
A simple and reliable password: collective creativity

After reading a lot of related literature and looking through a ton of Habr posts (links to the interesting ones are given at the end of the article), I decided to compile information about the basic methods of generating a reliable and memorable password.

To begin with, I myself use the wonderful program KeePass to generate and store my passwords. Its functionality is enough for all my modest webmaster needs. Its main disadvantage is that it still requires you to remember one master password. Therefore, all this fuss about inventing a password also applies to me and to all the happy owners of KeePass or its analogs, since we still have to come up with that one password.

Let's talk about cracking methods


To understand the depth of the problem, I will devote a couple of lines to cracking technique. So, how can an attacker find out, guess or pick your password?
  1. Logical guessing. Works in systems with a large number of users. The attacker tries to understand the logic you used to compose the password (login + 2 characters, login spelled backwards, the most common passwords, etc.) and applies this logic to all users. If there are many users, a match will turn up very soon and the password will be guessed;
  2. Dictionary attack. This type of attack is used when a database of hashed passwords has been leaked from the server. It can be combined with letter substitutions (typos) or with numbers or words added at the beginning or end of a word as a prefix or suffix. Dictionaries typed in the wrong keyboard layout (Russian words in the English layout) are also used;
  3. Lookup in a table of precomputed password hashes. An advanced cracking method: the hashes have already been generated, and all that remains is to find the password's hash in the table. It works very fast even on weak machines and leaves no chance for owners of short passwords;
  4. Other methods: social engineering in its various forms, keyloggers, sniffers, trojans, etc.

Password strength


Summarizing the information obtained from various reliable sources, I will highlight the main features of a password that is resistant to cracking (by cracking I mean searching through hash databases when the hashing algorithm is known in advance):
  1. Password length (the longer the better); for critical cases a 15-character password is recommended;
  2. No dictionary words or fragments of common passwords as part of the password;
  3. No templates when creating the password (by a template I mean a logical algorithm for generating a password, for example: "Med777vedev", "12@yatsu@21" or even "q1w2e3r4t5");
  4. Random sequences of characters from different groups (lowercase, uppercase, digits, punctuation marks and special characters).

However, we are all people with rather limited abilities to memorize incoherent information, so passwords that meet the above criteria, while very resistant to cracking on the one hand, are very hard to remember on the other. Therefore, let us consider less paranoid options for composing and remembering passwords.

How do people remember their passwords?


After analyzing the password-generation methods of Habr users, I came to the conclusion that the basic technique for remembering a password is based on building a logical or associative chain. All sorts of word distortions are also used. These can be:
  1. Domain names interspersed with the login ("gooUSERglcom", "UmailruSer");
  2. A fixed standard phrase attached to the domain ("passgoogleru", "passhabrahabrru");
  3. A common word interspersed with significant numbers and other characters ("321DR67ag0On", where 32167 is the cheat code that summoned 5 black dragons in Heroes of Might & Magic);
  4. Russian words typed in the English layout (", k.lj [htyf" - "horseradish dish");
  5. Letter permutations ("Moina and Vir", "twirret").
Among the most memorable, one can single out the technique of shocking absurdity ("the mollusks gnawed off my dancing genitals"), writing passwords down in a mobile phone as contacts, and working with an encyclopedia as a dictionary of possible passwords.

Recommendations for remembering passwords from professionals


The human brain is not good at composing completely random sequences. Therefore, we can use its strengths, namely composing sequences of words that are interconnected enough to make our password easy to remember. So, here are some recommendations with examples from Mark Burnett, the author of the book Perfect Passwords: Selection, Protection, Authentication (note: all the examples are mine):
  1. Use antonyms, synonyms, homonyms, etc. in the password, in various combinations with punctuation marks and numbers ("young age18", "svetlo!Dark", "dog=@");
  2. Use formulas and expressions ("12!=12.1", "@die('hard')", "echo $string");
  3. Use fake email addresses ("Ya.Krevedko@ya.ya");
  4. Use rhymes in the password ("google'shmugl", "HABRa_kadabra");
  5. Repetition ("http://http://double_pass", "zloe_zlo");
  6. Visualization ("Zombies have given me a mo3g", "Kukla.Dasha.plachet");
  7. Exaggeration ("25 o'clock in the morning", "Putin as mayor!", "Scratch my stomach");
  8. Use profanity in passwords (come up with your own examples);
  9. One of the most reliable ways to remember a password is to type it on the keyboard repeatedly.

Instead of conclusion


Many users on the network do as I once did: they have one simple password for one-off access to unimportant sites and two or three long and complex SUPER-passwords for everything else. Of course, this is better than one password for everything. However, I recommend having a separate password for each site; I really do not want to make life easier for hackers.

And finally, the facts for paranoids

  1. The most common digit in passwords is 1, found in 21% of passwords, while each of the remaining digits appears in 7-10% of cases;
  2. 24% of all passwords consist of 6 characters;
  3. Over 60% of all passwords contain only lowercase characters;
  4. The most common password on the network is "123456";
  5. There are programs that can check more than a million passwords per second on a 3 GHz Pentium 4 processor;
  6. The number of possible passwords 15 characters long, using all types of standard keyboard characters (in the English layout), is 463,291,230,159,753,000,000,000,000.
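As an added example (not part of the original post), the following Python script scores a password against the four strength criteria from the "Password strength" section and against the brute-force figures above: it computes the search space for the character classes the password actually uses, estimates worst-case exhaustive-search time at the quoted one million guesses per second, and flags the template types the article names (dictionary words hidden behind digit insertions, leet-style substitutions or affixes, and keyboard walks such as "q1w2e3r4t5"). The COMMON set is a constructed stand-in for a real leaked-password list.

```python
import re

# Constructed mini-list of common passwords; a real audit would load a full leaked-password list.
COMMON = {"123456", "password", "qwerty", "medvedev", "dragon", "habrahabr"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")
CLASS_SIZE = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}  # 95 printable ASCII in total
LEET = str.maketrans("0134@$!", "oleaasi")  # undo the usual symbol-for-letter substitutions

def char_classes(pw):
    """Which of the four character groups from the strength criteria the password uses."""
    kinds = set()
    for c in pw:
        kinds.add("lower" if c.islower() else "upper" if c.isupper()
                  else "digit" if c.isdigit() else "symbol")
    return kinds

def keyspace(pw):
    """Number of strings of the same length drawn only from the classes the password uses."""
    return sum(CLASS_SIZE[k] for k in char_classes(pw)) ** len(pw)

def crack_years(pw, rate=1_000_000):
    """Worst-case exhaustive-search time in years at `rate` guesses per second."""
    return keyspace(pw) / rate / (365 * 24 * 3600)

def template_hit(pw):
    """Name the template the password follows, or None if no known pattern is found."""
    if pw.lower() in COMMON:
        return "common password"
    letters = re.sub(r"[^a-z]", "", pw.lower())                  # strips digit insertions/affixes
    deleeted = re.sub(r"[^a-z]", "", pw.lower().translate(LEET))  # undoes p@ssw0rd-style tricks
    digits = re.sub(r"\D", "", pw)
    for s in (letters, deleeted):
        if any(len(w) >= 5 and w in s for w in COMMON):
            return "dictionary word"
    for s in (letters, digits):  # any 4 consecutive keys along one keyboard row
        if any(s[i:i + 4] in row for row in KEYBOARD_ROWS for i in range(len(s) - 3)):
            return "keyboard walk"
    return None

def assess(pw, min_len=15):
    """Return the list of strength criteria the password fails (empty list = passes all)."""
    problems = []
    if len(pw) < min_len:
        problems.append("shorter than %d characters" % min_len)
    if len(char_classes(pw)) < 3:
        problems.append("fewer than 3 character classes")
    hit = template_hit(pw)
    if hit:
        problems.append(hit)
    return problems

if __name__ == "__main__":
    for pw in ("123456", "Med777vedev", "q1w2e3r4t5", "p@ssw0rd123", "gT7#kLp2$xQ9!wE"):
        print("%-18s keyspace=%.2e  years@1M/s=%.2e  %s"
              % (pw, keyspace(pw), crack_years(pw), assess(pw) or "ok"))
```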

List of references and sources of inspiration



UPD 1: Microsoft password security checker

Source: https://habr.com/ru/post/118499/
