Saturday, August 1, 2009

I'm jumping on the bandwagon...

...I'm just late that's all.

So I'm thinking about passwords lately. With Black Hat and Defcon this week, the report that some big-name infosec people had their accounts broken into, a friend's tweet on getting 400 followers, and me having to change my FB password today, I thought I'd share how I come up with passwords.

Now for fun the other night, driving back from Tang Soo Do on a long and lonesome highway east of Omaha... I came up with about 15 or so passwords based on a TV show I liked. They were between 8 and 10 characters each.

So there are a few ways I do it. There are 2 examples of each.

Method One:
I'll take a phrase, the longer the better, and modify it.
The quick red fox jumps over the lazy brown dog (a well-known pangram, i.e. it uses every letter of the alphabet) or I'm here to chew bubble gum and kick arse and I'm all out of bubble gum (mainly because I'm fond of quotes).
I'll take the phrase and use camel case (mixed case), with numbers, special characters (the symbols above the number keys), and letters. I'll then mix them up like below:



I can mix them other ways too. For example, I swapped brown and red, just to make it a little different.

Method Two:
I'll take a song lyric or a line from a movie, TV show, or whatever, and I'll modify it by using just the first letter of each word, plus some of the other steps above. The examples I'll use are Seger's Turn the Page and a line from Cool Hand Luke.

"On a long and lonesome highway east of Omaha" becomes:


"What we've got here is... failure to communicate. Some men you just can't reach. So you get what we had here last week, which is the way he wants it... well, he gets it"

Wwgh!F2c.SmUjcr=SugWwhHlw,W!twhWi_whg!! (to be honest, I'd modify it a little more, and weighing in around 30 characters, I'd use that for a pass phrase for my encrypted hard drive).

There are some other rules I use. If you notice, where I have 2 letters side by side, 1 will be capitalized and 1 will not be. I tend to use the 2 methods interchangeably at home and at work, so we have a phrase on some boxes and the vegetable soup on others.

Lastly, Method 3, which I only use on rare occasions:
pwgen (password generator) from the Linux command line. I'll add options like at least 1 special character, 1 upper case letter, and 1 number, and set it to be 10 to 12 characters long.
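As an added illustration (not code from the post), here is a small Python script that applies Method Two and the side-by-side case rule to the two lines quoted above, and then checks the result against the character-class rules the post asks pwgen for in Method 3 (at least 1 upper case letter, 1 number, 1 special character, and a length of 10 to 12). The word substitutions ("to" to "2" and "you" to "u" are taken from the post's own Cool Hand Luke example; "for" and "and" are added here) and the sample lines are assumptions of this example, and the strings it produces are not the author's passwords.

```python
import string

# Constructed sample inputs: the two lines the post builds its Method Two
# passwords from. The transformed strings this script produces are the
# example's own output, not the author's.
SEGER_LINE = "On a long and lonesome highway east of Omaha"
LUKE_LINE = ("What we've got here is... failure to communicate. "
             "Some men you just can't reach.")

# Assumed word substitutions: "to" -> "2" and "you" -> "u" mirror the post's
# example; "for" -> "4" and "and" -> "&" are additions of this example.
WORD_SUBS = {"to": "2", "you": "u", "for": "4", "and": "&"}


def first_letters(line: str) -> str:
    """Method Two: reduce each word to its first letter (or its substitution),
    keeping any trailing punctuation so the result picks up special characters
    from the source line itself."""
    out = []
    for token in line.split():
        core = token.rstrip(string.punctuation)   # word without trailing ., ! etc.
        trailing = token[len(core):]               # the punctuation we stripped
        bare = core.strip(string.punctuation)      # drop leading quotes/brackets too
        if not bare:                               # token was pure punctuation
            out.append(token)
            continue
        out.append(WORD_SUBS.get(bare.lower(), bare[0]))
        out.append(trailing)
    return "".join(out)


def alternate_case(s: str) -> str:
    """The post's side-by-side rule: of two adjacent letters, one is upper
    case and the other lower case. Non-letters pass through unchanged."""
    out = []
    upper = True
    for ch in s:
        if ch.isalpha():
            out.append(ch.upper() if upper else ch.lower())
            upper = not upper
        else:
            out.append(ch)
    return "".join(out)


def make_password(line: str) -> str:
    """Full Method Two pipeline: first letters, then mixed case."""
    return alternate_case(first_letters(line))


def composition_problems(pw: str, min_len: int = 10, max_len: int = 12) -> list:
    """Check a candidate against the rules the post asks pwgen for. Returns the
    list of rules that fail; an empty list means the candidate passes. This is
    a composition check only, not a strength estimate."""
    problems = []
    if len(pw) < min_len:
        problems.append("too short")
    elif len(pw) > max_len:
        problems.append("too long")
    if not any(c.isupper() for c in pw):
        problems.append("no upper case")
    if not any(c.isdigit() for c in pw):
        problems.append("no number")
    if not any(c in string.punctuation for c in pw):
        problems.append("no special character")
    return problems


if __name__ == "__main__":
    for line in (SEGER_LINE, LUKE_LINE):
        pw = make_password(line)
        # The longer line is treated as a pass phrase, so allow up to 30 chars.
        limit = 12 if len(line) < 50 else 30
        print(f"{line!r}\n  -> {pw}  problems: {composition_problems(pw, max_len=limit)}")
```

Run stand-alone, the short Seger line comes out as 9 characters with no digit, so the checker reports it as too short and lacking a number; that is exactly the point where the post's "modify it a little more" step (swapping words, adding a number or symbol) comes in. The longer Cool Hand Luke line passes the class rules on its own once the length cap is raised to the pass-phrase range. Nothing here measures guessability, only whether the required character classes are present.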

and finally...
I tend to use password safes, with things divided up in them: KeePass and Password Safe.

I have had a few users complain when I give them a 10 to 12 character password based on something they said in the conversation: first about it being long, and second about it being so random. But when I tell them I use 24 to 26 character passwords regularly, they tend to think it's not that bad, and they seem to remember what they got fairly well.

There are other ways to make passwords too, and if you google them, I suggest googling

Have fun, be safe online, and for extra credit, figure out why I think this is a bad password: BwDn$b! (there are 2 reasons I don't like it).


Anonymous said...

Very similar to how I do mine. Might I also recommend:

Chris J said...

I think it's a fairly standard way of doing it. I don't remember where I came up with the 3 ways.

I've seen pwdhash before, but for some reason haven't bothered with it.

Jennifer said...

How do you keep up with what password goes to what thing?

Jennifer said...

Oh, and it's not enough characters and has no numbers would be my guess.

Chris J said...

Yep, too short and no numbers.

That's where the password safes come into play. I only have to remember 3 passwords, and use the safes for the rest.

However after using a site for a while, I usually remember it.