Ask Slashdot: How Do You Create A Highly-Secure Password?

An anonymous reader writes: A security lab at Carnegie Mellon performed a study on password security recently, and issued a warning about common user misconceptions. For example, 'ieatkale88' would require 4 billion more guesses than 'iloveyou', because 'iloveyou' is one of the most common strings in passwords. And the word 'pAsswOrd' would take 4,000 times more guesses than 'p@ssw0rd', simply because "In modern day password-cracking tools, replacing letters with numbers or symbols is predictable."

But then what passwords are secure in the face of these modern password-cracking tools? As professionals in the IT industry, what advice would you give?
Leave your answers in the comments. How do you create a highly-secure password?

Generators

[Anonymous Coward]

https://www.random.org/passwords/

With a length of at least 10, preferably 20 or more.

Re:Generators

[Anonymous Coward]

Everyone knows that hunter2 is the best password

Re:Generators

[FatdogHaiku]

No, it's correcthorsebatterystaple...
https://xkcd.com/936/ [xkcd.com]
No one would ever guess that.

Re:

[thegarbz]

We're assuming too much. We're assuming that password crackers are doing dictionary attacks, dictionary attacks using multiple words, dictionary attacks using multiple words with capital substitutions, dictionary attacks using multiple words with numeric substitutions, and now dictionary attacks to md5 conversions.

We're very quickly getting to the point where your dictionary attacking password list is longer than the brute force for a typical 8 character password. With all these scenarios at some point we n

Leet speak is not pattern recognition. Non-diction

[raymorris]

> Our ability to remember long passwords is limited without context or patterns.

Certainly true.

> A computer's ability to recognize patterns is however insanely difficult.

"pOs5IbL3" is not pattern recognition, and it is used by common cracking tools. The rules are well known - 3 is interchangeable with E, 0 for O, and 5 for S. Bad guys do those substitutions.

Mainly what it comes down to when choosing passwords is length. Add a few extra characters to the alphabet, using 0,3, and 5 as letters, is fine and all, but you get more bits of entropy by making your password a character or two longer.

To create long passwords that one can remember, a sequence of words is good, but of course attackers have dictionaries. One option to improve it, therefore, is non-dictionary words like unjoyfully, runnableness, or happify (make happy). A sequence of such non-words can be easy to remember and hard to crack.

Re:

[nasch]

Those sorts of things are the most commonly used passwords.

https://www.skyhighnetworks.co... [skyhighnetworks.com]

Re:Generators

[stealth_finger]

Everyone got, it stopped being amusing years ago.

Re:Generators

[Anonymous Coward]

Being strictly paranoid, how can I be sure that all passwords generated on the above site are not logged and added to lists checked by password crackers?

Re: Generators

[Lije Baley]

If you wrap your fingers in tin foil before you type, you will be safe.

Re:Generators

[marcansoft]

Length doesn't matter. What matters is that you use a unique password for everything.

Using a unique password for everything is impractical without making your passwords random (for a secure definition of unique, i.e. you can't guess one password given another one). But once you make them random, it doesn't matter how long they are as long as they're at least 6 (if fully random), preferably 8 (if constrained) characters or so.

Why? Because your password doesn't have to withstand an offline brute-force attack. It has to withstand an online, over-the-network brute-force attack. If the attacker gets your password hash such that they can use an offline attack, they have already broken into that service and have all your data anyway. And, since you use different password everywhere, cracking your password on that service gets them nothing.

Passphrases used to directly generate or wrap encryption keys are the exception to this, of course. Those had better be long.

Me? I use a pwgen-generated password on all sites/services, with the defaults (8 characters, pronounceable), and write them down in an encrypted password file. It's great, because I end up easily remembering the ones I use often, and the rest I look up as I need them. Can you crack those offline? Absolutely. But I couldn't care less; if you already have the hash, there's nothing more you get by cracking it.

Re:Generators

[bigdavex]

Length doesn't matter

Right, password girth is the key.

Re:

[dpidcoe]

actually don't generate a unique password for everything. managing them is difficult time consuming, and ultimately useless.

It doesn't have to be. Use a random password generator to generate something of sufficient length (let's say 6 characters since 8 character minimum is generally a requirement and the next step will put it over the limit). Memorize that random password, use it as the base for everything, but mix in something unique to the website or service using a rule that you can apply consistently.

