Abs.Net web Page

How Strong Is Your Password?

Posted by Hari Saryono on 5 March 2009


Passwords have become one of the most critical and private things we own. When we deal with security, a password is just like the key that opens our secured property. But wait, what is a password?

(a secret word or phrase known only to a restricted group) “he forgot the password” [1]

A password is a secret word or string of characters that is used for authentication, to prove identity or gain access to a resource (Example: An access code is a type of password). The password must be kept secret from those not allowed access. [2]

The security question came to my mind when I visited a secure site that required us to create a good password. Almost all mail services give us a clue about how strong our password is, which is of course very interesting once you think about how such a program works.

You can try measuring your password strength by visiting the Microsoft password checker site. I think it is a good password strength checker to start with.

Let’s try some sentences:

  • Iloveyousomuch –> weak
  • when a man loves a woman –> weak
  • my favourite film is batman begins –> weak

So the program checks whether we have only a combination of letters: no matter how long your phrase is, it returns weak. I tried adding spaces, and it kept returning weak. (In the real world, a password of more than 8 characters is actually fairly difficult to crack.)

Now, let’s try some combinations of letters and numbers:

  • 1l0v3y0umuch –> medium
  • wh3n 4 m4n l0v3s 4 w0m4n –> medium
  • my f4v0ur1t3 f1lm 1s b4tm4n b3g1ns –> medium

I changed i to 1, o to 0, e to 3, a to 4 and so on, and it returned medium. Actually, this is the reason I am writing this post: in my case, the password checker returned strong for a password I entered this way. I think this is wrong, because a programmer can try this very easily, substituting digits for common letters. So it is a mistake to think that merely mixing letters and numbers will make your password very secure.

Now, let’s try a slightly harder combination:

  • *388#01012009 –> medium
  • *388#112009#john –> best
  • *388#b4tm4nb3g1ns –> best

See, I got the best rating. This combination is actually quite difficult to guess. Let me tell you what the parts mean to me:

  • *388# is the number I dial to check my remaining phone credit
  • 01012009 is the opening day of my first internet cafe
  • john is an arbitrary name
  • b4tm4nb3g1ns is of course my favourite film

If I were a cracker, it would be difficult to guess this password blind; but think again: if the cracker knows a little about you, their search becomes much narrower. Say you have a password like #my#name#is#harry# (spaces changed to #); its rating is only medium, and I think it would be easily cracked by a determined cracker using a modified dictionary attack.
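As an added example (not the Microsoft checker from the post, whose rules are not published here), a small Python script that reproduces the weak/medium/best tiers observed above from the count of character classes used, and then shows why look-alike substitutions barely help: folding 1/0/3/4 back to letters recovers the original phrase, and a cracker only needs 2^k extra guesses for a phrase with k substitutable letters. The substitution table and the naive keyspace sizes are constructed assumptions.

```python
import math
import string

# Look-alike substitutions the post tried (i->1, o->0, e->3, a->4) plus a few
# others that crackers routinely fold back. Constructed table, not exhaustive.
LEET = {"1": "i", "0": "o", "3": "e", "4": "a", "@": "a", "$": "s", "5": "s", "7": "t"}
DELEET = str.maketrans(LEET)
SUBSTITUTABLE = set(LEET.values())


def classes(pw):
    """Character classes present, ignoring spaces (the checker ignored them too)."""
    found = set()
    for c in pw:
        if c.isalpha():
            found.add("letter")
        elif c.isdigit():
            found.add("digit")
        elif c in string.punctuation:
            found.add("symbol")
    return found


def rate(pw):
    """Three-tier rating: one class -> weak, two -> medium, all three -> best."""
    return {1: "weak", 2: "medium", 3: "best"}.get(len(classes(pw)), "weak")


def keyspace_bits(pw):
    """Naive brute-force estimate, log2(alphabet ** length), for the classes used."""
    sizes = {"letter": 52, "digit": 10, "symbol": len(string.punctuation)}
    alphabet = sum(sizes[c] for c in classes(pw)) + (1 if " " in pw else 0)
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


def deleet(pw):
    """Fold look-alike substitutions back to the base phrase a wordlist would hold."""
    return pw.translate(DELEET)


def leet_variants(base):
    """Guesses needed to cover every on/off substitution of the base phrase: 2 ** k."""
    return 2 ** sum(1 for c in base.lower() if c in SUBSTITUTABLE)


if __name__ == "__main__":
    for pw in ("Iloveyousomuch", "1l0v3y0umuch", "*388#01012009", "*388#112009#john"):
        print(f"{pw:20} {rate(pw):7} ~{keyspace_bits(pw):5.1f} bits (naive)")
    base = deleet("wh3n 4 m4n l0v3s 4 w0m4n")  # -> "when a man loves a woman"
    print(base, "->", leet_variants(base), "leet variants to try (about 9 bits, not 143)")
```

The naive estimate credits the leet phrase with roughly 143 bits, while a rule-based dictionary attack pays only 9 extra bits over the plain phrase, which is the gap the post is pointing at.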

How to construct a secure password

There are some good guidelines for constructing a strong password:

  • Make it lengthy. Each character that you add to your password increases the protection that it provides many times over. Your passwords should be 8 or more characters in length; 14 characters or longer is ideal.
  • Many systems also support use of the space bar in passwords, so you can create a phrase made of many words (a “pass phrase”). A pass phrase is often easier to remember than a simple password, as well as longer and harder to guess.
  • Combine letters, numbers, and symbols. The greater variety of characters that you have in your password, the harder it is to guess. Other important specifics include:
    • The fewer types of characters in your password, the longer it must be. A 15-character password composed only of random letters and numbers is about 33,000 times stronger than an 8-character password composed of characters from the entire keyboard. If you cannot create a password that contains symbols, you need to make it considerably longer to get the same degree of protection. An ideal password combines both length and different types of symbols.
    • Use the entire keyboard, not just the most common characters. Symbols typed by holding down the “Shift” key and typing a number are very common in passwords. Your password will be much stronger if you choose from all the symbols on the keyboard, including punctuation marks not on the upper row of the keyboard, and any symbols unique to your language.
  • Use words and phrases that are easy for you to remember, but difficult for others to guess. The easiest way to remember your passwords and pass phrases is to write them down. Contrary to popular belief, there is nothing wrong with writing passwords down, but they need to be adequately protected in order to remain secure and effective.


Password strategies to avoid

Some common methods used to create passwords are easy to guess by criminals. To avoid weak, easy-to-guess passwords:

  • Avoid sequences or repeated characters. “12345678,” “222222,” “abcdefg,” or adjacent letters on your keyboard do not help make secure passwords.
  • Avoid using only look-alike substitutions of numbers or symbols. Criminals and other malicious users who know enough to try and crack your password will not be fooled by common look-alike replacements, such as to replace an ‘i’ with a ‘1’ or an ‘a’ with ‘@’ as in “M1cr0$0ft” or “P@ssw0rd”. But these substitutions can be effective when combined with other measures, such as length, misspellings, or variations in case, to improve the strength of your password.
  • Avoid your login name. Any part of your name, birthday, social security number, or similar information for your loved ones constitutes a bad password choice. This is one of the first things criminals will try.
  • Avoid dictionary words in any language. Criminals use sophisticated tools that can rapidly guess passwords that are based on words in multiple dictionaries, including words spelled backwards, common misspellings, and substitutions. This includes all sorts of profanity and any word you would not say in front of your children.
  • Use more than one password everywhere. If any one of the computers or online systems using this password is compromised, all of your other information protected by that password should be considered compromised as well. It is critical to use different passwords for different systems.
  • Avoid using online storage. If malicious users find these passwords stored online or on a networked computer, they have access to all your information.

In general, passwords written on a piece of paper are more difficult to compromise across the Internet than passwords kept in a password manager, a Web site, or another software-based storage tool. [3]

Choose a Strong Password

Passwords are the combination locks used to protect our computer accounts. It goes without saying that giving out our combination or leaving the lock unlatched (i.e. walking away from a logged on computer), compromises our security. However, technology provides ways for people to obtain our combination even if we aren’t careless. To thwart such misuse, we must choose complex combinations. There are three elements to a complex combination:

  1. It can’t be obvious. That is, it can’t exist in an attack dictionary.
    • Every word in an English language dictionary can be tried in minutes. Attack dictionaries also include names, common misspellings, words with numbers, and other commonly used passwords. You also don’t want the password to have any personal significance to you… your dog’s name, for example. Using a dictionary word for a password is like using a locker number for a combination.
  2. It can’t be short
    • A combination lock with a two-number combination wouldn’t protect very well. Anything less than an eight-character password is like having such a combination. It simply won’t hold up for long. A minimum of ten characters is recommended.
  3. It can’t be made up of just a few characters
    • A combination lock with only ten numbers on the dial isn’t as effective as one with fifty. Using just lower case letters is like limiting a combination lock to ten numbers. On systems that support them, passwords should contain at least one of each of the following characters:
      • Uppercase letters ( A-Z )
      • Lowercase letters ( a-z )
      • Numbers ( 0-9 )
      • Punctuation marks ( !@#$%^&*()_+=- ) etc.

    Different systems have different capabilities. Some will not let you use all the strength features mentioned here. When you get an account or change your password on a system, you should be given instructions on any limitations.

How, you may ask, am I ever going to remember such a complicated password?

  • Pick a sentence that reminds you of the password. For example:
    • if my car makes it through 2 semesters, I’ll be lucky (imcmit2s,Ibl)
    • only Bill Gates could afford this $70.00 textbook (oBGcat$7t)
    • What time is my accounting class in Showker 240? (WtimaciS2?)
  • If you absolutely have to, record it in a secure location. It’s probably safer to store a strong password in a place where someone would have to physically break in than to expose a weak password to 600 million people on the Internet.

Accounts that are not accessible from the network, or that can be disabled if too many unsuccessful attempts are detected, are not as susceptible to high-speed guessing attacks. However, some systems have network accessible accounts you may not know about. Passwords for Windows NT, 2000, and XP Professional Administrator accounts and accounts included in the Administrator, Backup Operator, and Server Operator groups must be as strong as possible as these accounts have full, remote access to the entire file system through hidden shares. [4]

References:

[1] http://wordnetweb.princeton.edu/perl/webwn?s=password

[2] http://en.wikipedia.org/wiki/Password

[3] Microsoft articles

[4] http://www.jmu.edu/computing/runsafe/safeguard.shtml

Other Resources to Check

  1. http://www.goodpassword.com/ – Password Generator to create good, secure passwords ….
  2. http://strongpasswordgenerator.com/ – Every company and every computer user should have a strong, random password. This strong password generator will generate secure, random password examples for you to use
  3. http://www.makeuseof.com/dir/brute-force-calculator-find-long-brake-password/ – How long to brute force your password?
  4. http://www.makeuseof.com/dir/passwordmeter-check-create-passwords/ – Password Meter is a web-based password checker that can help you test your existing password for strength and also provide guidelines for creating stronger passwords. It calculates positive and negative factors using its own weighting algorithms and comes up with the number that corresponds to potential strength of your password.

3 Responses to “How Strong Is Your Password?”

  1. rapidshare said

    Right, boss… passwords really have to be strong… thanks…

  2. […] Change your password to be more secure. See Guideline here […]

  3. […] Change your password to be more secure. See Guideline here […]
