skip to Main Content

Welcome

Stronghold Cyber Security is a veteran-owned cyber security company located near historic Gettysburg, Pennsylvania that provides cutting-edge security services to businesses throughout the country. Service offerings include regulatory compliance, penetration testing, advanced cyber risk management, along with customized cyber security programs.

Get In Touch

Email: info@strongholdcybersecurity.com
Phone: 1-800-378-1187
Phone: 717-549-4009
Address: Gettysburg, PA

Our Location

Gettysburg
The Password Pandemic II: How To Create Awesome Passphrases

The Password Pandemic II: How to Create Awesome Passphrases

In part I of “The Password Pandemic”, I advised (in the same vein as NIST SP 800-63b) the use of passphrases, instead of passwords.  This is because hackers have built massive databases of stolen passwords and tables full of password “hashes” (known as rainbow tables.)  Also, those of us in the InfoSec community know that when we force the use of complicated passwords on people, they will write them on Post IT notes under their keyboards.  I have even seen this happen in very high security environments — this is bad.
 
So passphrases it is – but not just any passphrase.  In Part I, I used the example passphrase “The quick brown fox jumps over the lazy dog.”  And guess what?  This passphrase and it’s hash are already in a hacker rainbow table, like the ones found at Crack Station.  This means that someone, somewhere, used this seemingly long, complex phrase as a password, and it was stolen.  Whoops!
 
So, how do we come up with a great passphrase, that is not already in a hackers rainbow table?  Make up silly, easy to remember phrases that no sane human being would ever mutter.  For best results, ask some grade school kids for help.  Here are ten examples that my wife and kids came up with:
random passphrases

random passphrases

Most websites and other applications nowadays will allow spaces in passwords.  These are all excellent passphrases, but they lack complexity – there are no capital letters, numbers, or symbols, so we need to add some.  Not only will this make the hackers job harder, it will also satisfy password complexity requirements most of the time.   However, we need to do it in a way that we can still remember our passphrases.
 
In the example below, you will see that for the third word of each phrase, we have added a capital letter, changed the first vowel to a number, and put a symbol at the end.  You can do this to any part of the phrase — it is up to you.  This old trick, which can be loosely described as a cipher, is now great again, as long as we use it with our ridiculous phrase (that no sane human being would ever mutter).
random passphrases with complexity

random passphrases with complexity

 
 It is extremely unlikely that any of these currently exist in a password dump or rainbow table anywhere, and it would take years (with current technology) to crack them via brute force.  I would be comfortable using any one of these for up to a year, provided they are used in only one place.

 

Back To Top