How to Be Your Own Best Password Generator

Michael Buckbee
2 min read
Published November 12, 2014
Last updated January 17, 2023

Let’s face it people, we’re bad at coming up with our own passwords. They’re too short, too obvious, and hackers have gotten very good at breaking them—either by outright guessing or by looking up password hashes in large pre-computed tables.

How bad are our collective password-making abilities? You can see for yourself. After the epic RockYou data breach in 2009, 32 million unencrypted passwords—I had trouble with that as well—were stolen and made available on the Intertoobz.

We now have a pretty good idea just how uninspired the general public is at this essential security task.

The Evils of Convenience

Not surprisingly, “123456” was the most popular—it was the choice of almost 300,000 users—followed by all the usual suspects: “password”, “iloveyou”, and the name of the online gaming service itself, “rockyou”.

Convenience is, understandably, driving our password choices. After looking through the RockYou files myself, I can say you’re not being the least bit clever using this formula: <your name> + “boy” or “girl” + <random two-digit number>.

Hackers exploit our desire for convenience, which lets them make very informed, high-probability guesses.

It’s only a little more complicated if they get hold of a list of password hashes, as was the case in the infamous LinkedIn breach. Using existing password lists and dictionaries of common words, they can pre-compute giant tables associating passwords with hash values. After a quick reverse lookup, they’ve broken the cryptic hash sequence.

Yes, “salting” the hashes helps, but with immense computing power within reach of average hackers, offline brute-force attacks are now feasible.

By the way, Cindy and I are finishing up an ebook that examines the many issues with password-based authentication, including an in-depth look at password hashes. We’ll have more news very soon!

Longer Is Better

One very obvious way to make the job of hackers more difficult is to come up with longer passwords—in crypto-speak, you’re increasing information entropy.

Why does adding a few characters to a password make such a difference? It really has to do with the power of exponential growth.

Let’s say your choice of characters includes upper- and lowercase letters (52 possibilities), numbers (10), and all those punctuation and other non-alphanumeric symbols (about 13). Add it up, and each additional character in the password multiplies the number of possibilities by 75.

A six-character password means that the total number of combinations is 75 raised to the power of six, which is over 200 billion. In the Big Data era, this ain’t a large number. Add two more characters, and the space that hackers have to search is now almost a quadrillion—a thousand trillion.

Longer passwords, say in the 8–10 character range, push guessing attacks into the unlikely-to-succeed zone. Hackers who’ve obtained a file of password hashes would have a serious computation problem on their hands.

Easy Long Passwords

It turns out we humans are capable of coming up with long passwords. The technique I now present is based on an old-fashioned memory trick, known as a mnemonic.

The idea is you create a story and then use that to generate the letters and symbols. For example, I know on Saturdays, I usually have a lot of errands to do. So here’s the story that I use: Every Saturday, I go to the dry cleaners at 10 to get my 2 sweaters.

From that sentence I take the first letter of each word to create my long, non-crackable password: ES,Igttdca10tgm2s. I would never remember that long string on its own. But with my little story, which is easy for me to recall, I can quickly recreate the password.

Yes, you can be creative, and your stories can involve sports teams and scores, or shopping lists and recipes.

So your assignment is to make a New Year’s resolution to change all your passwords in January 2015.

Or SyaitmaNY’srtcaypiJ2015.
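Both the search-space arithmetic under “Longer Is Better” and the first-letter rule behind the two passwords above can be checked with a short script. The Python below is an added example, not code from the original post: it turns a sentence into a password by keeping the first character of each word and dropping only the letters that follow it (so digits such as “10” and attached punctuation such as the comma after “Saturday” survive, which is exactly how the post’s own two passwords come out), and it evaluates the post’s 75-symbol model exactly for any length. The 75-symbol alphabet is the post’s assumption, carried over as-is; the function names are mine.

```python
import math
import re

# The post's alphabet: 52 letters + 10 digits + about 13 punctuation symbols.
# This is an assumption taken from the text. Printable ASCII without the space
# has 94 symbols, so the figure slightly understates a full-keyboard search.
ALPHABET_SIZE = 52 + 10 + 13  # 75

# Keep the first character of a word and drop the run of letters after it.
# Anything that is not a letter (digits, commas, periods, apostrophes) stays,
# so "Saturday," -> "S,", "10" -> "10" and "Year's" -> "Y's".
_STRIP_REST_OF_WORD = re.compile(r"^(.)[A-Za-z]*")


def derive_password(sentence: str) -> str:
    """Turn a memorable sentence into the first-letter password the post describes."""
    return "".join(_STRIP_REST_OF_WORD.sub(r"\1", word) for word in sentence.split())


def search_space(length: int, alphabet_size: int = ALPHABET_SIZE) -> int:
    """Candidate strings a brute-force attacker must consider: alphabet_size ** length."""
    return alphabet_size ** length


def entropy_bits(length: int, alphabet_size: int = ALPHABET_SIZE) -> float:
    """The same search space expressed in bits: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def character_classes(password: str) -> set:
    """Which classes the password really draws on; the 75-symbol model assumes all of them."""
    classes = set()
    for ch in password:
        if ch.isupper():
            classes.add("upper")
        elif ch.islower():
            classes.add("lower")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


def report(sentence: str) -> dict:
    """Derive the password and describe the brute-force search space it implies."""
    pw = derive_password(sentence)
    return {
        "password": pw,
        "length": len(pw),
        "classes": character_classes(pw),
        "search_space": search_space(len(pw)),
        "entropy_bits": round(entropy_bits(len(pw)), 1),
    }


if __name__ == "__main__":
    # Constructed inputs: the two sentences used in the post.
    for sentence in (
        "Every Saturday, I go to the dry cleaners at 10 to get my 2 sweaters.",
        "So your assignment is to make a New Year’s resolution to change all your passwords in January 2015.",
    ):
        print(report(sentence))
    # The post's own figures, evaluated exactly:
    print("6 chars:", search_space(6), "8 chars:", search_space(8))
```

Run as-is, it prints a report for both of the post’s sentences and the exact values of 75^6 and 75^8. The model treats every one of the 75^n strings as equally likely, which is what a pure brute-force attacker faces; the character_classes check is a cheap way to confirm that a mnemonic sentence actually pulled in uppercase letters, digits and punctuation rather than producing a run of lowercase letters, since the 75-symbol count only applies when all of those classes are in play.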
