Make your passwords more difficult to crack.
These days it's actually quite difficult to pick a decent password that is hard to crack; the future will give us more options around biometrics or algorithmic keys. More than likely, passwords will never go away but will continue to be combined with a device (card, key, etc.), which is called two-factor authentication (something you know, such as a password, plus something you have, such as a card or fingerprint). If you've done technical support or network administration, no doubt you've seen every kind of password combination, from plain numbers to letters and numbers, mixes, and so on. You also know that social engineering often gets someone to simply give up their password, which is difficult to guard against as well.
Crackers are basically hackers that use toolsets designed to defeat either the password or the method that encrypts the password. There's lots of commercial software available because people forget passwords, even system administrators, so you'll find a password cracker for just about every system out there. Most of these applications start with what's called a dictionary attack, which means the tool has large text files with just words in them and tests each one. Some of these dictionaries are giant, in other languages, and focus on specialty niches like movies, Shakespeare, etc. The other common attack is a brute force attack, in which the program tries every possible password in sequence, such as "pasp", "pasq", "pasr", "pass". Brute force can take a long, long time because your password might be 16 characters long and contain symbols (*&^%$#), capital letters, numbers, and so on. Brute force attacks will eventually find your password no matter what, and the time it takes keeps decreasing as crackers take advantage of powerful hardware like distribution farms (lots of computers) with multiple, multi-core 64-bit processors. A bank of 10 servers with dual 64-bit quad-core processors could crack the password "g00dn1gHt3very1" in less than 10 seconds if it was encrypted with a 40-bit algorithm.
Anyway, let's discuss 5 good password techniques that will throw off dictionary attacks and brute force methods.
1. Use a pass-phrase – Pass-phrases are much better; basically, use a sentence rather than your child's first name. Unfortunately, most programs limit your password length. If a program doesn't limit password length, pick a pass-phrase because it's easy to remember, won't be in a dictionary, and is hard to brute force. An example would be "I love 2 drink sugar free lemonade!". That's a 35-character password with a capital letter, a symbol, spaces, and a number. (I tested this password with 128-bit AES encryption, and a cracking tool was unable to crack it after working on it for 12+ hours on a single dual-core 3.2 GHz processor.)
Example test (I love 2 drink sugar free lemonade!):
Works on Windows Vista
Works with WinRAR 3.70
Works with WinZIP 11.1
Works with Excel 2007
Does not work with Word 2007 (character limitation)
Passed Basic Passware Audit*
*Password Audit Notes: Passware 8.0 has a 27-character limit on brute force attacks for the Office Recovery tool. The RAR & Zip Recovery tool has a limit of 12 characters. In all my tests, I used the defaults. This is one of the top password recovery and audit tools on the commercial market and retails for $495. If you're an IT specialist, I suggest getting a copy. (No, I'm not getting paid for referring them.)
2. Math – These are easy to remember, won't be in a dictionary, and are hard to brute force. Use a word, a symbol, and a number. Here are some example passwords: 12*Twelve=144, Ten*10=100!, Eighteen-1=17. Combine this tip with the previous one for a super strong password: "Ted said 2*2=4". When I spoke with Microsoft consultants a couple of years ago, they fell in love with this method.
Example test (Ted said 2*2=4):
Works with Windows Vista
Works with Word 2007
Works with Excel 2007
Works with WinRAR 3.70
Works with WinZIP 11.1
Passed Basic Passware Audit
3. Extended ASCII (Graphics) – Some password crackers don't have options for extended ASCII; in fact, it's rarely used anymore within the Windows world due to fonts and graphics. These characters aren't preloaded into cracking tools, they aren't well known, and they're not in dictionaries. Someday this might change, but until then, a passphrase like "451°F will burn paper" is a platinum-class passphrase. It's easy to remember, is 21 characters long, and has extended ASCII, numbers, and a capital letter.
The whole extended ASCII set is 127 through 255. 255 is fantastic because it looks like a blank space but it isn't! Imagine a password that's intertwined with 255s and spaces. Even if a password cracker cracks the password and is able to display it, it's going to show as a bunch of blank spaces, looking as if it failed to crack it correctly. It's even better if someone is using a sniffer and not looking at the hex codes. Some web browsers won't be able to display this, but here's what it looks like: " " That's two 255s, a space, then two more 255s.

All the extended ASCII characters make good passwords (for programs that support them), or add one such symbol to your current password. Here's another, slightly artistic example: "░▒▓▒░". A poorly written cracking program may not be able to display these characters and may crash or display other symbols in an interpreted font set. For example, ▒ may show up as "_" in another font, but the underlying value is ASCII 177, not "_". Remember to add words to make it a phrase and make it even stronger.
Example test (451°F will burn paper):
Works with Windows Vista
Works with Word 2007
Works with Excel 2007 (not Mac compatible)
Works with WinRAR 3.70
Works with WinZIP 11.1 (not DOS compatible)
Passed Basic Passware Audit
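The byte values the post cites (177 for ▒, 248 for °, and 255 as a character that renders blank) are those of IBM code page 437, the DOS/OEM code page; Windows-1252 and UTF-8 assign the same characters different bytes, or cannot encode them at all, which is what the "not Mac compatible" / "not DOS compatible" notes above hint at. The following added example (not code from the post) shows the byte strings each encoding produces for the post's passphrases, so that the same typed password can be a different secret, and hash, in two programs; "cp437", "cp1252" and "utf-8" are Python codec names.

```python
# Three encodings a 2007-era password could be stored under:
# DOS/OEM code page 437, Windows code page 1252, and UTF-8.
ENCODINGS = ("cp437", "cp1252", "utf-8")

# Constructed sample: the post's "two 255s, a space, then two more 255s".
BLANK_TRICK = bytes([255, 255, 32, 255, 255])


def encode_all(passphrase: str) -> dict:
    """Bytes each encoding produces for the passphrase, or None when the
    encoding has no byte for one of its characters."""
    out = {}
    for enc in ENCODINGS:
        try:
            out[enc] = passphrase.encode(enc)
        except UnicodeEncodeError:
            out[enc] = None
    return out


def cp437_values(passphrase: str) -> list:
    """Decimal code-page-437 values, the numbering the post uses (177 = ▒)."""
    return list(passphrase.encode("cp437"))


def decoded_views(raw: bytes) -> dict:
    """How the same stored bytes display under each encoding."""
    return {enc: raw.decode(enc, errors="replace") for enc in ENCODINGS}


if __name__ == "__main__":
    for phrase in ("451°F will burn paper", "░▒▓▒░"):
        print(phrase, encode_all(phrase))
    # Byte 255 is a no-break space in cp437 (looks blank) but "ÿ" in cp1252.
    for enc, view in decoded_views(BLANK_TRICK).items():
        print(enc, repr(view), "blank" if view.isspace() else "visible")
```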
4. Common Set (capital letter, longer than 6 characters, and a number or a symbol) – Common set passwords follow a pattern and are good to use because they're not in a dictionary and brute force will take some time, but they are not always easy to remember. Examples are: Tropicana9, Battlestar3, !Starbucks!, Goldfrapp$, etc.
Bold example:
Works with Windows Vista
Works with Word 2007
Works with Excel 2007
Works with WinRAR 3.70
Works with WinZIP 11.1
Passed Basic Passware Audit
5. When possible, save your documents with stronger encryption such as 128-bit AES or RC4 RSA encryption. 128-bit AES is set by default in Office 2007.
People are now using passwords that they think are secure but really aren't anymore, because password crackers have picked up on these patterns. Password methods to avoid from now on:
1. Leet (or Hax0r) – This was clever, but the brute force crackers picked up on it quickly and coded for the common substitutions. There's even a dictionary for it now, so avoid these passwords. Examples of these now well-used passwords are: l33t, r0xx0rz, n00b, etc.
2. Foreign Language – Language dictionary sets are common now, so forget the Russian password you came up with. A brute force is going to crack this very fast anyway.
3. Qwerty – Keyboard patterns are all well known now and are in dictionaries as well as some brute force options. Examples include: qwerty, asdfg, poiuy, and zxcvb.
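To make the dictionary-versus-brute-force argument above concrete, here is an added example (not from the post) that applies its rules as a checker: it undoes common leet substitutions and looks for keyboard rows before a dictionary lookup, the way the post says crackers now do, and for anything that survives it estimates the exhaustive brute-force search space from the length and character classes used. The word list, substitution table and the guess rate of one billion per second are constructed assumptions, not figures from the post.

```python
import math
import re

# Constructed mini-lists standing in for the dictionaries the post says
# crackers now ship with: plain words, leet-speak terms and keyboard rows.
WORDLIST = {"password", "lemonade", "leet", "noob", "hacker", "secret"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")
# Common leet substitutions, undone so that "l33t" is tested as "leet".
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def unleet(pw: str) -> str:
    return pw.lower().translate(LEET)


def keyboard_run(pw: str, min_len: int = 4) -> bool:
    """True if the password contains a forward or backward keyboard run."""
    s = pw.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            if any(seq[i:i + min_len] in s
                   for i in range(len(seq) - min_len + 1)):
                return True
    return False


def charset_size(pw: str) -> int:
    """Alphabet a brute-forcer must cover, inferred from the classes present."""
    size = 0
    if re.search(r"[a-z]", pw): size += 26
    if re.search(r"[A-Z]", pw): size += 26
    if re.search(r"[0-9]", pw): size += 10
    if re.search(r"[^A-Za-z0-9]", pw): size += 33   # printable symbols + space
    return size


def assess(pw: str, guesses_per_sec: float = 1e9) -> dict:
    """Flag dictionary/leet/keyboard passwords as the post advises; otherwise
    report the full brute-force search space in bits and in years at the rate."""
    if not pw:
        return {"avoid": True, "bits": 0.0, "years": 0.0}
    avoid = unleet(pw) in WORDLIST or keyboard_run(pw)
    bits = len(pw) * math.log2(charset_size(pw))
    years = 2 ** bits / guesses_per_sec / (365 * 24 * 3600)
    return {"avoid": avoid, "bits": round(bits, 1), "years": years}


if __name__ == "__main__":
    for pw in ("l33t", "qwerty", "Tropicana9", "Ted said 2*2=4",
               "I love 2 drink sugar free lemonade!"):
        print(f"{pw!r:40} {assess(pw)}")
```

Length dominates: the 35-character pass-phrase has roughly four times the bits of the 10-character common-set password, which is why a cracker's dictionary, not brute force, is the realistic threat to short passwords.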
Not sure if your password is secure? Try cracking it yourself; vendors such as elcomsoft and lostpassword.com provide tools for dictionary and brute force password recovery. Microsoft has a password strength checker as well; you can test it here.

Hey Chris, you are one of the smartest guys I know but if you don’t put your name on your blog, nobody will know who you are.