Thursday, May 29, 2008

How to choose secure passwords

In response to the Debian ssh fiasco, I've decided to take a closer look at all my passwords and keys. There are six machines on which I regularly log in, probably about a dozen accounts on these in total, and of course around fifty web services that I have at some point registered with. All this has become quite a mess, and I'll try to clear it up as well as I can. This post may be the first in a series of hands-on security-related posts; but it may not.

Here's a recommendation on passwords that you hear often: “take a sentence that you remember easily, like a song lyric, then take the first letter of each word, and there's your password.” Works pretty well, as long as your sentence is long enough and you mix in some digits (like ‘4’ instead of ‘for’). However, if someone happens to know your taste in music (from, for example, Last.fm), a little patience and some brute force can still recover your password.

I think I can do better. I, too, start with a sentence, sometimes even a song lyric. But instead of replacing each word with its first letter, I replace it with something that, in my mind, is connected to that word, and is the first thing that comes to mind. If nothing comes to mind, I just take the first letter of the word.

For example, let's say my sentence is ‘Shall I compare thee to a summer's day’. ‘Shall’ reminds me of ‘shallow’ and therefore becomes ‘_’. ‘I’ remains ‘I’. ‘Compare’ reminds me of Perl's spaceship operator and thus becomes ‘<=>’. ‘Thee’ is the Dutch word for tea (although pronounced differently) and becomes ‘cU’ since that looks somewhat like a cup of tea. ‘to’ becomes ‘2’. ‘a’ remains ‘a’. ‘Summer's’ could be ‘^o's’ because in summer the sun (‘o’) is high (‘^’) in the sky. At ‘day’ I ran out of inspiration, so this becomes ‘d’, and I add a trailing ‘,’ for good measure. Hence a secure password, that I could remember (and, if necessary, reconstruct): ‘_I<=>cU2a^o'sd,’.

The reason why this is (hopefully) a little bit more secure than the naïve version is that it uses information that is only in my strange, illogical, twisted brain, and nowhere else. That, combined with a broad taste in music, should make brute force over song lyrics a lot tougher.
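To make the "brute force over song lyrics" argument concrete, here is an added Python audit (my own code, not from the original post) that enumerates every password the naive first-letter scheme can produce from a given sentence, including the usual digit swaps, and checks whether a candidate password is in that set. The substitution table, the naive password ‘SIct2asd’ and the one-million-lyrics corpus size are assumptions for illustration.

```python
import itertools
import math
import re
import string

# The sentence from the post; the naive scheme derives its password from it.
SENTENCE = "Shall I compare thee to a summer's day"

# Assumed digit/letter swaps that the naive scheme commonly applies.
WORD_SUBS = {"for": "4", "to": "2", "too": "2", "two": "2",
             "you": "u", "are": "r", "one": "1", "ate": "8"}


def naive_candidates(sentence):
    """Every password the first-letter scheme can yield from `sentence`:
    first letter of each word, either case, optionally digit-substituted."""
    per_word = []
    for word in re.findall(r"[A-Za-z']+", sentence):
        options = {word[0], word[0].lower()}
        swap = WORD_SUBS.get(word.lower())
        if swap:
            options.add(swap)
        per_word.append(sorted(options))
    return {"".join(choice) for choice in itertools.product(*per_word)}


def search_bits(sentence, corpus_size):
    """Work for an attacker who guesses the sentence from a lyric corpus:
    log2(candidates per sentence * number of sentences in the corpus)."""
    return math.log2(len(naive_candidates(sentence)) * corpus_size)


def charset_bits(password):
    """Textbook strength estimate: length * log2(alphabet actually used).
    Overstates strength for any password derived from a public sentence."""
    pool = 0
    for alphabet in (string.ascii_lowercase, string.ascii_uppercase,
                     string.digits, string.punctuation):
        if any(c in alphabet for c in password):
            pool += len(alphabet)
    return len(password) * math.log2(pool)


def audit(password, sentence):
    """Report whether `password` is reachable by the naive scheme from
    `sentence`, alongside the (misleading) charset estimate."""
    return {
        "derivable_by_first_letter": password in naive_candidates(sentence),
        "charset_bits": round(charset_bits(password), 1),
    }


if __name__ == "__main__":
    print(audit("SIct2asd", SENTENCE))           # naive scheme: derivable
    print(audit("_I<=>cU2a^o'sd,", SENTENCE))    # post's scheme: not derivable
    print(round(search_bits(SENTENCE, 1_000_000), 1))
```

With the assumed corpus, the naive password sits in a search space of only about 2^23 guesses regardless of its charset estimate, while the association-based one is not in the enumerable set at all.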