The Password Pandemic II: How to Create Awesome Passphrases
In part I of “The Password Pandemic”, I advised (in the same vein as NIST SP 800-63b) the use of passphrases, instead of passwords. This is because hackers have built massive databases of stolen passwords and tables full of password “hashes” (known as rainbow tables.) Also, those of us in the InfoSec community know that when we force the use of complicated passwords on people, they will write them on Post IT notes under their keyboards. I have even seen this happen in very high security environments — this is bad.
So passphrases it is – but not just any passphrase. In Part I, I used the example passphrase “The quick brown fox jumps over the lazy dog.” And guess what? This passphrase and it’s hash are already in a hacker rainbow table, like the ones found at Crack Station. This means that someone, somewhere, used this seemingly long, complex phrase as a password, and it was stolen. Whoops!
So, how do we come up with a great passphrase, that is not already in a hackers rainbow table? Make up silly, easy to remember phrases that no sane human being would ever mutter. For best results, ask some grade school kids for help. Here are ten examples that my wife and kids came up with:
Most websites and other applications nowadays will allow spaces in passwords. These are all excellent passphrases, but they lack complexity – there are no capital letters, numbers, or symbols, so we need to add some. Not only will this make the hackers job harder, it will also satisfy password complexity requirements most of the time. However, we need to do it in a way that we can still remember our passphrases.
In the example below, you will see that for the third word of each phrase, we have added a capital letter, changed the first vowel to a number, and put a symbol at the end. You can do this to any part of the phrase — it is up to you. This old trick, which can be loosely described as a cipher, is now great again, as long as we use it with our ridiculous phrase (that no sane human being would ever mutter).
It is extremely unlikely that any of these currently exist in a password dump or rainbow table anywhere, and it would take years (with current technology) to crack them via brute force. I would be comfortable using any one of these for up to a year, provided they are used in only one place.