Pages in topic:   [1 2] >
How to invent a password
Thread poster: Oliver Walter

Oliver Walter  Identity Verified
United Kingdom
Local time: 05:33
Member (2005)
German to English
+ ...
Aug 13, 2010

If you use a password as part of your procedure to use some service on a computer or the Internet, it is important for the password to be a character string that is in fact not a word, so that so-called dictionary attacks cannot discover it. It should also not be a word that names anything that other people know about you.
I have a simple method that you can use to invent passwords that are probably not crackable (except by "brute force" attack) and are fairly easy to remember.
This method gives passwords of 8 or 9 characters and you can easily see how to extend them by multiples of 2 or 3 characters.
The 8 characters consist of two 3-letter words and a 2-digit number; one of the words is in upper case and one in lower case; the number can be at the start, middle or end of the password.
Examples of 3-character words: one, two, six, ten, sky, sun, sea, his, our, its, ear, eye, toe, lip. The number is, of course, one of 00, 01, ... 98, 99.
Examples of passwords: ONE00one, tenTEN99.
I have calculated that using one of the 4 "number" words, this gives a total of 19200 possible 8-character passwords. You could use a 3-digit number (000-999), giving ten times as many possible passwords.
I hope this is useful, or at least of interest, to somebody.
(P.S. my Proz password is not one of these!)

Oliver


Direct link Reply with quote
 

Sergei Leshchinsky  Identity Verified
Ukraine
Local time: 07:33
Member (2008)
English to Russian
+ ...
creative approach Aug 13, 2010

Opnet Notepad and let your cat walk over the keyboard.

Direct link Reply with quote
 

Gudrun Wolfrath  Identity Verified
Germany
Local time: 06:33
English to German
+ ...
Good idea, Sergei. Aug 13, 2010

Cats are ever so creative.

Direct link Reply with quote
 

Oliver Walter  Identity Verified
United Kingdom
Local time: 05:33
Member (2005)
German to English
+ ...
TOPIC STARTER
That would be too long Aug 13, 2010

Sergei Leshchinsky wrote:
Opnet Notepad and let your cat walk over the keyboard.

1. I don't have a cat (nor a dog or parrot),
2. such a password would be too long (I suppose I could take the first n characters),
3. it would be just a little more difficult to remember than the type I have described.
Oliver


Direct link Reply with quote
 

Erik Freitag  Identity Verified
Germany
Local time: 06:33
Member (2006)
Dutch to German
+ ...
You've just burnt your system Aug 13, 2010

Oliver Walter wrote:

Sergei Leshchinsky wrote:
Opnet Notepad and let your cat walk over the keyboard.

1. I don't have a cat (nor a dog or parrot),
2. such a password would be too long (I suppose I could take the first n characters),
3. it would be just a little more difficult to remember than the type I have described.
Oliver


Dear Olivier,

I hope you know that you've just "burnt" your system? If I were a criminal, I'd have an easy way of breaking into your password protected accounts (banking, mail, with the additional chance of getting further personal information from the latter) now.

Not a good idea ... Time to change your system, I'm afraid.

Best regards,
Erik



[Bearbeitet am 2010-08-13 15:46 GMT]


Direct link Reply with quote
 

Oliver Walter  Identity Verified
United Kingdom
Local time: 05:33
Member (2005)
German to English
+ ...
TOPIC STARTER
I did wonder about that Aug 13, 2010

efreitag wrote:
Dear Olivier,

I hope you know that you've just "burnt" your system? If I were a criminal, I'd have an easy way of breaking into your password protected accounts (banking, mail, with the additional chance of getting further personal information from the latter) now.

Not a good idea ... Time to change your system, I'm afraid.