As a simple example, say I generate uYc2!c as my base password. I might decide to apply the first initial of the site to

just find the hackers' passwords, use them

[swschrad]

oh, wait, you said how do "I" create a secure password. never mind. I just use CowboyNeal's.

Re:

[cyclomedia]

Why is writing it down so bad? Specifically if these are your personal logins and they're in a little black book in a drawer in your house. Aren't they MORE secure, because no amount of remote hacking can read ink off a piece of paper? And if $thief has broken into your house, they're not going to go looking for said little black book - they're going to grab a laptop and a DSLR and get out.

Re:Generators

[njnnja]

I was actually just speaking with a police officer the other day who said criminals don't care much about electronics nowadays because the stuff depreciates so fast if you have a 4 year old laptop it's not worth much after depreciation and the black market discount. Even dumb thieves know to go straight for the bedroom and take the women's jewelry and the men's watches. They also check the top drawer for cash. But yeah, unless you are a high value target for information, nobody is rummaging through your desk for sticky notes.

Re:

[mlts]

Next to keyfile hashes, I am personally partial to KeePass's generator, as it allows you to have custom password formatting and rules, as well as to allow keyboard/mouse input to be added to the randomness pool. This definitely cannot hurt when it comes to unpredictability.

Password Generator

[CastrTroy]

20 character random password generated by KeePass. I have a fairly long 20+ character master password for my password file. Generate a new password for every site in case of a breach. Use 2-Factor authentication wherever possible, especially your email address is this is basically a master key to all your other accounts due to the password reset feature.

Re:

[tepples]

Use 2-Factor authentication wherever possible, especially your email address

What's a good way to do that in countries where it is common practice for cellular carriers to charge per received text message?

Re:

[retchdog]

just pay for the text message? set up an authentication company and negotiate with the carrier to bring sms rates down for auth messages? just use a second website (or even an email) to re-authenticate?

Re:

[tepples]

just pay for the text message?

That can cost hundreds of dollars per year.

just use a second website (or even an email) to re-authenticate?

The context was authenticating to email.

Re:

[tepples]

Legal emigration is far more expensive than an unmetered SMS rider.

Re:

[tepples]

The USA doesn't charge to receive text messages if you pay extra per month for an unmetered text message plan. But not everyone uses text messages heavily enough outside 2FA to justify paying for such a plan.

Re:

[ravenshrike]

Yet pretty much every plan does come with a couple of hundred texts. If you're hitting the limit often enough that 2FA for new devices will kick you over the limit, either you have WAYYYYY too many devices requiring a password or you should probably pony up the $10 extra a month for unlimited texts. If you need the security of 2FA for every login, what the fuck are you doing that doesn't make you enough money to get a proper phone plan?

Re:Password Generator

[AmiMoJo]

No need for SMS messages any more. 2FA via an app is a much better option. There is even an open standard for it (RFC 6238). I use Google Authenticator, but others are available. It doesn't even need internet access, it's time based. Every 30 seconds it generates a new code for each service you add to it.

Re:Password Generator

[thegarbz]

Dear god!

How about use a common easy password for things you don't give a shit about, use a more complicated password for things you do, and reserve your super complicated passwords for things like your banking / email.

We're slowly getting to the stage where a typical day will be spent managing passwords rather than accessing content with them.

Re:

[jafiwam]

20 character random password generated by KeePass. I have a fairly long 20+ character master password for my password file. Generate a new password for every site in case of a breach. Use 2-Factor authentication wherever possible, especially your email address is this is basically a master key to all your other accounts due to the password reset feature.

Why bother? Just make it 20 characters you make up.

Because, you are going to run into "helpful password strength monitors" that want "at least one capital, one lower case, one number and one punctuation character". But which ALSO have a bunch of non-stated rules like "must not have three of the same characters in a row" and "must not begin with punctuation or ";" " and so on.... and you'll still have to search your generated password to remove or change it to suit the dumb JavaScript applet. Or worse, "

ch@nge0ften

[turkeydance]

& d0n't repe@t

GUID

[Frosty Piss]

All of my passwords are 32 char random strings using all the available chars.

The only drawback is that I have to write them down on a yellow sticky.

Fortunately, none of the hackers have physical access to my collection of yellow stickies...

Re:GUID

[NotInHere]

Just don't get a household robot, otherwise it will turn itself on when you sleep and the hacker will guide it to your sticky collection.

Re:

[wonkey_monkey]

the hacker will guide it to your sticky collection.

Wait, what are we talking about?

Re:

[dywolf]

Rule 34.

