Saturday, November 10, 2012

How to Devise Passwords That Drive Hackers Crazy

By Nicole Perlroth

Not long after I began writing about cybersecurity, I became a paranoid caricature of my former self. It’s hard to maintain peace of mind when hackers remind me every day, all day, just how easy it is to steal my personal data.

Within weeks, I set up unique, complex passwords for every Web site, enabled two-step authentication for my e-mail accounts, and even covered up my computer’s Web camera with a piece of masking tape — a precaution that invited ridicule from friends and co-workers who suggested it was time to get my head checked.
But recent episodes offered vindication. I removed the webcam tape — after a friend convinced me that it was a little much — only to see its light turn green a few days later, suggesting someone was in my computer and watching. More recently, I received a text message from Google with the two-step verification code for my Gmail account. That’s the string of numbers Google sends after you correctly enter the password to your Gmail account, and it serves as a second password. (Do sign up for it.) The only problem was that I was not trying to get into my Gmail account. I was nowhere near a computer. Apparently, somebody else was.
It is absurdly easy to get hacked. All it takes is clicking on one malicious link or attachment. Companies’ computer systems are attacked every day by hackers looking for passwords to sell on auctionlike black market sites where a single password can fetch $20. Hackers regularly exploit tools like John the Ripper, a free password-cracking program that uses lists of commonly used passwords from breached sites and can test millions of passwords per second.
Chances are, most people will get hacked at some point in their lifetime. The best they can do is delay the inevitable by avoiding suspicious links, even from friends, and manage their passwords. Unfortunately, good password hygiene is like flossing — you know it’s important, but it takes effort. How do you possibly come up with different, hard-to-crack passwords for every single news, social network, e-commerce, banking, corporate and e-mail account and still remember them all?
To answer that question, I called two of the most (justifiably) paranoid people I know, Jeremiah Grossman and Paul Kocher, to find out how they keep their information safe. Mr. Grossman was the first hacker to demonstrate how easily somebody can break into a computer’s webcam and microphone through a Web browser. He is now chief technology officer at WhiteHat Security, an Internet and network security firm, where he is frequently targeted by cybercriminals. Mr. Kocher, a well-known cryptographer, gained notice for clever hacks on security systems. He now runs Cryptography Research, a security firm that specializes in keeping systems hacker-resistant. Here were their tips:
FORGET THE DICTIONARY If your password can be found in a dictionary, you might as well not have one. “The worst passwords are dictionary words or a small number of insertions or changes to words that are in the dictionary,” said Mr. Kocher. Hackers will often test passwords from a dictionary or aggregated from breaches. If your password is not in that set, hackers will typically move on.
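The tip above says that a dictionary word "or a small number of insertions or changes" to one is effectively no password at all, because crackers apply exactly those transformations to their wordlists. The following is an added example (not from the article, and not code from any tool it mentions) of the check a site could run at password-creation time: it reduces a candidate password to the base forms a rule-based cracker would try (lower-casing, undoing common digit/symbol substitutions, stripping leading and trailing digits or symbols) and rejects it if any form is a listed word or within one edit of one. The wordlist and the substitution table are constructed here for illustration; a real deployment would load a full dictionary plus lists aggregated from breaches.

```python
import re

# Constructed sample wordlist; a real check would use a full dictionary plus
# lists of passwords aggregated from breaches, as the article describes.
COMMON_WORDS = {"password", "welcome", "dragon", "monkey", "letmein", "sunshine", "wendy"}

# Reverse "leet" substitutions so that e.g. "p@ssw0rd" reduces to "password".
# This table is an assumption standing in for a cracker's rule set.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def within_one_edit(a, b):
    """True if a and b differ by at most one insertion, deletion or substitution."""
    if a == b:
        return True
    if abs(len(a) - len(b)) > 1:
        return False
    if len(a) > len(b):
        a, b = b, a          # ensure len(a) <= len(b)
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i += 1
            j += 1
            continue
        edits += 1
        if edits > 1:
            return False
        if len(a) == len(b):
            i += 1           # substitution: advance both strings
        j += 1               # otherwise skip the extra character in b
    return True              # any leftover char in b is the one allowed insertion


def base_forms(password):
    """Reduce a password to the base strings a rule-based cracker would try."""
    lowered = password.lower()
    # Strip leading/trailing digits and symbols, e.g. "Dragon123!" -> "dragon".
    stripped = re.sub(r"^[^a-z]+|[^a-z]+$", "", lowered)
    forms = set()
    for form in (lowered, stripped):
        if form:
            forms.add(form)
            forms.add(form.translate(LEET_MAP))
    return forms


def is_dictionary_based(password, wordlist=COMMON_WORDS):
    """Reject passwords that are a listed word or one small change away from one."""
    for form in base_forms(password):
        if form in wordlist:
            return True
        if any(within_one_edit(form, word) for word in wordlist):
            return True
    return False


if __name__ == "__main__":
    for candidate in ("P@ssw0rd1", "W3ndy!", "dragons", "Tq8#mLz2"):
        print(candidate, "->", "rejected" if is_dictionary_based(candidate) else "ok")
```

Note that the check is only as good as its wordlist: "W3ndy!" is caught here because "wendy" is in the list, which is the point of the tip, since names, pets and hobbies are in real attackers' lists too.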


  1. While complex and different passwords for web sites are obviously needed, I find the specific recommendations in this article to be poor, especially those involving storing a password list on a thumb drive (encrypted or not).

    An obvious problem with this is the need to always have the thumb drive with you. It also requires opening it and copying/pasting credentials. If it's open and you are hacked, they get access to everything you have everywhere. Such difficulty and exposure do not lead to good security.

    A far better alternative is to create complex passwords using a highly-personal heuristic/algorithm. For example, you can use a base string along with something you personally associate with a web site, e.g., xX!1W3ndyA for a shopping site where xX!1 is a base string and Wendy is the name of a shopaholic ex-girlfriend (where you take the additional step of replacing the e with a 3) and A is the first letter of the site's domain name.

    Whatever your password-generation process is, the key is to make it algorithmic, highly personal, non-reversible (cannot easily discover your full algorithm by having several passwords), and, most importantly, easily remembered. This eliminates the difficulty and exposure associated with maintaining password files, carrying thumb drives, etc.

  2. The first tip is absolutely horrible. If the password doesn't use dictionary words, who will remember it?

    The important thing with secure passwords is length. Because most websites hash the password (turn any length password into a fixed length), the length of your actual password is unknown to an attacker. Here are examples of absolutely secure passwords.


    Not that I recommend using any of those but the idea should be simple. Just make it long.

  3. Picking a non-crackable password is easy. For example: Fg23!aP7w will keep all hackers out of your system. The only remaining danger is if you are so stupid you accidentally give it away... Oops. Oh crap!

    1. Absolutely not. When it comes to cracking passwords, it's all about time.

      Sure you might need brute force to accomplish this, but it's very much possible.

      40 or 80 character passwords on the other hand are different.
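Comment 2 argues that length matters most, and the reply in comment 3 argues that cracking is "all about time". Both claims can be put in numbers. The following is an added example (not part of either comment or of the article) that computes the brute-force search space of a password from its length and character classes, converts it to years at a given guess rate, and shows that a hash digest has the same fixed length whatever the input. It also includes the caveat a practitioner would raise: if a long password is built from dictionary words, an attacker guesses whole words rather than characters, so the search space is the size of the wordlist raised to the number of words. The guess rates and the 7776-word dictionary size used in the usage section are constructed illustrations; the character-class sizes are standard printable ASCII.

```python
import hashlib
import math

# Printable ASCII: 26 lower, 26 upper, 10 digits, 33 symbols (including space) = 95.
SYMBOLS = 33


def charset_size(password):
    """Size of the smallest set of standard character classes covering the password."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += SYMBOLS
    return size


def brute_force_bits(password):
    """log2 of the keyspace an attacker must search guessing character by character."""
    size = charset_size(password)
    if size == 0:
        return 0.0
    return len(password) * math.log2(size)


def wordlist_bits(num_words, dictionary_size):
    """log2 of the keyspace when the attacker guesses whole words from a known list."""
    return num_words * math.log2(dictionary_size)


def years_to_exhaust(bits, guesses_per_second):
    """Time to try the entire keyspace at a constant guess rate, in years."""
    return 2.0 ** bits / guesses_per_second / (365 * 24 * 3600)


def digest_hex_length(password):
    """A hash maps any input length to a fixed output length (SHA-256: 64 hex chars)."""
    return len(hashlib.sha256(password.encode()).hexdigest())


if __name__ == "__main__":
    short_complex = "Fg23!aP7w"          # the 9-character password from comment 3
    long_lower = "a" * 40                # a 40-character lowercase string, as in the reply
    for label, bits in (("9 mixed chars", brute_force_bits(short_complex)),
                        ("40 lowercase chars", brute_force_bits(long_lower)),
                        ("4 words from 7776", wordlist_bits(4, 7776))):
        # Constructed guess rates: the article's "millions per second" and a larger one.
        print(f"{label:20s} {bits:6.1f} bits  "
              f"{years_to_exhaust(bits, 1e6):.3g} years @1e6/s  "
              f"{years_to_exhaust(bits, 1e10):.3g} years @1e10/s")
    print("digest length:", digest_hex_length("a"), digest_hex_length(long_lower))
```

The numbers make the disagreement concrete: the 9-character mixed password is about 59 bits against a character-by-character search, a 40-character lowercase string is about 188 bits, and a four-word phrase from a 7776-word list is only about 52 bits if the attacker knows the list. Length wins, but only length that is not made of predictable units.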

  4. If the website permits, start or end the password with a 'space' character.

  5. #1 computer security rule: Never Use Microsoft Windows.

    That'll take care of 99% of potential security issues. Not that the other operating systems are very secure, but Windows has so many serious design flaws that it simply cannot be secured.

  6. This:

    1. So, is this accurate, or just a "comic"? If accurate, I just had an "Ah Haa" moment...

  7. I don’t know what type of wake-up call people need to kick this complacent attitude to authentication and passwords. There continues to remain the need for more preventative measures put in place. For example many of the leading companies in their respective verticals are giving users the perfect balance between security and user experience by implementing 2FA which allows us to telesign into our accounts using a One Time Passwords (OTP). I know some will claim this make things more complicated, but the slight inconvenience each time you log in is worth the confidence of knowing your info is secure. I'm hoping that more companies start to offer this awesome functionality. This should be a prerequisite to any system that wants to promote itself as being secure. But almost everything is still only password protected. The fact is passwords (strong or not) do not replace the need for other effective security control.