Crafting The Perfect Password

Nearly all the Password Crackers are salted with almost all words, so they will relatively easily crack any password that utilizes words and just one or two special or Capital Letters. The far better methodology is to take a couple of unrelated phrases that are memorable to you but does not necessarily mean anything to someone else and use the first or last letter of each word in the phrase split by a 4-6 digit numeric with a special character at either end of the numeric.

Someone suggested a taking the first letter of each word of a song lyric phrase which is also a good idea although again combine two unrelated ones and put a short memorable to you numeric (not related to your address, birthday, or former addresses and preferably not a numeric you are using for pin numbers for credit cards. These kinds of combinations actually require the true brute force type cracking you discussed earlier.

Again anything using whole words or phrases of whole words will run into the already salted databases of password crackers and will be broken relatively quickly and are really no easier to remember than utilizing the first letter of each word of two or more phrases with a numeric thrown in between.

I use a translation table to save my passwords in plain text hints.

eg.
a = vector
d = train
f = tool
t = xray
e = 637

so if the real password is vectoraxraytoolxray
then my password hint is aftf
yes I have to remember the translated values but 5 or 6 words are achievable.

Combine this with capitalization and a reference to the specific website (say always the first 2 characters of the website name in capitals)
you can have a unique PSW for each website without much effort and best of all I can have the hint in plain text

eg. for askbobrankin.com
my hint would be DaE which I know to be
ASTrainvector^#&

if the hint were Dae then
ASTrainvector637

and dae = ASTrainvector637

and so on

mix and match at will and even if you mess up the capitals in the hint you have the base to work with

works for me :)

Bob
if spelling counts "Managing Your Paswords"
s/b Managing Your Passwords

@monte
I'm mildly offended by your ageism (n.b. I'm 60+)
and and could retort that the let's leave at there people in all age categories who are challenged by different things

I'm computer savvy and realize that every little bit helps. I do appreciate your insightful articles, but tell me: what good are incredibly strong, secure passwords when hackers break into a company and steal them (for mischief or ransom)?

That's happened to me at least five times this year: my bank, websites where I shop, sensitive data storage sites like credit card companies, little businesses, big businesses--ominous emails inform me that these businesses themselves have been hacked!

I'm told I need to change my password, I may receive a year's worth of free account monitoring (in some cases) and the police have been notified. Really!? Isn't it a bit late for all that, when my unhackable password has still been hijacked by those responsible for keeping it secure?

Yes, I could change my password every day---but I have literally dozens of typed pages of passwords. Let's discuss this larger problem, if you please.

No one has mentioned typing a run on the keyboard; are hackers programs looking for those? IE- 2wsxcde3

You say: "You might be thinking "Okay, a botnet can send millions of passwords per second. But can the receiving server process (either accept or reject) more than 100 password attempts per second?" Here's the answer: it doesn't have to. These brute force password cracking tools are used when hackers break into a web server, thereby gaining access to the encrypted password database. Once inside, they can transfer that cache of usernames and passwords to another location and attack it at will."

I don't really get your reasoning here. The bad guys have got hold of an encrypted password database. In that case, what difference does it make how secure my personal password is or isn't?
The critical thing would be how secure is the encryption, or the password that unlocks it, which is not under my control but rather under the control of the site the password database was stolen from. What am I missing?

You almost have it. You forgot those who can't choose their password(s). Also, while users are coming up to speed with developing a "good" password it may be hard for them to remember it. My suggestion for those two scenarios is to use the draft option in the email program normally used at least on a daily basis. This way the password is protected by a password used at least daily by them. This would be a way to store related info such as url, username, security responses etc. for that account.

I use and recommend Keepass for storing my passwords which currently number in the hundreds. My password database is stored in the cloud (Dropbox) and syncs to all my computing platforms. On Android I recommend the Keepass2Android app.

Any decent website will allow only a very limited trials (3-5), after which will not allow any more entries. So, how in the world a hacker can try to decipher the password?! Don't try to worry about complicated passwords. A hacker will have other means to get it, by fishing or other means. So, long or complicated passwords have no security advantages. Please elaborate on this in future.

Check out Safe In Cloud. Simple and very effective across all platforms.

Am I understanding correctly that using your recipe I can create one password for all of the sites I log on?

Using Bob's formula and my own on-shelf book title (20+ characters), I got: Your password will be bruteforced with an average home computer in approximately 10,000+ centuries... and an added comment on the test web site: "Bender Rodriguez would steal everything valuable in the Universe in that time. Including your password." Cute. Some sites I use won't accept that large a PW, tho. A shorter 12+char PW: Your password will be bruteforced with an average home computer in approximately 43 centuries. Seems good to me. Do you agree?

Reply to Steph: Using one PW on all sites is not recommended. You especially want to use different PWs on sites where you are more concerned about security, such as checking account, credit cards, home security or any sites where you would worry if someone got your PW by any means (watching you type it, etc.). You could use a little black book that you keep hidden away... or one of the PW managers mentioned above. I like Roboform, myself.

I use my own encription method, aplying several rules. Of course, I shall not tell anybody what are my rules, but they work. I don´t like password managers, because they create ugly passwords tha must be written for no forget.....

I use a similar approach to that outlined by Annette above. I use a strong base passphrase (LoveVanillaIceCream, say) and customize it slightly on a per-site basis (LoveVanillaIceCreamBank, say). This enables me to create strong and unique passwords - which avoids the risk of cross-site password attacks in the case of a credential database being compromised - without the need for a password manager.

The problem with password managers - and especially online password managers - is that, sooner or later, somebody will work out how to exploit them. LastPass has already had a couple of scares.

Strength and complexity aren't as important as people think. The chances of somebody attempting to brute-force their way into one of your accounts are somewhere between slim and none. It's not how things happen.

Passwords mainly get compromised in one of three ways:

1. Credential database theft;
2. Phishing.
3. Guessed or otherwise discovered by a dishonest friend/family member/co-worker.

A strong password provides absolutely zero protection against #1 or #2, but does, to some extent, provide protection against #3 – however, so would a simple, non-complex random password that can't be guessed/discovered.

This isn't to say that people shouldn't use strong passwords - they obviously should.

By the way, I somewhat disagree with your comment about not writing passwords down. It'd obviously be a bad idea to do it in a work environment, but at home - depending on who's coming and going - it may not be a bad way of managing your passwords. Especially if your list is securely tucked away.

I am not even sure I should put this out for general consumption. I am a scientist. I tried several simple two scientific word passwords with a space between at the Kaspersky site. Simple does not mean the words are easy, just that they are in my frequent thinking. One of them (one term is outdated) would take the Tianhe-2 supercomputer 10,000 centuries to crack. Most two word technical terms I used with a space in between - and no special characters - would take the Tianhe-2 several months to a few years.

Good grief, thanks so much for the wake-up call, Bob. Kaspersky says my password can be broken in 26 seconds! And that one was for my bank account! My new one says it will take a few hundred centuries. Using very few more characters and just as easy to remember. Am now using just 4 passwords for 4 different classes of online transactions (from junk sites to financial). Anything is far better than before! Being a stubborn ornery 80 year old fossil, I prefer to manage myself without relying on any password management software. Same with web-site writing software, I prefer a pencil, paper and html. Thanks again, Bob, many thanks.

Forgot to mention, Bob, that I stored my new stronger passwords in a text file than took a "screen shot" of them and then deleted the text file. Do you think that an image.jpg is secure storage on my pc for my passwords? (I used to use hexadecimal and java but switched to images do similar to cloak email addresses from harvesting bots on my web-sites.) Thanks again for this article, Bob.