"available chars"

[NotQuiteReal]

Available characters vary by site. Sometimes with absurdly stingy limits.

Re:GUID

[PopeRatzo]

All of my passwords are 32 char random strings using all the available chars.

I just use my dog's name. Fortunately, I named my dog, "x:65=;V@Y|Dg#OdJ!T"

Easy.

[khasim]

#1. No password re-use. Ever.

#2. Not formulaic.

#3. Not in a dictionary list.

#4. Long. I prefer 32 characters long.

Re:Easy.

[khasim]

#1. But I can't remember all those passwords.
  - use a password manager

#2. But I like the formula I use. It's my name + the website name.
  - no. Just use a password manager

#3. How will I know that my password isn't in a dictionary list?
  - use a password manager and have it generate random passwords

#4. But I cannot remember long passwords.
  - use a password manager

Also, "ieatkale88" can now be cracked in the same number of tries as "iloveyou" or "pAsswOrd" because they are now all added to common dictionaries.

Once you publish your "secure" password someone will add it to a dictionary.

http://arstechnica.com/security/2016/06/how-linkedins-password-sloppiness-hurts-us-all/ [arstechnica.com]

Re:Easy.

[bloodhawk]

unless you run your password manager on a non internet connected stand alone machine I would say this is pretty bad advise from the majority of users. Most users simply don't have the security awareness or safe computer use habits to make a password manager secure, with drive by exploits and malware infesting everything these days putting all your eggs in one basket would be tantamount to internet suicide for many people.

Re:Easy.

[AmiMoJo]

A password manager is the best advice for most people, because the risk of it being compromised is much smaller than the risk of them using poor passwords if they don't have one.

To get at the password manager, drive-by malware has to defeat the browser security, then defeat the OS security, and then defeat the password manager's security. That is assuming that the password manager happens to be open and the database decrypted at the time, if not then stealing that file still requires the cracker to find the master password.

On the other hand, major and minor web sites alike regularly leak user data and passwords. Realistically users to too lazy to come up with really good passwords for every site, or to remember them, or to look through their password book for them. And if malware does get onto their computer, there are easier targets like cookies for sites they are currently logged in to and account numbers stored in documents and spreadsheets, which typically are not encrypted.

I think you also vastly over-estimate the level of malware infestation. Chrome, the most popular browser, is actually extremely secure and so is Windows now. That's why malware has changed from mostly exploit based to mostly trojan based.

Re:

[Jason Levine]

I use Password Safe [pwsafe.org] as my password manager. It's mainly for Windows, but there's an Android app, and appear to be Max and Linux versions as well. There's a portable version so you could use it on a USB thumb drive. The password file can be local or synced with an online source.

Re:

[mark-t]

With regards to point #2, does I matter if it is formulaic if not only does nobody else know the formula you use, but the formula cannot be reverse engineered from the password, almost like a one-way hash? even a very formulaic password can look random when you don't know the formula.

Re:Easy.

[khasim]

Yeah, it matters. Unless you really are using a hash function you probably aren't as unique as you believe.

Remember, the crackers have hundreds of millions of passwords to dig through to find patterns.

Check haveibeenpwned.com to see if your email address has already been compromised. And if so, at how many sites.

Re:

[vux984]

I've been struggling with this for ages.

And the answer is yes it does matter; even if we assumed it's not reverse engineerable.

1) You WILL run into situations that require passwords that reject your formula. Your formula has a digit ... they don't allow a digit. Or your forumula is too long, or too short, or needs a capital letter, or can't contain a fraction of your user name or whatever.

2) You WILL run into situations that require password rotation. And some will be smart enough to reject last months pass

Re:Easy.

[Tom]

#1. No password re-use. Ever.

user-hostile

#2. Not formulaic.

memory-hostile (the mind loves patterns)

#3. Not in a dictionary list.

memory-hostile (the mind recalls the known better than the unfamiliar)

#4. Long. I prefer 32 characters long.

user-hostile

Thank you for explaining in just four points why normal users think that security dudes are assholes and sabotage the rules made by them wherever they can.

Use an application or OS that allows passphrases

[pjbgravely]

Using a very long passphrase rather than a password is the safest thing. How is anyone going to crack "Mydogateachickenandnowisi$ickwiththegout". It is very easy to remember. You have to make sure the app/OS uses the whole thing, not just silently truncates it.

Re: Use an application or OS that allows passphras

[ljw1004]

I would never remember the extra "I" before the $...

