We usually rag on Bruce Schneier and his self-imposed title of “security” guru. The man is about as well versed in actual physical security as we are in space travel. However, there is one thing he knows, and that’s cryptography, a branch of mathematics that most peope with a computer is at least passing familiar with. Here’s one of the few things we endorse that comes from BS: “Schneier’s Scheme”, a way of choosing passwords for everything. These babies are really, really hard to crack, and we can’t recommend this enough, really, for anyone interested in security.
Generally speaking, the problem isn’t that passwords get broken, the problem is that how we think about them is. Replacing o’s with 0’s (zeros) and I with 1 and so on isn’t going to cut it in the long run.
Here’s Schneier himself:
As computers have become faster, the guessers have got better, sometimes being able to test hundreds of thousands of passwords per second. These guessers might run for months on many machines simultaneously.
They guess intelligently. They don’t run through every eight-letter combination from “aaaaaaaa” to “zzzzzzzz” in order. That’s 200bn possible passwords, most of them very unlikely. They try the most common password first: “password1”. (Don’t laugh; the most common password used to be “password”.)
So what’s the solution? If any word and/or name you can think of is a liability waiting to happen, you’ve got serious cleaning up to do, huh? Yep. Don’t we all. The good news? There’s still a secure scheme out there, which will render your passwords impervious to conventional attacks, at least.
So if you want your password to be hard to guess, you should choose something that this process will miss. My advice is to take a sentence and turn it into a password. Something like “This little piggy went to market” might become “tlpWENT2m”. That nine-character password won’t be in anyone’s dictionary. Of course, don’t use this one, because I’ve written about it. Choose your own sentence — something personal.
That easy. Even if the site or application you need a password for doesn’t accept spaces, this will check out. Replace spaces with dots, commas, underscores or eliminate them completely. Here’s how:
- WIw7,mstmsritt… = When I was seven, my sister threw my stuffed rabbit in the toilet.
- Wow…doestcst::amazon.cccooommm = Wow, does that couch smell terrible.
- Ltime@go-inag~faaa! = Long time ago in a galaxy not far away at all.
- uTVM,TPw55:utvm,tpwstillsecure = Until this very moment, these passwords were still secure.
You get the idea. Combine a personally memorable sentence, some personal memorable tricks to modify that sentence into a password, and create a long-length password.