Weak passwords are still by far the most effective way to break into a system and even though many people think they have clever ways to obfuscate their passwords, they often fail badly either by inadvertently making something guessable or by coming up with something so hard you have to write it down somewhere or use a password manager just to use it. How bad is it? I have had 3 different techs assign me the same login “Gerhard” with password “G3rh4rd” and at an additional time someone even tried to be even more clever “G3h4rd!” This is bad. I know from experience that I can expect a password guessing script to hit my personal server at least 4 times daily. Originally the scripts all hit the ssh port until I took countermeasures but now they check every open port for possible password combinations from FTP to SASL to web logins and even with my countermeasures I can expect to have 1 or 2 accounts on my system cracked per year forcing me to disable someone’s website until they change their password again.
How can we come up with a password that is both hard to guess and easy to remember? Thankfully it is easy.
Take a couple of lines from a song you like but not the first lines and not the chorus. For example take this verse from a Election–The People’s Right [1] written in 1801:
We should support and pleasure take
In frequent Free Elections.
Now take the first letter of each word. “wssaptiffe” and there you go. The password is not an actual word so not likely to be hit by a dictionary attack but if you know the song you know your password so it’s easy to remember. One important note though: if ever the password was used on a website that got broken into you must assume the password is now added to several dictionaries for future attacks.
[1] I selected this song because it was the first one I could find that was both out of copyright and readable.
I feel this is important enough that I grant permission to republish this article provided a link to news.innerfire.net stays with the article.