten minutes—with a cell phone.

Since retinal scans still mainly are used in the movies to set the scene for gruesome eyeball-stealing, for the foreseeable future (pun intended), we're stuck with passwords. In this article, I want to take some time to discuss best practices and give some thoughts on cool software designed to help you keep your private affairs private. Before getting into the how-to section, let me openly discuss the how-not-to.

The Things You Shall Not Do

It's a bad idea to write your password on a sticky note and affix it to your monitor.

Yes, it sounds like a joke, but this happens every day—in almost every business. In fact, sometimes tech folks are guilty of this cardinal sin because they've changed passwords for users and need to let them know their new passwords. Seeing your password written or typed out should cause you physical pain and distress. Displaying it on your monitor is just wrong.

It's a bad idea to use any of the following as your password, or at least as your entire password:

  • Your pet's name, current or past.

  • Your child's name or nickname.

  • Your car's name, model or a car you want.

  • Birth dates of any people you know.

  • Name of your college/high-school mascot.

  • Anything related to your hobbies.

  • Your address in any form.

  • Your telephone number, past or present.

  • Your mother's maiden name (this is less secure than .redruM).

  • Any of the following: password, 123456, abc123, letmein, love, iloveyou, sex, god, trustno1, master, asdfjkl;, qwerty, password123, secret, jesus or ninja.

If I've just described your password or, heaven forbid, actually listed it in the last bullet point (some of the most common passwords), you need to keep reading. Don't change your password yet though, as I'm going to discuss best practices next, but even if you don't read another word, you can't leave your password like it is—really.

The Things You Shall Try to Do

When it comes to passwords, the longer and more complex, the better. Unfortunately, there is an inverse relationship between the quality of a password and a person's ability to remember it. Logically, one would find the balance between easy to remember and sufficiently complex, but because some people forget how to spell their own names, using some tricks of the trade is necessary—preferably, combining the tricks.

The Sentence-Mnemonic Method

if I were to tell you my password is “sipmnwnoilbinetb” and that I can remember it every time, you'd probably be impressed. Watch, I'll type it again without looking back: sipmnwnoilbinetb.

Am I really a cyborg with an eidetic memory? Maybe, but in this case, I've just used the sentence-mnemonic method to remember my password. In reality, when I type that password, I'm saying in my head, “Sometimes I pick my nose when no one is looking, but I never eat the boogers.”

This particular mnemonic is good for a couple reasons. One, it's easy to remember. Two, it's a horrible lie, so no one would ever guess that's what I'm typing. And three, because it's embarrassing, it's unlikely that I'd say it out loud while typing. For most people, just using this method for passwords would be an improvement over their current practice. For the best security, however, it's important to add other complexity.

Substitutionary Complexication

Anyone who was a geek in the 1990s knows that all the cool kids would use numbers in their user names. Whether it was l33th@ck3r or z3r0c00l (or shawnp0wers), substituting numbers and characters for letters does add a layer of complexity. It's certainly not enough on its own—don't think the crafty use of an @ symbol or a few “3”s for “e”s will keep you safe—but if you add that to the mnemonic method, it certainly will help. “sIpmnwn1il,bInetb” looks similar to the eye to my password above, but it is much more resistant to a brute-force attack.

Compound Words

In addition to the above-mentioned methods for increasing complexity, a great way to make your password even more secure basically is to have two passwords separated by a string of numbers or characters. Continuing with our booger-picking example above, what if instead of using a comma to separate the phrases, I used a short string of numbers? On its own, something like 6229 is horribly insecure, but if you do something like “sIpmnwn1il6229bInetb”, it becomes a really impressive password that is simple to remember. Because I'm talking about the middle of a character string, using an easy-to-remember number is acceptable here.

Based on just a few tricks, I've managed to come up with an excellent password that is easy to remember and not terribly difficult to type. Yay! I'm done! Well, yes and no.

Hey, That's My Luggage Combination!

The problem is that most people log in to more than one computer system or Web site. Some Web site designers have started to adopt an OpenID sort of authentication system, which allows authentication without actually using a separate password, but that isn't the case everywhere. At least in the near future, we'll be stuck with logins and passwords for multiple Web sites. In a perfect world where Web sites store only well-encrypted passwords, and bad guys never steal password databases, a single well-made password would suffice. That is not the world we live in.

