travstatesmen

How To Remember Complex Passwords Use the BEST password system ever


The Xisto forums have a whole subforum devoted to those amongst us who have failed to remember their passwords, and have locked themselves out of their free web hosting account. If you forget your password, you can go to Free Web Hosting, No Ads > FREE WEB HOSTING > FREE WEB HOSTING REQUESTS > Free Web Hosting : Password Reset and ask the friendly admins there to reset your password for you.


Remember the days when your password on the Internet could be something like andrew18? And you could use that same password on all three websites that you visited regularly? Well those days are long gone, and we need to not only create and remember much more complex passwords, but for security reasons we are advised to use different complex passwords for each site we visit, and also we are expected to change those complex passwords regularly. So, here is an example that you can do for yourself. Try memorizing this....

Xisto forums password: c?.3\FeO/q),%:!Sg%Uv

cPanel Login: 3J'hP6#eg&!(%>QS8AwJ

FTP access password: C%l3`V:?h*F!1myt^!kl

Login for your Blog: P3lq!5mLtGio;8i*F3%K

Login for your MySpace or other network profile: WNvd;IiB2jORSY'%?6FF

As you see, that is only five example passwords. Most people that I know use many more than five passwords. So, imagine having to memorize 20 or so passwords similar to the ones above. Each of the examples is only 125 bits, 20 characters long, including upper and lower case characters, numerals, and special characters. They are good, complex passwords that would be considered complex enough for most users. But how do you remember them? And, most importantly, how do you learn and remember new ones, perhaps once a month, as you dutifully change your passwords regularly? Surely this is enough to fry the brain of anybody who doesn't have a photographic memory!? How the heck are we supposed to memorize all these complex passwords, without keeping the admins employed in resetting our forgotten passwords all the time?


One suggestion that I have seen on the internet is to develop an interleaved password system, which uses two less complex passwords weaved into each other to create a much more complex password. For example, here are two relatively low-security passwords...

rubyonrails (11 characters, 48 bits)

ANDREW18 (8 characters, 42 bits)

Now, let's try interleaving them, as follows....

rAuNbDyRoEnWr1a8ils which makes a great password of 19 characters, and 108 bits.


This can be done fairly easily with any two passwords, and can give some really complex results. Try adding some punctuation too!
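As an added example (not code from the original post or from any tool it mentions), here is the interleaving step in Python together with a simple per-character-class strength estimate. The class sizes and the brute_force_bits figure are assumptions of this example, not the calculator the post used for its 48/42/108-bit numbers:

```python
import math
import string
from itertools import zip_longest


def interleave(first: str, second: str) -> str:
    """Weave two strings together one character at a time, first string leading.

    When the shorter string runs out, the rest of the longer one is appended
    unchanged, which is how the post's example ends in 'ils'.
    """
    return "".join(a + b for a, b in zip_longest(first, second, fillvalue=""))


# Character classes and the alphabet size each one contributes (an assumption of
# this example; the calculator the post used may count classes differently).
CLASSES = (
    (set(string.ascii_lowercase), 26),
    (set(string.ascii_uppercase), 26),
    (set(string.digits), 10),
    (set(string.punctuation), len(string.punctuation)),  # 32 ASCII symbols
    ({" "}, 1),
)


def charset_size(password: str) -> int:
    """Size of the alphabet a brute-force attacker must assume, given which
    classes actually appear in the password."""
    return sum(size for chars, size in CLASSES if any(c in chars for c in password))


def brute_force_bits(password: str) -> float:
    """log2 of the worst-case search space charset_size ** length."""
    if not password:
        return 0.0
    return len(password) * math.log2(charset_size(password))


if __name__ == "__main__":
    low, high = "rubyonrails", "ANDREW18"  # the two weak passwords from the post
    for pw in (low, high, interleave(low, high)):
        print(f"{pw:22} {len(pw):2} chars  alphabet {charset_size(pw):3}  "
              f"{brute_force_bits(pw):6.1f} bits")
```

The bit figure here is a worst-case brute-force estimate, not a measure of unpredictability: both halves are guessable (a framework name and a name plus a year), so an attacker who knows the interleaving scheme can try combinations of such words far faster than the alphabet-wide search the estimate assumes. Treat interleaving as a memorability aid for the one master password, and let a manager generate the rest.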


Another good idea is to use a password manager. There are plenty of good password managers out there these days, such as the examples above. Many of these packages have the facility to not only store and retrieve your passwords, but also to generate complex random passwords for you on the fly, and even to autofill online forms with your username and password details from their database! Now you will never need to remember another password again! Well, not quite. They will most likely have a single sign-on password that you will need to remember. Your passwords should be stored in such password management programs in an encrypted form, and will need to be decrypted with a key, which you will need to remember!


One of the failings with all of the systems above is that they need to be installed on your local computer. They are not really all that portable. You may need to start thinking about ways to synchronize the password management database, such as emailing the database file between your work computer and your home computer, or making use of a USB thumb drive. But what happens in a situation, such as I have at work, where you are forbidden from attaching anything to your work computer, and plugging in a USB thumb drive could mean that you violate your company's IT policy, and you could get fired! And, what's more, installing a password manager package, even a freeware one, is impossible due to the software distribution policies enforced on the company network. Even if you could access the data on the USB thumb drive you couldn't decrypt it without the password manager application being installed also.

 

So, here is how I overcome this situation. I use a program called KeePass Password Safe, which not only does not need to be installed, and can run directly from a USB thumb drive, but also has a PocketPC version which can read the same database as the desktop PC version! What I do is I keep my password database on the miniSD memory card of my smartphone, and either access it through a card-reader on my desktop PC or laptop, or I access the passwords directly on the touch-screen of my smartphone. This means that in situations where you cannot get access to your passwords in any other way on the desktop PC, at least you can still view them and type them in manually from the smartphone. Total portability! The only thing that I can think of that would be better than this is an enterprise grade password management token, such as MandyLion, starting at $US269 for a 5 User Workgroup. One of the best things about KeePass Password Safe is that it is free!


So, there you have it, my solution to the problem of how to remember all those complex passwords. In short, don't! You only need to remember one complex password, which you could create using the interleaved password system outlined above. This password then gives you access to the rest of your passwords, that are stored in a password manager, which can create complex passwords for you, can remember and retrieve them for you, and can create new ones regularly, (even backing up the old ones when it does). This meets most of the expectations of a secure password system. And doing this will take the workload off the Xisto administrators, so that they don't have to keep on resetting your password for you because you forgot it again!

 

So, download KeePass Password Safe today. Go on, what are you waiting for?


If you forget your password, you can go to Free Web Hosting, No Ads > FREE WEB HOSTING > FREE WEB HOSTING REQUESTS > Free Web Hosting : Password Reset and ask the friendly admins there to reset your password for you.

You can reset your hosting account password yourself by visiting https://support.xisto.com/ Just log in with your forum username and password, and choose the option to reset your hosting account password. Then it gets done instantly and automatically, rather than waiting for someone to do it for you :)

 

A theory I advocate, rather than passwords, is passphrases. Most software used to guess passwords will cycle through common patterns, dictionary words, etc. However, even a password like g"1R%v can be guessed by software fairly quickly by cycling through every possible character in every possible location. Now that graphics cards are being used to do this, the time taken to crack a password has dropped dramatically. However, consider the following passphrase:

 

First in my class here at M.I.T., Got skills, I'm a Champion of DND

 

That contains a mixture of uppercase and lowercase characters, and punctuation. You can always tag a number on the end if you have to. It is also incredibly easy to remember (as long as you are a Weird Al fan :P ).

 

Now look at how long each one would take to crack:

 

The first password has 128 possible characters per place, and is 14 characters long. 4.40x10^12 possibilities. At 200,000 guesses per second, that would take an absolute maximum of 254 days to guess. Two computers take that down to half.

 

The second passphrase, even if it was all in lowercase, would have 26 possible characters, and is 66 characters long. At our best estimates the Sun would have exploded long before it was guessed :P Passphrases, to me, make much more sense than passwords. They are far easier to remember, and are much more secure. Also, when typing words you type much quicker than typing random symbols. This helps stop people reading your password over your shoulder as you type.

 

So, there you have it, my solution to the problem of how to remember all those complex passwords. In short, don't! You only need to remember one complex password, which you could create using the interleaved password system outlined above. This password then gives you access to the rest of your passwords, that are stored in a password manager, which can create complex passwords for you, can remember and retrieve them for you, and can create new ones regularly, (even backing up the old ones when it does). This meets most of the expectations of a secure password system. And doing this will take the workload off the Xisto administrators, so that they don't have to keep on resetting your password for you because you forgot it again!

The problem with password managers is their encryption. If the encryption algorithm is flawed then you may as well not bother with the password in the first place. I even once saw a password manager that stored the passwords in a plaintext file in the following format:

 

Xisto.com|username|password


On top of using the manage page for changing your password, you can change your password there for free and thus save yourself 15 credits, unless of course you forgot your password or it no longer works, and so you have to spend the 15 credits to get back in. As for remembering passwords, the best thing to do is write it down and, on top of that, use it in several other accounts such as email, IM clients, etc. It took me a few weeks to memorize my password after changing it for the first time in 12 years, and here's the disturbing thing: it was a no-no password, someone's name. So yeah, how I survived the last 12 years on that password without having any problems I will never know.

OK, to break your post down and toss in a bit of reality: password managers are only as effective as your system is secure, because if your computer gets trapped, that password manager just became your worst enemy. The other thing is, if your system were to crash and your passwords were connected to the web, you have to be able to remember them again, and if you don't, you have to go through the process of changing all of them. So the best thing I would do is have 1-3 passwords you can memorize with 100% accuracy, so that when you do have to type one in again your fingers will fly over the keyboard putting it in.

However, let's not forget all those online password generators: don't use them, because you're asking for a world of hurt, since the algorithms could easily be hacked and most of them are not new either. Another recommendation I would make is to learn about leetspeak; that is a good way to help create a stronger password, since you're changing 1's into i's or 3's to E's.


Some interesting comments and perspectives, as always, Saint_Michael and rvalkass. I can see that I am going to enjoy getting into debates with you two later. My wife tends to enjoy discussion and chat more, but I quite enjoy an intellectual challenge, having to back up my comments with facts and such. I'll meet you both at some time in the Life Talk > Debates forum no doubt. I haven't had time to get there yet, but I look forward to sparring with you both.

 

I found an interesting little tool on the Internet a while ago which I thought I'd share here. It is an Online Password Calculator by Last Bit Software. It will take as inputs the length of the password (to a maximum of 20 characters), the number of passwords per second that are being processed by a brute force attack, and the ASCII character groupings (upper case, lower case, digits, punctuation, etc) and will calculate how long it would take for a brute force attack against such a password to be completed. It basically does what rvalkass did above, but I am not a mathematician so I rely on such tools. As they say, there are three types of mathematicians in the world: those that can count and those that can't. :)

 

According to the Online Password Calculator, it would take only 10 days to crack the password example g"1R%v that was given by rvalkass, at 200,000 passwords per second. Whereas, the longer example, a line from my theme song "White and Nerdy" by Weird Al Yankovic (good choice rvalkass!) cannot even be evaluated by the Online Password Calculator as its 67 character length exceeds the limit of this online tool. But at the maximum limit of the tool, 20 characters, this online tool says that it would take 2.1367476784093944x10^23 years to crack the password for a single computer crunching 200,000 passwords per second. That would be something similar to the Deep Thought computer, the second largest computer ever made (according to fiction author Douglas Adams), wherein the makers of the computer that ran the program had to leave it to their ancestors to finally read the results. In the meantime the ancestors had formed a whole religion out of the computer and its program, while waiting for the answer.

 

Speaking of mathematicians who can't count, I'm pretty sure that your example from a line of "White and Nerdy" is actually 67 characters in length, rvalkass, and not 66 as you stated. :) However, the passphrase idea is a good one, as long as, as you say, it includes punctuation and numbers.

 

The problem with password managers is their encryption. If the encryption algorithm is flawed then you may as well not bother with the password in the first place.

I agree, keeping all your treasure in a safe where the lock is broken and the door is held closed with a bit of chewed-up bubblegum probably isn't going to be adequate protection. The encryption systems that KeePass Password Safe uses are the Advanced Encryption Standard (AES, Rijndael) and the Twofish algorithms to encrypt its password databases. There is a detailed discourse about the security measures implemented in KeePass Password Safe which, given that I have already acknowledged my own inadequacies as being mathematically challenged, I will leave it up to you to interpret.


A few things to note regarding passwords:

 

Generally bruteforce attempts are done locally on stolen hashes. Web servers should lock out users who repeatedly fail login attempts (or at least hinder them, for example by forcing them to answer a CAPTCHA on each login attempt like gmail). This means that your password is safe unless the database of the website is compromised - in which case a hacker would only have a password hash. (Assuming they didn't store your password as plaintext!!)

 

Common hashes (e.g. MD5, SHA-1) can be bruteforced extremely fast - at millions of tests a second on a regular computer.

 

There exist wordlists of many thousands of words and common passwords; these would be tested first! This means that having a password of 1234567890 or qwertyuiop is going to be unsafe, even though they are both 10 digits long.

 

There are only about 95 (don't know the number off the top of my head) usable characters in the first 128 ASCII characters, so counting the other 30 in calculations is probably useless... However, having a password like 2²=4 using characters which are in the second half of the ASCII table would greatly increase security - well at least if it's lengthy! 2³²=4294967296 would make a great password...

 

Keep in mind that someone trying to bruteforce a password does not know what character types are in it.


Hi,

It was too technical for my little head, but I tried to figure out a way to create good passwords and remember them easily... Consider a verse of a song that you love, that you chant easily...

Who can hold a fire in his hand and think to the frost Caucasus?

OK! Now look at this: W!c@H#a$F%i^h&H*a(T)t!T@f#C

Pretty complex, huh? :) You can memorize it by a simple pattern, and there are many nice verses that you know that you can use. Just a little experience! Good luck with your password,

CyrusX


According to the Online Password Calculator, it would take only 10 days to crack the password example g"1R%v that was given by rvalkass, at 200,000 passwords per second.

However long it would take, we have established that it is not all that long. What is considered by many to be a secure password is, in fact, not very secure at all. People use passwords like that for online banking, their emails, and all sorts of other incredibly important accounts. If someone is determined enough, they don't need long to crack that password.

 

Whereas, the longer example, a line from my theme song "White and Nerdy" by Weird Al Yankovic (good choice rvalkass!) cannot even be evaluated by the Online Password Calculator as its 67 character length exceeds the limit of this online tool. But at the maximum limit of the tool, 20 characters, this online tool says that it would take 2.1367476784093944x10^23 years to crack the password for a single computer crunching 200,000 passwords per second. That would be something similar to the Deep Thought computer, the second largest computer ever made (according to fiction author Douglas Adams), wherein the makers of the computer that ran the program had to leave it to their ancestors to finally read the results. In the meantime the ancestors had formed a whole religion out of the computer and its program, while waiting for the answer.

A password only really needs to be strong enough so that, when it is finally inevitably cracked, the information/power/access the cracker gets is pointless and of no use to them. If a password will take a thousand years to crack, by the time that has been done, the password would be of no use to the cracker.

 

Speaking of mathematicians who can't count, I'm pretty sure that your example from a line of "White and Nerdy" is actually 67 characters in length, rvalkass, and not 66 as you stated. :) However, the passphrase idea is a good one, as long as, as you say, it includes punctuation and numbers.

I counted it and calculated it before I put the comma between the two lines :) Even without punctuation and numbers, even with only lowercase letters, a passphrase is a much better bet. A 20 character all-lowercase password is 1,000 times better (literally!) than a 12 character password using punctuation, uppercase, lowercase, etc. Punctuation and numbers are only included to satisfy those signup forms that require them.

 

Generally bruteforce attempts are done locally on stolen hashes. Web servers should lock out users who repeatedly fail login attempts (or at least hinder them, for example by forcing them to answer a CAPTCHA on each login attempt like gmail). This means that your password is safe unless the database of the website is compromised - in which case a hacker would only have a password hash. (Assuming they didn't store your password as plaintext!!)

If the entire database was compromised, the hacker would have all the information anyway. If, however, they only had usernames and passwords, then I would hope the creator of the site had used salted one-way encryption to store the passwords.

 

Common hashes (e.g. MD5, SHA-1) can be bruteforced extremely fast - at millions of tests a second on a regular computer.

Unless they are salted. The rainbow tables which store all possible hashes, and the passwords which create them, have unsalted hashes. What you need to do is hash something like "74gfbv94372bv03864" + "password". That way, a rainbow lookup table has to be created solely for your site, which takes a colossal amount of time, and isn't worth the effort.

 

There are only about 95 (don't know the number off the top of my head) usable characters in the first 128 ASCII characters, so counting the other 30 in calculations is probably useless... However, having a password like 2²=4 using characters which are in the second half of the ASCII table would greatly increase security - well at least if it's lengthy! 2³²=4294967296 would make a great password...

Unfortunately my keyboard doesn't feature keys for characters like ³, ², µ and ». Using them in a password would be great, but looking them up in a character table on the screen would be a bit obvious!

 

Keep in mind that someone trying to bruteforce a password does not know what character types are in it.

Sometimes they do. Some websites stipulate a password must contain lowercase, uppercase, numerals and punctuation. Some still say it must all be lowercase. Some set the length. They have no reason to do any of this, but they do it anyway.
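To make the salting point from this reply concrete, here is an added Python example (not code from any of the posters, nor from KeePass or any site mentioned) that stores one unsalted MD5 hash beside a per-user salted PBKDF2-HMAC-SHA256 record. PBKDF2, the record format and the round count are this example's own choices, and the user names and passwords are constructed:

```python
import hashlib
import hmac
import os
from typing import Optional

# Work factor for PBKDF2; an assumption of this example, tune it for your hardware.
PBKDF2_ROUNDS = 100_000


def unsalted_md5(password: str) -> str:
    """The weak scheme the thread warns about: the same password always yields
    the same hash, so one precomputed (rainbow) table serves every site using it."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def make_record(password: str, salt: Optional[bytes] = None) -> str:
    """Hash with a fresh random per-user salt using PBKDF2-HMAC-SHA256.

    The stored record format is constructed for this example:
    pbkdf2$<rounds>$<salt hex>$<digest hex>
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return f"pbkdf2${PBKDF2_ROUNDS}${salt.hex()}${digest.hex()}"


def verify(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        scheme, rounds, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False  # malformed record
    if scheme != "pbkdf2":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(rounds)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def store_both_ways(users: dict) -> tuple:
    """Return (unsalted table, salted table) for a constructed user list."""
    unsalted = {name: unsalted_md5(pw) for name, pw in users.items()}
    salted = {name: make_record(pw) for name, pw in users.items()}
    return unsalted, salted


if __name__ == "__main__":
    # Constructed sample accounts: two users happen to share a password.
    sample = {"alice": "password", "bob": "password", "carol": "correct horse"}
    unsalted, salted = store_both_ways(sample)
    print("unsalted MD5, alice == bob:", unsalted["alice"] == unsalted["bob"])
    print("salted PBKDF2, alice == bob:", salted["alice"] == salted["bob"])
    print("verify alice:", verify("password", salted["alice"]))
    print("verify wrong case:", verify("Password", salted["alice"]))
```

A single site-wide value prepended to every password, as in the "74gfbv94372bv03864" example above, already defeats generic rainbow tables; a random salt stored per user additionally stops two accounts with the same password from producing the same stored hash, and the iterated hash slows each guess down, which is the defence that matters against the GPU rates discussed earlier in the thread.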


Xisto forums password: c?.3\FeO/q),%:!Sg%Uv

cPanel Login: 3J'hP6#eg&!(%>QS8AwJ

FTP access password: C%l3`V:?h*F!1myt^!kl

Login for your Blog: P3lq!5mLtGio;8i*F3%K

Login for your MySpace or other network profile: WNvd;IiB2jORSY'%?6FF

I wonder whether these passwords can be remembered...

 

Some people suggest that I use numbers and then change them to symbols: if your password is, say, 891105, then the password should be *(!!)%, because when inputting the number you press Shift and change it to the symbol right above the number on the keyboard. Is this good? :)


I wonder whether these passwords can be remembered...

 

Some people suggest that I use numbers and then change them to symbols: if your password is, say, 891105, then the password should be *(!!)%, because when inputting the number you press Shift and change it to the symbol right above the number on the keyboard. Is this good? :)

Just because symbols look a bit more confusing than numbers doesn't always mean that they are the most secure. However, if you are trying to be secure against a dictionary attack it might be better, but then so would any password that has more than lowercase letters. As for a brute force attack, most methods try symbols last just because they are less likely to be in the password, but then it depends on the brute force method you are using and what you have set. For example, if somebody knew that the password was all symbols it would greatly increase the ease of getting your password using brute force. Think of it this way. If A is the number of possible different characters your password could be made up of, and B is how long your password is, the worst case scenario for a brute force attack would be A^B. If you change your password from letters to symbols you are only adding about 15 to A; however, every new character you add to your password would add 1 to B. Therefore if you start adding new characters to your password it will start taking longer and longer for a computer to generate that password.

 

Also, take a look what rvalkass said here:

A 20 character all-lowercase password is 1,000 times better (literally!) than a 12 character password using punctuation, uppercase, lowercase, etc.
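The A^B worst case in the reply above, the 200,000 guesses per second figure rvalkass used earlier in the thread, and the 20-lowercase-versus-12-mixed comparison just quoted can all be checked with a short added Python example (mine, not any poster's or any online tool's). The 128-character alphabet and the "about 15" extra symbols are taken from the posts; the function names and the 62-character alphabet in the last comparison are this example's own choices:

```python
import math

SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY


def keyspace(alphabet_size: int, length: int) -> int:
    """Worst-case number of candidates a brute-force search must try: A ** B."""
    return alphabet_size ** length


def worst_case_seconds(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Time to exhaust the whole keyspace at a fixed guess rate (expected time is half)."""
    return keyspace(alphabet_size, length) / guesses_per_second


def describe(seconds: float) -> str:
    """Render a duration in the unit a reader would naturally pick."""
    if seconds < SECONDS_PER_DAY:
        return f"{seconds / 3600:.1f} hours"
    if seconds < 10 * SECONDS_PER_YEAR:
        return f"{seconds / SECONDS_PER_DAY:.0f} days"
    return f"{seconds / SECONDS_PER_YEAR:.3g} years"


def bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random password of this shape, in bits."""
    return length * math.log2(alphabet_size)


def growth_factors(alphabet_size: int, length: int, extra_symbols: int = 15) -> tuple:
    """How much the keyspace grows by widening A (extra_symbols) versus lengthening B by one."""
    wider = keyspace(alphabet_size + extra_symbols, length) / keyspace(alphabet_size, length)
    longer = keyspace(alphabet_size, length + 1) / keyspace(alphabet_size, length)
    return wider, longer


if __name__ == "__main__":
    rate = 200_000  # guesses per second, the figure used in the thread
    # rvalkass's g"1R%v: 128 symbols per position, 6 characters
    print("6 chars, 128-symbol alphabet:", describe(worst_case_seconds(128, 6, rate)))
    # 20 lowercase letters versus 12 characters from a 128-symbol alphabet
    print(f"26^20 / 128^12 = {keyspace(26, 20) / keyspace(128, 12):.0f}x")
    # and against the 95 printable ASCII characters Nabb mentions
    print(f"26^20 / 95^12  = {keyspace(26, 20) / keyspace(95, 12):.0f}x")
    # 15 more symbols in the alphabet versus one more character in the password
    wider, longer = growth_factors(62, 8)
    print(f"8 chars: +15 symbols -> x{wider:.1f}, +1 character -> x{longer:.0f}")
```

The 6-character, 128-symbol case works out to about 254 days of exhaustive search at that rate, matching the earlier post, and 26^20 is indeed roughly a thousand times 128^12 (and tens of thousands of times 95^12). Two caveats the numbers hide: a guess rate of 200,000 per second is far below what GPU hash cracking achieves against unsalted fast hashes, and the calculation assumes a uniformly random password, so a dictionary phrase is weaker than its length suggests.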


Well... Actually I don't remember passwords. I have the Opera Wand to remember them for me. Every time I open the forum, the Wand automatically inserts it for me. It's more efficient than using password storing software.

 

OK, since here we are discussing ways to create passwords which are easy enough to be remembered by humans but complex enough for so-called cracking algorithms, I have a suggestion.

 

Yet another way of forming passwords:

 

We know that we have to insert a good combination of numbers and letters to make a password complex. But how? Answer --> Instead of choosing correct English spellings, one could use something like:

 

1) EchTooEssOhhFoure for H2SO4 (either spaced or joined, giving a bad time for dictionary attacks)

2) 6T9 (for 69)

3) La8 (for Late)

 

After forming the individual words, just combine them, either spaced or joined. You can find out more yourself. It just needs a bit of creative thinking, a step aside from English, that's it.

 

If your mother tongue is other than English, or you know another language, then just use it. Isn't that good? These modified words in your passwords would be second nature to you after you use them a few times.

 

On an end note, I just want to say: think practically; the master cracker (not the ordinary one) sitting in the nook won't trouble your account unless what you own is Google's root admin account, PayPal's super admin account or the like :lol: .


Hmm, interesting, I will try using this. My password is really easy, I guess, but a warning to all: do not use personal details that are easily accessed, and don't use your credit card number for your password! The admin of the site could easily get at your credit card then, and you will be screwed. Good Luck - Daft Punk



I've always used passwords like Liverpool+gerald


For my password, I actually practice a meaningless password that consists of random keyboard strikes. As long as you practice it enough, it will be in your muscle memory, and you can "play" your password each time. Works like a charm!


Wow! Thanks, man! I was thinking of a way, and, well this seems great! You don't know how much you helped me. Again thanks, oh and also, very nicely organized and laid out. I look forward to more.
