Thursday, March 18, 2010

Passwords, Passphrases and Pass-acronyms

It may come as a surprise to you that I, a Certified Information Systems Security Professional, hate passwords as much as the average person does.  On the other hand, I like passphrases.  A phrase is stronger than a single word.  Before computers, magic phrases like “Open Sesame” opened caves full of treasure, and “Alla Peanut Butter Sandwiches” and “Meeska, Mooska, Mickey Mouse” entertained children watching TV.  Sure, a few single words have magic power, but Abracadabra, Alakazam and Shazam are the only ones I can find.  There are many more examples of magic phrases: “Hocus pocus,” “Presto change” and of course “uh eh uh ah ah ting tang walla walla bing bang.”

As security professionals, we should stop saying “word” and say “phrase,” or “acronym” where technical limitations restrict the allowed length.  Because words are short and relatively simple, saying “password” sends the wrong message.  Maybe we should call them “authorization-expressions” so people stop thinking “word” and start thinking about filenames, fake email addresses, fake dates or times, fake web addresses, fake phone numbers, titles, places, addresses, even baby talk; any of these is better than an eight-character word with a number appended to it.  Here are some examples:

Fake email addresses
Fake dates or times: H.G.Wells 12, 802701 @ 42:00 AP
Fake web address
Fake phone numbers
Titles, places and addresses: Mr. Roast Beef Sandwich, III; Booting Up Hard Drive Blvd; 6765 O. MorrisonAvenue St.
Baby talk: boogo, boogo Ophoov
7 is VII = 3+4
X-Ray x-ray India Victor (the number XXIV or 24)
Combinations of the above: XXIV boogo Hard 2 Drive St.

You can start with a line from a movie, song, book, poem, quote or idiom, but please do not use it word for word.  The password crackers already have them.  Mix them up instead, like:

Don't beat a dead gift horse in the mouth.

The 22-character phrase has uppercase, lowercase and symbols.

If you want more ideas for passphrases, check out Perfect Passwords by Mark Burnett.

If you cannot use the full passphrase, you can make a pass-acronym out of it.  Pass-acronyms are weaker than passphrases, but some old systems will not let you use more than eight characters.  Here are some examples:

I hate passwords, they make me crazy
This year I will lose 10 pounds
My wife and kids are the best!
I love my dogs, Max and Spot
I will quit smoking before it kills me
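As an added example (not code from this post, nor from Mark Burnett's book), the Python script below does two things the text asks for: it measures the mixed-up phrase “Don't beat a dead gift horse in the mouth.” for length and character classes, and it derives pass-acronyms from the five phrases listed above.  The acronym rule (first character of each word, numbers kept whole, trailing punctuation kept) is my assumption about how such acronyms are built; the constant names, function names and the crude brute-force bound are mine.  Counted this way, the mixed-up phrase is 42 characters including spaces and the final period, and each of the five pass-acronyms comes out at exactly eight characters, the legacy limit mentioned above.

```python
import math
import string
from typing import Optional

# Constructed sample inputs: the post's own mixed-up phrase and its
# five pass-acronym source phrases, embedded here so the script runs offline.
MIXED_UP_PHRASE = "Don't beat a dead gift horse in the mouth."
ACRONYM_SOURCES = [
    "I hate passwords, they make me crazy",
    "This year I will lose 10 pounds",
    "My wife and kids are the best!",
    "I love my dogs, Max and Spot",
    "I will quit smoking before it kills me",
]

# Alphabet size per character class, used only for the crude brute-force bound.
CLASS_SIZES = {"upper": 26, "lower": 26, "digit": 10, "space": 1,
               "symbol": len(string.punctuation)}


def character_classes(secret: str) -> set:
    """Report which character classes a secret draws on."""
    classes = set()
    for ch in secret:
        if ch.isupper():
            classes.add("upper")
        elif ch.islower():
            classes.add("lower")
        elif ch.isdigit():
            classes.add("digit")
        elif ch.isspace():
            classes.add("space")
        else:
            classes.add("symbol")
    return classes


def pass_acronym(phrase: str, max_len: Optional[int] = None) -> str:
    """Turn a passphrase into a pass-acronym (assumed rule, not the post's):
    first character of each word, keeping its case; whole numbers survive
    intact; punctuation glued to the end of a word is kept so the acronym
    still carries a symbol.  "My wife and kids are the best!" -> "Mwakatb!".
    """
    pieces = []
    for word in phrase.split():
        core = word.rstrip(string.punctuation)
        tail = word[len(core):]            # trailing punctuation such as "," or "!"
        if core.isdigit():
            pieces.append(core + tail)     # "10" stays "10"
        elif core:
            pieces.append(core[0] + tail)  # "passwords," -> "p,"
        else:
            pieces.append(tail)            # token was punctuation only
    acronym = "".join(pieces)
    return acronym if max_len is None else acronym[:max_len]


def naive_bruteforce_bits(secret: str) -> float:
    """Crude upper bound on guessing work: length * log2(alphabet used).
    This only measures resistance to blind brute force; a phrase lifted
    word for word from a song or film falls to a dictionary attack long
    before this bound matters, which is why the post says to mix them up."""
    alphabet = sum(CLASS_SIZES[c] for c in character_classes(secret))
    return len(secret) * math.log2(alphabet)


def fits_legacy_limit(secret: str, limit: int = 8) -> bool:
    """True if the secret fits a system that accepts at most `limit` characters."""
    return len(secret) <= limit


def report(secret: str) -> dict:
    """Summarise length, classes and the brute-force bound for one secret."""
    return {
        "secret": secret,
        "length": len(secret),
        "classes": sorted(character_classes(secret)),
        "bruteforce_bits": round(naive_bruteforce_bits(secret), 1),
        "fits_8_char_limit": fits_legacy_limit(secret),
    }


if __name__ == "__main__":
    print(report(MIXED_UP_PHRASE))
    for phrase in ACRONYM_SOURCES:
        print(report(pass_acronym(phrase)))
```

Running the script prints one report per secret.  The brute-force figure is deliberately labelled naive: it shows that the 8-character acronym gives an attacker a far smaller search space than the full phrase, which is the sense in which pass-acronyms are weaker, but it says nothing about whether the source phrase is already in a cracker's wordlist.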

