Evolution of a password.

A friend of mine once said that the best password would look like line noise. I have aspired to keep with that idea. I have decided to post how I came up with a password for some systems. Needless to say, I have already gone through all steps to remove any traces of this password from those systems, including:

  • there are no backups in rotation that would restore a system to the old password
  • all machines that are even close to a network, or power, plug have been checked to make sure the old password will not work
  • no other accounts used that password

The reason I am showing this, is to show how I came up with a password that is believe is FAIRLY secure, but still could be remembered.

In making this password, I started with a pass phrase. I like to use phrases, because it gives the user something that can be easily remembered. So, I started with the phrase:

and they all lived happily ever after

Then, I took the first letter of each word to get:

atalhea

Now, we want to mix it up with upper case along with the lower case alpha characters:

AtaLhea

Next, we want to throw some non-alpha characters into the mix:

At@Lh3a

The strengths of this password is that:

  1. it is not a dictionary word
  2. it uses a mixture of upper and lower alpha characters
  3. it uses non-alpha characters
  4. it is easier to remember than many auto-generated passwords

The weaknesses of this password is that:

  1. it is a known phrase
  2. the use of non-alpha characters, along with upper alpha characters, match “normal” replacement characters
  3. it is still confusing enough to invite users to write it down in conspicuous locations

Honestly, there are no perfect passwords. The best you can hope for is something that looks like line noise, that the users will not write down on a post-it and put on their monitor.

One final note; you may feel that keeping passwords hidden from everyone else is perfect job security, but don’t but up with that crap from anyone else. The last thing you want is them leaving, or just forgetting what the password was. Don’t let it happen to you, especially if you live outside of Texas. At least in Texas, you could argue justifiable homicide.

Advertisements

2 Responses

  1. Heh… my job has this nifty little program that measures the ‘strength’ of a password. I decided to test out a few things.

    ‘a’ – very poor
    ‘alpha’ – poor
    ‘alpha1’ – very good
    ‘1alpha1’ – excellent

    sigh…

  2. Hi,
    I found your blog via google by accident and have to admit that youve a really interesting blog :-)
    Just saved your feed in my reader, have a nice day :)

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: