
Making Up Passwords - Is There a Method to Your Madness?



chessnerd
January 7th, 2010, 06:00 AM
Changed up my passwords as a New Year's resolution, so I was thinking about passwords recently. I have a method to making passwords that involves a logical, if weird, process. I was wondering if anyone else has a method to their passwords, and, if so, what is it?

My method:

I think of a phrase, like:

For goodness sake, it's as easy as one, two, three

Then convert it to letters

fgsiaeaott

Then I alternate upper and lower case

FgSiAeAoTt

Then I replace letters with numbers if it makes sense and I never repeat the number

Fg514eAo23

Then I convert some of the numbers to symbols

Fg%1$eAo@3

Then I do some extra housekeeping (like convert the % to a $ because that's more like an "s")

Fg$1Ae4o@3

And, voila, all done.

Complicated, but it gets the job done and it's relatively easy to remember the new password, but pretty hard to guess/crack.

Any possible improvements you can see on my current method wouldn't be bad. (So, does this mean that I open-sourced my password algorithm? :P)

Important: No, I don't use that as a password. Also, if you share a method, don't give an actual password that you use.

user1397
January 7th, 2010, 06:06 AM
I would share mine except in doing so you could probably hack into all of my accounts. :popcorn:

Gizenshya
January 7th, 2010, 06:06 AM
Mine is simple. My password is always "dumbass."

RiceMonster
January 7th, 2010, 06:08 AM
I usually set my password to hunter2

FuturePilot
January 7th, 2010, 06:11 AM
If you can call random a method.

chessnerd
January 7th, 2010, 06:12 AM
> If you can call random a method.

Does this mean that you use a random password generator, that you randomly come up with passwords, or are you saying that my method is random?

FuturePilot
January 7th, 2010, 06:13 AM
> Does this mean that you use a random password generator, that you randomly come up with passwords, or are you saying that my method is random?

Generate random passwords.

Gizenshya
January 7th, 2010, 06:16 AM
> ... or are you saying that my method is random?

I hope he wasn't implying that. If he was, then he would be a great example of what my password represents.

Just to be clear, your method is not random in any sense of the word.

chessnerd
January 7th, 2010, 06:18 AM
> I hope he wasn't implying that. If he was, then he would be a great example of what my password represents.
>
> Just to be clear, your method is not random in any sense of the word.

The phrase I come up with is random (to a point) but otherwise, yeah, it's not very random. Not sure if that is good or bad. It's bad in that it's probably easier to crack, but it also makes it easier for me to remember so I don't forget it after I just came up with it (which is what happened when I first tried using a password from a random generator).

MooPi
January 7th, 2010, 06:19 AM
I work with this guy that uses xxxx. Why even have one?

schauerlich
January 7th, 2010, 06:22 AM
I have a random string that I've committed to memory, and I insert various tidbits relating to the particular site/thing I'm logging into in the middle of it.

chessnerd
January 7th, 2010, 06:28 AM
> I have a random string that I've committed to memory, and I insert various tidbits relating to the particular site/thing I'm logging into in the middle of it.

For the longest time I did a nearly identical thing in that I had a random string (it was sl7ap (Spock, live long and prosper)) that I would then add letters and digits to the end of (for my Gmail I added gwc4 (Google will conquer all)). It was a decent system that seemed safe, but was easy to remember.

ticopelp
January 7th, 2010, 06:29 AM
In the past, a random proper name with some of the letters changed to numbers or symbols, plus a random four-digit number, then a three-letter abbreviation. Helps me remember. Every once in a while I shake up the formula to keep things fresh. I'm not using this exact method now, for example.

Gizenshya
January 7th, 2010, 06:30 AM
> The phrase I come up with is random (to a point) but otherwise, yeah, it's not very random. Not sure if that is good or bad. It's bad in that it's probably easier to crack, but it also makes it easier for me to remember so I don't forget it after I just came up with it (which is what happened when I first tried using a password from a random generator).

If it's good enough for you, then that's fine. After a certain point, the law of diminishing returns comes into effect. If it is so hard to remember for you that you forget it, then that con probably outweighs the pros. As long as you have a pass at least a dozen or so characters and good password etiquette, you're probably fine.

I was just saying your post wasn't random. Alternating every other character in any way, as in 0101010101, reduces possibilities. Ruling out consecutive characters or multiple of the same character rules out more possibilities. When it's all said and done after your method, the vast majority of possibilities have been ruled out, leaving a much smaller pool of possibilities to crack in the event of someone trying to crack it. That in-and-of-itself does not really matter... unless those cracking know that you've taken out those possibilities. Since you have, they can take out those possibilities from their pool and crack it many times faster (probably billions or trillions of times faster), whatever your password is. And no, that isn't an exaggeration. Assuming, of course, 1. that that is the method you actually use, and 2. that you didn't make any mistakes in following your method.

And no, I won't calculate out the possibilities for you :p
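
Added example, not part of the thread: a rough count of the search space for the phrase-initials method from the first post, next to a uniformly random 10-character password. The look-alike table and the two-phase case alternation are assumptions made for this sketch, and the phrase is the sample one from the first post.

```python
import math
import string

# Assumed look-alike table, constructed for this example (the post gives no full table).
# Each listed letter may stay a letter, become its digit, or become that digit's
# shifted symbol, so it has 3 renderings; every other letter has 1.
LOOKALIKE = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5", "t": "7"}
CASE_PHASES = 2  # assumption: alternation can start on upper or on lower case


def bits(space: int) -> float:
    """Size of a search space expressed in bits."""
    return math.log2(space)


def random_space(length: int) -> int:
    """Passwords drawn uniformly from the 94 printable ASCII characters."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return len(alphabet) ** length


def method_space(length: int) -> int:
    """Upper bound on what the method can emit when the phrase is unknown.

    Treats every initial as a uniformly random letter and ignores the
    'never repeat a number' rule; both simplifications overstate the space.
    """
    per_position = 26 + 2 * len(LOOKALIKE)
    return CASE_PHASES * per_position ** length


def phrase_space(phrase: str) -> int:
    """Outputs reachable from one known phrase."""
    initials = [w[0].lower() for w in phrase.split() if w[0].isalpha()]
    total = CASE_PHASES
    for letter in initials:
        total *= 3 if letter in LOOKALIKE else 1
    return total


if __name__ == "__main__":
    phrase = "For goodness sake, it's as easy as one, two, three"  # phrase from the post
    for label, space in [("uniform random, 10 chars", random_space(10)),
                         ("method, phrase unknown", method_space(10)),
                         ("method, phrase known", phrase_space(phrase))]:
        print(f"{label:26s} {space:>22,d}  {bits(space):5.1f} bits")
```

The "phrase unknown" figure is an upper bound, since real phrase initials are far from uniformly distributed.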

chessnerd
January 7th, 2010, 07:03 AM
> If it's good enough for you, then that's fine. After a certain point, the law of diminishing returns comes into effect. If it is so hard to remember for you that you forget it, then that con probably outweighs the pros. As long as you have a pass at least a dozen or so characters and good password etiquette, you're probably fine.

Very true.

> Alternating every other character in any way, as in 0101010101, reduces possibilities.

A fair point. In practice the method isn't that strict. I sometimes do lower case then upper case and in the final part where I do tweaking I often change it up again, but it's still a valid criticism. For instance, if this was a program that I was writing (which I might do with this) I would fix the code to make it more random after this suggestion.

Rashedul
January 7th, 2010, 07:12 AM
Ah, the law of diminishing returns... About 6 years ago I decided to compress a valuable folder into a password-protected rar archive. After some time had passed I forgot about the rar file, and the password was so incredibly perfect that I completely forgot it too. I still have the file saved, in hopes that one day I will have a fast enough computer to brute force open that bank of lost memories in just a few minutes. Here is to hoping.... Happy New Year!

As for the original topic... and then I ... and that is how I come up with my passwords.

magmon
January 7th, 2010, 07:15 AM
I get a randomly generated password, and if it is discovered, I turn it backwards.

schauerlich
January 7th, 2010, 07:28 AM
> For the longest time I did a nearly identical thing in that I had a random string (it was sl7ap (Spock, live long and prosper)) that I would then add letters and digits to the end of (for my Gmail I added gwc4 (Google will conquer all)). It was a decent system that seemed safe, but was easy to remember.

My random string is much more random :)

Icehuck
January 7th, 2010, 07:30 AM
Depending on the machine I'm using I have a few ways of doing passwords. Home desktop that doesn't need security. I go by the month and the current year. So Jan2010, and Feb2010 and I have it set to cycle every 30 days.

Laptop passwords go by the name of the girl for the month on my calendar. This month is Kimberly2010. Cycles every 30 days.

For work it's a long password that usually is based on two words and mixed in with letters/symbols. Sometimes I base it on a sentence. For example, 1h@73myb0$$n0w (I hate my boss now). Cycles every 45 days.

Edit - When I have to reset a user's password I try to make it as challenging to type as possible (e.g. 12kaK>3241$$ffo0a32H)

fromthehill
January 7th, 2010, 09:36 AM
1. make a sentence that has something to do with the thing it is for
faxserver which doesn't work the way I want to = fax does not work

2. translate with google translate
fax doesn't work = ファックスは動作しません

3. romanize
ファックスは動作しません = fakkusuwadosashimasen

I don't know if it makes sense
I don't get why my colleagues are irritated when they have to log in to those servers with ssh :P

jwbrase
January 7th, 2010, 10:56 AM
Well, I've been known to use passwords that have been assigned to me in the past (such as high school network passwords). I have also been known to take personal data and "code talk" it.

For example, say my social security number were 123-456-7890 (not, of course, my SSN, and probably not a valid one either).

The first two numbers I might convert to a letter: l (the twelfth of the alphabet).

The second two I might convert into a hex number, which would then be converted into an opcode mnemonic from the x86 instruction set: 34 -> 22 -> AND.

The next three numbers (567), might get encoded in base 9: 700

For the next number, I might choose a random language from this list (http://www.zompist.com/numbers.htm), and translate the number into that language. I'll use Tocharian A for this example. 8 -> oka:t (turning the diaeresis into a colon for easier typing).

The last two digits I might convert to ASCII. 90 (decimal) -> Z.

At the end, I have "lAND700oka:tZ". Then all I have to remember is something like "SSN, letter, instruction, octal, tocharian, ASCII", and I get a very random 13 character password out of the deal. None of the elements are at all secret (SSN is supposed to be), but the fact that I use them in that combination is. I could use any bit of personal data other than my SSN, and even my SSN I could encode in a million different ways.