Blogs
- Consumer (531)
- Corporate (162)
- Enterprise (518)
- McAfee Labs (1030)
Feeds & Podcasts
Meet the Bloggers
- Aditya Kapoor
- Anindita Mishra
- Archive
- Arun Sabapathy
- Brenda Moretto
- Brian Contos
- Carlos Castillo
- Chintan Shah
- Cindy Chen
- Consumer Threat Alerts
- Craig Schmugar
- Cybermum Australia
- Dan Wolff
- David Marcus
- David Small
- Doug McLean
- Dr. Phyllis Schneck
- DThakkar
- Ed Metcalf
- Eric Knapp
- Eric Peterson
- Eric Schou
- Fernando Ruiz
- Francisca Moreno
- Francois Paget
- Gabriel Acevedo
- Gary Davis
- Gavin Struthers
- Gert Jan Schenk
- Guilherme Venere
- Haowei Ren
- Hardik Shah
- Itai Liba
- Jan Volzke
- Jim Walter
- Jimmy Shah
- Kevin Beets
- Kim Eichorn
- Lang Tibbils
- Lianne Caetano
- Madhurima Pawar
- Martin Pivetta
- Martin Ward
- Michelle Dennedy
- MihwaLee
- Oliver Devane
- Paras Gupta
- Pat Calhoun
- Paula Greve
- Peter Szor
- Rachit Mathur
- Raj Samani
- Robert Siciliano
- Ryan Permeh
- Sean Roth
- Shinsuke Honjo
- Simon Cooper
- Simon Hunt
- Stuart McClure
- Tad Heppner
- Tim Roddy
- Todd Gebhart
- Toralv Dirro
- Tracy Ross
- Umesh Wanve
Archive
- May 2012 (32)
- April 2012 (38)
- March 2012 (48)
- February 2012 (46)
- January 2012 (47)
- 2011 (477)
- 2010 (429)
- 2009 (378)
- 2008 (271)
- 2007 (354)
- 2006 (143)
Tags
I Hate the Password Policy!
|
|
Every XX days (I'm sure if I actually told you the exact number, I'd be breaking some kind of rule), the system tells me that my password has expired and I have to change it. I will manage to change it without problems. But, as I log into the various corporate assets from each of my many machines, or one of my machines stayed online while I changed the password from a different machine, it's a given that within the next few days, our HelpDesk would have to enable my account, because the system has locked me out due to too many accesses with the old password.
There are many components to password policies. Most people probably do not have this same problem. But just the same, most people hate their own password policy just as much as I do!
As I understand it, most objections revolve around the myriad standards to create a password that passes the "strong password" test. They include a length requirement, a mix to include lower and upper-case letters, numbers, and/or punctuation, and the need to change it every so often, without being allowed to write it down. So, new passwords need to be invented that must be complex yet easy to remember.
Well, I can help you with that. It's called pattern passwords.
How to Create Easy-to-Remember Strong Passwords Using Patterns
What would you say about a password such as
7ujmnbg%TGB
Easy to remember, isn't it? Well, to remind me, I'm going to scribble a "75" on a Post-It and put it on my monitor.
It has 11 characters, has upper and lower-case, even a punctuation mark. Certainly, it would pass any corporate policy on strong passwords. (And if not, just adjust it after I finish teaching you the concept.) And I could never forget this password, because, frankly, you can't forget what you never knew! ;-) But "75" reminds me.
Here's the password:
That's the letter "J" starting at the position of "7" (7ujmnbg). Followed by the letter "I" but using [Shift], starting at the position of "5" (%TGB). And so "75" reminds me that this month, "my password" uses the character positions of "7" and "5" to instantiate the password.
What is my password? No, not "7ujmnbg%TGB"! I told you I don't even know my password. ;-) My password is the keyboard pattern for the letters "J" and "I"!
Keyboard pattern passwords. You can decide to use the pattern for letters, numerics, geometric figures (circle, triangle, dash), symbols (plus, equals, star [yhnuhbghj]), and for the cultured linguists, symbols and characters from other languages, like parts of Chinese characters, Russian, Greek, Arab, Hebrew alphabets… Pick anything that you can identify with (not something that can identify you!), or is easy to type, or easy to remember, or all of the above. And pick two patterns or a long pattern, to give you enough characters to satisfy your corporate password policy. And remember to include use of the Shift-key at appropriate points or the pattern will be too easy for others to notice and crack. This is very important. The use of the Shift at strategic locations within your pattern is what distinguishes your password from others, and makes it difficult for a new version of password crackers that could be programmed to look for pattern passwords.
Now that you know what pattern passwords are, let's discuss how to use them to satisfy the different aspects of your corporate password policy.
Length. Design your pattern so it has enough characters to fulfill the password length requirement. If the first pattern you like is short, add a second pattern, or even a third. Or append a numeric sequence. It simply becomes an additional pattern that you add. Only perhaps the additional characters are chosen to not change.
Upper and lower case, numbers, punctuation. Judiciously choose where and when to apply the [Shift] key to create the special characters.
Changing the password from month to month. Move your pattern around the keyboard. This month, my password location is "75". Next month, it will be "64". The following month, it is "53". And so on. After I finish with "31", the following month, it can be "08". Or by then, I could decide to employ a different pattern. And if I should forget what it is this month, there will only be a select few to try, with a very high likelihood that the first couple I try will be successful.
