
Easy Passwords

Thank you for attending Longer is Stronger: Strong Passwords Made Easy.  Here is the data from which the presentation was built.  If you've reached this page without having seen the presentation, please email me to set up a time!  It all makes more sense when we've walked through the material together.  Much of this material can also be found on the Passwords resource page.

References:

Password cracking chart from IT World

Steve Gibson's password strength assessment tool.  There are a lot of caveats about the accuracy of this tool: many such tools only count the size of the brute-force search space and do not model the dictionary and rule-based attacks described in the cracking articles above, so they overrate predictable passwords.  More importantly, never type a real password into an online checker; anyone wanting to gather passwords into a guessing dictionary would want to hack into such a site and monitor what people are typing.  I suggest using this for demonstration purposes only, with throwaway passwords.
Another password strength tool; same caveats. 

Ars Technica article on the state of password cracking.  The part about Markov chains on the second page is what is nudging me towards recommending password managers.

Another Ars Technica article on password cracking
Bruce Schneier on password cracking (he's probably written more since; this was part of the original research for this presentation.)
Password challenges and tips from Schneier
The XKCD "correct horse" comic.  There is some debate about whether this is really useful anymore.
LifeHacker on why you should use password managers.  They don't mention the puzzle of what password to use for the password manager itself.

University of Cambridge analysis (part 1, part 2) of the Ars Technica article above, explaining the theory of password cracking.

Hashing a Phrase

What this page calls "hashing" is a mnemonic transformation, not the cryptographic hashing the cracking articles above are about: it turns a phrase you can easily remember into something that looks like complete alphabet-soup random garbage.  The result is much harder to crack than a dictionary word, and it keeps the length of the original phrase.  This particular process is something I learned from Mat Neufield at a SANS conference, probably over ten years ago:
  • Pick a phrase, such as "This is a demo which I shouldn't really use"
  • Eliminate spaces, and all but the first and last letters of the words:  "This is a demo which I shouldn't really use" becomes "TsisadowhIstryue"
  • Do some substitutions.  Pick any substitutions that you can remember, and BE CONSISTENT, so that you do remember.  For example only:  "T515@d0whI5tryu3" -- this substitutes 5 for s, 1 for lower case i, @ for a, 0 for lower case o, and 3 for lower case e.  You could also preserve the apostrophe if you wanted, and if you would remember it later.
  • Place a before-and-after character around the phrase.  In the presentation, I have sometimes used ! and sometimes #.  It can be almost anything, and is a good opportunity to put punctuation in a password that might not otherwise have it.  Example:  ~T515@d0whI5tryu3~
Remember that you can pick your own substitutions, your own before-and-after symbol, your own process -- this is provided solely as an example of the technique.  Two caveats: the digit-for-letter substitutions above (5 for s, 0 for o, and so on) are standard "leet" rules built into password-cracking tools, so on their own they add little; and the process only helps if the starting phrase is one nobody else would pick.  The strength comes from the length of the phrase and from its unpredictability, which is the whole point of "longer is stronger."  A phrase jumbled this way is far stronger than a single word with a digit tacked on.
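The four steps above, automated so you can check your own phrase against the page's example.  This is an added illustration, not the presenter's tool; the substitution table and the "~" wrapper are taken from the example on this page, and the function names are my own.  Run it only with throwaway phrases, never with a password you actually use.

```python
"""Worked example of the 'hash a phrase' mnemonic described above.

Added illustration, not the presenter's own code. It follows the four
steps on the page exactly: pick a phrase, keep the first and last letter
of each word, apply a fixed substitution table, wrap in a before-and-after
character. Do not feed a real password through this on a shared machine.
"""

# Substitution table from the page's example. Your own table can differ,
# but it must stay constant or you will not reproduce the password later.
EXAMPLE_SUBS = {"s": "5", "i": "1", "a": "@", "o": "0", "e": "3"}


def abbreviate(phrase: str) -> str:
    """Step 2: drop spaces and keep only the first and last letter of each word.

    A one-letter word ("a", "I") contributes just that letter, not two
    copies of it; that matches the worked example on the page. Case is
    preserved, which is why the capital 'I' survives untouched.
    Punctuation attached to a word counts as its first or last character,
    so "shouldn't" gives "st" but a trailing "use." would give "u.";
    decide once how you type punctuation and stick to it.
    """
    parts = []
    for word in phrase.split():
        parts.append(word if len(word) == 1 else word[0] + word[-1])
    return "".join(parts)


def substitute(text: str, subs: dict) -> str:
    """Step 3: apply the substitution table character by character.

    Lookup is case-sensitive on purpose: the page's table maps lower-case
    'i' to '1' but leaves the capital 'I' alone.
    """
    return "".join(subs.get(ch, ch) for ch in text)


def hash_phrase(phrase: str, subs: dict = EXAMPLE_SUBS, wrapper: str = "~") -> str:
    """Steps 1-4 together: abbreviate, substitute, then add the wrapper."""
    return wrapper + substitute(abbreviate(phrase), subs) + wrapper


if __name__ == "__main__":
    demo = "This is a demo which I shouldn't really use"   # the page's example phrase
    print(abbreviate(demo))       # TsisadowhIstryue
    print(hash_phrase(demo))      # ~T515@d0whI5tryu3~
    print(hash_phrase(demo, wrapper="!"))
```

Because the substitution table is a plain dictionary, you can see why consistency matters: change one entry, or forget whether you substituted the capital I, and the output no longer matches what you enrolled.  It also makes the earlier caveat concrete: a cracker that already has your phrase needs only this same handful of rules to reach the result, so the phrase itself is what has to stay private.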

A different take on hashing from MS-ISAC.  This is a PDF, meant to be printed 2-sided and folded up into a brochure.  Note that "to be or not to be" and "four score and seven years ago" are probably the most common (and therefore weakest) phrases you could hash, no matter what your process is.

Supporting articles

In Defense of Passwords from Dark Reading

Password Managers

This list is not complete;  I have not done an exhaustive comparison.  Please do not think that because a password manager is absent from this list, it must mean that I have found fault with it.

LastPass - This is the one that's hosted online: the encrypted vault is stored on their servers and backed up for you, but it is designed around having Internet access
KeePass - This is the one where the encrypted database is a local file you keep yourself (on a thumb drive, for example) and have to religiously back up
DataVault (for smart phones)
InfoWorld review of password managers from 2012