Most people choose bad passwords. That's life. What do I mean by "bad passwords"? I mean passwords that are easily guessed. How easily guessed? Very.
To throw some numbers into this: left to their own devices, most people choose a word from their own language as a password. Most people have a vocabulary of around 40,000 words, but being generous by an order of magnitude, let's say they are choosing from a range of 400,000 words. People who crack passwords know this, of course, and they have programs which check for word-based passwords. I have a program that can check 100,000 UNIX passwords per second, running on an ordinary desktop PC current as of July 2000. If you have a word-based password, it can find it in about 4 seconds at most, or in 2 seconds on average. That's how bad dictionary-based passwords are. If your password is on a Windows system, I have another program that will check over 1,000,000 Windows passwords per second if run on the same machine. You may be thinking about choosing your password from another language. Don't. I have dictionaries for all European languages and most other major languages in the world - any cracker will too.
"But not all passwords are like this", I hear you say. "It only takes one" is my answer. One bad password and an account has been compromised. Once inside a system it is much easier for an attacker to do damage to the whole system. Your bad password could affect everyone on the system. Be nice to your colleagues - choose good passwords.
For passwords on a UNIX system:
The program for Windows NT passwords can crack a password based on any combination of upper and lowercase letters and numbers in 24 hours on a Pentium III at 500 MHz. On a slightly faster machine the same program can find any allowable NT password in (on average) 20 days. Note: these numbers come from benchmarks that I did not run myself.
The best suggestion for passwords is to think of a phrase or sentence (or get one from the middle of a book). Take the first letter of each word until you have 8 letters. Now, substitute 2 or more of these with numbers or special characters (use at least one character which is not a number or letter).
As an example, let us say I chose the sentence: "As if by magic, the shopkeeper appeared". After taking the first letters I have: "aibmtsa". This only has 7 letters, but I'll use this fact later to add another character. This is easy enough to remember but is not based on a word. This is still not a very secure password, however, since it is only based on letters (crackable on average in 5 days for a UNIX password and 5.5 hours for a Windows one - based on the best of my knowledge so far). To make the password tougher, I'll capitalise some letters and put some symbols in where I can remember them. In this password, I will use the number 8 instead of m for magic, since 8 is a number associated with magic in Terry Pratchett's Discworld novels. This may seem a little obscure, but consider: I will remember it and it is an obscure link for others to make - this is perfect for passwords. I will also change the last "a" to "@" (because they look like each other), capitalise the "s" (since the Shopkeeper was a person), and use a "," where the comma is in the original sentence (I wouldn't just use a period at the end of the password - this is too easily guessed). All told, I end up with: "aib8,tS@" - a password which I can remember, but should be difficult to crack.
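The arithmetic behind the figures above (size of the space a password lives in, divided by the guess rate) can be checked with the following Python, an added illustration rather than the author's cracking program; the five-word word list, the 33-symbol count for printable punctuation, and the function names are assumptions made for the example.

```python
"""Estimate brute-force effort for a password, following the page's reasoning:
guesses per second versus the size of the space the password falls in."""
import string

# Constructed stand-in for a cracker's word list; real lists are far larger.
WORDLIST = {"magic", "shopkeeper", "password", "letmein", "dragon"}
DICTIONARY_SIZE = 400_000      # the page's generous vocabulary estimate
UNIX_RATE = 100_000            # guesses/second quoted for the UNIX cracker
WINDOWS_RATE = 1_000_000       # guesses/second quoted for the Windows cracker

# Assumed alphabet sizes per class; 33 = printable ASCII non-alphanumerics (incl. space).
ALPHABET_SIZE = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}


def char_classes(pw):
    """Set of character classes present, as a brute-force attack would need to cover."""
    classes = set()
    for c in pw:
        if c in string.ascii_lowercase:
            classes.add("lower")
        elif c in string.ascii_uppercase:
            classes.add("upper")
        elif c in string.digits:
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


def search_space(pw):
    """Candidates an attacker must try: the dictionary for a plain word,
    otherwise alphabet**length for the classes the password actually uses."""
    if pw.lower() in WORDLIST:
        return DICTIONARY_SIZE
    alphabet = sum(ALPHABET_SIZE[c] for c in char_classes(pw))
    return alphabet ** len(pw)


def crack_seconds(pw, rate):
    """(worst case, average) seconds at `rate` guesses per second."""
    space = search_space(pw)
    return space / rate, space / (2 * rate)


def mnemonic(sentence):
    """First letter of each word, lowercased: the page's starting point."""
    return "".join(word[0].lower() for word in sentence.split())


if __name__ == "__main__":
    for pw in ("magic", mnemonic("As if by magic, the shopkeeper appeared"), "aib8,tS@"):
        worst, avg = crack_seconds(pw, UNIX_RATE)
        print(f"{pw!r}: {search_space(pw):.3g} candidates, {worst/86400:.3g} days worst case")
```

The dictionary case reproduces the page's 4 seconds worst case and 2 seconds average at 100,000 guesses per second.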
Colin Higgs 2000-07-14