Wednesday, January 17, 2007

Password Generator

Generate compound Password
This is an idea I’ve been rolling around in my head for some time. Now that I have a blog, I can finally share it with you:
For years, system administrators and savvy users have needed to create long passwords to thwart password guessing attacks. However, those passwords are complicated and hard to remember. Is there a way to create strong, easy to remember passwords that are impervious to most attacks?

Yes, thanks to something I call the compound password. It’s very simple, but also incredibly powerful. Essentially, the compound password is a juxtaposition of two simple words, with their letters alternating.
For example, dcoagt is a compound password.
Can you see the two words in there? How about now: dcoagt.

The two words in the compound password are “cat” and “dog”. To generate the password, “cat” is “inserted” into “dog”. But what of memorability? To the unenlightened, this looks like randomly generated, hard to remember ASCII text. But, remember, this is nothing more than the juxtaposition of two words. A simple entry trick means that all you will need to remember is your two words any time you need to type in that password.

Here’s how:
(The represents the flashing entry thingie doh, cursor that shows where you are in any text entry field, and should not be typed in):

  1. Enter the first keyword: cat
  2. Hold down the left arrow to move to the beginning of the line: cat
  3. Enter the first letter of the second keyword and press the right arrow once: dcat
  4. Enter the next letter of the second keyword and press the right arrow once: dcoat
  5. Repeat step 4 until the second keyword is fully entered: dcoagt
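
The five steps above, replayed as a small simulation of a single-line text field. This is an added example, not code from the original post; the function name `enter_compound` and the `|` used to mark the cursor in each state are choices made for this example. It also covers keywords of different lengths, where the right arrow does nothing once the cursor reaches the end of the line.

```python
def enter_compound(first, second):
    """Replay steps 1-5 and return (password, typed_chars, states).

    typed_chars: the character keys pressed, in order, without arrow keys.
    states: the field after each step, with '|' (notation assumed for this
            example) marking the cursor position.
    """
    field = []    # characters currently in the text field
    cursor = 0    # insertion point, 0 = beginning of the line
    typed = []
    states = []

    def snapshot():
        states.append("".join(field[:cursor]) + "|" + "".join(field[cursor:]))

    # Step 1: enter the first keyword.
    for ch in first:
        field.insert(cursor, ch)
        cursor += 1
        typed.append(ch)
    snapshot()

    # Step 2: left arrow to the beginning of the line.
    cursor = 0
    snapshot()

    # Steps 3-5: type one letter of the second keyword, then right arrow once.
    for ch in second:
        field.insert(cursor, ch)
        cursor += 1
        typed.append(ch)
        cursor = min(cursor + 1, len(field))  # right arrow is a no-op at the end
        snapshot()

    return "".join(field), "".join(typed), states


if __name__ == "__main__":
    # Keyword pairs taken from the examples in the post.
    for first, second in [("cat", "dog"), ("georgew", "bush"), ("digg!", "effect")]:
        password, typed_chars, states = enter_compound(first, second)
        print(f"{first!r} + {second!r} -> {password!r} (keys typed: {typed_chars!r})")
        print("   " + "  ".join(states))
```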

That’s it! You now have yourself an impregnable compound password! Now a look at some of the most common password grabbing techniques, and how compound passwords thwart all of them:


Brute Force
The most common reason administrators urge users to choose long passwords with letters and numbers is to thwart brute force attacks, which try every possible combination of letters and numbers to guess the password. As the length of a password increases, the computing power required to guess every combination increases exponentially. Sure, dcoagt may be easy to brute force, but what about bguesohrgew (georgew bush)?

Dictionary
A variation on brute force is guessing passwords from a predefined dictionary/wordlist, often appending single- or double-digit numbers to the end. This improvement on brute force still can’t guess compound passwords though, as they are not found in any dictionary.

Guessing
Same as dictionary. If someone randomly decides to try dcoagt, they should skip hacking and go straight for the Randi Prize.

With a couple more tricks, even more advanced password grabbers can be foiled.

Keyloggers
Malicious trojans and keyloggers have the capacity to record every keystroke you make at your computer. However, they do not record mouse clicks. If you are afraid of keyloggers, simply replace each keyboard arrow press with a mouse click: enter your first keyword, click at the beginning of the entry field, etc. The keylogger will only capture the keys you press, which will look like this: catdog, not even close to your actual password. Great for public computers.

Shoulder Surfing
Shoulder surfing is simply when an attacker stands behind you, watching the keys you press on your keyboard. However, 99% of the time, he will not observe the keyboard arrows you are pressing. Simply put one hand over the arrows and covertly press them as needed while you enter the password with your other hand.

Compound passwords are not a magical solution to everything. They will not protect from phishing attacks or database compromises. But they are an easy way to generate strong, memorable passwords.

People! dcoagt is just an example! I picked three letter words to combine for ease of demonstration! A real password would have longer words and special characters thrown in there, and would be more like edfifgegc!t (digg! effect). Better?
