How to create and remember a secure password
Web Services Technologies / December 19, 2019
Most hackers do not bother with sophisticated methods of stealing passwords. They go for easy-to-guess combinations. About 1% of all currently existing passwords can be guessed in four attempts.
How is this possible? Very simply. You try the four most common combinations in the world: password, 123456, 12345678, qwerty. On average, such a pass opens 1% of the "safes".
Say you are among the 99% of users whose password is not that simple. Even then you have to reckon with the performance of modern cracking software.
The free program John the Ripper, which is publicly available, lets you test millions of passwords per second. Some specialized commercial products claim a rate of 2.8 billion passwords per second.
The cracking program first runs through a list of the statistically most common combinations, and only then moves on to a full dictionary. These lists are updated to follow trends: over time, the way people choose passwords changes slightly, and so do the lists.
Over time, all kinds of web services and applications decided to forcibly complicate the passwords their users create. They added requirements that a password have a certain minimum length and include digits, uppercase letters and special characters. Some services took this so seriously that coming up with a password the system would accept became genuinely long and tedious.
The key problem is that almost no user actually generates a password that resists guessing; they merely try to meet the system's minimum requirements for the password's composition.
The result is passwords like password1, password123, Password, PaSsWoRd, password! and the incredibly unpredictable p@ssword.
Imagine you need to alter your password spiderman. With high probability it will turn into $pider_Man1. Original? Thousands of people will change it by the same or a very similar algorithm.
If an attacker knows these minimum requirements, the situation only gets worse. For this reason, imposing complexity requirements does not always provide better security, and often creates a false sense of it.
The easier a password is to remember, the more likely it is to end up in the dictionaries of cracking programs. In the end, a really secure password is simply impossible to remember, and therefore it has to be recorded somewhere.
According to experts, even in this era of digital technology people can still rely on a piece of paper with passwords written on it, kept in a place hidden from prying eyes, for example in a purse or wallet.
However, a list of passwords does not solve the problem. Long passwords are hard not only to remember but also to type. The situation is made worse by the virtual keyboards of mobile devices.
Interacting with dozens of services and websites, many people leave a trail of identical passwords. They try to use the same password for every site, completely ignoring the risks.
Some sites act as a nanny, forcing you to complicate the combination. As a result, the user simply cannot recall how he had to modify his standard password for that particular site.
The scale of the problem became fully clear in 2009. Because of security holes, hackers managed to steal the login and password database of RockYou.com, a company publishing games on Facebook. The attacker put the database in open access. In total it contained 32.5 million records with user names and account passwords. Leaks had occurred before, but the scale of this event showed the whole picture.
The most popular password at RockYou.com was the combination 123456. It was used by almost 291,000 people. Men under 30 mostly preferred sexual themes and vulgarity. Older people of both sexes often turned to a particular area of culture when choosing a password. For example, Epsilon793 does not seem like such a bad option, except that this combination appeared in Star Trek. The seven-digit 8675309 appeared many times because this number featured in a song by Tommy Tutone.
In fact, creating a strong password is a simple task: it is enough to make up a combination of random characters.
You cannot create a perfectly random combination in the mathematical sense in your head, and that is not required of you. There are special services that generate truly random combinations. For instance, random.org can create passwords like these:
- mvAWzbvf;
- 83cpzBgA;
- tn6kDB4T;
- 2T9UPPd4;
- BLJbsf6r.
This is a simple and elegant solution, especially for those who use a password manager.
Unfortunately, most users continue to use simple, unreliable passwords, ignoring even the rule "a different password for each site". For them, convenience is worth more than safety.
Situations in which the safety of a password can be compromised can be divided into 3 broad categories:
- Casual, in which someone you know tries to guess your password based on what they know about you. Often such an attacker only wants to have a laugh, learn something about you or play a dirty trick.
- Mass attack, in which the victim could be absolutely any user of certain services. Here specialized software is used. The attacker chooses the least-protected sites, those that allow many password attempts in a short period of time.
- Targeted, combining guesswork from hints (as in the first case) with the use of specialized software (as in the mass attack). Here we are talking about attempts to obtain really valuable information. Only a sufficiently long random password helps, one whose guessing would take time comparable to the length of your life.
As you can see, the victim can be absolutely anyone. Statements like "nobody will steal my password because nobody needs me" are irrelevant, because you can end up in such a situation by chance, by coincidence, without any visible reason.
Those who hold valuable business-related information, or who are in a conflict with a financial basis (e.g. division of property in a divorce, business competition), should take password protection even more seriously.
In 2009, Twitter (the entire service) was compromised just because the administrator used the word happiness as a password. A hacker guessed it and posted it on the website Digital Gangster, which led to the hijacking of the accounts of Obama, Britney Spears, Facebook and Fox News.
Acronyms
As in every other aspect of life, we always have to find a compromise between maximum security and maximum convenience. How to find the middle ground? Which password generation strategy creates robust combinations that you can easily remember?
At the moment, the best combination of reliability and convenience is converting a phrase or sentence into your password.
Choose a set of words you will always remember, and use the first letters of each word as the password. For example, May the force be with you becomes Mtfbwy.
However, since the most famous phrases will be used as source phrases, the programs will eventually include these acronyms in their lists. Besides, an acronym contains only letters and is therefore objectively less reliable than a random combination of characters.
The right choice of phrase solves the first issue. Why turn a world-famous expression into a password? You probably remember some jokes and sayings that only your close circle knows. Say you heard a very catchy phrase from the bartender at a local establishment. Use it.
And yet a password generated as an acronym will hardly be unique. The problem with acronyms is that different phrases may consist of words beginning with the same letters, arranged in the same sequence. Statistically, in every language certain letters occur more often at the beginning of words. Programs will take these factors into account, and the effectiveness of acronyms in their original form will drop.
The reverse way
The solution may be the reverse generation method. You create a completely random password on random.org, then turn its meaningless characters into a memorable phrase.
Services and sites often give users temporary passwords, which are exactly such perfectly random combinations. You will want to change it because you will not be able to remember it, but look a little closer and it becomes obvious: the password does not even need to be remembered. For example, take the next option from random.org: RPM8t4ka.
Although it has no meaning, our brain is able to find some regularity and consistency even in such a mess. To begin with, you will notice that the first three letters are uppercase and the next three are lowercase. 8 is twice (t, for "twice") 4. Look at the password a little longer and you are sure to find your own associations with the proposed set of letters and digits.
If you can memorize a meaningless set of words, use that. Let the password turn into "revolutions per minute 8 track 4 katty". Any conversion that your brain "locks in" better will do.
A random password is the gold standard in information security. By definition it is better than any password invented by a human.
The downside of acronyms is that over time the spread of this technique will reduce its effectiveness, whereas the reverse method will remain just as reliable even if everyone in the world uses it for a thousand years.
A random password does not fall into the lists of popular combinations, and an attacker using the mass-attack method can only find it by brute force.
Take a simple random password with uppercase and lowercase letters and digits: that is 62 possible characters for each position. If the password is only 8 characters long, we get 62^8 = 218 trillion options.
Even if the number of attempts in a given time period is not limited, the most powerful commercial software, at 2.8 billion passwords per second, would spend on average 22 hours finding the right combination. To be sure, add just 1 more character to the password, and cracking it would take many years.
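As an added illustration (not part of the original article), here is a small Python script that generalizes the calculation above: it computes the keyspace, entropy and worst-case exhaustive-search time for several alphabet sizes and password lengths at the article's rate of 2.8 billion guesses per second. The 94-character printable-ASCII alphabet and the chosen lengths are assumptions.

```python
import math

# Added example, not from the article. Alphabet sizes are assumptions except
# the article's own 62 (26 lowercase + 26 uppercase + 10 digits).
ALPHABET_SIZES = {
    "lowercase": 26,               # acronym-style password, letters only
    "letters": 52,
    "letters+digits": 62,          # the article's 62 characters per position
    "letters+digits+symbols": 94,  # printable ASCII (assumed 32 symbols)
}
GUESSES_PER_SECOND = 2.8e9         # the article's commercial cracker rate


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of the given length (e.g. 62**8)."""
    return alphabet_size ** length


def seconds_to_exhaust(alphabet_size: int, length: int,
                       rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every combination at the given guess rate."""
    return keyspace(alphabet_size, length) / rate


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random password, in bits."""
    return length * math.log2(alphabet_size)


def human_time(seconds: float) -> str:
    """Render a duration in the largest convenient unit."""
    units = [("years", 365 * 24 * 3600), ("days", 24 * 3600),
             ("hours", 3600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.1f} seconds"


def crack_table(lengths=(6, 8, 9, 10, 12)) -> list:
    """One row per (alphabet, length): entropy in bits and worst-case search time."""
    rows = []
    for name, size in ALPHABET_SIZES.items():
        for n in lengths:
            rows.append((name, n, round(entropy_bits(size, n), 1),
                         human_time(seconds_to_exhaust(size, n))))
    return rows


if __name__ == "__main__":
    for row in crack_table():
        print(*row)
```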
A random password is not invulnerable, since it can be stolen. There are many options, ranging from keystroke logging to a camera behind your shoulder.
A hacker could also attack the service itself and get the data directly from its servers. In this scenario nothing depends on the user.
A single reliable base
So we have reached the main point. What tactics for using random passwords work in real life? From the point of view of the balance between reliability and convenience, the "philosophy of strong passwords" shows itself well.
The principle is that you use the same base, a super-stable password (and its variations), for the services and websites most important to you.
Everyone is capable of remembering one long and complex combination.
Nick Berry, an information security consultant, allows the use of such a principle provided that the password is very well protected.
There must be no malware on the computer from which you enter the password. Do not use the same password for less important and entertainment sites; simpler passwords are quite enough there, since a compromised account on such a site will not cause any fatal consequences.
It is understood that the solid base must somehow be changed for each site. A simple option is to prepend one letter: the last letter of the site's or service's name. Returning to the random password RPM8t4ka, for logging in to Facebook it becomes kRPM8t4ka.
An attacker who saw one such password will not be able to work out how the password for your bank account is generated. Problems begin when someone gains access to two or more of your passwords generated this way.
Secret question
Some hijackers ignore passwords entirely. They act on behalf of the account owner, simulating a situation where you have forgotten your password and want to recover it via the secret question. In such a scenario they can change the password themselves, and the true owner loses access to the account.
In 2008, someone gained access to the e-mail of Sarah Palin, the governor of Alaska and at that point also a US presidential candidate. The attacker answered the security question, which was: "Where did you meet your husband?".
Four years later, Mitt Romney, also a US presidential candidate at the time, lost several of his accounts on various services. Someone answered a security question about the name of Mitt Romney's pet.
You get the point.
Public or easy-to-guess data must not be used as a security question and answer.
The issue is not even that this information can be extracted from the Internet or from your acquaintances. Answers to questions like "your pet's nickname", "favorite hockey team" and so on are perfectly guessed from the corresponding dictionaries of popular options.
As an interim option you can use the strategy of absurd answers. Put simply, the answer should have nothing to do with the secret question. Mother's maiden name? Diphenhydramine. Your pet's name? 1991.
However, if such a technique becomes widespread, it will be accounted for in the relevant programs. Absurd answers are often stereotyped, that is, some phrases will occur much more often than others.
In fact, there is nothing wrong with using real answers; you just need to choose the question wisely. If the question is unusual and the answer is known only to you and cannot be guessed in three attempts, then everything is in order. Another plus of a truthful answer is that you will not forget it over time.
PIN
A Personal Identification Number (PIN) is a cheap lock that we trust our money to. Nobody bothers to create a more reliable combination of these four (at minimum) digits.
Now stop. Right now. Without reading the next paragraph, try to guess the most popular PIN code. Ready?
According to Nick Berry's estimates, 11% of the US population uses the combination 1234 as a PIN code (where it can be changed).
Hackers pay no attention to PIN codes because without the physical presence of the card the code is useless (this partly also justifies the short code length).
Berry took lists of four-digit passwords that appeared on the network after leaks. It is likely that a person using the password 1967 chose it for a reason. The second most popular PIN is 1111, chosen by 6% of people. In third place is 0000 (2%).
Say a person with this knowledge gets hold of someone's bank card. Three attempts block the card. Simple math shows that this person has a 19% chance of guessing the PIN by entering 1234, 1111 and 0000 in turn.
Probably for this reason the vast majority of banks set the PIN code themselves when issuing cards.
However, many smartphones are protected by a PIN code, and there the popularity ranking is: 1234, 1111, 0000, 1212, 7777, 1004, 2000, 4444, 2222, 6969, 9999, 3333, 5555, 6666, 1313, 8888, 4321, 2001, 1010.
Often the PIN is some year (a year of birth or a historical date).
Many people like to make a PIN out of repeated pairs of digits (and pairs in which the first and second digits differ by one are very popular).
On a mobile phone's numeric keypad, combinations like 2580 make the top of the list: to enter it, you just swipe straight down the middle column.
In Korea, the number 1004 sounds like the word "angel", which makes this combination quite popular there.
Summary
- Go to random.org and generate 5-10 candidate passwords.
- Choose a password that you can turn into a memorable phrase.
- Use this phrase to remember the password.