Re:

[pjbgravely]

Sorry, typo.

Re:

[Wycliffe]

Using a very long passphrase rather than a password is the safest thing. How is anyone going to crack "Mydogateachickenandnowisi$ickwiththegout". It is very easy to remember. You have to make sure the app/OS uses the whole thing, not just silently truncates it.

Even if an application or OS doesn't support long passphrases, you can still use an abbreviated passphrase. The common one is the first letter of each word in your passphrase but there is no reason that you can't use the 2nd letter, the last letter, or some memorized sequence like "first-last-second". Using your passphrase above: "My dog ate a chicken and now is $ick with the gout" and "first-last-second", your passphrase becomes: "Mgtannnsiweo" Throw in a few number and symbols and uppercase letters

Re:

[NotQuiteReal]

"sorry spaces not allowed"

Song lyrics

[Okian Warrior]

I like to use the 1st letters of song lyrics and other phrases that are easy to remember.

For instance, the wireless password for my home is "luitsiabiapis". Which is an acronym of "look, up in the sky... it's a bird, it's a plane, it's superman".

Take any song lyric that you like and that matches the format. The geneaology website login might be "iodagos", which is "in olden days a glimpse of stocking".

I have pretty-much no problem remembering my passwords.

Re:

[DES]

I like to use the 1st letters of song lyrics and other phrases that are easy to remember.

inb4 someone scrapes IMDB, LibraryThing and AZLyrics and creates a passphrase dictionary.

http://www.jbonneau.com/doc/BS... [jbonneau.com]

Make up a phrase

[Archfeld]

I use or make up a phrase that I can remember and use the first or last letters in each word for the password.
example not in use :

This is my #1 bank password phrase choice.

Tim#1bppc. or ssy#1kdee.

Relevant xkcd comic

[suupaabaka]

xkcd covered this a while ago. [xkcd.com]

I use this now. Not the actual passphrase, but the principle.

Re:

[Selivanow]

The only problem being sites that don't support passwords over X amount of characters. They suck.

Re:

[jargonburn]

AhX87P! is far more secure than "Little jack horner played in the corner eating his" will ever be, even if the second one is much longer.

I disagree with you on that point, AC.
In the almost worst case, "Little jack horner..." (where the attacker had a LOT of specific information about how you selected your password), figure something like 30k possibilities. Again, I'm talking about your roommate or family member; someone who knows you very well.
Truly, that's a poor contrast with the ~22 trillion possibilities of an 7-printable-characters-long password.
On the other hand, if we're just doing a dictionary attack based on a 2,000 word (assume

Simple CGI script

[DRichardHipp]

https://sqlite.org/random-pass... [sqlite.org] shows example output with a link to the source code.

SHA256.

[0100010001010011]

echo -n "<mypassword>|<username>+example.org" | sha256sum | cut -c1-20

Need to change all my passwords? Change the cut or my password.

Re:

[Cassini2]

Go truly random:

head -c 80 /dev/random | base64

Grab a random sequence of characters that you think you can type reliably.

Re:

[PPH]

The down side to this (compared to the simple string | sha256sum | cut) is that I can't reproduce it if I forget it. I can remember my simple string and cut points.

Re:

[0100010001010011]

That's exactly why I use it. I don't need a password keeper, I can just make my password on any device that can do a hash. If it comes to it I could do it by hand.

It's unique to both every site and every username I use at the site. And I can use to use the full hash if a site will allow it.

Even if it gets leaked as plain text it'll never work for another site short of someone cracking sha256. If you want to protect against rainbow tables switch to a different delimiter to add entropy.

Just changing the "-n"

Use a sentence

[manu0601]

Use a sentence. This is easier to remember and way much longer than random-characters. For improved security against dictionary attacks, you can add typos.

Example: "Little pyg, little pig, let me in!"

morse code

[Anonymous Coward]

It's simple. I come up with a short word. Then I translate the word into morse code, with SHIT as the the dot and FUCK as the dash. For example, HORSE becomes SHITSHITSHITSHITFUCKFUCKFUCKSHITFUCKSHITSHITSHITSHITSHIT. That's actually a very strong password.

Use lots of non-standard characters with accents

[sandbagger]

In addition to using a random string generator (easy enough to find on-line), add accented characters.

Re:

[DES]

Don't use accented characters, or anything outside ASCII. You don't know how they will be encoded and transmitted.

