Passwords - Two Practical Ways to Construct Them
Source: https://spycloud.com/solutions/password-security/

Introduction

Passwords are everywhere. Every computer system, database, bank, school, and online shop, you name it, requires its users to create “strong” passwords that are usually 8-32 characters long and contain at least one uppercase letter, one lowercase letter, a number, and a special character (not just any character; the acceptable ones are usually those above the numbers on your keyboard). To take the annoyance one step further, some password policies forbid users from using their names, dates of birth, organization names, or slang as parts of their passwords.

Password Policy (Source: https://www.4me.com/blog/password-policy/)

Such a password policy is understandable when hackers constantly attempt to access your accounts and steal the money, information, or other valuable assets hiding beneath the username and password combination. Those hackers may obtain your password through phishing, a dictionary attack, or brute force [1]. The longer and more complex your passwords are, the harder they are for hackers to recover.

Therefore, the most secure password should be a lengthy string consisting of random symbols, such as the one below:

oLR-tn$NhTUWZtGt+nOa#@7il2NN@$Z42_EjPDoCC^Oz7$&vxH        

According to PasswordMonster.com, which will be introduced later, the password above needs "12 trillion trillion trillion trillion trillion trillion years" to crack.

However, good luck memorizing a 50-character random string unless you are a memory master. Otherwise, you will have to write those long passwords down in a notebook or on a Post-it, which is an utterly insecure practice, or you will have to click "I Forgot My Password" very often, long before any hacker attempts to crack them.

Even though many people use password managers such as the ones built into the Chrome browser or Apple devices, you still need to remember at least one “Master Password” to access the rest of your passwords.

Google Password Manager (Source: https://linuxhint.com/use_password_manager_chrome/)

To make a password memorable, the string must be meaningful [2], such as one’s name, birthday, or hometown, or a piece of a lyric, proverb, or poem.

Suggestions from the Government of Canada Regarding Passwords

According to the password guidance by the Government of Canada (GC) [3], an organization should:

1. Disable or reduce complexity policies (for example, allow all-lowercase passwords in which users can, if they like, include uppercase letters and other characters)

2. Require longer passwords (at least 12 characters) and have no limit on the length

3. System owners should permit passphrases, and users should use a phrase of at least 4 or 5 random words that meet the minimum 12-character length requirement.

4. In Windows environments, GC system owners should consider having a 15-character minimum to prevent weak LAN manager password storage.

The first item, disabling the complexity requirements, is a good suggestion since it makes passwords more memorable.

The second item, requiring longer passwords, is reasonable since the difficulty of cracking a password grows exponentially as its length grows linearly. However, practically speaking, there must be an upper limit on password length, or a malicious user could submit a string of 1 billion characters, which would take up 1 gigabyte of space during processing and render the system inoperable.

The third item mentions passphrases. “A passphrase is a sentence-like string of words used for authentication that is longer than a traditional password, easy to remember and difficult to crack. Typical passwords range, on average, from eight to 16 characters, while passphrases can reach up to 100 characters or more.” [4]

Common Mistakes in Password Constructing

There are different tools to check the strength of your passwords, such as security.org [5] and PasswordMonster [6]. This article uses PasswordMonster to test the strength of the generated passwords because it is convenient for demonstration. The results of different tools differ slightly at the quantitative level but are very consistent at the qualitative level.

According to PasswordMonster, there are three main mistakes that users need to avoid when setting up their passwords:

Your Passwords Are Too Common

As we can see from the password test result, common passwords such as "qwerty" have been used over and over and can be cracked instantly by hackers. According to Cybernews [7], the 10 most common passwords are:

123456; 123456789; qwerty; password; 12345; qwerty123; 1q2w3e; 12345678; 111111; 1234567890

Make sure you don't use any password on the list, or any simple variation or combination of them.

Your Passwords Are Sequences of Characters

Avoid using sequences like abcdef, zyxwvu, 123456 or 246810. They are too predictable.

Your Passwords Are Dictionary Words or Simple Variations of Words

This is also a very common mistake in creating passwords and, frankly speaking, a very hard one to overcome. When hackers attempt to crack your passwords, they usually use a "dictionary attack", which is essentially trial and error with the words in a dictionary.

As we can see, not only is a dictionary word like "Dictionary" a terrible password; simple variations like S3cureP@ssword are prone to attack as well.

Two Practical Methods to Construct A Secure, Memorable and Compliant Password

Now here comes the most important part. This article proposes two different step-by-step methods to create secure but memorable passwords. Remember, the example passwords appearing in this article are no longer good passwords, as they have been exposed to the public. As the quote from The Count of Monte Cristo goes, “You find your own tree!”

Method 1: Vowel reduction

This method is inspired by the passphrase idea. We first pick a phrase and join its words into one long “word”. After that, we replace some characters with numbers and special characters. Lastly, we get rid of all remaining vowels. In this way, the final password resembles a randomly generated string while remaining memorable for the user who knows the original phrase. Moreover, passwords generated this way are of limited length but nevertheless very secure, since taking letters out of a word reduces the likelihood of a successful dictionary attack.

Step One - Find a meaningful phrase

The string can be a piece of lyrics, poem, or proverb. In this case, we choose the proverb “Better Late Than Never” with the initial letter of each word capitalized.

Better Late Than Never

We then connect the words head to tail, or, as computer jargon goes, concatenate them.

We can see that the password “BetterLateThanNever” is not very bad, but it consists only of dictionary words, which makes it prone to dictionary attacks.

Step Two - Replace some vowels with numbers and special characters

Usually, we change some letters to numbers and special characters with a visual resemblance, such as “@” for “a”, “3” for “e”, “1” or “!” for “i”, “0” for “O” or “o”, “7” for “v”, “$” for “S” or “s”, and “2” for “z”. Since such a substitution pattern is predictable to hackers, it is important to make at least two substitutions.

We substitute two characters. The password becomes moderately secure.

Step Three - Get rid of all remaining vowels

This step gets rid of all vowels in the string, except for those that have already been replaced by other symbols. After this step, we have our final product:

BttrLtTh@nN3vr

It looks almost like a random string and has become very secure.

List of example passwords that are generated by vowel reduction

Here are a few similar passwords generated from common phrases with the vowel reduction method, for your reference. However, make sure to create your own personalized passwords.

You Can’t Handle The Truth! (Notice the exclamation mark!)

Becomes →

Y0Cn’tHndlThTrth!

Never Too Old To Learn

Becomes →

NvrT0!dTL@rn

Je Pense Donc Je Suis

Becomes →

JP3nsDncJ$s

El Tiempo Lo Cura Todo

Becomes →

1TmpLCrT#d

Method 2: Insertion

If remembering several words of a phrase and their modification steps is still daunting for someone, we can use the insertion method, which requires memorizing as few as two words.

This method inserts one word into another, followed by modifications similar to those of the previous method, so that the final password does not appear in any dictionary while remaining highly memorable.

Step One - Find Two Words

The first word must be relatively long, and the second word can be either long or short depending on the system’s length requirements.

Absolutely + Dam

In this case, we choose the long word “Absolutely” and the short word “Dam” and link them together. However, as we can see, the password “AbsolutelyDam” is horrible.

Step Two - Insert the second word into the first word

Break the first word into two parts, preferably between syllables as per linguistic norms, and insert the second word at the break.

The password “AbsoDamlutely” is already very decent, though it lacks numbers and special characters.

Step Three - Replace some vowels with numbers and special characters

Similar to what we have done above, we can substitute “@” for “a”, and replace “e” with “3”. Now the password becomes very secure.

List of example passwords that are generated by insertion

Here are a few similar passwords generated from common words with the insertion method, for your reference. However, again, make sure to create your own personalized passwords.

Catastrophe + Worth

Becomes →

Cata$W0rthtrophe

Malheureux + Never

Becomes →

Ma!Ne7erheureu+

Disculpa + Congratulate + 1972 (i.e. a memorable number)

Becomes →

DisCongra19&2tulateculpa

(It’s not hard to figure out why "7" becomes "&", right? Just look at an English keyboard!)

Wingardium Leviosa + Expecto Patronum (Yes, they are Harry Potter spells)

Becomes →

W!ngardiumExpect0Le7iosaP@tronum

Combination of Two Methods

We can actually combine the two methods, especially when the passwords generated by Method 2 are too long.

For example, if we want to shorten the password generated above, we can apply vowel reduction from Method 1, so that the password:

Becomes →

W!ngrdmxpct0L7sP@trnm
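As an added illustration (not part of the original article), the following Python script implements the mechanical parts of Method 1 (concatenate, substitute, strip vowels), Method 2 (split one word and insert another) and the combination step above, so the article's own examples can be reproduced and checked. The split points and the substitution choices are taken from the article; the function names, the (word index, character index, replacement) format for specifying substitutions, and the `VOWELS` set are assumptions introduced here.

```python
# Added example, not code from the original article. It reproduces the
# transformations described in Method 1, Method 2 and the combination
# section. Substitution positions and split points follow the article's
# examples; the function names and the substitution format are assumptions.

VOWELS = set("aeiouAEIOU")  # assumption: the article removes a/e/i/o/u in any case


def apply_substitutions(words, subs):
    """Replace single characters at (word_index, char_index) with a symbol.

    `subs` is a list of (word_index, char_index, replacement) triples.
    Indices refer to positions in the original words, so the order in
    which substitutions are listed does not matter.
    """
    out = [list(w) for w in words]
    for wi, ci, rep in subs:
        if wi >= len(out) or ci >= len(out[wi]):
            raise IndexError(f"no character at word {wi}, position {ci}")
        out[wi][ci] = rep
    return ["".join(w) for w in out]


def strip_vowels(text):
    """Step Three of Method 1: drop every remaining vowel, keep everything else.

    Vowels already swapped for digits or symbols are untouched because
    they are no longer vowels at this point.
    """
    return "".join(ch for ch in text if ch not in VOWELS)


def vowel_reduce(phrase, subs=()):
    """Method 1: concatenate the words, substitute, then strip remaining vowels."""
    words = phrase.split()
    return strip_vowels("".join(apply_substitutions(words, list(subs))))


def insert_word(first, second, split_at, subs=()):
    """Method 2: split `first` at `split_at`, insert `second`, then substitute.

    Here `subs` indexes into the three fragments:
    word 0 = head of `first`, word 1 = `second`, word 2 = tail of `first`.
    """
    if not 0 < split_at < len(first):
        raise ValueError("split point must fall inside the first word")
    parts = [first[:split_at], second, first[split_at:]]
    return "".join(apply_substitutions(parts, list(subs)))


if __name__ == "__main__":
    # Method 1 walk-through: the 'a' in "Than" and the first 'e' in "Never"
    # are substituted, every other vowel is removed.
    print(vowel_reduce("Better Late Than Never", [(2, 2, "@"), (3, 1, "3")]))
    # Method 2 walk-through: "Abso|lutely" with "Dam" inserted at the break.
    print(insert_word("Absolutely", "Dam", 4))
    # Method 2 with substitutions: "Catas|trophe" + "Worth", s -> $, o -> 0.
    print(insert_word("Catastrophe", "Worth", 5, [(0, 4, "$"), (1, 1, "0")]))
    # Combination: Method 2 output shortened with Method 1's last step.
    print(strip_vowels("W!ngardiumExpect0Le7iosaP@tronum"))
```

Substitutions are addressed by position rather than applied to every vowel because the article deliberately swaps only selected characters (the article's "at least two substitutions"); a blanket a→@, e→3 rule is exactly the predictable pattern it warns about. Note that the helper only reproduces the transform; as the article itself stresses, the result is only as private as the phrase it starts from.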

Conclusion

Constructing a secure and memorable password only solves half of the problem. The other half relies on how secure the servers are when handling and storing users' passwords, which will be a topic at another time.

Oh, there is an ultimate password, generated by a combination of the two methods, for you and all Harry Potter fans:

R1dd!@vdklsK3dvr

From which spells is it constructed?

Riddikulus + Avada Kedavra

References

1. 7 ways hackers steal your passwords. SentinelOne. (2021, October 15). Retrieved June 16, 2022, from https://www.sentinelone.com/blog/7-ways-hackers-steal-your-passwords/

2. Kissell, J. (2021). Take Control of Your Passwords (3rd ed.). Take Control Books.

3. Treasury Board of Canada Secretariat. (2020, July 28). Password Guidance - Government of Canada. Canada.ca. Retrieved June 16, 2022, from https://www.canada.ca/en/government/system/digital-government/online-security-privacy/password-guidance.html

4. Froehlich, A., & Fitzgibbons, L. (2022, February 25). What is a passphrase? SearchSecurity. Retrieved June 16, 2022, from https://www.techtarget.com/searchsecurity/definition/passphrase

5. How secure is my password?: Password strength checker. Security.org. (2022, March 28). Retrieved June 16, 2022, from https://www.security.org/how-secure-is-my-password/

6. Password strength meter. PasswordMonster. (2022, March 3). Retrieved June 16, 2022, from https://www.passwordmonster.com/

7. Most common passwords 2022 - is yours on the list? CyberNews. (2022, May 27). Retrieved June 16, 2022, from https://cybernews.com/best-password-managers/most-common-passwords/
