My general rule has always been to craft a password of at least 8 characters, with at least one numeral, one non-alpha character, and one capital letter.
e.g.
hommelite would be a very bad password
Hommelite would still be a very bad password
H0mm3l1te would be much better, but it is still just a substitution of homelite, which is a dictionary word
It's also preferable not to base a password on any dictionary word, in any recognized language.
I have approx. 7 gigs of dictionary words, comprised of English, French, Spanish, Afrikaans and a few other languages such as Klingon :) and these dictionaries have been modified with the simple unix "sed" substitution utility, using methods such as changing "e"s to 3 or "i"s to 1 and so on. So if you use anything in that fashion in your WiFi PSK or passwords, I can crack those passwords within 7-21 days on my fastest machines.
So what's one to do?
Well, the best passwords are sometimes the hardest to remember. And then password management of these passwords gets to be tiresome and cumbersome. I have a hack that I've been using for the last 5+ years that has been faultless. All of my encrypted password vaults or file systems are done this way at bare minimum.
Here's how we do it: take your password or passphrase and hash it. Yes, convert a simple secured password into a hash. If you're really paranoid, hash the hash again, or hash it with another hash utility.
e.g. using the common md5 hash algorithm
sh-3.2$ md5 -s "here's my password"
MD5 ("here's my password") = afc87cfc34e9c6ea28dd239f7343d08f
sh-3.2$
So a simple phrase is taken and hashed, and the resulting hash is used as that user's password. It's quite long, but it has no capitalized or non-alpha characters. If you believe you need those, substitute the first and last characters, or append a "salt", if you like, to the hash.
So now afc87cfc34e9c6ea28dd239f7343d08f becomes Afc87cfc34e9c6ea28dd239f7343d08f! for example.
Note: a true salt is a random string appended before the hashing operation, so you can do this before or after.
e.g. using a salt of ^7yUkJ and the same passcode as above would net me the following, depending on whether I put it in front of or behind the text to hash:
sh-3.2$ md5 -s "here's my password^7yUkJ"
MD5 ("here's my password^7yUkJ") = 3123ceebddaac4cb13fbb1aea0670935
sh-3.2$ md5 -s "^7yUkJhere's my password"
MD5 ("^7yUkJhere's my password") = 6ad22c1b4474abfdfc1986b259a11551
sh-3.2$
So no one will remember Afc87cfc34e9c6ea28dd239f7343d08f!, but they can easily remember the phrase that created the password.
A few hash utilities that I like and have used:
- md5
- ripemd160
- sha1 or sha256
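As an added example (not the author's own tooling, which is the macOS `md5 -s` command shown above), the Python script below does the same derivation with the standard `hashlib` module: hash a memorable passphrase, optionally with the salt placed in front of or behind it, optionally hash the hash again, and optionally apply the capitalize-first-letter-and-append-"!" touch from the post. It also encodes the "8 characters, a numeral, a non-alpha character, a capital" rule from the top of the post as a check, so you can see that a raw hex digest fails that rule and the decorated one passes. The function names `derive_password` and `meets_rule` and the parameter names are my own, not from the page.

```python
import hashlib
import string


def meets_rule(password):
    """The post's rule, as I read it: at least 8 characters, at least one
    digit, at least one character that is neither letter nor digit, and
    at least one uppercase letter."""
    has_digit = any(c in string.digits for c in password)
    has_symbol = any(c not in string.ascii_letters + string.digits for c in password)
    has_upper = any(c in string.ascii_uppercase for c in password)
    return len(password) >= 8 and has_digit and has_symbol and has_upper


def derive_password(passphrase, algorithm="md5", salt="", salt_position="suffix",
                    chain=1, decorate=False):
    """Turn a memorable passphrase into a hash-derived password string.

    algorithm     -- any name hashlib knows (md5, sha1, sha256, ...).
    salt          -- the post's "^7yUkJ" style string; "" means no salt.
    salt_position -- "prefix" (in front of the text) or "suffix" (behind it).
    chain         -- how many times to hash; 2 is the post's "hash the hash".
    decorate      -- capitalize the first hex letter and append "!" as in the post.
    """
    if salt_position == "suffix":
        material = passphrase + salt
    elif salt_position == "prefix":
        material = salt + passphrase
    else:
        raise ValueError("salt_position must be 'prefix' or 'suffix'")

    digest = material
    for _ in range(chain):
        # Each round hashes the previous round's hex text, exactly like
        # feeding the printed digest back into `md5 -s`.
        digest = hashlib.new(algorithm, digest.encode("utf-8")).hexdigest()

    if decorate:
        chars = list(digest)
        for i, c in enumerate(chars):
            if c in string.ascii_lowercase:
                chars[i] = c.upper()   # first hex letter becomes a capital
                break
        digest = "".join(chars) + "!"  # non-alpha character on the end
    return digest


if __name__ == "__main__":
    phrase = "here's my password"          # the passphrase used on the page
    salt = "^7yUkJ"                        # the salt used on the page
    print("plain     :", derive_password(phrase))
    print("decorated :", derive_password(phrase, decorate=True))
    print("salt after:", derive_password(phrase, salt=salt, salt_position="suffix"))
    print("salt first:", derive_password(phrase, salt=salt, salt_position="prefix"))
    print("sha256    :", derive_password(phrase, algorithm="sha256"))
    for pw in ("hommelite", "H0mm3l1te", derive_password(phrase),
               derive_password(phrase, decorate=True)):
        print(f"{pw!r:48} meets rule: {meets_rule(pw)}")
```

Run it and compare the `plain` line with the `md5 -s` output above. One thing the script makes obvious: the derivation is deterministic and the method is public, so the output is only as unpredictable as the passphrase that goes in, and a dictionary phrase hashed this way is still a dictionary phrase to anyone who guesses the recipe. The salt position matters too; the prefix and suffix results are completely different digests, so pick one convention and stick to it or you will lock yourself out.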
Play around with this concept and approach and you can come up with some very simple, yet effective password strategies that would be very hard to break. A 33-character password would take on average...... well, go here and see it for yourself: https://www.grc.com/haystack.htm
Also a few key things to think about:
- you still need to change your password, and manage some type of life-cycle expiration
- a strong password that's not secured is no good to the user
- use common sense with the handling and security of the passphrase (i.e. don't send it in email or via regular HTTP or FTP, etc.)
Ken Felix
Your Security and Network Engineer
kfelix at hyperfeed.com