(And don't say “UTF-8”, because a *shitload* of software still doesn't handle character encodings correctly. You can rely on your browser to do so, and maybe on the site's HTTP server, but you have no idea what sort of yahoo wrote the backend.)

Apply an easy to remember algorithm.

[willy_me]

Apply something specific to you - such as the first 3 letters of 4 pets you have / grew up with. Take "Rufus, Hobbs, Chipper, Stinky" and turn it into "RufHobChiSti". Or how about the different street names you have to walk along to go from home to school. Lots of combinations are possible, the point is to figure out something you can remember. In order to remember it has to have some personal meaning otherwise you would just use random numbers.

What I do is I have a common password which is then twea

Am I the only one who uses Lastpass?

[mark_reh]

The thing I don't understand is the variation in password acceptiblilty from one site to another. Some sites don't allow special characters, or only certain ones, some limit passwords to 12 characters, some 16, etc. Why on earth are there any limits to usable characters and why are any limited to less than 64 characters?

No One Else Uses This One.

[Pauldow]

I use eight asterisks as my password so I can see it when I'm typing it in.

A bit of an essay...

[Sarten-X]

In an offline cracking scenario, the number of possibilities is what counts, not which possibility you used. That means users should have the option of simple or short passwords, but should use long ones. For ease of use (more on this later), a passphrase of several words and punctuation is appropriate. Don't mandate the use or exclusion of any particular symbols, because that reduces the search space, and similarly reduces the time to break the password. In a famous example [xkcd.com], "correct horse battery staple" is far more resistant to brute-force attacks than something complex like "Tr0ub4dor&3".

In an online cracking scenario, uniqueness is what counts. If an attacker has harvested your password from one location, they will try to use it to access another. Make sure every password you use is unique. Dumb tricks like appending the site name to a common password are easily caught by attackers, so they don't improve security much. The best way to mitigate the risk of an online attack, then, is use a trusted password manager to create and store your passwords, so every location has a long unique password. This is the approach I use, and most of my passwords are 24+ characters, randomly generated, and all unique.

For universal access, I keep my password manager's encrypted database files in a cloud storage service that my phone can access. Even if that storage is compromised and my file is stolen, it's useless without my master password, which is of course different from every other password for any other purpose.

If you're ever designing a system to handle authentication, the best solution is to not do it. Thanks to standards like OpenID and OAuth, you can connect your services to someone else's authentication, because they're far more likely to handle it correctly.

If you must do your own authentication, use sane policies. Require long (10+ characters) passwords, but don't force numbers or symbols. Requiring a number in a password cuts the password's resistance to brute-forcing by about half (very roughly speaking, and noted in TFS). Make sure nothing in your application interferes with the use of password managers, which often use the system clipboard to copy/paste passwords. To improve user experience, avoid asking for the password at all, instead using an expiring authentication token to reinstate a previous session. The less often a user has to type their password, the less averse they'll be to having a long and secure one.

On the back end, if you must store passwords, make sure they are hashed using a modern secure algorithm (AES-256, SHA-2 or SHA-3) and salted, and do that as soon as possible in your back-end processes. No, your users do not need a way to recover their old passwords. They need a way to reset their password to a new value, and that should only happen by using two separate forms of ID (like a phone call to customer support verbally confirming security questions and an email to the address on file). Those security questions should also be as unrestricted as passwords. Allowing the user to enter open-ended prompts allow the user to use prompts that are only meaningful to them, and are thus much more difficult to find an answer on social media.

Above all else, do not take advice from others, including me and this post, without understanding the reasoning behind it. Computer security is steeped in several decades of little more than superstition, relying on "common knowledge" that often turns out to be incorrect. It may start out well-intentioned, but the implementation is usually missing a key detail, undermining the security of the whole system.

Re:

[Sarten-X]

You're not really wrong. In fact you're technically correct, which I have on good authority to be the best kind of correct.

TL;DR: Using passphrases is an easy way to get a secure password, but the benefit is mostly for the human user. As long as the service doesn't require words, a word-based brute-force attack isn't really more feasible. Use a password manager, and life is easy.

For consistency and clarity, let's first define the problem space: a fast (but not infinitely fast) offline brute-force attack aga

Re:

[serviscope_minor]

Another nice trick is (if it's a website):

Load the page in firefox.
Open about:config in a new tab
Search for "clipboard"
Disable clipboard events.