When I was writing my post, I did wonder whether that would "burn" it.
I think that password-protected accounts would not permit even a few hundred attempts at breaking in; they would suspend the account either for a set period or until the owner takes some other action to contact the institution in question. In my experience, login attempts will not be permitted after about 3 failures.
The situation where my system would not be so good is to use such passwords for encrypting the contents of files (e.g. with Word, Excel or Winzip; to do this with Word or Excel, use Save As... and then select General Options from Tools) because a "password-recovery" program can then try as many times as it likes.
And, if anybody is interested, I do not use this system at present for online banking or email accounts.

Question to anybody who really knows: are there in fact any systems that require a user to log in with a password, that permit an unlimited number of failed attempts without taking some action such as suspending the account?

Oliver


Direct link Reply with quote
 

Neil Coffey  Identity Verified
United Kingdom
Local time: 05:33
French to English
+ ...
Dictionary attacks... Aug 13, 2010

Oliver Walter wrote:
If you use a password as part of your procedure to use some service on a computer or the Internet, it is important for the password to be a character string that is in fact not a word, so that so-called dictionary attacks cannot discover it.


It's worth bearing in mind that dictionary attacks are a bit cleverer than you seem to be assuming, and do indeed look for sequences of words, sequences of words with numbers in between, sequences of words with "i" replaced by "1" etc...

Another common method you consider is to think of not a password but a pass *phrase*, and then make your password consist of the first (or second/last) letter of each word in the phrase.

You could also just created a string of random letters and write it down-- usually the threat you're trying to protect yourself against doesn't hinge around remembering your password or somebody physically having access to the piece of paper you wrote it on, just around somebody else in a remote place not knowing it.

(Still preferable: use something like TrueCrypt to have a virtual drive that contains all your passwords, and protected with just one strong passphrase that you can remember.)


Direct link Reply with quote
 

Neil Coffey  Identity Verified
United Kingdom
Local time: 05:33
French to English
+ ...
On-line vs off-line attacks Aug 13, 2010

Oliver Walter wrote:
Question to anybody who really knows: are there in fact any systems that require a user to log in with a password, that permit an unlimited number of failed attempts without taking some action such as suspending the account?


It's likely that a lot would, and would also look at the *frequency* of attempts as well as the number per se.

There's also another type of attack to be aware of, whereby the attacker gets hold of the hashed version of the password stored on the site, and can then do an "off-line attack"-- essentially they don't actually need to make login attempts to try and guess the password, they just take the data they've stolen and run a process at their leisure, making millions and millions of guesses if they want, until they find the password that matches the hash from the stolen data.

That said, I think criminals will tend to be more bothered about doing this for your Swiss bank account than your ProZ account...


Direct link Reply with quote
 

Drew MacFadyen
SITE STAFF
Password generators Aug 13, 2010

There are some good password generators online
http://strongpasswordgenerator.com/
http://www.goodpassword.com/
http://www.pctools.com/guides/password/

Most will let you set char length, whether to use alpha, numerical and punctuation as well.

If you are like me, and cannot remember passwords to save your life (and wish to update/change them every 3 months - a good practice) the a free opensource password safe like
http://passwordsafe.sourceforge.net/

is highly valuable.

Drew


Direct link Reply with quote
 

Oliver Walter  Identity Verified
United Kingdom
Local time: 05:33
Member (2005)
German to English
+ ...
TOPIC STARTER
Another password safe Aug 13, 2010

Drew MacFadyen wrote:
There are some good password generators online
http://strongpasswordgenerator.com/
http://www.goodpassword.com/
http://www.pctools.com/guides/password/

Most will let you set char length, whether to use alpha, numerical and punctuation as well.
Yes, I am aware that password generators exist, though I have never used one. The first one I encountered was, IIRC, part of VMS on the VAX computer (anybody remember them?). I used my own passwords because I thought the machine-generated ones would be too difficult to remember. I have never looked at the ones you have listed, so I have no idea whether their generated passwords are easy enough to remember.

If you are like me, and cannot remember passwords to save your life (and wish to update/change them every 3 months - a good practice) the a free opensource password safe like
http://passwordsafe.sourceforge.net/

is highly valuable.
Yes, such password safes are very valuable. I use this one:
http://keepass.info/
and my master "password" for it is more than 12 characters long and easy for me to remember, but not related to anything about me personally.

