macosx.com > Mac Help Forums > HOWTO & FAQs

#1  September 16th, 2009, 09:55 PM
ElDiabloConCaca
How to choose a strong password (for anything!)

This is taken from another thread I posted in, but I believe it contains valuable information about making up a strong password that is not easily guessed (or "hacked," as some like to misrepresent it):

Quote:
I don't mean to come off sounding like a naysayer, but someone guessing a weak password should not and is not considered "hacking," nor does it matter whether or not you use Windows, Mac, Linux, UNIX, DOS, BeOS, or any other flavor of operating system in this case.

Hotmail is available to everyone, regardless of platform, so the type of computer you use has absolutely zilch to do with the "hacking" of a Hotmail account.

A weak password is usually the culprit, as many here have found, and exploiting a weak password is the simplest of "hacking" techniques, though it can hardly be called "hacking." Your Hotmail password was simply guessed by someone -- it was not "harvested" by malware installed on your Mac.

It does sound like Hotmail tech support is handing out canned answers to common problems:

"Someone hacked into my account!"

"Well, that's because more than likely you're infected with malware."

I think, more than likely, that Hotmail accounts that have been compromised have been compromised because people choose extremely poor passwords, or use the same password across multiple sites -- both extremely unintelligent things to do, like using the exact, same key for your house, car, boat, lockbox, safe, and safety deposit box. Once they have one, they've got them all because little to no precaution was taken to protect anything.

This happens quite frequently (in fact, more frequently than it should, simply because of laziness). It's akin to building a fortress, complete with a moat, motion-sensing sensors, motion-sensitive lights, laser beams, crocodiles, sharks with lasers on their heads, spike pits and banana peels strategically placed throughout said fortress, then putting a plastic Fisher-Price lock on the front door -- rendering every other security precaution moot. A weak password is the weak-link "chink" in the armor that the sword passes through without effort: all that protection for nothing.

Lessons learned:

1) Don't use a weak password. Ever. At all. At any time. For anything. Use a password that is at least 8 characters long, and includes both upper- and lower-case letters, numbers, and symbols. The 8-character requirement is because even with the super-est of super computers on the planet, all put together, all working in unison, it would take more years than you will live and your children will live to go through all the possible combinations of letters, numbers and symbols. It is programmatically infeasible to guess a strong, 8-character password in any reasonable amount of time. With 7 characters, you're talking a day -- maybe hours. 6 characters takes minutes. 5 characters would take seconds. You get the drift.

2) Don't use the same password for two different ANYthings. "But I can't remember all those passwords!" Tough titty. Get over it. Get a better memory. Get a piece of paper and a pencil. Get something.

3) Your password should change, at the very minimum, twice a year, and ideally once a month. Yes, it's tough to remember all those new passwords. No, no one has sympathy for you. If that's the toughest thing you have to do to protect your sh*t online, well, I'd say that's a pretty easy life you've got going there.

4) There are no malware/viruses/trojans for Mac OS X that "harvest" Hotmail passwords or spy on your keystrokes. At all. In existence. That's not the culprit, no matter what the boneheads at Hotmail tech support say.

A good password is something like, "Gg6y(0!h54".

A horrible password is "JLH_1976". That's my initials and my birth year. An equally pathetic password would be "1J9L7H6", for very obvious reasons. Choose a password that is gibberish -- has absolutely no meaning -- no significant dates -- no initials -- nothing that means anything to you at all. If you can remember the password without having typed it several hundred times, you have chosen an inferior, pathetic and lazy password.

Right now, we should all be hearing each other's feet scrambling out the door to the nearest password-protected website to change our passwords, once again.

[End rant]

#2  September 17th, 2009, 01:24 AM
Giaguara
The problem with those @##@$ passwords is they are impossible to remember...
Here's some more password advice http://www.schneier.com/blog/archive...ng_secure.html
and secret questions advice http://www.schneier.com/blog/archive..._question.html

#3  September 17th, 2009, 02:32 AM
chevy
Make sure that you can input your password on any computer... avoid passwords that are impossible to enter on a US keyboard (with éöàä) or on an Asian computer, or you may be locked out when you travel.

On Windows, use 9 or more characters. On Unix (including MacOS X) 8 is enough (because of the way the password is encrypted in your computer).

#4  September 17th, 2009, 02:51 PM
Jesse714
I always use the amount of taxes taken out of my check, and then a word after it, and I change it every time I get paid. It's always easy to remember, and no one will really ever catch on. So for example 190.9o.u.t.

=]

#5  September 17th, 2009, 09:00 PM
simbalala
Keychain Access has a pretty good assistant for creating passwords and checking password strength.

Go to File -> New Password Item then click the Key. It brings up a password generator with several options and checks the strength.

#6  September 17th, 2009, 10:25 PM
pds
Keychain access makes very strong passwords, but they are impossible to remember, so just forget them.

Copy and paste a really strong password into a word processor. Set the text color to white and zoom the screen a bit (cmd +). Then select the invisible password and drag it to the desktop. It will show up as a picture clipping and look rather inscrutable if you open it.

Rename the clipping to something cryptic - Buff 1 is my login name for a bank in Buffalo and Buff too is the password. (I don't live in Buffalo so it works for me.)

To login, I go to the page and drag the clippings to the appropriate field and hit return.

I keep them all in an encrypted disk image that I have well backed up so the only time I type a password is to open the disk image.

Only problem is getting them to work on a Windows machine.... but so far I've been able to work around that.

#7  September 17th, 2009, 11:30 PM
Mikuro
There's always a compromise involved in choosing passwords. Convenience and security are opposing forces here, and you need to pick a spot in the middle.

I use many different passwords. Some are very short. Some are simple words. Some have been left unchanged for over a decade now. Some are virtually random, quite long and short-lived. It depends on what I'm securing. I always consider a few factors:

1. What do I stand to lose if the password is compromised?
2. How often do I need to use it?
3. In how many places do I need to use it?

I don't consider web forums, for instance, to be terribly sensitive, and I use them often, and I use them in many places. That tips the scales toward convenience. So I use relatively weak passwords for them. If someone cracks it... well, boo hoo for me. "Oh no! They can change my avatar!" It's not worth the inconvenience to use really strong passwords.

Random characters would be secure, but I say that random words would be even more secure. There are far more words than characters (a few hundred characters vs many thousands of words), so even if someone used a dictionary attack, they'd have a harder time cracking 8 words than 8 characters. And even though the 8 words will be much longer (could easily be over 50 characters), they'll also be much easier to remember. I'll admit it does get tedious typing such long passwords, though. Again, there's always a compromise.

I aim to thwart two theoretical adversaries when I want a "strong" password:

1. A supercomputer using brute-force or dictionary attacks.
2. Someone who knows virtually everything there is to know about me.

If both of them in tandem would not have a prayer of cracking the password, then I think it's quite secure.

My greatest concern is when I use a password on many machines. How do I know none of those machines were compromised? I would recommend changing important passwords the next time you get home after using it ANYWHERE else, EVERY time. But I realize that's incredibly inconvenient. Always a compromise.
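Both the character-length ladder in the first post (5 characters in seconds, 7 in about a day) and Mikuro's "random words beat random characters" argument come down to the size of the search space an attacker must enumerate. The following is an added worked example, not code from any poster, that computes that space in bits and as worst-case time; the 1e9 guesses-per-second rate and the 7776-word dictionary (the Diceware list size) are assumed values for illustration.

```python
import math
import string
# Character classes of a US-keyboard password (the thread's advice of mixing
# upper, lower, digits and symbols); sizes 26, 26, 10 and 32.
CLASSES = [string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation]

def charset_size(password: str) -> int:
    """Alphabet an attacker who knows only the composition must search.
    Each class contributing at least one character is counted whole. This
    assumes random choice: "JLH_1976" (initials + birth year) has far less
    real entropy than its 68-symbol alphabet suggests."""
    return sum(len(cls) for cls in CLASSES if any(c in cls for c in password))

def search_space(alphabet_size: int, symbols: int) -> int:
    """Candidates of exactly `symbols` picks; the alphabet may be ~94
    printable characters or a word list (Mikuro's 'random words')."""
    return alphabet_size ** symbols

def entropy_bits(space: int) -> float:
    """log2 of the search space, the usual 'bits of strength' figure."""
    return math.log2(space)

def seconds_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst case to enumerate the space at a fixed guess rate; the
    expected time for a randomly chosen secret is half of this."""
    return space / guesses_per_second

def human_duration(seconds: float) -> str:
    """Express a duration in the coarsest unit that fits."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} seconds"

def report(label: str, alphabet: int, symbols: int, rate: float) -> dict:
    space = search_space(alphabet, symbols)
    return {"label": label, "bits": round(entropy_bits(space), 1),
            "worst_case": human_duration(seconds_to_exhaust(space, rate))}

if __name__ == "__main__":
    RATE = 1e9  # assumed guesses per second, constructed for illustration
    rows = [report(f"{n} random printable chars", 94, n, RATE)
            for n in (5, 6, 7, 8)]
    # 7776 words is the Diceware list size, used here as an assumed dictionary
    rows.append(report("8 random words of 7776", 7776, 8, RATE))
    for r in rows:
        print(f"{r['label']:26} {r['bits']:6} bits   {r['worst_case']}")
```

At the assumed rate the 5/6/7-character rows land in seconds, minutes and hours, matching the ladder in post #1, while eight random words carry roughly twice the bits of eight random characters because each word contributes about 12.9 bits against 6.6 for a printable character.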

#8  September 17th, 2009, 11:41 PM
Satcomer
Well, I have heard that people who use iPassword really like the service, since it also has an iPhone version that syncs with the desktop version. This might be a solution for people.