After that, firefox won't pass clipboard events to Javascript to fuck with, so copy/paste is restored to input fields. You'll need to re-enable it though if you want to use something like google docs, since that does rely on overriding copy/paste for legitimate reasons.

secure passowrd? stop using 1 factor

[DaEMoN128]

The longer the password req, the harder it is for normal users to remember them. I keep a 30 ish character password for my real accounts. I see folks having trouble with 14 characters.. writing down hints, doing keyboard runs, reusing passwords all over the place. How bout we stop using 1 factor authentication (something you know, 2x in normal logins) and kick it up to 2 or 3.. Say go to a smart card with identity certs on them and a pin, or a token, pin, biometric combo?

Childhood memories

[T1girl]

Perhaps include the house number or phone number of a place where you lived years ago, or a scrambled version of an imaginary name you had for yourself, or a candy brand that is no longer made? The older you are, and the more secretive, the more material you might have to work with.

McDonalds

[Jarik C-Bol]

String together a couple of the 'play online' codes from McDonalds monopoly game pieces. Random numbers and letters, just capitolize at your discression. You can even keep them in your wallet for refrence without much risk of giving away your password, because everyone has a few of the damn things floating around for months after the promotion ends.

PasswordSafe

[Todd Knarr]

I delegate creating passwords to PasswordSafe. The current standard policy is 15 characters, requires at least 2 lowercase letters, 1 uppercase letters, at least 1 symbol. The password database is backed up and available to my devices via a server I control. I've been steadily increasing the password length as hardware improves.

A long random string... but you have to store it.

[FlyHelicopters]

e4kss$$%Jjsov..>32\][[wDGAPz0.qpaWW=-nveke

That would be a shocking secure password... but it isn't something you can remember, or type easily.

A password manager works, but now you have moved the vulnerability to a new place.

Song Lyrics?

[Vegan Cyclist]

If you don't mind a slightly longer password, lyrics to a song are a good way to go. Best choose something a bit more obscure.

How long? Well, that depends...

[geekmux]

...on how big the rainbow tables have gotten.

Also, regardless of the low-sodium health push these days, it would be nice if more vendors used a little salt.

I mean, it's not like that's a new concept or anything...

Poetry

[Space cowboy]

So one of the (at the time) drawbacks of my UK education was that we had to learn poems off by heart for the English Lit. exam. At the time I thought it was just about the most boring part of the curriculum, but now they're a treasure trove of password sources...

Example (no, I don't use this one). One of the poems we had to learn was "Dulce Et Decorum Est"...

Bent double, like old beggars under sacks,
Knock-kneed, coughing like hags, we cursed through sludge,
Till on the haunting flares we turned our backs
And towards our distant rest began to trudge.
Men marched asleep. Many had lost their boots
But limped on, blood-shod. All went lame; all blind;
Drunk with fatigue; deaf even to the hoots
Of tired, outstripped Five-Nines that dropped behind.
Gas! Gas! Quick, boys! – An ecstasy of fumbling,
Fitting the clumsy helmets just in time;
But someone still was yelling out and stumbling,
And flound'ring like a man in fire or lime . . .
Dim, through the misty panes and thick green light,
As under a green sea, I saw him drowning.
In all my dreams, before my helpless sight,
He plunges at me, guttering, choking, drowning.
If in some smothering dreams you too could pace
Behind the wagon that we flung him in,
And watch the white eyes writhing in his face,
His hanging face, like a devil's sick of sin;
If you could hear, at every jolt, the blood
Come gargling from the froth-corrupted lungs,
Obscene as cancer, bitter as the cud
Of vile, incurable sores on innocent tongues,
My friend, you would not tell with such high zest
To children ardent for some desperate glory,
The old Lie; Dulce et Decorum est
Pro patria mori.

"The old lie" being "It is a great and glorious thing to die in the service of one's country". Anyway, take the N'th character of every line - easiest is the first, until you get the number of characters you need. It's easy to remember if you know the poem, it gives you a completely unintelligible password, and it's easy to make a password hint that's opaque to pretty much everyone but you.

Has worked for me for ages. (I'm very old, compared to you yound whippersnappers hanging around /. recently).