It seems every day there's a company whose Web site has been compromised, and passwords have been leaked. Granted, it's often fun to see what sorts of passwords other people use, but it's a sinking feeling to find your password on the list of compromised—especially if it's the same password you use everywhere. The problem is, coming up with a new password for every Web site is difficult to manage.

If you're consistent and sneaky enough, you might be able to have a “pattern” that only you know. For example:

  • wIvljdc_Iapmn = when I visit Linux Journal dot com, I always pick my nose.

  • wIvadc_Iapmn = when I visit Apple dot com, I always pick my nose.

  • wIvwpdo_Iapmn = when I visit Wikipedia dot org, I always pick my nose.

Yes, looking at them side by side, it's easy to tell what the pattern is, but if only one is compromised, it's not terribly clear. Also, in the above examples, I used what letters made sense to me, but they don't line up with syllables, rather with how the word separation occurs in my head.

One Ring to Rule Them All

For many security-conscious readers, possibly even you, these lessons in good password practice may make you angry. For you, if a password isn't 128-characters long, with a combination of letters, symbols, numbers and fairy spells, it's not good enough. I understand—really, I do. Sadly, I also understand that most of the world still thinks “abc123” is a perfectly cromulent password. For you, my cyborg friend, there are password management tools.

When every site has a password like “af&6fw^faew^@f88*hlDSLjfe8wlsfyy&&8s0##~”, it goes beyond simple mnemonics to remember. Thankfully, there are tools like KeePassX, which is an excellent password manager for Linux, discussed at length by Anthony Dean in the May 2010 issue (www.linuxjournal.com/content/keepassx-keeping-your-passwords-safe).

The idea behind programs like KeePassX, or the popular browser-based LastPass, is that you can keep your passwords as complex, and even as random, as you like. The programs keep your passwords encrypted and require a master password to unlock them. (When creating a master password, it's very important to follow some sort of complexity strategy, like I outlined earlier in this article.)

With a password manager, you can let your brain keep track of a single password, knowing you can retrieve whatever ultra-safe password you need for a site or computer at any time. Granted, this means relying on a program to keep track of your information, so you'll have to use the program to retrieve it, but with programs like LastPass, there are applications for pretty much every operating system, browser and smartphone in existence. It is usually the only practical way to keep truly random passwords in order. If you can train yourself to use a program or service to manage passwords, it can change the way you think of security. It also can keep you safe if a particular account is hacked. The system is only as secure as the master password, however, so be sure that's a good one!

Not Quite a Retina Scan...

Thankfully, some companies are taking an honest look at users and realizing password security isn't something they can force feed. Regardless of articles like this, people still will use the names of their dogs to secure their bank accounts. Some companies have begun to use two-step authentication, which adds a physical response to a password challenge.

Someone certainly can steal your password, but what if in order to log in to your e-mail account, you not only had to enter your password correctly, but also had to respond to a text message sent to your phone? It certainly would eliminate the long-distance hacks, because it's unlikely hackers even would know your cell-phone number, much less be able to respond to a text message sent to it.

Two-step, or two-factor, authentication isn't terribly popular yet, but the concept is powerful. If we can continue to come up with complex, yet convenient methods for proving authentication, we will make the world safer and safer. That doesn't mean we can become lax on how we create our passwords, however. Because at least for the near future, secure passwords are the only way to keep our data private.

So Class, What Did You Learn?

You all learned that Shawn apparently picks his nose—at every Web site he visits. Seriously though, hopefully this article has helped you figure out your own method for creating passwords. Please don't use my exact method, but rather use it to come up with your own. Until we can have retinal scanners on every laptop, we're going to have to secure our passwords the old-fashioned way, like barbarians. So remember, “Sdrphn,iwoae!” (Shawn doesn't really pick his nose, it was only an example.)

Shawn Powers is the Associate Editor for Linux Journal. He's also the Gadget Guy for LinuxJournal.com, and he has an interesting collection of vintage Garfield coffee mugs. Don't let his silly hairdo fool you, he's a pretty ordinary guy and can be reached via e-mail at info@linuxjournal.com. Or, swing by the #linuxjournal IRC channel on Freenode.net.