How-To: Create Passwords that are Complex & Easy-to-Remember

Introduction

With shopping, e‐health, e‐benefits and financial sites all becoming more complex and demanding hard-to-remember passwords, it can be daunting to come up with multiple passwords that satisfy these arcane password filters. Special character this, number that; it is all so daunting to the average user. But with an easy-to-remember method you too can create complex passwords like the best security professionals.

Password 101

From the earliest days of multi‐user systems there was the idea of using passwords to protect information. In the early days that is what they were: “words” like ‘pencil’ or ‘crayon’. Now password-cracking utilities can try ALL of the words in the English dictionary AND their permutations (like bananab0at instead of bananaboat) in less than a minute. It is important for everyone to create a COMPLEX and UNGUESSABLE password to make their online data more secure.

A complex secure password has the following attributes:

  1. Is at least eight to TEN characters long
  2. Does not contain your user name, real name, or company name
  3. Does not contain a complete word
  4. Is significantly different from previous passwords
  5. Contains characters from each of the following four categories:
  • Uppercase letters A, B, C
  • Lowercase letters a, b, c
  • Numbers 0, 1, 2, 3, 4, 5, 6, 7, 8, 9
  • Symbols found on the keyboard ` ~ ! @ # $ % ^ & * ( ) _ ‐ + = { } [ ] \ | : ; " ' < > , . ? /
NOTE: Current guidance still allows a password to be only 8 characters. This is really obsolete with current technology; to be secure today, a password or passphrase should be much longer.

Passphrase not Passwords

You may immediately ask how one can follow all those rules and still remember the password. Excellent question; the answer is the passphrase.

Let’s start with the basics: you need a string of characters that is not a word, a name, or a company name. The best way to find your string is to use a favorite song or phrase you always remember but most people you casually know could not guess.

The example to be used here is a famous Coca‐Cola Company jingle: “I’d like to buy the world a Coke”

  • This phrase, if you use only the first letters, yields: IltbtwaC  (Notice we get the capital letter requirement and no words with this phrase!)
  • But how do we get the special characters? Easy, add quotes: “IltbtwaC”
  • How do we get the numbers needed? Easy, add a year associated with the phrase.

In this case the Coke jingle came out in 1971: “IltbtwaC”1971

Now, THIS passphrase is VERY STRONG and will withstand all but the most sophisticated password-cracking attempts.

But we are not done. Have you ever noticed that once you come up with a really good password, the admins find some reason to reset passwords for everyone and you need to come up with newer, even harder-to-remember passwords??? This happens to me all the time, which is why I use password permutation.

Passphrase Permutation

Without getting into a detailed discussion of cryptographic hashing, it is safe to say that trivial changes to a password are not secure. For example, if one simply changed the above passphrase to “IltbtwaC”1972, the password validation would immediately detect that the new password is too similar to one previously used. The key is to make it different BUT not so different that you DON’T REMEMBER THE CHANGE. The answer lies in our use of special characters around the passphrase.

If we do THIS to permute our passphrases, the password validator is happy. So “IltbtwaC”1971 changes to something like this: $IltbtwaC$1971

You could continue this pattern with every reset. The next permutations in the sequence would be:

  1. %IltbtwaC%1971, then
  2. ^IltbtwaC^1971, then
  3. &IltbtwaC&1971

Online Password Permutation

So now you have a phrase that you change every 6 months, like your network admin keeps telling you to. But since it is so strong you use it for EVERYTHING online, right? (Go ahead and admit it… everyone does.) The answer here is to use a permutation that can be associated with the online site.

The method I use is the number of letters before the .com in a site’s address.

Example: amazon.com

  • Six letters, so I use the following for Amazon only: 66“IltbtwaC”1971

Example: yahoo.com

  • Five letters, so use: 55“IltbtwaC”1971
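The whole method, from the jingle initials through the reset permutation and the per-site prefix, together with a checker for the five rules in the Password 101 list, as an added Python example written for this page (not the author's code). The 10-character minimum, the 0.9 similarity score used for rule 4, and the caller-supplied word list for rule 3 are assumptions.

```python
from difflib import SequenceMatcher

# Added example for this page, not the author's code. The 10-character
# minimum, the 0.9 similarity threshold and the word list are assumptions.

KEYBOARD_SYMBOLS = set("`~!@#$%^&*()_-+={}[]\\|:;\"'<>,.?/")

def initials(phrase):
    """First letter of each word, case kept: the Coke jingle -> IltbtwaC."""
    return "".join(word[0] for word in phrase.split())

def passphrase(phrase, year, symbol='"'):
    """Wrap the initials in a symbol and append the year: "IltbtwaC"1971.
    A different symbol gives the reset permutation: $IltbtwaC$1971."""
    return f"{symbol}{initials(phrase)}{symbol}{year}"

def site_variant(password, domain):
    """Prefix the letter count before the first dot, twice: amazon.com -> 66..."""
    count = len(domain.split(".")[0])
    return f"{count}{count}{password}"

def complexity_issues(pw, username="", real_name="", company="",
                      previous=(), words=()):
    """Rules from the article's list that pw breaks; [] means it passes."""
    issues, low = [], pw.lower()
    if len(pw) < 10:
        issues.append("shorter than 10 characters")
    for label, name in (("user name", username), ("real name", real_name),
                        ("company name", company)):
        if name and name.lower() in low:
            issues.append(f"contains {label}")
    for word in words:                      # rule 3, with a caller-supplied list
        if word.lower() in low:
            issues.append(f"contains the word '{word}'")
    for old in previous:                    # rule 4: significantly different
        if SequenceMatcher(None, pw, old).ratio() >= 0.9:
            issues.append(f"too similar to previous password {old}")
    for label, test in (("uppercase letter", str.isupper),
                        ("lowercase letter", str.islower),
                        ("digit", str.isdigit),
                        ("keyboard symbol", KEYBOARD_SYMBOLS.__contains__)):
        if not any(test(c) for c in pw):
            issues.append(f"no {label}")
    return issues

if __name__ == "__main__":
    base = passphrase("I'd like to buy the world a Coke", 1971)
    print(base, site_variant(base, "amazon.com"), complexity_issues(base))
```

With the assumed 0.9 threshold the year change scores 0.93 and is rejected while the symbol swap scores 0.86 and passes; a validator with a stricter threshold would reject the symbol swap as well.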

The idea here is that you do not expose yourself to one compromise at an e‐commerce site allowing ALL your online accounts to be compromised. Obviously, if you are informed of a breach at one of the online sites you frequent, you should immediately reset the passwords on all your critical online accounts using the special-character permutation described above. Remember to always use secure passwords!

If you enjoyed this article, read Jeff's previous article: SecureIT - Basic Cyber Defense
