How to invent a password
Thread poster: Oliver Walter

Oliver Walter (United Kingdom, German to English)
Aug 13, 2010

If you use a password as part of your procedure to use some service on a computer or the Internet, it is important for the password to be a character string that is in fact not a word, so that so-called dictionary attacks cannot discover it. It should also not be a word that names anything that other people know about you.
I have a simple method that you can use to invent passwords that are probably not crackable (except by "brute force" attack) and are fairly easy to remember.
This method gives passwords of 8 or 9 characters and you can easily see how to extend them by multiples of 2 or 3 characters.
The 8 characters consist of two 3-letter words and a 2-digit number; one of the words is in upper case and one in lower case; the number can be at the start, middle or end of the password.
Examples of 3-character words: one, two, six, ten, sky, sun, sea, his, our, its, ear, eye, toe, lip. The number is, of course, one of 00, 01, ... 98, 99.
Examples of passwords: ONE00one, tenTEN99.
I have calculated that using one of the 4 "number" words, this gives a total of 19200 possible 8-character passwords. You could use a 3-digit number (000-999), giving ten times as many possible passwords.
I hope this is useful, or at least of interest, to somebody.
(P.S. my Proz password is not one of these!)

Oliver


 

Sergei Leshchinsky (Ukraine, English to Russian)
creative approach, Aug 13, 2010

Open Notepad and let your cat walk over the keyboard. ;-)

 

Gudrun Wolfrath (Germany, English to German)
Good idea, Sergei. Aug 13, 2010

Cats are ever so creative.

 

Oliver Walter (United Kingdom, German to English), topic starter
That would be too long, Aug 13, 2010

Sergei Leshchinsky wrote:
Open Notepad and let your cat walk over the keyboard. ;-)

1. I don't have a cat (nor a dog or parrot),
2. such a password would be too long (I suppose I could take the first n characters),
3. it would be just a little more difficult to remember than the type I have described.
Oliver


 

Erik Freitag (Germany, Dutch to German)
You've just burnt your system, Aug 13, 2010

Oliver Walter wrote:

Sergei Leshchinsky wrote:
Open Notepad and let your cat walk over the keyboard. ;-)

1. I don't have a cat (nor a dog or parrot),
2. such a password would be too long (I suppose I could take the first n characters),
3. it would be just a little more difficult to remember than the type I have described.
Oliver


Dear Oliver,

I hope you know that you've just "burnt" your system? If I were a criminal, I'd have an easy way of breaking into your password protected accounts (banking, mail, with the additional chance of getting further personal information from the latter) now.

Not a good idea ... Time to change your system, I'm afraid.

Best regards,
Erik



[Edited at 2010-08-13 15:46 GMT]


 

Oliver Walter (United Kingdom, German to English), topic starter
I did wonder about that, Aug 13, 2010

efreitag wrote:
Dear Oliver,

I hope you know that you've just "burnt" your system? If I were a criminal, I'd have an easy way of breaking into your password protected accounts (banking, mail, with the additional chance of getting further personal information from the latter) now.

Not a good idea ... Time to change your system, I'm afraid.

When I was writing my post, I did wonder whether that would "burn" it.
I think that password-protected accounts would not permit even a few hundred attempts at breaking in; they would suspend the account either for a set period or until the owner takes some other action to contact the institution in question. In my experience, login attempts will not be permitted after about 3 failures.
The situation where my system would not be so good is to use such passwords for encrypting the contents of files (e.g. with Word, Excel or Winzip; to do this with Word or Excel, use Save As... and then select General Options from Tools) because a "password-recovery" program can then try as many times as it likes.
And, if anybody is interested, I do not use this system at present for online banking or email accounts.

Question to anybody who really knows: are there in fact any systems that require a user to log in with a password, that permit an unlimited number of failed attempts without taking some action such as suspending the account?

Oliver


 

Neil Coffey (United Kingdom, French to English)
Dictionary attacks... Aug 13, 2010

Oliver Walter wrote:
If you use a password as part of your procedure to use some service on a computer or the Internet, it is important for the password to be a character string that is in fact not a word, so that so-called dictionary attacks cannot discover it.


It's worth bearing in mind that dictionary attacks are a bit cleverer than you seem to be assuming, and do indeed look for sequences of words, sequences of words with numbers in between, sequences of words with "i" replaced by "1" etc...

Another common method you could consider is to think of not a password but a pass *phrase*, and then make your password consist of the first (or second/last) letter of each word in the phrase.

You could also just create a string of random letters and write it down -- usually the threat you're trying to protect yourself against doesn't hinge around remembering your password or somebody physically having access to the piece of paper you wrote it on, just around somebody else in a remote place not knowing it.

(Still preferable: use something like TrueCrypt to have a virtual drive that contains all your passwords, and protected with just one strong passphrase that you can remember.)


 

Neil Coffey (United Kingdom, French to English)
On-line vs off-line attacks, Aug 13, 2010

Oliver Walter wrote:
Question to anybody who really knows: are there in fact any systems that require a user to log in with a password, that permit an unlimited number of failed attempts without taking some action such as suspending the account?


It's likely that a lot would, and would also look at the *frequency* of attempts as well as the number per se.

There's also another type of attack to be aware of, whereby the attacker gets hold of the hashed version of the password stored on the site, and can then do an "off-line attack" -- essentially they don't actually need to make login attempts to try and guess the password, they just take the data they've stolen and run a process at their leisure, making millions and millions of guesses if they want, until they find the password that matches the hash from the stolen data.

That said, I think criminals will tend to be more bothered about doing this for your Swiss bank account than your ProZ account...
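An added example, not code from the thread: it enumerates the key space of the word-plus-number scheme from the opening post (using the 14 words listed there) and relates it to the off-line guessing Neil describes, with an assumed rate of one million guesses per second. Under the rules as stated, the four "number" words yield 9,600 candidates; whether one counts 9,600 or 19,200, the space is about 13 to 14 bits, which an off-line attack exhausts in a fraction of a second, while on-line lockouts never come into play against stolen hashes.

```python
import math
from itertools import product

# The 14 three-letter words listed in the opening post; the first four are the "number" words.
WORDS = ["one", "two", "six", "ten", "sky", "sun", "sea", "his",
         "our", "its", "ear", "eye", "toe", "lip"]
NUMBER_WORDS = WORDS[:4]

# Assumed off-line guessing rate (an illustrative constant, not a measured figure).
OFFLINE_GUESSES_PER_SECOND = 1_000_000
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def enumerate_scheme(words, digits=2):
    """Every password the scheme can produce: two words from the list (a word may
    repeat, as in ONE00one), one upper-case and one lower-case, plus a zero-padded
    number of `digits` digits placed at the start, middle or end."""
    numbers = [str(i).zfill(digits) for i in range(10 ** digits)]
    out = []
    for w1, w2 in product(words, repeat=2):
        for upper_first in (True, False):
            a = w1.upper() if upper_first else w1.lower()
            b = w2.lower() if upper_first else w2.upper()
            for num in numbers:
                out.extend((num + a + b, a + num + b, a + b + num))
    return out


def keyspace(words, digits=2):
    """Closed form of the same count: n*n word pairs, 2 case patterns, 3 positions, 10^digits numbers."""
    n = len(words)
    return n * n * 2 * 3 * 10 ** digits


def entropy_bits(count):
    """Guessing entropy of a password chosen uniformly from `count` candidates."""
    return math.log2(count)


def years_to_exhaust(count, guesses_per_second=OFFLINE_GUESSES_PER_SECOND):
    """Time to try the whole space off-line; account lockouts do not apply to stolen hashes."""
    return count / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    for label, space in [("4 number words, 2 digits", keyspace(NUMBER_WORDS)),
                         ("14 words, 2 digits", keyspace(WORDS)),
                         ("14 words, 3 digits", keyspace(WORDS, 3)),
                         ("random 8-char alphanumeric", 62 ** 8)]:
        print(f"{label:28s} {space:>16,d} candidates  {entropy_bits(space):5.1f} bits  "
              f"{years_to_exhaust(space):.2e} years off-line")
```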


 

Drew MacFadyen (site staff)
Password generators, Aug 13, 2010

There are some good password generators online
http://strongpasswordgenerator.com/
http://www.goodpassword.com/
http://www.pctools.com/guides/password/

Most will let you set char length, whether to use alpha, numerical and punctuation as well.

If you are like me, and cannot remember passwords to save your life (and wish to update/change them every 3 months - a good practice), then a free open-source password safe like
http://passwordsafe.sourceforge.net/

is highly valuable.

Drew


 

Oliver Walter (United Kingdom, German to English), topic starter
Another password safe, Aug 13, 2010

Drew MacFadyen wrote:
There are some good password generators online
http://strongpasswordgenerator.com/
http://www.goodpassword.com/
http://www.pctools.com/guides/password/

Most will let you set char length, whether to use alpha, numerical and punctuation as well.
Yes, I am aware that password generators exist, though I have never used one. The first one I encountered was, IIRC, part of VMS on the VAX computer (anybody remember them?). I used my own passwords because I thought the machine-generated ones would be too difficult to remember. I have never looked at the ones you have listed, so I have no idea whether their generated passwords are easy enough to remember.

If you are like me, and cannot remember passwords to save your life (and wish to update/change them every 3 months - a good practice), then a free open-source password safe like
http://passwordsafe.sourceforge.net/

is highly valuable.
Yes, such password safes are very valuable. I use this one:
http://keepass.info/
and my master "password" for it is more than 12 characters long and easy for me to remember, but not related to anything about me personally.

If, in the situation mentioned by Neil, someone manages to obtain a password of yours in its encrypted state from a server that stores it, I think you're likely to be in trouble, whatever the password is.

I spoke to a person this afternoon who has worked on servers and he told me: servers (i.e. their software) usually enable the administrator to specify settings such as how many failed login attempts to allow before locking an account, with a default value of 3. If the admin wants unlimited attempts, the server will warn of the consequences and advise this should be done only for test purposes.
Remember that with such a password safe, the (encrypted) database of passwords resides on your computer so only people with access to it (which includes outsiders who manage to smuggle malware onto it) can even get hold of that database, before being able to consider "cracking" it.

Well, even if you don't like my suggestions (or extensions thereof such as longer words or bigger numbers) for how to create a password (& let me stress again a password should never be literally one word) I hope this thread will make some Prozians think again about their passwords (those few of you there may be, that is, whose passwords are at present not good ones) and perhaps change the important ones into "good" ones.

Oliver


 

Tina Vonhof (Canada, Dutch to English)
One question, Aug 13, 2010

How do you remember which password you used for what???

 

Oliver Walter (United Kingdom, German to English), topic starter
Sorry, that's your problem! Aug 13, 2010

Tina Vonhof wrote:
How do you remember which password you used for what???

I think you'll have to invent your own system for that! :-O
A possible approach might be:
  1. Invent a nice long-enough rememberable password
  2. Have a simple method of adding to that basic password a prefix or suffix that indicates what you use it for

Example: if your basic password is ppppp, you could perhaps use the password
pppppProz for Proz,
pppppBank for the bank and
pppppISP for your ISP.

If ppppp is well chosen and can't be cracked, neither can these. (But of course, if it is known that you use a system like this, if ppppp is ever cracked, the real passwords would not be very difficult to determine after that, depending on what you use for "Proz", "Bank" etc.)
Oliver


 
Post removed: This post was hidden by a moderator or staff member for the following reason: Damian Harrison asked me to remove his post.

Neil Coffey (United Kingdom, French to English)
You don't need to remember passwords, Aug 13, 2010

Tina Vonhof wrote:
How do you remember which password you used for what???


You don't. You write them down.


 

Tina Vonhof (Canada, Dutch to English)
I do, Aug 14, 2010

Neil Coffey wrote:

Tina Vonhof wrote:
How do you remember which password you used for what???


You don't. You write them down.


Yes of course I have them written down but that is what you are always told not to do....
I actually do have my own password system: I use a short phrase in my mother tongue that is relevant to the particular site (most sites I need such as my bank etc. are English language sites) and then add a number that is meaningful to me - similar to what Oliver suggests. I don't know if these can be cracked but at least I can remember them.


 