Successful Password Creation


6 replies to this topic

#1 BlaineSch
Posted 28 April 2009 - 06:44 PM

Successful Password Creation by BlaineSch

First of all we should all understand why we need good passwords. Which is really easy to explain actually. Let's say for instance you use the same easy to guess password everywhere. Let's say you register at ebay and at some teenager's website with really low security. All is fine and dandy in the world until some dude comes along and realizes the teenager's site has a potential mysql vulnerability - so he injects it and gets all the encrypted or non-encrypted passwords. If your password is encrypted and easy to guess he will probably get it cracked in a few minutes. Now why would he get on your account at that teenager's site? Probably not too useful. But since most people use the same password everywhere he could log onto your ebay or paypal accounts and buy things, use your credit card, and really hurt you.

As we can see a good password is a good thing, but everybody hates making new passwords all the time, and they are so hard to memorize, right?

Wrong!

With this method I will show you, you can create easy to remember passwords that are hard to guess. I will assume most of you are familiar with the term "1337 Speak". I will obviously be showing you this.

So to start with get a word you like, a few examples being: codecall, program, yourface, etc. I will use these words for examples. Now let's 1337 them!
  • C0d3c@l7
  • Pr0gR@|v|
  • y()U|2Fa<3

A good thing to remember - use your own method for this, don't do something exactly - upper case, lower case, numbers, and symbols. Don't do the same thing to all of them. But using a common word will make it really easy to remember this password.

But wait there's more!

Second step is - we can't use the same password on every site so we need to make sure it changes for each site - so basically we're going to use a "salt method" which basically means use a base word and put excess things around it. For this our "salt" is going to be the random password we generated before. But we're going to add bits of information from the sites and possibly the middle of the password. Let's say you registered the same account at yahoo, ebay, and paypal. Basically you are going to get the same set of letters out of the names and use that as the excess to the base password, like if your password is "base" and you're registering at yahoo - you decide for all the sites you wish to use the first letter and second to last letter, "y" and "o", and you would simply add that to the beginning, end, and/or middle. This is a pattern: you do the exact same thing for every site you register for, but because each site has a different name it would make each password different. You can also "1337" these letters to make it more complicated - but I'd use the same method for each site so it's still easy to remember.

Yahoo:
  • yC0d3c@l7o
  • yPr0gR@|v|o
  • yy()U|2Fa<3o

Ebay:
  • eC0d3c@l7a
  • ePr0gR@|v|a
  • ey()U|2Fa<3a

CodeCall:
  • cC0d3c@l7l
  • cPr0gR@|v|l
  • cy()U|2Fa<3l

Now we also know we must change our password every now and then too, right? And just to make it a bit more complicated let's say we should change it every month or every season, right? Well that makes it easy - why don't we do the same thing we did with the site name with the season (Spring, Summer, Autumn, Winter) or the months (January, February, March...) so we can keep updating our password:

Yahoo && January:
  • JyC0d3c@l7or
  • JyPr0gR@|v|or
  • Jyy()U|2Fa<3or

Ebay && Spring:
  • SeC0d3c@l7an
  • SePr0gR@|v|an
  • Sey()U|2Fa<3an

One last piece of advice - don't choose the first and second to last letters since I did it - make up your own unique way of doing this. Do third and last letters or first and second letters - you are not even limited to 2 letters, take the first two and second two... use your imagination. You are not even limited to placing these at the beginning, you can put the letter after your first letter, in the middle, before your last letter, etc. Again be creative.

Feel free to distribute with or without credit to me. The idea is to give people an easier way to become safer. Not for me to be famous, so write it on the moon for all I care.
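The wrapping rule from the post above, written out as an added example (this is not BlaineSch's code; the post describes the rule only in prose). The 1337 substitutions in the post are done by hand and are not a fixed mapping, so the leeted base words are copied from the post rather than generated. The only rule implemented is the one the post states: take the first letter and the second-to-last letter of a name and put them at the beginning and end of the password, first for the site and then for the month or season. The collision check at the end is an added observation, not part of the post: two sites whose names yield the same two letters get the same password. The site names "hotmail" and "hushmail" are constructed sample input.

```python
from typing import Dict, List, Optional, Tuple

# Base words as the post leets them by hand. The substitution is
# deliberately ad hoc in the post, so these are copied, not generated.
LEETED_BASES: Dict[str, str] = {
    "codecall": "C0d3c@l7",
    "program": "Pr0gR@|v|",
    "yourface": "y()U|2Fa<3",
}


def affix(name: str) -> Tuple[str, str]:
    """The post's rule: first letter and second-to-last letter of a name."""
    if len(name) < 2:
        raise ValueError("a name needs at least two letters")
    return name[0], name[-2]


def wrap(password: str, name: str) -> str:
    """Put the two affix letters at the beginning and end, as the post does."""
    head, tail = affix(name)
    return head + password + tail


def derive(base_word: str, site: str, period: Optional[str] = None) -> str:
    """Site wrap first, then the month/season wrap on the outside."""
    password = wrap(LEETED_BASES[base_word], site)
    if period is not None:
        password = wrap(password, period)
    return password


def affix_collisions(sites: List[str]) -> Dict[Tuple[str, str], List[str]]:
    """Sites whose affix letters coincide produce identical passwords."""
    groups: Dict[Tuple[str, str], List[str]] = {}
    for site in sites:
        groups.setdefault(affix(site), []).append(site)
    return {letters: names for letters, names in groups.items() if len(names) > 1}


if __name__ == "__main__":
    for site, period in [("yahoo", None), ("ebay", None), ("codecall", None),
                         ("yahoo", "January"), ("ebay", "Spring")]:
        print(site, period or "", [derive(word, site, period) for word in LEETED_BASES])
    # Constructed sample: two mail providers that share both affix letters.
    print(affix_collisions(["yahoo", "ebay", "hotmail", "hushmail"]))
```

Running it reproduces the three lists the post gives for Yahoo, Ebay and CodeCall and the two month/season variants. The collision check shows a property worth knowing before adopting any such rule: distinctness per site depends entirely on the two extracted letters differing, which a rule that only looks at fixed positions of the name does not guarantee.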

#2 Guest_Jordan_*

Posted 29 April 2009 - 01:13 PM

Nice work Blaine! Very informative. +rep

#3 Pro

Posted 24 June 2009 - 01:13 PM

I store my passwords in a text file saved in a truecrypt container on a USB drive. The passwords should be pseudo-random then changed just slightly to make them truly random. You should also use different passwords for everything. That way, should one of the sites you visit be compromised, they won't be able to start going through your email or other accounts scattered across the internet.

The method you speak of is nice but it's kinda like using base64 in the 1980s (before it was released) as an encryption. Seems safe because no one else uses it but in reality the only safe encryption is one that everyone can have a "crack" at. The same goes for your method. Should everyone use this it would make a malicious person's job a lot easier.

#4 BlaineSch

Posted 24 June 2009 - 01:18 PM

They would have to have multiple passwords that you own before they realize how you're using it, though. If you did it based on the month or season or your job and the site, and appended or inserted the characters at a random part in the password and possibly even used shorthand for "spring" to be "spr" or "$p4" or something, it might take a while for them to realize how you actually used it.

Knowing that, even if everybody was using it they would have to do more work than copy and paste! Unless you did this literally by textbook and did exactly what I wrote. I posted this as a pattern, though; the possibilities on it are endless!

#5 fishsticks

Posted 02 January 2011 - 03:43 PM

Wow I never thought about that. I'll go change all my passwords now.

#6 Overkill

Posted 12 September 2011 - 03:58 AM

Recently I have been thinking about changing some of my passwords and the season/site combo is a very good idea, though for security reasons I can't tell you if I am gonna use it or not :P

#7 Alexander

Posted 12 September 2011 - 10:38 PM

though for security reasons I can't tell you if I am gonna use it or not :P


Two of eight positions can represent less than 0.02% of the given key space, and would not really matter.

If your password used most of the characters available, and it were even six characters long, you could:
  • Make over one hundred million password requests to a website, to guess the correct one (infeasible)
  • Find a way to get the representation of your password, such as a hash, and perform the attacks locally
  • Or obtain full access and simply change your password to a known hash, and bypass it (much more likely than the first)


All new problems require investigation, and so if errors are problems, try to learn as much as you can and report back.
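The arithmetic behind Alexander's three statements, as an added example (not code from his post). Assumptions, labelled in the code: "most of the characters available" is taken to mean the 95 printable ASCII characters, "two of eight positions" means two characters of an eight-character password that a known pattern fixes (the site letters in the scheme above), and the online guessing rate is an illustrative constant, since the post gives none.

```python
import math
import string

# Assumption: "most of the characters available" = 95 printable ASCII
# characters (letters, digits, punctuation and the space).
ALPHABET = len(string.ascii_letters + string.digits + string.punctuation) + 1


def key_space(alphabet: int, length: int) -> int:
    """Number of distinct passwords of this length over this alphabet."""
    return alphabet ** length


def fixed_fraction_percent(alphabet: int, fixed_positions: int) -> float:
    """Share of the key space, in percent, occupied by passwords whose
    `fixed_positions` characters hold one particular value (the two
    pattern-derived letters in the scheme above)."""
    return 100.0 / alphabet ** fixed_positions


def effective_bits(alphabet: int, length: int, known_positions: int) -> float:
    """Entropy that remains once someone knows how `known_positions`
    characters were chosen: only the other positions still need guessing."""
    return (length - known_positions) * math.log2(alphabet)


def online_guess_years(space: int, guesses_per_second: float) -> float:
    """Worst-case years to walk a whole key space through a login form at a
    fixed rate. The rate is an assumption; real sites throttle or lock out."""
    return space / guesses_per_second / (60 * 60 * 24 * 365)


if __name__ == "__main__":
    six = key_space(ALPHABET, 6)
    print(f"95^6 passwords: {six:,}")                      # well over 100 million
    print(f"2 fixed of 8: {fixed_fraction_percent(ALPHABET, 2):.4f}% of key space")
    print(f"8 chars, 2 known: {effective_bits(ALPHABET, 8, 2):.1f} bits")
    print(f"6 chars, 0 known: {effective_bits(ALPHABET, 6, 0):.1f} bits")
    print(f"years at 10 guesses/s: {online_guess_years(six, 10):,.0f}")
```

The first number is why remote guessing is the infeasible option in the list above, and the last two lines make Pro's earlier point concrete from a defender's side: once the pattern that fills two positions is known, an eight-character password built this way has exactly the entropy of a six-character random one, so the pattern-derived characters should be counted as convenience, not as strength.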