'Open Sesame!' - Is Your Password So Easy To Guess?

Mar 4, 2013 9:58am


The following is a guest blog by Jetico CEO Michael Waksman

When I was a child, I loved hearing folk stories. One of my favorites was the legendary tale of Ali Baba and the Forty Thieves from 1001 Arabian Nights. Wasn’t it amazing how just a couple of little words could be the secret to opening up a world of treasures! Ali Baba was lucky to discover the secret password, ‘Open Sesame!’, by overhearing the Master Thief as he commanded the mouth of the cave to open. But what if Ali Baba had to figure out the secret password by himself? Just how long might it have taken to test all the countless possibilities? Would he have ever succeeded? Or maybe the legend of Ali Baba might never have been told.

How hard could it really be to guess a password?

Well, let’s pretend to be Ali Baba, but without the luck of overhearing the secret password – and of course living in a time before computers. How challenging would it be to guess the password, ‘Open Sesame’?

Let’s assume we know the password isn't very long, maybe 10 letters or so. We would have to try every possible combination of letters. We know in this case that the password was spoken and not typed, so it must contain only letters, with no numbers or symbols.

If it takes about one second to say aloud each 10-letter phrase, then the time to try all possible 10-letter phrases amounts to about 3 million years! And there most definitely would not have been a story about Ali Baba.

Fast forward to now. With all our technological advances, it's now relatively easy for computers to guess passwords. Commercial tools exist that claim to test up to 2.8 billion passwords per second using just a standard desktop computer. If Ali Baba were fortunate to have such a powerful device at his fingertips, he could crack the thieves’ password in just one day!

So – as the NCSA advises – how can you make a password long and strong?

Thankfully, modern technology now allows for more complex passwords. With upper and lower case letters, numbers and special characters, our passwords today can be composed from about 100 different symbols – and many more by using Alt-codes or different languages. A ‘brute force’ attack to guess a 10-symbol password would now take about 3000 years.

Yet password-guessing techniques such as the dictionary attack test only the likely possibilities instead of all combinations – reducing this amount of time considerably.
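As an added illustration (not part of the original post), the following Python reproduces the arithmetic behind the estimates above: the keyspace of a letters-only versus a 100-symbol password, the worst-case time at one spoken guess per second versus the 2.8 billion guesses per second the post quotes for a desktop tool, and why a dictionary attack with a short list of likely candidates finishes in a blink. The 365-day year and the one-million-entry dictionary size are my assumptions.

```python
import math

# Figures taken from the post: a spoken password uses only the 26 letters,
# a typed one draws from roughly 100 symbols, and a commercial cracking tool
# on a desktop PC claims about 2.8 billion guesses per second.
LETTERS_ONLY = 26
TYPED_SYMBOLS = 100
DESKTOP_GUESSES_PER_SECOND = 2.8e9
SPOKEN_GUESSES_PER_SECOND = 1.0          # one phrase said aloud per second
SECONDS_PER_YEAR = 365 * 24 * 60 * 60    # assumption: a plain 365-day year


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy if each symbol were chosen uniformly at random."""
    return length * math.log2(alphabet_size)


def exhaustive_search_years(alphabet_size: int, length: int,
                            guesses_per_second: float) -> float:
    """Worst-case time to try every candidate in the keyspace, in years."""
    seconds = keyspace(alphabet_size, length) / guesses_per_second
    return seconds / SECONDS_PER_YEAR


def dictionary_search_seconds(candidates: int, guesses_per_second: float) -> float:
    """Time to try a list of likely candidates instead of the whole keyspace.
    A dictionary attack only needs the password to be one of `candidates`."""
    return candidates / guesses_per_second


if __name__ == "__main__":
    print(f"Ali Baba saying 10-letter phrases aloud: "
          f"{exhaustive_search_years(LETTERS_ONLY, 10, SPOKEN_GUESSES_PER_SECOND):,.0f} years")
    print(f"Same keyspace on a desktop cracker: "
          f"{exhaustive_search_years(LETTERS_ONLY, 10, DESKTOP_GUESSES_PER_SECOND) * 365:.1f} days")
    print(f"10 symbols from a 100-symbol alphabet: "
          f"{exhaustive_search_years(TYPED_SYMBOLS, 10, DESKTOP_GUESSES_PER_SECOND):,.0f} years")
    print(f"40-letter passphrase, letters only: {entropy_bits(LETTERS_ONLY, 40):.0f} bits")
    # Assumption: a 1,000,000-entry list of common passwords (constructed figure).
    print(f"1,000,000 dictionary candidates: "
          f"{dictionary_search_seconds(1_000_000, DESKTOP_GUESSES_PER_SECOND) * 1000:.2f} ms")
```

The last line is the point of the dictionary-attack paragraph: a password that appears in a candidate list is found in under a millisecond no matter how large the theoretical keyspace is.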

We need our information to be safe online. So we must have a reliable way to create good passwords that are unlikely to be found in any dictionary.

Here are some ideas:

  • Abbreviate by using only the first letters of a memorable sentence, like from a favorite song or poem.
  • Remove the vowels from a word, or move all the vowels to the end of the word.
  • Increase the number of characters:
    • Use special symbols such as @, or use Alt-codes. (See http://alt-codes.net/)
    • Use also capitalized letters.
    • Use also numbers and mix standard numbers with Roman numerals, such as 2=II or 25=II5.
    • Download language packs or even special keyboards.
  • Some advice for when replacing letters with numbers and symbols:
    • Type the letters using the numbers located on the telephone keypad. For example, ‘Ali’ would become 254. Add in some random symbols and letters.
    • Think of symbols as shapes and not as their meanings. For example, use $ instead of S.
    • Combine two or more symbols and numbers to make a single letter. For example, use () instead of O.
  • Use a long passphrase, such as a news headline or even the title of your last book report or research paper. Then add in some punctuation and capitalization. A 40-letter passphrase can be very secure even if special symbols are not used.
  • Use phonetic replacements. For example, use PH instead of F. Or make deliberate but obvious misspellings, such as enjin instead of engine.
  • Use words in reverse order, such as noitazilivic instead of civilization.

Just remember…

Always keep an open mind. Invent your own algorithms. In line with the guidance promoted by the NCSA, make your password unique to your life and not something that is easily guessed. Just one method is never enough. The best is to use a combination of methods, like so…

Let's return to the story of Ali Baba, but this time he wants to be more security conscious. After finding 'Open Sesame', he then decides to change this secret password so nobody else can access the treasure.

1. Ali's favorite song is Jingle Bells.

Dashing through the snow
In a one-horse open sleigh
O'er the fields we go
Laughing all the way
Bells on bobtails ring
Making spirits bright
What fun it is to ride and sing
A sleighing song tonight!

So we type the first letters of each line: diolbmwa

2. Ali capitalizes BMW because it's his favorite car: diolBMWa

3. He then remembers the date when he first saw Zeinab, his beautiful wife. It was on the 24th of August and nobody else knows about this, not even Zeinab. So he adds 24 as a mixture of a standard number and Roman numerals, '2IV', to his password: d2IViolBMWa

4. To make it even more secure, he adds Aug to the end: d2IViolBMWaAug

5. And then, just to be sure, he changes the 'u' in 'Aug' to Alt-code 5 ('♣'). Now here is Ali’s password: d2IViolBMWaA♣g

Surely, this is one very tough password to crack. The secret password to access Ali Baba's treasure will remain just that – a secret. But don't be tempted to copy this exact password… Ali Baba has copyright!

Final thought – Watch out for keyloggers!

In the story of Ali Baba, the password was spoken out loud, so he was able to overhear it. When our passwords are typed on a keyboard, a different kind of 'hearing' is possible. Your keystrokes can be recorded as you type by so-called 'keyloggers'.

To protect yourself from keyloggers, encryption software is available with an ‘anti-keylogger’ built in. This is the only way to ensure that your password – and therefore your personal information – stays safe and private.

Michael Waksman is the CEO of Jetico, a company that provides military-standard data protection software for all highly sensitive information and mission-critical data throughout the lifecycle. For over 10 years, Jetico's BCWipe has been trusted by the U.S. Department of Defense to securely erase sensitive data.