How to (Not) Pick a Password

Trustwave’s announcement that the Pony botnet and keylogger had captured 2 million passwords is, by itself, worthy of mention because it reveals the nature of password choice in the wild (see this blog post).

However, Trustwave’s blog recommended using “randomly” selected words such as “correcthorsebatterystaple”, as shown in the following image detail (originally from xkcd.com):

Common Words as Passwords?

But, are four random common words a good strong password?

In reality, as many have pointed out, no modern attacker would attack a password by random guessing; they would use a dictionary-based attack (and the dictionary would certainly contain these four common words).

So what is a user to do? One option is to select a phrase from text that is neither a saying nor an idiom, and make it stronger by adding a capital letter and a number (say “selectaphrasefromtextQ7”). Another option is to use two or three words from three languages, say separated by numbers (“turkey1enchilada2chevalier”). Using three languages makes it much harder for a dictionary attack to break a password.

Of course, these passwords can be improved (the trade-off being that they become less memorable) by using uncommon terms unlikely to be in a dictionary, avoiding nouns, and using ‘unlikely’ languages, for example “CitochromicNiseyaAkanthos!144!”, where “Citochromic” is unlikely to be in a cracker’s dictionary (it is both an adjective and uncommon), Niseya is “to return” in Diné/Navajo, Akanthos (“thorned plant”) is Old Greek, and “!144!” is a bit of salt (the first three-digit Fibonacci number, in decimal notation at least).
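To put numbers on the password shapes discussed above, here is an added example (not from the original post) that models the search space a dictionary attacker faces when the pattern is known and only the word and digit choices are unknown. The word-list sizes and the guess rate are constructed, labelled assumptions, not measurements.

```python
import math

# Constructed, labelled assumptions: word-list sizes an attacker might load
# for each language, and a guess rate for an offline attack on a fast hash.
COMMON_ENGLISH = 2048      # a small common-word list (assumption)
LARGE_ENGLISH = 100_000    # a large English word list (assumption)
LARGE_SPANISH = 100_000    # (assumption)
LARGE_FRENCH = 100_000     # (assumption)
GUESSES_PER_SECOND = 1e10  # assumed offline rate against an unsalted fast hash


def pattern_bits(dictionary_sizes, digit_slots=0, digit_alphabet=10):
    """log2 of the candidates an attacker who knows the pattern must try.

    Each entry of dictionary_sizes is the word list the attacker would use for
    that slot; digit_slots are separator/suffix characters drawn uniformly from
    digit_alphabet symbols. Worst case for the user: the pattern itself is
    assumed known, only the choices inside it are unknown.
    """
    bits = sum(math.log2(n) for n in dictionary_sizes)
    return bits + digit_slots * math.log2(digit_alphabet)


def mixed_language_bits(dictionary_sizes, words, digit_slots=0):
    """Same model, but the attacker does not know which language fills which
    slot, so every slot is drawn from the union of all the word lists."""
    union = sum(dictionary_sizes)
    return pattern_bits([union] * words, digit_slots)


def years_to_exhaust(bits, guesses_per_second=GUESSES_PER_SECOND):
    """Time to try every candidate at the assumed guess rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


def compare_schemes():
    """The password shapes from the text, scored under the assumptions above."""
    langs = [LARGE_ENGLISH, LARGE_SPANISH, LARGE_FRENCH]
    return {
        # "correcthorsebatterystaple": four words from one common-word list
        "four_common_words": pattern_bits([COMMON_ENGLISH] * 4),
        # same shape, but the attacker must use a large word list
        "four_words_large_list": pattern_bits([LARGE_ENGLISH] * 4),
        # "turkey1enchilada2chevalier": one word per language, two digits
        "three_languages_two_digits": pattern_bits(langs, digit_slots=2),
        # same, but the attacker does not know which language is where
        "three_languages_unknown_order": mixed_language_bits(langs, 3, 2),
    }


if __name__ == "__main__":
    for name, bits in compare_schemes().items():
        print(f"{name:30s} {bits:6.1f} bits  ~{years_to_exhaust(bits):.3g} years")
```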

It is generally enough for your password to be significantly harder to crack than those of other users. To outrun a lion, it is not necessary to run faster than the lion, just faster than somebody else. Once the lion gets someone, it will stop chasing you.

To test passwords, try Strength Test or Password Meter.