Simon

pass phrase

[bloodhawk]

If I left my Answer of how then it would not be a highly secure mechanism anymore. However for my moderately security sensitive passwords I usually use a pass phrase combined with capital's, numbers and non alpha numeric characters. e.g. Security thru Obscurity could become "5eCur!tythru0bsCur!ty" incredibly easy to remember and incredibly difficult to brute force or guess

Re:

[bloodhawk]

PS: the important rule with pass phrases is DON'T use something common. pick something that has some meaning to you and combine it with some rules about when to substitute letters/numbers/symbols. It isn't hard to come up with something that is easy to remember while being highly unpredictable.

pwgen

[PurpleAlien]

~ $ pwgen -y -s 20

Combo of Latin & Ebonics.

[zenlessyank]

There are many ways to make a password. Use your imagination. Also note that a lock-out policy on failed attempts means more than ANY fucking password. It is usually built into the system...USE IT!!!

/dev/random or /dev/urandom

[twistedcubic]

head -c 20 /dev/urandom | uuencode -

Replace 20 with whatever you desire, and if you're misinformed or paranoid, use /dev/random instead of /dev/urandom.

Re:

[twistedcubic]

If you want "regular characters", use a longer string with base 64 encoding:

head -c 30 /dev/urandom | uuencode -m -

Put it in your wallet, and use it until it is memorized. This may take months, but once you have it memorized, you can use it to encrypt more passwords for years to come.

dog and kids

[clovis]

What I find is the hardest part about changing passwords is getting my kids and dog to accept their new names.

Use a password manager and password generator.

[Chas]

I use a password manager and try to make passwords as long as the app or site will allow me.
The bitch is, a lot of sites and apps artificially limit password length at around 10 characters.

I have two methods

[TigerPlish]

1. Have my password vault spew out (hopefully) random noise made up of uppercase, lowercase, numbers and special characters and use that.

2. Just randomly swipe a finger across, up and down and diagonally across my keyboard, hitting this and that and that other thing, while being in my password vault's password field for whatever it is I'm creating.

3. A phrase from a book or film, further obfuscated in some way.

The idea is, however, that no two logins share a password. I don't even know my passwords, I'm

Re:

[TigerPlish]

OK, so that's 3 methods. Math hates me.

Use a Password Manager

[TechyImmigrant]

For all your passwords, use a password manager. Have the manager make 20+ character passwords. Make them different for each site.

The basic requirements are (1) Runs on your phone, PC and Mac. (2) Can use a shared password file on a network drive like dropbox or Google Drive. and (3) isn't a pain to use.

I get by with Keeppass2. It has clients that support the file format on all the platforms (E.G. I use KylePass on MacOS).

The Bigger Question

[ytene]

Is there a more interesting question to ask here?

Have we reached the point where the concept of the password itself is no longer either appropriate, or adequately secure? For example, should we be recommending use of multi-factor and/or multi-channel solutions?

A useful question to ask is, "Where do you have to place your trust?" For example, many respondents to this thread recommend using a password manager.cOK, but how many of those people are aware of the emergence of specific threats targeting password managers, or that some solutions have been found to be insecure? How many people come to rely more and more heavily on a smartphone or similar personal device - a single object that can give access to web, email and voice authentication vectors - yet which is one of the most heavily-targeted platforms from a threat perspective?

I am not trying to denigrate the many excellent answers given here, but I wish to point out the risk that we are taking by asking this as a closed question ("How do you create a highly-secure password?") when changing the question slightly (for example, to "What are the most pragmatic and reliable secure authentication mechanisms available?").

As technology consumers, maybe we should be a bit more demanding about the solutions we are offered. Maybe it would be nice if we had a trustworthy and independent third party that offered a security audit rating system for commonly used service providers, like banks? This alone would drive down a lot of the risk, because to so e extent breaches can be facilitated by bad practices on the part of the service providers...

But other options could consider available variation on the themes of something you have, something you are and something you know. Services should allow us to set our security based on a selection of two or more of that trinity, with a range of options for each... Here's a bad example... Suppose that the fingerprint reader on new Apple iDevices had an exposed API. Then suppose that a web site authentication engine integrated with this, over a secure SSL channel. You go to the site, you tap the option for fingerprint reader, then you put your pinky on the sensor.... What would it take to engineer that securely? In a combination with even the most basic of known passwords, wouldn't that be much more secure?

Or what about something you have? How many people drive a vehicle with a remote control unlock mechanism? One German manufacturer uses a supposedly very secure rotating key mechanism that never sends the same release code twice... What if we used the same principle and allowed people to connect their car key to their keyboard via Bluetooth, using the same or similar principle to integrate an everyday object like a car key as a "something you have" factor?

