Anatomy of a Lousy Password


Before we get started on how to create a hard-to-crack password, let's look at the types of weak passwords that are overused and easy to break. How easy, you ask? Well, there is a free and easy-to-obtain program called Crack that can be used to systematically attempt to guess your password, trying out millions of passwords in a matter of hours through the use of an internal dictionary. This dictionary checks against every known word, in just about every language, with all standard manipulations, including character replacements, common misspellings, and letter reorderings. It also checks against names in every language (including the Chinese phone book). If that were not bad enough, it also checks against common character patterns, fictional characters and places, and every real place in the galaxy that has a name. In addition, it checks every date in every format. In other words, if it is a person, a time, an event, a place, a thing, or even a thing's place, or a person's thing, it is a bad idea to use it as a password.

Hackers use programs such as this to conduct what are known as brute-force password attacks, meaning they use a program to keep trying password after password until they get a hit. Weak passwords make such attacks much easier. Table 8-1 shows some specific examples of weak passwords.

Table 8-1. Sample Weak Passwords

| Example | What's the Problem |
|---|---|
| password | This is not clever. Do not use any known words, especially this one. |
| wordpass | Also not clever and easily cracked because it is made up of common words. |
| drowssap | Crack (and other programs like it) checks for words written in reverse. |
| Pa$$word | Crack (and other programs like it) checks for character replacements. |
| passwurd | Crack (and other programs like it) checks for misspellings, phonetic or otherwise. |
| Password49 | Adding numbers to the end of a word does not make a password harder to crack. |
| 123password | Prefixing words with numbers does not make a password harder to crack. |
| wachtwoord | Using Dutch (or any other known language, including Klingon and Hobbit) does not help. Crack checks them all. |
| 12345 | This is just something an idiot would use on their luggage. |
| lkjhgf | This is a consecutive string of keyboard characters that is easy to crack. |
| 14159265 | Any nonsequential, but algorithmic pattern is easily cracked. (This is the first eight digits of pi to the right of the decimal point.) |
| abbcccdddd | Any repeating pattern is easily cracked. |
| mrsmee | Crack (and other programs like it) checks for literary characters. |
| lordnelson | Crack (and other programs like it) checks for real people and historical figures. |
| 1600pennave | Do not use real addresses. Crack (and other programs like it) checks for them. |
| 22 BakerSt | Crack (and other programs like it) checks for fake addresses, too. |
| Raleigh | Do not use real places. Crack (and other programs like it) checks for them. |
| munchkinland | Crack (and other programs like it) checks for made up places, too. |
| (blank) | No password. Although this may be convenient for Windows login, it is ill advised. |


These are just a few examples of weak and easily cracked passwords. In general, if you use something familiar to you, Crack and other programs like it will figure it out. Also, you should never use personal information such as dates, login names, Social Security numbers, or any other number associated with you for your password.
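To see why the manipulations in Table 8-1 add so little, here is a small password-policy check that undoes them before looking the result up in a wordlist. It is an added example, not code from the book or from Crack; the wordlist, the substitution map, and the function names are constructed for illustration.

```python
import difflib
import re

# Constructed sample wordlist; a real check would load a large dictionary file.
WORDS = {"password", "word", "pass", "raleigh", "wachtwoord", "munchkinland"}
# Assumed character replacements to undo (not an exhaustive list).
LEET = str.maketrans({"$": "s", "@": "a", "0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
KEY_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]


def is_keyboard_run(s):
    """True if s (4+ chars) is a consecutive run on one keyboard row, either direction."""
    return len(s) >= 4 and any(s in row or s[::-1] in row for row in KEY_ROWS)


def is_two_words(s, words):
    """True if s is two dictionary words joined together."""
    return any(s[:i] in words and s[i:] in words for i in range(1, len(s)))


def weakness(password, words=WORDS):
    """Return the reason a password is weak, or None if no rule here matches."""
    if not password:
        return "empty password"
    lowered = password.lower()
    if is_keyboard_run(lowered):
        return "keyboard run"
    # Undo the manglings: strip digits from both ends, then reverse substitutions.
    core = re.sub(r"^\d+|\d+$", "", lowered).translate(LEET)
    if not core:
        return "digits only"
    if core in words:
        return "dictionary word" if core == lowered else "mangled dictionary word"
    if core[::-1] in words:
        return "reversed dictionary word"
    if is_two_words(core, words):
        return "two dictionary words joined"
    # Near matches catch misspellings such as a single swapped vowel.
    if difflib.get_close_matches(core, words, n=1, cutoff=0.85):
        return "misspelled dictionary word"
    return None
```

A return value of None only means none of these few rules fired; it does not mean the password is strong.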

Now that we have probably convinced you to change all your passwords, let's look at what it takes for a password to be considered strong.




Home Network Security Simplified
ISBN: 1587201631
Pages: 130