If, in the situation mentioned by Neil, someone manages to obtain a password of yours in its encrypted state from a server that stores it, I think you're likely to be in trouble, whatever the password is.

I spoke to a person this afternoon who has worked on servers and he told me: servers (i.e. their software) usually enable the administrator to specify settings such as how many failed login attempts to allow before locking an account, with a default value of 3. If the admin wants unlimited attempts, the server will warn of the consequences and advise this should be done only for test purposes.
Remember that with such a password safe, the (encrypted) database of passwords resides on your computer so only people with access to it (which includes outsiders who manage to smuggle malware onto it) can even get hold of that database, before being able to consider "cracking" it.

Well, even if you don't like my suggestions (or extensions thereof such as longer words or bigger numbers) for how to create a password (& let me stress again a password should never be literally one word) I hope this thread will make some Prozians think again about their passwords (those few of you there may be, that is, whose passwords are at present not good ones) and perhaps change the important ones into "good" ones.

Oliver


Direct link Reply with quote
 

Tina Vonhof  Identity Verified
Canada
Local time: 22:33
Member (2006)
Dutch to English
+ ...
One question Aug 13, 2010

How do you remember which password you used for what???

Direct link Reply with quote
 

Oliver Walter  Identity Verified
United Kingdom
Local time: 05:33
Member (2005)
German to English
+ ...
TOPIC STARTER
Sorry, that's your problem! Aug 13, 2010

Tina Vonhof wrote:
How do you remember which password you used for what???

I think you'll have to invent your own system for that!
A possible approach might be:
  1. Invent a nice long-enough rememberable password
  2. Have a simple method of adding to that basic password a prefix or suffix that indicates what you use it for

Example: if your basic password is ppppp, you could perhaps use the password
pppppProz for Proz,
pppppBank for the bank and
pppppISP for your ISP.

If ppppp is well chosen and can't be cracked, neither can these. (But of course, if it is known that you use a system like this, if ppppp is ever cracked, the real passwords would not be very difficult to determine after that, depending on what you use for "Proz", "Bank" etc.
Oliver


Direct link Reply with quote
 
Post removed: This post was hidden by a moderator or staff member for the following reason: Damian Harrison asked me to remove his post.

Neil Coffey  Identity Verified
United Kingdom
Local time: 05:33
French to English
+ ...
You don't need to remember passwords Aug 13, 2010

Tina Vonhof wrote:
How do you remember which password you used for what???


You don't. You write them down.


Direct link Reply with quote
 

Tina Vonhof  Identity Verified
Canada
Local time: 22:33
Member (2006)
Dutch to English
+ ...
I do Aug 14, 2010

Neil Coffey wrote:

Tina Vonhof wrote:
How do you remember which password you used for what???


You don't. You write them down.


Yes of course I have them written down but that is what you are always told not to do....
I actually do have my own password system: I use a short phrase in my mother tongue that is relevant to the particular site (most sites I need such as my bank etc. are English language sites) and then add a number that is meaningful to me - similar to what Oliver suggests. I don't know if these can be cracked but at least I can remember them.


Direct link Reply with quote
 
Pages in topic:   [1 2] >


To report site rules violations or get help, contact a site moderator:


You can also contact site staff by submitting a support request »

How to invent a password

Advanced search






Anycount & Translation Office 3000
Translation Office 3000

Translation Office 3000 is an advanced accounting tool for freelance translators and small agencies. TO3000 easily and seamlessly integrates with the business life of professional freelance translators.

More info »
WordFinder Unlimited
For clarity and excellence

WordFinder is the leading dictionary service that gives you the words you want anywhere, anytime. Access 260+ dictionaries from the world's leading dictionary publishers in virtually any device. Find the right word anywhere, anytime - online or offline.

More info »



Forums
  • All of ProZ.com
  • Term search
  • Jobs
  • Forums
  • Multiple search