I Hate the Password Policy!

Friday, June 30, 2006 at 3:46pm by Jimmy Kuo

Every XX days (I'm sure if I actually told you the exact number, I'd be breaking some kind of rule), the system tells me that my password has expired and I have to change it.  I will manage to change it without problems.  But, as I log into the various corporate assets from each of my many machines, or if one of my machines stayed online while I changed the password from a different machine, it's a given that within the next few days our HelpDesk will have to re-enable my account, because the system has locked me out after too many login attempts with the old password.

There are many components to password policies.  Most people probably do not have this same problem.  But just the same, most people hate their own password policy just as much as I do!

As I understand it, most objections revolve around the myriad standards a password must meet to pass the "strong password" test.  They include a length requirement, a mix of lower and upper-case letters, numbers, and/or punctuation, and the need to change it every so often, without being allowed to write it down.  So, new passwords need to be invented that must be complex yet easy to remember.

Well, I can help you with that.  It's called pattern passwords.

How to Create Easy-to-Remember Strong Passwords Using Patterns

What would you say about a password such as

7ujmnbg%TGB

Easy to remember, isn't it?  Well, to remind me, I'm going to scribble a "75" on a Post-It and put it on my monitor.

It has 11 characters, has upper and lower-case, even a punctuation mark.  Certainly, it would pass any corporate policy on strong passwords.  (And if not, just adjust it after I finish teaching you the concept.)  And I could never forget this password, because, frankly, you can't forget what you never knew!  ;-)  But "75" reminds me.

Here's the password:

That's the letter "J" starting at the position of "7" (7ujmnbg).  Followed by the letter "I" but using [Shift], starting at the position of "5" (%TGB).  And so "75" reminds me that this month, "my password" uses the character positions of "7" and "5" to instantiate the password.

What is my password?  No, not "7ujmnbg%TGB"!  I told you I don't even know my password.  ;-)  My password is the keyboard pattern for the letters "J" and "I"!

Keyboard pattern passwords.  You can decide to use the pattern for letters, numerals, geometric figures (circle, triangle, dash), symbols (plus, equals, star [yhnuhbghj]), and for the cultured linguists, symbols and characters from other languages, like parts of Chinese characters, or letters of the Russian, Greek, Arabic, or Hebrew alphabets…  Pick anything that you can identify with (not something that can identify you!), or is easy to type, or easy to remember, or all of the above.  And pick two patterns or a long pattern, to give you enough characters to satisfy your corporate password policy.  And remember to include use of the Shift-key at appropriate points or the pattern will be too easy for others to notice and crack.  This is very important.  The use of Shift at strategic locations within your pattern is what distinguishes your password from others, and makes it difficult for a new generation of password crackers that could be programmed to look for pattern passwords.

Now that you know what pattern passwords are, let's discuss how to use them to satisfy the different aspects of your corporate password policy.

Length.  Design your pattern so it has enough characters to fulfill the password length requirement.  If the first pattern you like is short, add a second pattern, or even a third.  Or append a numeric sequence.  It simply becomes an additional pattern that you add; the only difference is that you might choose to keep these additional characters the same from month to month.

Upper and lower case, numbers, punctuation.  Judiciously choose where and when to apply the [Shift] key to create the special characters.

Changing the password from month to month.  Move your pattern around the keyboard.  This month, my password location is "75".  Next month, it will be "64".  The following month, it is "53".  And so on.  After I finish with "31", the following month, it can be "08".  Or by then, I could decide to employ a different pattern.  And if I should forget what it is this month, there will only be a select few to try, with a very high likelihood that the first couple I try will be successful.

Multiple passwords for multiple accounts.  Let's say I need to create a new Yahoo email address.  I choose the account name of "Jimmy46".  The password I would use with this account would be my "46" pattern password.  (Notice it's not exactly the same as I was using before.  But all the same, "J" will be at "4" and the "shifted-I" will be at "6".)

I urge you to play around with this.  Have some fun.  Get comfortable with it.  Also, when you decide on a pattern you like, try out your new password at:

http://www.microsoft.com/athome/security/privacy/password_checker.mspx

This page will give you a scoring on your password and tell you if it is "strong" enough.

Oh, and the next time they try to enforce the password policy, respond "can I use dollar sign, hash, seventeen?"  "Too short," they'll say.  So you walk away… with a smirk… You know you can easily fulfill the policy now, but you still hate password policies.

PS.  No, 7ujmnbg%TGB is not really my password.  Besides, I have to change it every month.  (Oops)


Comments (13)

  • Steve January 19, 2010 9:46AM

    ..but this only works as long as you always log from the same type of keyboard. If you switch between US and UK or other keyboard layouts (for example if you travel), the results of the pattern will differ with each keyboard. Even PC and Mac for the same region keyboards are slightly different from each other.

  • TechnoMike October 17, 2008 6:14AM

    I am reminded that I once worked for an employer that did not allow 3 adjacent keys to be used in consecutive order on the keyboard for a password!

    So ASD, 123, bnm, der and kij were not allowed.

    You are only limited by the parameters that dictate the “standards” for your system or organization.

  • Lobna Abdelaziz January 30, 2008 4:15AM

    Hey Jimmy Kuo, you rock!

    That was a great innovative way to generate passwords. Thanks man.

    Lobna M I Abdelaziz

  • zohair January 29, 2008 9:05PM

    This method will most likely generate only a limited subset of passwords. Once the method catches on, people will know what to look for. Keyboard layouts usually don’t change. And once people know, this password will be very easy to crack.
    You might be able to fool corporate strength checks this way, but I don’t think this will fool dedicated crackers for long. There simply aren’t enough permutations.
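The two comments above pull in opposite directions: TechnoMike's employer rejected any three consecutive keys that sit next to each other on the keyboard, and zohair argues that a scheme built from keyboard walks yields far fewer candidates than its length suggests. The following script is an added example (not code from the post or from McAfee) that makes both points concrete: it maps characters onto a constructed US QWERTY grid, finds runs of physically adjacent keys in a password, applies the "no more than two adjacent keys" rule, and puts a deliberately generous upper bound on the number of single keyboard walks of a given length next to the size of the uniformly random space. The layout, the adjacency rule (rows and columns each differing by at most one, which also catches a repeated key) and the 8-neighbours-per-step bound are assumptions made for this example.

```python
"""Keyboard-walk detection and a rough key-space comparison for pattern passwords.

Added example for the post above; it assumes a US QWERTY layout, constructed here.
"""
import math

# Physical rows of the main block of a US QWERTY keyboard, unshifted, left to right.
# Row stagger is approximated by giving each row's first key column 0, which is close
# enough that 7-u-j-m and 5-t-g-b come out as vertical neighbours.
ROWS = ["1234567890-=", "qwertyuiop[]\\", "asdfghjkl;'", "zxcvbnm,./"]

# Shifted symbols mapped back to the physical key that produces them.
SHIFTED = dict(zip('!@#$%^&*()_+{}|:"<>?', "1234567890-=[]\\;',./"))


def key_position(ch):
    """Return (row, col) of the physical key for ch, or None if it is not on the grid."""
    base = SHIFTED.get(ch, ch.lower())
    for r, row in enumerate(ROWS):
        c = row.find(base)
        if c != -1:
            return (r, c)
    return None


def is_neighbour(a, b):
    """Two keys are neighbours if rows and columns each differ by at most 1.
    The same key pressed twice counts too, since "777" is no stronger than a walk."""
    return max(abs(a[0] - b[0]), abs(a[1] - b[1])) <= 1


def keyboard_walks(password, min_len=3):
    """Split the password into maximal runs of physically adjacent keys and return
    the runs of at least min_len characters, e.g. ['7ujmnbg', '%TGB']."""
    runs, current = [], password[:1]
    for prev, ch in zip(password, password[1:]):
        p, q = key_position(prev), key_position(ch)
        if p is not None and q is not None and is_neighbour(p, q):
            current += ch
        else:
            runs.append(current)
            current = ch
    runs.append(current)
    return [r for r in runs if len(r) >= min_len]


def walk_fraction(password):
    """Share of the password's characters that sit inside some keyboard walk."""
    if not password:
        return 0.0
    return sum(len(r) for r in keyboard_walks(password)) / len(password)


def violates_adjacency_rule(password, max_run=2):
    """The policy TechnoMike describes: reject any run of more than max_run adjacent keys."""
    return bool(keyboard_walks(password, min_len=max_run + 1))


def walk_keyspace_bits(length, start_keys=47, shift_choices=2):
    """Generous upper bound (in bits) on single keyboard walks of a given length:
    any of the 47 main-block keys to start, at most 8 neighbours per step, and a free
    choice of Shift for every character. Real pattern dictionaries are far smaller,
    so this bound flatters the scheme."""
    return math.log2(start_keys) + (length - 1) * 3 + length * math.log2(shift_choices)


def random_keyspace_bits(length, alphabet=95):
    """Bits of a uniformly random password over the 95 printable ASCII characters."""
    return length * math.log2(alphabet)


if __name__ == "__main__":
    sample = "7ujmnbg%TGB"  # the post's own example password
    print("walks:", keyboard_walks(sample), "fraction:", walk_fraction(sample))
    print("adjacency rule violated:", violates_adjacency_rule(sample))
    print(f"walk bound: {walk_keyspace_bits(len(sample)):.1f} bits, "
          f"random: {random_keyspace_bits(len(sample)):.1f} bits")
```

Run against the post's example, the detector recovers exactly the two strokes the author describes, the whole password is inside a walk, and even the flattering bound lands around 47 bits against roughly 72 bits for a random 11-character password; a cracker that enumerates walks rather than characters gets that gap for free. The same `keyboard_walks` check is what a password-policy hook would call at change time, and it also trips on the five short examples in TechnoMike's comment.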

  • lindabonita January 29, 2008 12:26PM

    My husband uses children's nursery rhymes, e.g. "old king cole was a very merry old soul". Keep them long (14-16 characters), sprinkle in #, caps & symbols and, voilà, oodles of p_sswords =:)
    lb

  • george January 29, 2008 1:01AM

    My password system: I don't have a worry; I tell everybody what my password is.

    Yes, everyone knows my password for the month, and I can tell you what it is too if you wish :) What I won't tell you is what language dictionary I got the translation from, or which language I am using that month.

    Same password always, and switch languages. This month is Japanese..

    Regards
    George

  • Cat Allen January 29, 2008 12:25AM

    Sid, the picture is now missing, but if you use a standard American keyboard, you’ll see the pattern.

    Look at the number 7 on your keyboard. Now trace down the keyboard, the letter under 7 is u, then there’s j and then m.
    He’s said you’re using a J shape, so we need to go down the keyboard, then to the left two letters and up one. Try it on a US keyboard and you get 7ujm(downtrace)nb(two left)g(one up)

    Then he’s starting at 5, making a straight line down. Your keys are offset, so it won’t be vertical, it’ll be slightly right-leading. 5tgb

    If we use the same idea, but starting with 8 and then 2, we would have 8ik,mnh and 2wsx

    Another method would be to use a diamond shape. Say we start at x, the diamond would be xsedx. Clearer now?

    It’s a cool idea, as long as no one ever watches you type. As soon as they do, they have this and all future passwords.

  • SirFrisco January 29, 2008 12:03AM

    Love the ideas on how to create (and remember) secure passwords. I have used the same passwords for years for every single account and I know that's just asking for trouble. Now I have no excuse not to go in and change all of them.

  • Anne January 28, 2008 3:28PM

    Hey Sid, Go back and look at the article again. I found it very simple and creative. I am a newbie grandmother (over 65) and have wondered how to have unique passwords that I could remember. This is wonderful. Anne

  • OnLooker January 28, 2008 11:32AM

    No, however there is a super easy solution to this issue.

    Micro Star International (motherboards) Password Keeper is the answer IMO and allows the user to store unlimited passwords and account information encrypted for safe keeping.

    The user only needs to remember one single password for access to Password Keeper itself, and because this is a personal client side password, it NEVER gets entered into any internet/web based applications.

    Of course, since this password only gets used for Password Keeper, you could use a very simple one-word password that is undeniably burned into your brain already:

    By choosing a super simple pre-burned in memory (in your head that is) password for the Password Keeper you will likely not even have to write it down.

    Or alternatively a more secure but still easy to remember pass could be constructed like this for Password Keeper.

    Example1: My Chocolate Lab Has 100 Fleas (MCLH100F)
    Example2: I Own A Black Chevy 4 Door (IOaBC4D)

    This is functionally the same as MSI's Password Keeper found on BlackBerrys and other PDA cell phones.

    http://download1.msi.com.tw/files/downloads/uti_exe/PasswordKeeper.zip

    Best Regards, OnLooker

  • OnLooker January 28, 2008 11:12AM

    "But all the same, "J" will be at "4" and the "shifted-I" will be at "6"."

    Actually no, due to this sentence. However a workable concept based on this method could be implemented with a little creative thinking.

    I have found that PasswordKeeper 1.0 from MSI

    http://download1.msi.com.tw/files/downloads/uti_exe/PasswordKeeper.zip

    makes this problem/challenge/concern go away, allowing the user to remember just one personal password for the encrypted PasswordKeeper application.

    Regards, OnLooker

  • sid duncan June 13, 2007 11:42AM

    Is there anyone out there who understands Jimmy Kuo's password article? Come on Jimmy... most of us are not genii as you probably are.

  • Tara December 31, 2006 8:34PM

    Hi. I find that using a sentence is the easiest, of course assuming that you can use spaces and punctuation: http://passpack.wordpress.com/2006/12/29/passpack-strong-passwords-times-three/