Operation Bootstrap

Web Operations, Culture, Security & Startups.

My Take: Creating & Maintaining Secure Passphrases


This was an article I wrote for my internal blog @ work. I’ve re-posted it here in case others have a need to share information like this with their company as an awareness tool. Feel free to use and abuse. These are my opinions – there are plenty of other articles about how to do this.

We’re all familiar with the policies right?

“Your password must be a minimum of 8 characters, must contain an uppercase character, a lowercase character, a number, a special character (which ones, exactly, are special?), must not be a dictionary word, must not be your name, must not be your hometown, must not be another person’s hometown, must not be the name of a planet, a galaxy, an alien race and must be changed every other week” – How in the world are you supposed to meet those requirements?

We’ve all been dealing with passwords for a long time but so few of us do much more than meet the minimum requirements. How many different passwords do you have? Three? Five? Are two of those five really just a variant of one of the other three? Creating and remembering good passphrases is challenging for some folks but I’ve found a way that works well for me and wanted to share some tips I use. I actually like changing my passphrase – it’s a fun chance to give my brain a break and think of something silly to use for the next 90 days. The more it makes me chuckle each time I type it in, the easier I’ll remember it and the better life will be. Ready to get started?

First things first – Passphrase, not Password

The first trick in all of this is the use of a phrase, not a word. You would be surprised how long a passphrase can be with just a short common phrase that you can easily remember. The other advantage to doing this – punctuation counts toward all those silly characters you have to use! But bottom line, we want something longer than 12 characters.

In a past life I did establish a passphrase policy that required 12 or more characters in passphrases. This was done based on some statistics (see below) showing that attackers generally avoid cracking passwords over 12 characters because of the time and effort required (and the fact that there is usually a shorter one you can crack). Everyone moaned and groaned when this policy was put in place – “12 characters! How am I going to do that?!” people would ask. After a little education (like this post) people figured it out and all was fine. I got a good chuckle, and a little personal pride, when I was reviewing the results of a password cracking session we had allowed to run for about 2 weeks. One password, which sadly was cracked, was “Stupid 12 character passwords!” – brilliant! Although it was cracked, it met all our requirements, gave me a good laugh, and is exactly what I’m going for here with a few tweaks.

So, passphrase, not password – with me so far?

Second thing – h4x0r typing & misspelling

Take the above passphrase “Stupid 12 character passwords!”. As brilliant as it is, it did get cracked. It’s made up of a fairly straightforward sentence structure with a capital at the start, punctuation at the end, and no real misspellings in the middle. Password crackers are made by smart people – we have to try harder than that. This is where you get to have fun though – make it yours!

“$tupid 12 chrctr pssw0rds!” – see the difference? It’s quite a lot more work to go through all the possible misspellings and variant characters when you start mixing it up in this way. One caveat: the single-character swaps on their own ($ for S, 0 for O) are in every cracker’s stock rule set, so the real gain here comes from the dropped letters and the length; the swaps are seasoning, not the meal. And it can be kinda fun to think of new ways to represent a letter. The letter “O” for example – 0 (zero), (), <>, [] – the list could go on, as long as you know what it means. How about “W” as VV or ^/. The idea is that you know the letter & the variant you used, but guessing it is tough. Bonus points any time you turn one character “O” into two “()”, or more – that adds length as well.

And misspelling is important. Things like using “da” instead of “the” (or better, “d^”) and the like result in a passphrase that is much more difficult to guess.

Third thing – no finger acrobatics!

This is getting a little more strategic in your passphrase creation but again, make it fun, make it a process, take a break from the daily grind. When you type a passphrase a bunch of times per day you want to be able to type it quickly & easily. Eventually your fingers memorize the motions and, if someone challenged you to write the passphrase down, you might struggle to recall what it even was.

I usually will start thinking of phrases and then typing variants into a notepad or my password safe program (more on that later). As I come up with ones that meet my other criteria (funny, memorable, not too long) I pay attention to how easy they are to type. At first all passphrases are awkward to type but pay attention to how much you have to move your hands out of their natural typing positions – if you have to play finger-twister to type your passphrase it’s going to get frustrating to type. Spend a little time and go easy on yourself. Also, if you use it for a few days and it’s just not working out – change it!

Why does my passphrase need to be so long? Is it really that easy to crack?

You only need one account – the shortest password loses & the organization is compromised. Good passwords are not easy to crack, but bad passwords are. Below is a graphic from Virginia Commonwealth University, which gives an idea of the amount of time required to crack a passphrase. Now, this assumes 100,000 password attempts per second; the real speed depends heavily on the CPU power involved and on the hash algorithm used to store the password, and the figures assume a brute force attack against a known hash. On my old AMD Athlon 3200 I can achieve well over 100,000 passwords per second. For anyone with hardware designed for cracking passphrases you could cut these numbers to 15-25% of what is shown in this graph… or less.
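The arithmetic behind that kind of chart, as an added example (not code from the original post, and not the VCU graphic): it classifies a passphrase by the character classes it uses, computes the keyspace an attacker who knows only the length and those classes has to search, and converts that into an expected crack time at a given guess rate. The 100,000 guesses/second rate is the chart’s assumption; the 33-character “special” set and the 10^9 guesses/second figure for dedicated cracking hardware are my own assumptions for illustration.

```python
"""Brute-force cost estimate for a candidate passphrase.

Added example, not code from the original post. Assumptions are marked.
"""
import math
import string

# Character classes as brute-force tools typically enumerate them.
# Assumption: "special" means the 32 printable ASCII punctuation
# characters plus the space (26 + 26 + 10 + 33 = 95 printable characters).
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "special": set(string.punctuation) | {" "},
}

# Guess rates in guesses/second. The first is what the post's chart
# assumes; the second is an assumed figure for dedicated cracking hardware.
RATES = {"100k/s (chart)": 1e5, "1G/s (assumed GPU rig)": 1e9}


def alphabet_size(passphrase: str) -> int:
    """Size of the alphabet an attacker must search if they know only
    which character classes the passphrase uses."""
    size = sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in passphrase))
    if size == 0:
        raise ValueError("no printable ASCII characters in passphrase")
    return size


def keyspace(passphrase: str) -> int:
    """Number of candidates of this exact length over that alphabet."""
    return alphabet_size(passphrase) ** len(passphrase)


def entropy_bits(passphrase: str) -> float:
    """log2 of the keyspace: the usual 'bits of strength' figure for brute force."""
    return len(passphrase) * math.log2(alphabet_size(passphrase))


def expected_crack_seconds(passphrase: str, guesses_per_second: float) -> float:
    """Expected time to hit the passphrase: on average half the keyspace
    is searched before the right candidate comes up."""
    return keyspace(passphrase) / 2 / guesses_per_second


def human_duration(seconds: float) -> str:
    """Render seconds in the largest unit that gives a number >= 1."""
    for name, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.3g} {name}"
    return f"{seconds:.3g} seconds"


if __name__ == "__main__":
    # Constructed sample inputs: a weak baseline plus the post's own examples.
    samples = ["password", "Password1", "Stupid 12 character passwords!",
               "$tupid 12 chrctr pssw0rds!"]
    for pw in samples:
        print(f"{pw!r}: len={len(pw)} alphabet={alphabet_size(pw)} "
              f"entropy={entropy_bits(pw):.1f} bits")
        for label, rate in RATES.items():
            print(f"   {label}: {human_duration(expected_crack_seconds(pw, rate))}")
```

Note what the table does and does not say: an 8-character lowercase word falls in days at the chart’s rate, while both 26+ character phrases come out at astronomical times under a pure brute force model. That model is exactly what the dictionary and hybrid attacks in the next paragraph get around, which is why the entropy figure is an upper bound on strength, not a guarantee.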

These statistics are based on a brute force attack where every possible combination is tried. Dictionary attacks, rainbow table attacks and hybrid attacks are much faster; however, those attacks do not try every possible combination (and rainbow tables only help against unsalted hashes). They all rely on the passphrase being built from relatively common words or phrases – mix it up enough and brute force becomes the attacker’s only option, and cracking times go up dramatically.
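What the hybrid (wordlist plus mangling rules) attack mentioned here actually does, and why the single-character swaps from the h4x0r section above are not enough on their own, as an added example that is not part of the original post: a toy cracker takes a short constructed wordlist, applies case, leet and suffix rules the way John the Ripper or hashcat rule files do, and checks every candidate against a set of constructed unsalted SHA-256 hashes. The wordlist, the rule set, the suffix list and the target secrets are all my own assumptions; real rule files run to thousands of rules and real wordlists to millions of words.

```python
"""Hybrid (wordlist + mangling rule) attack against constructed hashes.

Added example, not code from the original post. Everything here is
constructed so it runs offline.
"""
import hashlib
import itertools

# Constructed wordlist; real attacks use lists of millions of words.
WORDLIST = ["stupid", "password", "character", "dragon", "summer"]

# Single-character "leet" substitutions, the same ones a cracker's
# stock rule files apply.
LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"}

# Suffixes people append to satisfy "must contain a digit / special" rules.
SUFFIXES = ["", "1", "12", "123", "!", "1!"]


def leet_variants(word):
    """Every combination of substitutions, from none of them to all of them."""
    positions = [i for i, c in enumerate(word) if c.lower() in LEET]
    for r in range(len(positions) + 1):
        for combo in itertools.combinations(positions, r):
            chars = list(word)
            for i in combo:
                chars[i] = LEET[chars[i].lower()]
            yield "".join(chars)


def mangle(word):
    """Case rules x leet rules x suffix rules for one dictionary word."""
    seen = set()
    for base in (word.lower(), word.capitalize(), word.upper()):
        for variant in leet_variants(base):
            for suffix in SUFFIXES:
                cand = variant + suffix
                if cand not in seen:
                    seen.add(cand)
                    yield cand


def sha256_hex(text):
    """Assumption: targets are unsalted SHA-256; a real system should use
    a salted, slow password hash, which makes every guess more expensive."""
    return hashlib.sha256(text.encode()).hexdigest()


def hybrid_attack(target_hashes, wordlist=WORDLIST):
    """Return ({hash: plaintext} for every target recovered, guesses made)."""
    remaining = set(target_hashes)
    cracked = {}
    guesses = 0
    for word in wordlist:
        for cand in mangle(word):
            guesses += 1
            digest = sha256_hex(cand)
            if digest in remaining:
                cracked[digest] = cand
                remaining.discard(digest)
                if not remaining:
                    return cracked, guesses
    return cracked, guesses


# Constructed targets: four single-word "policy compliant" choices plus the
# two phrases from the post.
SECRETS = ["Stupid", "Password1", "$tupid12", "Dr@gon!",
           "Stupid 12 character passwords!",   # the post's cracked phrase
           "$tupid 12 chrctr pssw0rds!"]       # the post's tweaked phrase
TARGETS = {sha256_hex(s): s for s in SECRETS}


if __name__ == "__main__":
    cracked, guesses = hybrid_attack(set(TARGETS))
    print(f"{len(cracked)} of {len(TARGETS)} hashes cracked in {guesses} guesses")
    for digest, secret in TARGETS.items():
        status = f"CRACKED as {cracked[digest]!r}" if digest in cracked else "survived"
        print(f"  {secret!r}: {status}")
```

Run it and the four single-word choices fall within a few hundred guesses, leet swaps and all, while neither phrase is reached, because single-word rules never produce a multi-word candidate. Cracking the post’s original phrase, as the two-week session did, takes a phrase-level attack (combining words or a phrase list); this toy does not implement that, which is precisely the point of the section above on mixing it up: the character swaps cost the attacker nothing, the length and the dropped letters are what push them back to brute force.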

Now I have a secure passphrase – how do I keep it safe?

You put it on a sticky note and stick it to your monitor! No! Wait… There are a few different ways to keep your password secure.

1 – Your head

Yes, the best place to keep a passphrase is in your head. Over time you do memorize your passphrase assuming you use it often but you do need somewhere safe to store it until it’s reliably memorized.

2 – A Password Safe

Imagine that – this problem of remembering passwords is so common that somebody went out and wrote a program to solve it! In fact, there are many, many password safe applications. I’ll talk about one and you can do your own experimentation. My only word of warning is about services which store your passphrase “in the cloud”. I’m not a big fan of this, services like LastPass work this way. We can get into the religion behind that later, but my preference is KeePass – it’s a multi-platform system that works on Windows, OS X, Linux and a variety of other systems. The database file is small and you may keep multiple files, which means you can separate your personal stuff from work. It also means you can leverage synchronization services to make that file available on multiple machines – something important to me.

KeePass and other password safes make it convenient to have many different passphrases. They will even generate them for you – though theirs won’t be nearly the ball of fun that my method above will yield, they will be secure. Password safes are unlocked with a master passphrase – you should choose a very strong passphrase for this that you do not use for anything else. “How do I remember that passphrase?” you ask? See option #1 above & #3 below. With KeePass it doesn’t matter if someone is looking over your shoulder, you just bring it up, unlock it, select the account you are trying to use and it copies the passphrase to your clipboard without ever showing it to you. You can then paste it into the password field and voilà – you are in. If you want to see the passphrase as a reminder, you of course may view it.

The passphrases are all stored in an encrypted file on disk. These programs take many measures such as securely wiping the clipboard, not utilizing swap space, and automatically locking after a period of time, to keep your passphrases as secure as possible. They are also designed to be convenient and KeePass has a number of plugins to allow it to integrate with other applications for easier password use. I keep all my passphrases in KeePass and sometimes even use it to generate passphrases for me. I then utilize a free service, Dropbox, to store the encrypted KeePass database and synchronize it between my various machines. Once that file sits on a third party’s servers its confidentiality rests entirely on the master passphrase (and a key file, if you add one, which KeePass supports), so the master passphrase is the one place where “very strong” is not optional.

3 – Your wallet

That’s right. It’s not the best place for your passphrases but it’s a heck of a lot better than most. You keep all kinds of sensitive information in your wallet. Now, you need to be discreet and keep your passphrase in your wallet only for those times when you really cannot remember it. If you pull your wallet out every day, and there, stuck over your driver’s license, is a sticky with your password on it – no, that’s not good. Folded up and put in your wallet for that rare moment when you can’t remember, that’s ok. This isn’t just my opinion – others think so too.


All that said, there are some really simple rules for keeping passphrases safe. My favorite is to think of your passphrases like underwear:

Passwords are like underwear…

Change yours often – we require you to change your passphrase every 90 days, keep that same cycle with other passphrases you use if you can.

Don’t share them with friends – Do not share your password with ANYONE – not friends, coworkers or family members.

Be Mysterious – When creating your password don’t use anything that would be easy for someone to guess.

The longer the better – A longer password equals better security.

Don’t leave them lying around – Do not write your password down on a piece of paper and leave it in plain view.

I sure hope this has helped you maintain better password security.