Building Ultra Secure And Memorable Passwords

in #security · 7 years ago (edited)

In this tutorial I will walk you through a password creation process and discuss its complexity and crackability.

[Image: lock] (image source)

Security matters

In these days of digital endeavors it is important that you, my dear reader, have all your accounts and crypto coins secured against all sorts of malicious people. One of the most important aspects of your account security is the password. Too often we choose convenience over security, even though we know better. When we settle for passwords that are easy to remember or that are common choices, we make our accounts susceptible to attacks: these are exactly the combinations that attackers will try first.

But passwords don't have to be completely random in order to be secure. Let me show you how you can turn easy phrases into robust passwords.

Build your password

Let's start with an easy password and evolve it into something more complex. We shall increase the strength until we find an optimal passphrase that you can still memorize.

We begin with a random word:

house

Not good enough. Any password of fewer than 8 characters drawn from a simple alphabet can be cracked instantly.

thehouse

8 characters! That's cool; however, since an attacker can use dictionary attacks, any password made of simple words can be cracked instantly regardless of length.

th3hous3

Very clever: replacing the 'e' with a '3'. Actually... it isn't. Modern cracking software applies exactly these obvious substitution rules to every dictionary word, so this adds only a handful of candidates per word.

thehousejack

Much better! Since the length has increased to 12 characters, a pure brute-force attack takes considerably longer. However, since the password is still made of simple words, a dictionary attack that combines two or three words remains effective.

Let's evaluate the complexity of this passphrase. The size of the search space for a brute-force attack is N^L, where N is the number of possible symbols per position (the alphabet size) and L is the number of characters (the length).

This password is 12 characters long and draws from a 26-letter alphabet, so the number of possible combinations is 26^12 ≈ 9.5 × 10^16. At roughly 40 billion guesses per second (a rate a GPU rig reaches against a fast, unsalted hash such as MD5 or NTLM, and the rate this figure implies) it would take about 4 weeks to exhaust that space. Two caveats: an attacker who tries combinations of common words instead of all 12-letter strings needs far fewer guesses, and an online login form with rate limiting allows orders of magnitude fewer guesses per second than an offline attack on a stolen hash.

thehousethatjackbuilt

Alright, we have now increased our password to 21 characters. It is recommended to use passwords of more than 16 characters to protect against brute-force attempts. However, our password is still (somewhat) vulnerable to dictionary attacks, all the more so because it is a well-known phrase. Let's expand our alphabet by adding some symbols into the mix and making our letters case sensitive.

Th3hoU5etHatJ@ckbuilt

We have now moved to a case-sensitive alphanumeric alphabet (a–z, A–Z, 0–9), which gives us 62 input possibilities instead of 26, and the @ pushes it a little further still. Good stuff. However, as noted for th3hous3 above, dictionary-aware cracking rules will try exactly these kinds of replacements.

th3_hoU5e#t/at}J@ck=buiIT?

We have increased our passphrase length to 26 characters and have placed symbols between the words and at further random positions (note the capital I standing in for an l in "buiIT"). Because the symbols no longer sit where a simple substitution rule would put them, this protects against both brute-force and dictionary attacks.

Success! Treating the alphabet as 62 symbols, the complexity of this password is at least 62^26 ≈ 4.0 × 10^46 combinations (the real alphabet is larger because of the symbols, so this is a lower bound). Even at the 40-billion-guesses-per-second rate assumed above, exhausting that space would take on the order of 10^28 years. I think we're good.
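To make the arithmetic behind the steps above reproducible, here is a small calculator. It is an added example, not code from the original post: it implements the post's N^L model, the time-to-exhaust estimate, and the attacker's view of the two shortcuts the post mentions (dictionary combination and leet substitution rules). The guess rate of 4 × 10^10 per second is an assumption, chosen because it is the rate implied by the post's "about 4 weeks for 26^12"; the 10,000-word dictionary size and the substitution table are likewise illustrative assumptions.

```python
"""Password keyspace and attack-cost calculator (added example, not from the post).

Models the post's N^L formula and the two attacker strategies it discusses:
brute force over an alphabet, and dictionary / rule-based guessing.
"""
import math
from itertools import product

# Assumption: 4e10 guesses/s, a fast unsalted hash on a GPU rig. This is the
# rate implied by the post's "about 4 weeks for 26^12"; it is not from the post.
GUESSES_PER_SECOND = 4e10
SECONDS_PER_YEAR = 365.25 * 86400

# Alphabet sizes used in the post (and one it does not use, for comparison).
LOWER = 26          # a-z
ALNUM_MIXED = 62    # a-z, A-Z, 0-9
PRINTABLE = 95      # all printable ASCII including symbols


def keyspace(alphabet_size: int, length: int) -> int:
    """N^L: number of candidates a brute-force attacker must consider."""
    return alphabet_size ** length


def entropy_bits(combinations: int) -> float:
    """Keyspace expressed in bits (log2 of the number of candidates)."""
    return math.log2(combinations)


def seconds_to_exhaust(combinations: int, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate at the assumed guess rate."""
    return combinations / rate


def human_time(seconds: float) -> str:
    """Coarse, human-readable duration for table output."""
    if seconds < 60:
        return f"{seconds:.1f} s"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / 86400:.1f} days"
    return f"{seconds / SECONDS_PER_YEAR:.3g} years"


# Assumed substitution table, in the style of a cracker's mangling rules.
LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "5"}


def leet_variants(word: str) -> set:
    """Every string obtained by applying any subset of the LEET substitutions.

    k substitutable letters give 2**k candidates. This is what a rule engine
    enumerates, which is why 'th3hous3' costs the attacker almost nothing extra.
    """
    slots = [(i, LEET[c]) for i, c in enumerate(word) if c in LEET]
    variants = set()
    for mask in product((False, True), repeat=len(slots)):
        chars = list(word)
        for (index, replacement), enabled in zip(slots, mask):
            if enabled:
                chars[index] = replacement
        variants.add("".join(chars))
    return variants


def dictionary_space(dictionary_size: int, n_words: int, variants_per_word: int = 1) -> int:
    """Candidates for an n-word phrase drawn from a word list, with per-word mangling."""
    return (dictionary_size * variants_per_word) ** n_words


def post_examples() -> list:
    """Brute-force cost of the post's candidates: (password, length, bits, time)."""
    candidates = [
        ("house", LOWER),
        ("thehouse", LOWER),
        ("thehousejack", LOWER),
        ("thehousethatjackbuilt", LOWER),
        ("Th3hoU5etHatJ@ckbuilt", ALNUM_MIXED),
        ("th3_hoU5e#t/at}J@ck=buiIT?", ALNUM_MIXED),  # lower bound: real alphabet is larger
    ]
    rows = []
    for password, alphabet in candidates:
        space = keyspace(alphabet, len(password))
        rows.append((password, len(password), round(entropy_bits(space), 1),
                     human_time(seconds_to_exhaust(space))))
    return rows


if __name__ == "__main__":
    for row in post_examples():
        print("%-28s len=%2d  %5.1f bits  brute force: %s" % row)
    # Attacker shortcuts: word combinations and substitution rules.
    print("2 words from a 10,000-word list:", dictionary_space(10_000, 2), "candidates")
    print("same, with 16 leet variants per word:", dictionary_space(10_000, 2, 16))
    print("leet variants of 'thehouse':", len(leet_variants("thehouse")),
          "(includes th3hous3:", "th3hous3" in leet_variants("thehouse"), ")")
```

Running it reproduces the post's 9.5 × 10^16 combinations and roughly 4 weeks for "thehousejack", and shows why length alone is not the whole story: five words from a 10,000-word list are only 10^20 candidates, far fewer than the 26^21 a pure brute-force attack on "thehousethatjackbuilt" would face.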

How secure is my password?

In this tutorial I have walked you through the methodology of creating secure and memorable passwords.

To test your own creations you can use the website below, which estimates how long a brute-force attack would take against a password of that shape.

https://howsecureismypassword.net

Warning: Please DO NOT actually use any real passwords on this website, use a SIMILAR one in terms of complexity.


More Articles like this:
Do you want know about Google alternatives?(Read article)
Do you want to know more about free and open software? (Read article)

Thank you for visiting my blog! If you enjoy my content, you are welcome to follow me for more updates. ᕦ(ò_óˇ)ᕤ
- Nick ( @cryptonik ) -


Really excellent Nik, such a tutorial is essential learning in these unsure times. Over the holiday I spent some time with my nephew who knows much about hacking - he goes on hackathons apparently. Anyways he reckoned that if a hacker specifically targets you then there is actually very little you can do - other than go offline. It is a scary world we live in online these days.
Recently saw an interview with John McAfee, he was asked which was the most secure smartphone - he said it was the Samsung Galaxy S7. His team of hackers tried to hack it for over a year unsuccessfully. He even asked hackers to try and hack his phone. It still has not been hacked. However, you probably saw that a few days ago he got hacked. No, it was not his phone, but his phone company. They hacked in and accessed his phone number on their system and then rerouted it to another phone. That meant that anyone who called him, the call was sent out to another phone. From there the hackers contacted Twitter and other media accounts. When they saw that it came from his phone they gave out the password. In this case it did not make any difference how long or complex the password was. Social engineering and security weaknesses in phone companies are definitely the weakest link IMO.

Very true dear Arthur, social engineering is indeed the weakest point, the human flaws make it happen. I am really not sure what to think of McAfee at the moment, since he started blatantly shilling shitcoins no one has ever heard of before. It was a pretty bizarre week cause he managed to pump quite a few of them...

I heard that McAfee said his twitter account was hacked and it was the hackers who were doing the shilling. Makes you realise that is difficult to know what is the truth these days.

That's right. Arthur do you use any other messaging system like discord or steemit.chat or something where we can connect?

He did shill before and after the hack too tho ;)

Hi Nik, I'm still a bit paranoid lol - but I'm getting there. I miss our chats too.
All I can ask is if it is possible that you can be patient with me. I will probably join steemit.chat but I am also going to open another FB account too. I will let you know.

Can't make my mind up about McAfee - still trying to figure out if he is genuine or not.

That's alright Arthur. I understand. Take all the time you need. As long as you're coming back :) Don't get me wrong, I like McAfee. He is a winner, an achiever and a crazy ass person - in the good way. But I don't like his recent crypto calling.

What do we lack in the crypto world? Developers. What do we have an abundance of? Speculators and memes.

Thanks for being understanding Nik, that is a sign of a true friend.
Totally agree on what you say about the world needing developers. In my blog about being hacked I wrote about how the only thing that could destroy cryptocurrency was hackers. I suggested that we either needed a new type of vault or new technology, otherwise no one's crypto is safe. Some of the comments I got were not nice and said that my thoughts were silly.
However, I saw an article today in the cointelegraph talking about this very thing - here is a section of it:-
"We used to ask ourselves: Where is it better to keep your money, at home in a safe or in the bank? None of these options is ever completely safe. Cryptocurrency is no different: the safety issue is very complex, because there are lots of ways to break into accounts, or to force people to give over their holdings. There needs to be a mechanism ensuring complete safety, because the current options are all lacking. A new technology is needed to protect cryptocurrency."
It seems my thoughts were not so silly after all.

Here is the entire article if you want to read it:
https://cointelegraph.com/news/life-savings-stolen-from-second-hand-ledger-hardware-wallet

Thanks for that article Niko

I still need to improve some of my passwords too, so far I work with only numbers and letters. Maybe some symbols will help strengthen them

Get them symbols into the mix and make those phrases long too :)

Here is a question I have been wondering about lately. You might know. I know it is recommended to use caps, numbers, symbols but if your password is long enough and not some common saying or phrase how do those trying to brute force know if you did or didn't use any of the above? Wouldn't they have to try every possible combination no matter what?

Good point. The attacker actually doesn't think anything, he will just try out passwords and start with simplest combinations because they require less computing power.

First, He tries the really simple stuff: password, password123, 123456, 123456!, secret!, admin...

Then he will move on to test alphabetic algorithms. He will assume that you are one of the majority, and therefore use a letters-only alphabet. That means he only has to test for 26 letters. If you add numbers and symbols you increase the alphabet to 62 characters - it is much more computational effort AND you are in the minority who use complex passwords, so the attacker might skip you. Symbols are uncommon and hard to guess.

This is how to make a password more robust without a crazy length.

But you can totally win by just making your phrase super long. After a certain length it becomes unbeatable (lowest threshold is around 16 chars, I believe). I suggest a phrase above 23 characters.

e.g.:

afrogbrownarejumpyesterdaybefore

32 chars. Pretty much un-crackable.

Good post, upvoted! Many people these days still use very simple passwords.

The method you wrote is a good way to create memorable passwords.

Sometimes attackers make a cracking algorithm that also scans for replaced characters together with dictionary (3,0,5).

I found if you use very long passwords (128+ characters), the user interface often doesn't accept it.

In fact, the Windows 10 passwords cannot even be longer than about 12 characters.

Thanks mate. 128 - LOL, that is just overkill. If you go above 32 characters you can be damn sure it is un-crackable ;)

Awesome post! Passwords are always a tricky thing for me: often I want to keep it as simple as possible so I can log in quickly, but at the same time it has to be super well protected.
That is really a great approach you have shown me here, because I never wanted to just use some random numbers and letters as a password, since I would always have to look it up to log in. But this way you can remember it well.

Haha great! That is exactly what I was aiming for. You can have a secure password that you can still remember. Don't let the 26 characters put you off. You just have to practice it, and the first few times you will always need 5 attempts... but after the 10th-15th time you will have it down and can log in effortlessly, instantly. (It also has something to do with muscle memory :)

Muscle memory, really interesting. I only noticed that two weeks ago. I used to play an online game a lot, and when I wanted to log in again after a two-year break I typed in my password as if I had played just yesterday.

How do you see the security of the exchanges, by the way? If, for example, someone hacked into my Bittrex or Binance account (I don't hold most of my cryptos on the exchange anyway), the hacker's hands would still be tied if I have Google Authenticator, e-mail verification or smartphone verification enabled, right?
What do you think, could a hacker still find a way to successfully empty my wallet?

I will cheekily refer you to my articles one and two on that.

Anything is possible. Social engineering and the phone are the weak points. I would advise keeping the authenticator on a separate device. At the moment Binance is the safest. There is a risk that a Mt.Gox (read up on it) repeats itself at any time, so never leave large amounts there.

Secure password. Different e-mails for exchanges. Separate device with 2FA. Then you are already doing pretty well. And please don't use SMS authentication.

really good tutorial too many ppl just use like 1234 as pw and then wonder how they got hacked, the problem is that these ppl wont read this post i think xD

Haha that is so true. You won't believe how many systems get hacked because the technician was too lazy to change "admin" or "guest" as password.

That’s an amazing analytical view of the security of passwords. Unfortunately you didn’t mention how to memorize them. That is my biggest problem.

Cheers @dbzfan4awhile but you can memorize them cause it's made of words, yes? no? Well, it's better than just a random string of symbols and letters :P

I have a horrible memory, so I'd end up having to write it down and hope to remember where I wrote it down as well, lol. It's my curse. But yeah, I agree completely that it's way better than just a completely randomized string of letters, numbers & symbols.