Both of these are spur-of-the-moment suggestions and likely flawed, but I just wanted to push us past the idea that the right solution is still a password. Respectfully, that's still only single-factor and thus still implicitly weak.

lies and statistics

[Tom]

The first thing you need to do is stop listening to statistics someone else faked.

Of all the various ways in which attackers can gain passwords, only two involve cracking them (brute-force and cracking a password database). One of them should be a non-issue, because any software or service that doesn't protect against brute-force is fundamentally broken and shouldn't be trusted with your password anyway. Make your password "a", save everyone the trouble. For a password database crack, firstly the security of the server already failed, and then you're at their mercy a second time because if the password is stored unencrypted, you're fucked. If the password is stored hashed but not salted, you are pretty much fucked. And if the password is properly hashed and salted, congratulations you have the one scenario where a good password actually matters.

In all other attacks on your password, from phishing to shoulder-surfing and keyloggers, it doesn't matter how good your password is, how long it is or how complex it is.

So, if you are really so concerned about the one scenario that you are ready to type V9AnKH5Crpfukuy5gAFB till the end of your days, go to https://www.random.org/passwor... [random.org] and fire it up. Because all the hints you find on making a "good" password are also known to the people writing password crackers and coded into the pertubation algorithms. True randomness is your best bet.

The one thing that matters, and there's an article about it but I'm too lazy to google it, is length. Length > Complexity. "aaaaaaaaaaaaaaa" is more secure than any variation of 8 characters ever will be, simply because, at least until this post, no password cracker would run the chain like a, aa, aaa, aaaa, ... to arbitrary length.

IMHO, and I am an expert in the field and given speeches about password security, forget all the "password complexity" rules, they are all bullshit. They're the safety net that makes sure that "password" is not a legal password on your system. But the world continuously invents better idiots, so "password1!" is and you're fucked anyway.

Re:

[Rick Zeman]

Darn it. Too slow. Oh well.

Re:Everyone knows

[Rick Zeman]

Rot13.

    For real security, use it twice.

I'm Swede (29 characters in the alphabet.)

ROT14.5?

Re:

[Skewray]

If it has to be something you can remember, then some examples are substitution cyphers (eg, rot13, but more complex substitutions work better), keyboard patterns, interleaving two words, spelling backwards, mixing two languages, &c. For example, a substitution cypher of the keyboard key up and to the left moves Password to ")qww294e". Tough choice for mobile, though. Interleave: mybank -> "m!y@b#a$n%k^". Now go make up your own.

Re:

[retchdog]

err, that would be 96^32, about half as "secure" as you claim, though still plenty strong (assuming you got the for loop right, which might be a generous assumption).

Re:

[zenlessyank]

Dammit!!. You stole my line. Kudos.

Re:

[harperska]

Have you actually ever tried an XKCD style password? I have used randomly generated ones and have found them far easier to remember than pure random character passwords. The trick, as shown in the last panel of the comic itself [xkcd.com], is to come up with a mnemonic story describing the random sequence of words. Rather than just trying to remember the sequence "correct", "horse", "battery", "staple", you imagine a scenario where the horse is correct about staples used on batteries. The scenario itself is easy to re

Re:

[fibonacci8]

Even better, just use Welsh, then no one will ever be able to guess your password.

Re:

[dgatwood]

Cool. I did the same thing. Mine's Papa Alfa Sierra Sierra Whiskey Oscar Romeo Delta.

Re:

[serviscope_minor]

Ugh no.

Sure if security matters then fine do things properly.

But probably 90% of my passwords are for things I have a very hard job caring about security for, for example the password that lets me get crappy support from Texas Instruments. I keep those passwords in an unencrypted file in my home directory. If someone (a) steals my computer, (b) starts opening obtusely named files and (c) doesn't die of utter boredom, they can use my password to post fake support queries about chips and then deal with the cr

Re:

[suso]

The first one is very bad, the second one is, well, kind of overkill.

Please switch %s on the first one (seconds from the epoch which is not very random) with %N, which is the nanosecond only part of the current time and is for all intents and purposes completely random if you run the command by hand.

Using %N is not much better as its only a billion possible values. The problem is that people try to be clever. I've seen countless "clever" ways of trying to generate seemingly random data, but the problem with most of them is that their set of possible values is not high enough. Set size is an important characteristic for the random input for password generation.

Password Safe

[ElizabethGreene]

Password Safe >> New Entry >> [type url] >> [Default Username] >> Generate Password >> Save

I never type it, not even once.