Tuesday, 3 May 2011

Complicated passwords - it's easy!

I've decided to write about passwords in my first post, because it's something I think about almost every day. Maybe because people around me just think that hard passwords are hard to remember, so a "small" chance of having their passwords stolen isn't worth the real danger of forgetting them. I face weak password issues pretty often, and every time I say a magic phrase: "mnemonic formulas". "What is it?" the users ask. "It's something that will help you have complicated, unique passwords for every site you visit." I will not come up with my own definitions and descriptions and will just put some quotations below.

So, the first result of a Google search for "password mnemonic formulas" gave me this document with a simple definition:
A Mnemonic Password Formula, or MPF, is a memory technique utilizing a predefined, memorized formula to construct a password on the fly from various context information that the user has available.
Actually, the information in the document is enough to understand how it works; I'll just put here a quote with a simple formula example:
A Simple MPF
The following simple formula should be sufficient to demonstrate the MPF concept.
Given the authenticating user and the corresponding authenticating system, a formula like that shown in the following example could be constructed. This example formula contains two elements: the user and the target system identified either by hostname or the most significant octet of the IP address.
<user>!<hostname|lastoctet>
The above MPF would yield such passwords as:
• "druid!neo" for user druid at system neo.jpl.nasa.gov
• "intropy!intropy" for user intropy at system intropy.net
• "thegnome!nmrc" for user thegnome at system nmrc.org
• "druid!33" for user druid at system
This simple MPF schema creates fairly long, easy to remember, passwords that contain a special character. However, it does not yield very complex passwords. A diligent attacker may include the target user and hostname as some of the first combinations of dictionary words used in a brute force attack against the password.
Due to the fact that only the hostname or last octet of the IP address is used as a component of the schema, passwords may not be unique per system. If the same user has an account on two different web servers, both with hostname "www", or two different servers with the same last address octet value within two different sub-nets, the resultant passwords will be identical. Finally, the passwords yielded are variable in length and may not comply with a given system's password length policies.
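To make the quoted caveats concrete, here is a small added example (my own code, not from the quoted document) that builds passwords with the simple <user>!<hostname|lastoctet> formula and then checks the two weaknesses the paper names: collisions between systems that share a hostname or last octet, and lengths that fall outside a system's policy. The host names and IP addresses in the collision check are constructed samples (documentation address ranges), not real systems.

```python
import ipaddress
from collections import defaultdict

def system_component(system: str) -> str:
    """Return the <hostname|lastoctet> element of the quoted formula:
    the last octet for an IPv4 address, otherwise the first DNS label."""
    try:
        addr = ipaddress.ip_address(system)
    except ValueError:
        # Not an IP address: treat it as a hostname and keep its first label
        # (neo.jpl.nasa.gov -> neo), as in the paper's examples.
        return system.split(".")[0].lower()
    if isinstance(addr, ipaddress.IPv4Address):
        return str(addr.packed[-1])  # last octet as a decimal string
    raise ValueError("the simple formula defines no element for IPv6 addresses")

def simple_mpf(user: str, system: str) -> str:
    """Apply the formula <user>!<hostname|lastoctet>."""
    return f"{user}!{system_component(system)}"

def find_collisions(user: str, systems: list[str]) -> dict[str, list[str]]:
    """Group the given systems by the password the formula yields for this user
    and return only the groups where several systems share one password."""
    by_password: dict[str, list[str]] = defaultdict(list)
    for system in systems:
        by_password[simple_mpf(user, system)].append(system)
    return {pw: hosts for pw, hosts in by_password.items() if len(hosts) > 1}

def meets_length_policy(password: str, min_len: int = 8, max_len: int = 16) -> bool:
    """Check a derived password against a (constructed) length policy."""
    return min_len <= len(password) <= max_len

if __name__ == "__main__":
    # Constructed sample systems for one user; www.example.* and the two
    # documentation-range addresses are placeholders, not real accounts.
    systems = [
        "neo.jpl.nasa.gov",
        "www.example.org",
        "www.example.net",
        "192.0.2.33",
        "198.51.100.33",
    ]
    for system in systems:
        pw = simple_mpf("druid", system)
        print(f"{system:20} -> {pw:18} length ok: {meets_length_policy(pw, min_len=10)}")
    print("colliding passwords:", find_collisions("druid", systems))
```

Running it shows that both "www" servers and both ".33" hosts end up with one and the same password, and that "druid!33" is already too short for a ten-character minimum while "druid!neo" passes: exactly the non-uniqueness and variable-length problems the quoted paper warns about.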
Generally, that's it. Stay secure!
