Choosing Passwords

There's an old joke about two hunters who come face-to-face with a bear.  The bear charges them, at which point they start running for their lives.  While running, one of the hunters says, "Why are we running?  We're never going to outrun this bear!"  And the other says, "I don't have to outrun the bear.  I only have to outrun you."

When it comes to security issues, it's all too easy for Mac users to adopt the attitude of our second hunter.  We don't have to adopt best practices with respect to security, right?  After all, Windows is the platform that has all the security problems, right?

Wrong.  Whatever security issues users of other systems might run into, they are irrelevant to our experience.  If all you do is keep running from that bear without looking at where you're running, there's a non-zero chance that you'll run into a pack of wolves.  Indeed, researchers presenting at the Chaos Communication Congress have shown how you can hack FileVault passwords.

That's why I tell every Mac user I've encountered to always follow best practices when it comes to security.  Install the latest security updates when they become available, and that holds for applications as well as operating systems.  That's one of the reasons we did auto update with Mac Office 2004.

Among the best security practices that everyone should adopt, choosing strong passwords is at the top of the list.  If you're reading this, then you have access to the Internet.  You likely have accounts on various web sites.  You might even be doing some on-line banking.  All of these systems, systems not under your control, store your password somewhere.  Should someone get their hands on that password file, it's not at all difficult to crack some of the passwords in that file.

If you search for "strong passwords" on the Internet, you'll find a lot of information about them.  The definitions and advice at UT Austin are both sound and typical of what you'll find.  But, you can take it one step further.  The primary difficulty with strong passwords is coming up with something that's both easy to remember and very hard to crack.

One of the best ways I've discovered is to learn about 10 or 15 words in a language that doesn't use the Roman alphabet.  I use Arabic, but you can use Hebrew, Hindi, Chinese or any other such language.  Just choose a language that doesn't use the Roman alphabet.

Now, you don't really need to learn how to spell those words in the native alphabet.  For most languages that don't use the Roman alphabet, there is at least one way of transliterating words from that language into the Roman alphabet.  In fact, for most cases, there are multiple ways of transliterating from the native alphabet to the Roman alphabet.  The Wikipedia page on Arabic transliteration lists 10 different systems, and I know there is at least one not listed in that table.

So, what you really want to learn is a Roman alphabet transliteration of those 10 or 15 words.  For example, I couldn't spell the Arabic word for mosque using the Arabic alphabet if you put a gun to my head.  On the other hand, I know a couple of ways people might transliterate that same word into the Roman alphabet.

Once you've learned those 10 or 15 words, you can construct a strong password by following a simple rule.  First, choose some uncommon punctuation mark, say one of the shifted characters of the 1-8 number keys on a standard US keyboard.  Second, concatenate parts of two of those transliterated words with that punctuation mark between them.  Third, choose a consistent scheme for capitalization, the second and fifth characters, for example.

The reason you'll want 10 or 15 words is that some systems require you to change your password every 60 days or so, and they add the restriction that no new password may be based on any of the previous 20-30 passwords.  Knowing 10 or 15 words gives you enough room to combine a couple of different words with different punctuation marks in order to satisfy that requirement.
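To make the three-step rule and the "room" argument concrete, here is an added example (not code from the original post) that builds passwords the way the rule describes and counts how many distinct passwords a given vocabulary yields.  The sample transliterations, the five-letter "part" of each word, and the basic policy check are assumptions chosen for illustration.

```python
"""Worked example of the three-step password rule (added here; not the post's
own code). The vocabulary is a constructed set of Roman-alphabet
transliterations used only for illustration."""
import itertools

# The post's suggestion: the shifted characters of the 1-8 keys on a US keyboard.
SHIFTED_1_TO_8 = "!@#$%^&*"

# Constructed sample vocabulary (assumption: the post does not list its words).
SAMPLE_WORDS = ["masjid", "kitab", "shukran", "madrasa", "qalam"]


def capitalize_positions(text, positions=(2, 5)):
    """Upper-case the characters at the given 1-indexed positions.
    A position that falls on the punctuation mark is left unchanged."""
    chars = list(text)
    for pos in positions:
        if 0 < pos <= len(chars):
            chars[pos - 1] = chars[pos - 1].upper()
    return "".join(chars)


def build_password(first, second, mark, part_len=5):
    """Step 1: pick a mark; step 2: join a part of each word with it;
    step 3: apply the fixed capitalization scheme (assumed part length: 5)."""
    if mark not in SHIFTED_1_TO_8:
        raise ValueError("mark must be one of %r" % SHIFTED_1_TO_8)
    if first == second:
        raise ValueError("use two different words")
    return capitalize_positions(first[:part_len] + mark + second[:part_len])


def password_space(words, marks=SHIFTED_1_TO_8, part_len=5):
    """Every distinct password the rule yields from a vocabulary: the 'room'
    the post relies on when a system forbids reusing the last 20-30 passwords."""
    return {build_password(a, b, m, part_len)
            for a, b in itertools.permutations(words, 2)
            for m in marks}


def meets_basic_policy(password, min_len=8):
    """Checks typical strong-password guidance: length, mixed case, a symbol."""
    return (len(password) >= min_len
            and any(c.islower() for c in password)
            and any(c.isupper() for c in password)
            and any(c in SHIFTED_1_TO_8 for c in password))


if __name__ == "__main__":
    pw = build_password("masjid", "kitab", "!")
    print(pw, meets_basic_policy(pw))          # mAsjI!kitab True
    print(len(password_space(SAMPLE_WORDS)))   # 160 distinct passwords from 5 words
```

With the post's 10 to 15 words the same count grows to 720 and 1680 respectively, which is why a vocabulary of that size comfortably covers a 20-30 password history.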

Using strong passwords is an important part of any security strategy, and using this scheme to generate your own passwords will leave you as invulnerable as possible to any kind of password-guessing attack.

Currently playing in iTunes: I'd Rather Be Blind, Crippled and Crazy, by The Derek Trucks Band