Multiple passwords for multiple accounts. Let's say I need to create a new Yahoo email address. I choose the account name of "Jimmy46". The password I would use with this account would be my "46" pattern password. (Notice it's not exactly the same as I was using before. But all the same, "J" will be at "4" and the "shifted-I" will be at "6".)
I urge you to play around with this. Have some fun. Get comfortable with it. Also, when you decide on a pattern you like, try out your new password at:
http://www.microsoft.com/athome/security/privacy/password_checker.mspx
This page will give you a scoring on your password and tell you if it is "strong" enough.
Oh, and the next time they try to enforce the password policy, respond "can I use dollar sign, hash, seventeen?" "Too short," they'll say. So you walk away… with a smirk… You know you can easily fulfill the policy now, but you still hate password policies.
PS. No, 7ujmnbg%TGB is not really my password. Besides, I have to change it every month. (Oops)
|
|
Comments (13)
..but this only works as long as you always log from the same type of keyboard. If you switch between US and UK or other keyboard layouts (for example if you travel), the results of the pattern will differ with each keyboard. Even PC and Mac for the same region keyboards are slightly different from each other.
I am reminded that I once worked for an employer that did not allow 3 adjacent keys could to be used in consecutive order on the keyboard for a password!
So ASD, 123, bnm, der and kij were not allowed.
You are only limited by the parameters that dictate the “standards” for your system or organization.
Hey Jimmy Kuo, you rocks!
That was a great innovative way to generate passwords. Thanks man.
Lobna M I Abdelaziz
This method will most likely generate only a limited subset of passwords. Once the method catches on, people will know what to look for. Keyboard layouts usually don’t change. And once people know, this password will be very easy to crack.
You might be able to fool corporate strength checks this way, but I don’t think this will fool dedicated crackers for long. There simply aren’t enough permutations.
My husband uses children’s nursery rhymes; eg old king cole was a very merry old soul. Keep them long (14 -16 characters), sprinkle #, caps & symbols and–voila oodles of p_sswords=:)
lb
my password system
I dont have a worry i tell every body what my password is
yes everyone knows my password for the month and i can
tell you what it is too if you wish 
what i wont tell you is what
language dictionary i got the translation from or which language i am using that month
same password always and switch languages this month
is japanese..
regards
george
Sid, the picture is now missing, but if you use a standard American keyboard, you’ll see the pattern.
Look at the number 7 on your keyboard. Now trace down the keyboard, the letter under 7 is u, then there’s j and then m.
He’s said you’re using a J shape, so we need to go down the keyboard, then to the left two letters and up one. Try it on a US keyboard and you get 7ujm(downtrace)nb(two left)g(one up)
Then he’s starting at 5, making a straight line down. Your keys are offset, so it won’t be vertical, it’ll be slightly right-leading. 5tgb
If we use the same idea, but starting with 8 and then 2, we would have 8ik,mnh and 2wsx
Another method would be to use a diamond shape. Say we start at x, the diamond would be xsedx. Clearer now?
It’s a cool idea, as long as no one ever watches you type. As soon as they do, they have this and all future passwords.
Love the ideas on how to create (and remember) secure passwords. I have used the same passwords for years for every single account and I know that’s just asking for trouble. Now I have no excuse not to go in and change all them.
Hey Sid, Go back and look at the article again. I found it very simple and creative. I am a newbie grandmother (over 65) and have wondered how to have unique passwords that I could remember. This is wonderful. Anne
No, however there is a super easy solution to this issue.
Micro Star International (motherboards) Password Keeper is the answer IMO and allows the user to store unlimited passwords and account information encrypted for safe keeping.
The user only needs to remember one single password for access to Password Keeper itself, and because this is a personal client side password, it NEVER gets entered into any internet/web based applications.
Of course the since this password only gets used for Password Keeper you could use a very simple one word password that is undeniably burned into your brain already:
By choosing a super simple pre-burned in memory (in your head that is) password for the Password Keeper you will likely not even have to write it down.
Or alternatively a more secure but still easy to remember pass could be constructed like this for Password Keeper.
Example1: My Chocolate Lab Has 100 Fleas (MCLH100F)
Example2: I Own A Black Chevy 4 Door (IOaBC4D)
This is the same functionally as MSI’s Password Keeper found on Blackberry’s and other pda cell phones.
http://download1.msi.com.tw/files/downloads/uti_exe/PasswordKeeper.zip
Best Regards, OnLooker
But all the same, “J” will be at “4″ and the “shifted-I” will be at “6
Actually no, due to this sentence. However a workable concept based on this method could be implemented with a little creative thinking.
I have found that PasswordKeeper 1.0 from MSI
http://download1.msi.com.tw/files/downloads/uti_exe/PasswordKeeper.zip
makes this problem/challenge/concern go away allowing the user to remeber just one personal password for the encrypted passwordkeeper application.
Regards, OnLooker
is there anyone out there who understands jimmy kuo’s password article? come on jimmy..most of us are not genii as you probably are.
Hi. I find that using a sentence is the easiest, of course assuming that you can use spaces and punctuation: http://passpack.wordpress.com/2006/12/29/passpack-strong-passwords-times-three/
Submit your own comments / message for this post