Monday, August 23, 2010

Making a 'Super Password'

"How to create a 'super password'"
John D. Sutter, CNN (August 20, 2010)

"Say goodbye to those wimpy, eight-letter passwords.

"The 12-character era of online security is upon us, according to a report published this week by the Georgia Institute of Technology.

"The researchers used clusters of graphics cards to crack eight-character passwords in less than two hours.

"But when the researchers applied that same processing power to 12-character passwords, they found it would take 17,134 years to make them snap.

" 'The length of your password in some cases can dictate the vulnerability,' said Joshua Davis, a research scientist at the Georgia Tech Research Institute.

"It's hard to say what will happen in the future, but for now, 12-character passwords should be the standard, said Richard Boyd, a senior research scientist who also worked on the project...."

According to the CNN article, the researchers chose the number 12 for their recommended password length because they think it's a good balance between convenience and security.

Eventually, we may get really long passwords.

"...Here's one suggested password-sentence from Carnegie Mellon University:

" 'No, the capital of Wisconsin isn't Cheeseopolis!'..."

That'll have to wait until the security systems that websites use can handle characters other than letters of the alphabet and numbers, such as commas, apostrophes, and blank spaces.

The Lemming must be using some of the better-run websites: I was surprised to learn that a fair number of places online won't accommodate long passwords.

The Lemming Applauds Himself: But You Might Find It Useful

Me? I've been using 'long' passwords, a dozen or so characters long, for years. They're not all that hard to remember, since I use a pattern. I have three parts for each password. One's a word that isn't in most dictionaries, another involves a number that's easy for me to remember, and the third is very mnemonic - generally having something to do with the website or service I'm logging into.

If all I relied on was the mnemonic part, I could be hacked fairly easily. All three together? I'm not sure how long it'd take for a program to run through enough combinations to 'guess' the right one. I'm not worried, though: the places I go generally limit the number of times I'm allowed to make a mistake before having to wait and visit the place later.

The CNN article does a pretty good job of discussing password security: including how to deal with the issue of remembering your passwords.

One of the solutions seems to be a disaster waiting to happen, as the author concedes:

"...A website called Password Safe will store a list of passwords for you, but Boyd and Davis said it may still be possible for a hacker to obtain that list...."

There are other solutions: including physical gadgets you can carry around with you.

The Lemming's opinion is that the best approach to password security is to work out a system that
  • You can remember at 2:00 a.m.
  • Produces
    • A different password for every site
    • Long passwords
    • Passwords with letters and numbers
  • Doesn't involve your birthday, or any other fact that others know about you
  • Isn't on a sticky note stuck to your monitor