Designing Secure Web-Based Applications for Microsoft Windows 2000 with CDROM
The problem with strong passwords is that they are somewhat difficult to remember. It's much easier to remember a password such as GuessThePassword than one such as 6!2f?MHclh6@, but the former is also much easier to guess or attack with brute-force techniques. Coming up with a strong but easy-to-remember password is easy, however, if you follow these steps:
- Come up with a series of obfuscation rules.
- Choose a phrase that you will remember.
- Obfuscate the phrase.
- Try out the password.
Let's look at these steps.
Come Up with a Series of Obfuscation Rules
This is a simple step: think of some words or letters, and consider how you would obfuscate each of them by reducing them to a single letter or symbol. Table B-2 shows some examples.
Table B-2. Some obfuscation rules.
| Word or Letter | Obfuscation | Comments |
|---|---|---|
| Up | ^ | The up arrow |
| Down | V | The down arrow (uppercase or lowercase letter V) |
| Right | > | The right arrow |
| Left | < | The left arrow |
| And | & | C++/Perl/JScript "and" |
| Or | \| | C++/Perl/JScript "or" |
| Pipe | \| | The shell pipe symbol |
| Not | ! | C++/Perl/JScript "not" |
| Not | ~ | C++/Perl/JScript bitwise "not" |
| Point/arrow | -> | C++ pointer symbol |
| Equal/compare | = | The programming equal symbol |
| Point | . | A single point |
| At | @ | Symbolic at |
| You | U | Phonetic similarity |
| Be | B | Phonetic similarity |
| See/Sea | C | Phonetic similarity |
| Are | R | Phonetic similarity |
| To/Too | 2 | Phonetic similarity |
| Why | Y | Phonetic similarity |
| F | Ph | Phonetic similarity |
| Snake | S | Looks like a snake! |
| Come | , | Comma, which sounds similar |
| Stop | . | British term for a period: a full stop |
| Water | ~ | Squiggly line, like a wave! |
| Star | * | A starlike symbol |
| Cross | X or + | Crosslike symbols |
| Great | > | The greater than symbol |
| Less | < | The less than symbol |
| O | 0 | Replace letter O with zero |
| On | 1 | On = binary on or 1 |
| Off | 0 | Off = binary off or 0 |
| E | 3 | Hackers often use the number 3 to represent the letter E (it looks like a reversed E). |
| L or I | 1 | Hackers often use the number 1 to represent L or I. |
| 1 | ! | Hackers often use the symbol ! to represent the digit 1. |
| A | 4 | Hackers often use the number 4 to represent the letter A. |
| S | $ | Hackers often use the symbol $ to represent the letter S. |
| T | + | Hackers often use the symbol + to represent the letter T. |
| Laugh, sad, shout, etc. | :-) :-( :-0 | Smileys! |
NOTE
You should derive your own obfuscation rules because some password-guessing programs might account for ! for 1, 3 for E, and so on.
Choose a Phrase That You Will Remember
This is the easy part: just think of a sentence, a line from a poem, part of a song, or a nursery rhyme.
Obfuscate the Phrase
Now apply the rules you defined in the first step to come up with a password. Table B-3 shows some examples. Don't use these!
Table B-3. Some examples of complex yet easy-to-remember passwords.
| Phrase | Password | Comments |
|---|---|---|
| Mary had a little lamb its fleece was white. | M+4vLiFW* | Mary = M; had = + (add); a = 4 (see Table B-2); little = v (down, small); lamb = L; its = i; fleece = F; was = W; white = * (bright) |
| Laugh and the world laughs with you. | :-)&t0:-(wU | Laugh = :-); and = &; the = t; world = 0 (zero, physically big); laughs = :-( (opposite of a smile!); with = w; you = U |
| One day a man went to the zoo. | !D4mw2tz00 | One = ! (see Table B-2); day = D; a = 4 (see Table B-2); man = m; went = w; to = 2; the = t; zoo = z00 (see Table B-2) |
Try Out the Password
Finally, lock and unlock your workstation a couple of times to get familiar with how the password "feels." This might sound silly, but it helps you remember the password.
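The four steps above, carried out in code as an added example (this is not from the book or its companion CD). The rule table is constructed for the example from Table B-2 plus the ad-hoc word mappings the book uses in Table B-3, so the function reproduces the three sample passwords; the `meets_policy` check applies an assumed policy (at least 8 characters drawing on at least 3 of the 4 character classes), which is not stated on this page. As the book's note advises, anyone using this for real should derive their own rules rather than reuse this table.

```python
"""Mnemonic-password construction from a personal obfuscation rule table."""
import re
import string

# Word-level rules (constructed for this example from Tables B-2 and B-3;
# keys are lower-case whole words, values are the replacement tokens).
WORD_RULES = {
    "mary": "M", "had": "+", "a": "4", "little": "v", "lamb": "L",
    "its": "i", "fleece": "F", "was": "W", "white": "*",
    "laugh": ":-)", "and": "&", "the": "t", "world": "0",
    "laughs": ":-(", "with": "w", "you": "U",
    "one": "!", "day": "D", "man": "m", "went": "w", "to": "2", "zoo": "z00",
}


def obfuscate(phrase, rules=WORD_RULES):
    """Step 3: apply the word rules to a remembered phrase.

    Words without a rule fall back to their first letter (case preserved),
    so the result always has one token per word of the phrase.
    """
    words = re.findall(r"[A-Za-z']+", phrase)
    tokens = []
    for word in words:
        token = rules.get(word.lower())
        if token is None:
            token = word[0]  # unmapped word: keep its initial
        tokens.append(token)
    return "".join(tokens)


def character_classes(password):
    """Return the set of character classes present: upper, lower, digit, symbol."""
    classes = set()
    for ch in password:
        if ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.digits:
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


def meets_policy(password, min_length=8, min_classes=3):
    """Assumed complexity policy (not from the book): length and class coverage.

    Length alone is not enough: a long all-letter phrase such as
    'GuessThePassword' fails the class requirement, which is the book's
    point about easy-to-guess passwords.
    """
    return (len(password) >= min_length
            and len(character_classes(password)) >= min_classes)


if __name__ == "__main__":
    for phrase in ("Mary had a little lamb its fleece was white.",
                   "Laugh and the world laughs with you.",
                   "One day a man went to the zoo."):
        pw = obfuscate(phrase)
        print(f"{phrase!r} -> {pw!r}, policy ok: {meets_policy(pw)}")
```

Running the block prints the three Table B-3 passwords and shows each passing the assumed policy; swapping in your own rule table is the intended use, since a table printed in a book is exactly what a guessing program can be taught.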
Use RandomGoo to Create Very Strong Passwords
We've included a tool for Microsoft Windows CE Pocket PCs that will allow you to create long strings of cryptographically random data. The tool, RandomGoo, is available on the companion CD for MIPS-based and SH3-based Pocket PCs.
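The modern equivalent of such a tool, as an added example that is not the RandomGoo utility from the companion CD: Python's `secrets` module draws from the operating system's cryptographic random number generator, which is the property that matters here (the `random` module is a deterministic PRNG and must not be used for passwords or keys). The alphabet, the default length and the requirement that every character class appear are assumptions of this example.

```python
"""Cryptographically random password generation with a CSPRNG."""
import math
import secrets
import string

# Assumed alphabet: the 94 printable ASCII characters excluding space.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def has_all_classes(password):
    """True if the password contains an upper, a lower, a digit and a symbol."""
    return (any(c.isupper() for c in password)
            and any(c.islower() for c in password)
            and any(c.isdigit() for c in password)
            and any(c in string.punctuation for c in password))


def random_password(length=16, alphabet=ALPHABET):
    """Return `length` characters chosen uniformly from `alphabet` via the OS CSPRNG.

    secrets.choice rejects out-of-range values internally, so there is no
    modulo bias. Candidates missing a character class are discarded and
    redrawn; rejection keeps the distribution uniform over the accepted set.
    """
    if length < 4:
        raise ValueError("need at least 4 characters to cover all four classes")
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if has_all_classes(candidate):
            return candidate


def entropy_bits(length, alphabet=ALPHABET):
    """Upper bound on the entropy of a uniformly chosen password of this length."""
    return length * math.log2(len(alphabet))


if __name__ == "__main__":
    pw = random_password()
    print(pw, f"~{entropy_bits(len(pw)):.1f} bits")
```

A 16-character draw from this alphabet carries just under 105 bits, far beyond what any memorable phrase provides; the trade-off the book describes is that such strings need a password manager or a device like the Pocket PC to hold them.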