Crack-proof Passwords

Your passwords may not be very secure, even if you think they are. Find out how you can create robust passwords

Everyone has to keep track of dozens of passwords: for network accounts, online services, premium websites, ATMs or credit cards. It’s difficult to remember all of them, so some write their passwords on a piece of paper, leaving their accounts vulnerable to thieves or in-house snoops. Others choose the same password for different applications which makes life easy for intruders of all kinds. According to a recent survey, nearly 50% of users have the same password for all the sites they visit on the Internet. Moreover, almost 90% of them don’t change their password periodically. Imagine what would happen if any of your accounts were to be hacked; the hacker would gain access to all your email, bank and social networking accounts and may even wipe out your presence from the Internet!
Just for a scare, try this: search your email for some of your own passwords. Most probably, you will find a lot of your own passwords, either because you have emailed them to yourself or because some websites email your password when you register or when you click on the ‘I forgot my password’ link. So, if a hacker manages to access your email, he can easily break into your other accounts.

You can prevent this from happening by creating passwords that are difficult to crack. Unfortunately, increasingly sophisticated technology, coupled with our own carelessness, may render even supposedly ‘robust’ passwords vulnerable to attack by an experienced hacker.

So, how can you create a truly secure password? Although no password can be 100% secure, you should use a combination of words, digits and special characters to create a password that will be difficult to crack. It’s also important to be aware of the methods used by hackers to crack a password.

According to Eric Thompson, founder of AccessData (a technology forensics company that helps detect and investigate cases of fraudulent data access), most passwords follow a pattern. (In fact, AccessData has developed a ‘password-guessing’ software). He says that people, typically, choose a readable word as the base for a password—it may be a word that is pronounceable in English but not included in a dictionary. When pressed to add a numeral or symbol to make the password more secure, most people add ‘1’ or ‘!’ to the end of that word.

AccessData’s software, which uses a ‘brute force’ technique that tries thousands of passwords until it guesses yours correctly, can easily figure out such common passwords. When it incorporates your computer’s web history into its algorithm—including all your information on Twitter, Facebook and other such sites—AccessData’s software can come up with a list of passwords that is highly likely to include yours as well.

AccessData’s research found that a typical password consists of a root word plus an appendage. The appendage is a suffix to the root word in 90% of the cases.
The first operation of the AccessData software is to test a dictionary of about 1,000 common passwords, like ‘letmein’, ‘password1’, ‘123456’ and so on. Then, it tests each of these words with about 100 common suffix appendages, like ‘1’, ‘4u’, ‘69’, ‘abc’, ‘!’ and so on. Believe it or not, the software recovers about 24% of all passwords with these 100,000 combinations.

Then, the software scans a series of increasingly complex ‘root dictionaries’ and ‘appendage dictionaries’. The ‘root dictionaries’ include a common word dictionary (5,000 entries); names dictionary (10,000 entries); comprehensive dictionary (100,000 entries); and phonetic pattern dictionary (1/10,000 of an exhaustive character search).{break}

The software runs an exhaustive four-character-string search of each dictionary—the most common lowercase, the second most common initial uppercase, all uppercase and final uppercase. It also runs the dictionaries with common substitutions: ‘$’ for ‘s’, ‘@’ for ‘a’, ‘1’ for ‘l’ and so on. The appendage dictionaries include all two-digit combinations, all dates from 1900 to 2009, all three-digit combinations, all single symbols, all single-digit plus single-symbol and all two-symbol combinations.

This exhaustive process succeeds in cracking even the most ‘foolproof’ passwords. The company’s research indicates that the ‘sweet spot’ of a typical password is a seven- to nine-character root plus a common appendage and that it’s much more likely for someone to choose a hard-to-guess root than an uncommon appendage.

The good news is that you can use certain techniques to create robust passwords that cannot be cracked even by using such sophisticated software programs. Choose a password that doesn’t contain a readable word. Mix upper- and lower–case letters. Use a number or symbol in the middle of the word, not at the end. Don’t just use ‘1’ or ‘!’, and don’t use symbols as replacements for letters, such as ‘@’ for a lowercase ‘a’. And, of course, create unique passwords for different sites.

Confused? Think it will take too much time? It needn’t be that difficult to create a robust password if you follow some simple rules. Rule No. 1 is to start with an original but memorable phrase—for example, ‘Moneylife says know what’s coming’ or ‘My first Maruti was a real lemon so I bought a Toyota’. The phrase can be anything, but make sure it’s something you can remember easily without writing it down.

Next, convert the simple phrase into an acronym. Be sure to use some numbers, symbols and capital letters, too. Thus, ‘Moneylife says know what’s coming’ can become ‘MLskwc’ or [email protected]; and ‘My first Maruti was a real lemon so I bought a Toyota’ can become ‘M1stMwarlsIbaT!’

That’s it! These mnemonic passwords are hard to forget, but they contain no guessable English words. Using the same method, you can also create site-specific passwords; for example, ‘It’s 45 degrees in May, so I use Gmail’ can become ‘i50dgiMsIuG’ (50 is not the real temperature; it’s for the month number multiplied by 10). Based on the phrase, you can change your password almost every month; for November, it becomes ‘i110dgiNsIuG’ and for March, it’s ‘i30dgiMsIuG’ and so on.

However, there is no need to use robust passwords for every site you visit. For general sites which don’t affect you personally or financially, use simple phrases to create passwords. Reserve your strongest, most distinct passwords for critical services—like your bank account, your computer and your personal e-mail.
You should also avoid using a public computer because the Windows operating system’s memory management feature retains any data that you input in the normal course of operations. When you type your password into a program, it gets stored in the system memory. When Windows swaps the page out to disk, it becomes the tail-end of some file on your hard drive, and it will sit there forever. Linux and Mac OS are no better in this regard.

There is one more password you will always need to remember—your ATM personal identification number (PIN). Although your bank provides the PIN, it is advisable to change it. Many banks offer the facility to change your PIN by using the ATM. The PIN consists of just four numbers, making it difficult to create another secure PIN; but you can do so by using your imagination. For example, you can use your mobile handset to create a robust and yet easy-to-remember password: your root phrase ‘Moneylife says know what’s coming’ becomes 6592 (using the digits corresponding to the first letter of each word—6 for ‘Moneylife’, 5 for ‘know’, 9 for ‘what’s’ and 2 for ‘coming’); and ‘My first Maruti was a real lemon so I bought a Toyota’ becomes 6758.

So, what are you waiting for? Can you create a robust and safe password using something like “Mahabharat mein Ghatotkach, jo ki Bhima ka putra tha, mara gaya” or “Yudhishthir ne kaha naro wa kunjaro”!

  • Like this story? Get our top stories by email.


    We are listening!

    Solve the equation and enter in the Captcha field.

    To continue

    Sign Up or Sign In


    To continue

    Sign Up or Sign In



    online financial advisory
    Pathbreakers 1 & Pathbreakers 2 contain deep insights, unknown facts and captivating events in the life of 51 top achievers, in their own words.
    online financia advisory
    The Scam
    28 Year Of The Scam: The Perennial Bestseller, reads like a Thriller!
    Moneylife Online Magazine
    Fiercely independent and pro-consumer information on personal finance
    financial magazines online
    Stockletters in 4 Flavours
    Outstanding research that beats mutual funds year after year
    financial magazines in india
    MAS: Complete Online Financial Advisory
    (Includes Moneylife Online Magazine)