Honorary Mechanic
Geek-u-like (Andrew)
Posted
We're always being told to create secure passwords, and if you use some of the password generators then the really secure passwords generated are horrible, ugly pieces of gibberish!

How to create an easily remembered, difficult-to-guess password.

Try this

!QAZxdr5^YHNmko0

You'd never remember this would you?

Easier than you think.
On your keyboard (assuming English layout)

It's a 'W' zig-zagging down-up-down-up starting with !, in alternating stripes of shift on and shift off.

I've tested this on all the password checkers and every time it gets 100/100.

Using all the types of keys on the keyboard, CAPS, lowercase, numbers and 'things' you have 96 characters to choose from.

My password is 16 characters long, which makes for a possible combination that is (96x96) x 16 combinations, which is 4.99x10^33, that's 4,990,000,000,000,000,000,000,000,000,000,000 possible combinations, so if your hacker's computer can guess 10 billion combinations a second, it would take 15,830,950,632,488,332 years to crack.

Now tell me that ain't secure! Of course they could get lucky in the first second.

If you look at your keyboard in this way, there are loads of varieties of this type of password combination.

Now, you don't have to use 16 characters; it is recommended to have a minimum of 8 and to use UPPER, lower, number and character in it, so !QAZxdr5 would fit the bill.

Hope it helps
 
Posts: 139 | Location: Elworth, Sandbach, Cheshire, England | Registered: October 20, 2006
Guru 'Power' Mechanic
Bruceee
Posted
Sorry to rain on your parade, but that doesn't seem very secure to me.

Now that you have told us the secret, if I was a hacker those kinds of combinations are the first I'd try -- along with variations on QWERTYUIOP etc.

The knowledge that the next character is adjacent to the current character on the keyboard eliminates a lot of possibilities that the brute force hacker would otherwise have to consider.
 
Posts: 9265 | Location: Wellington, New Zealand | Registered: December 11, 2003
Honorary Mechanic
Geek-u-like (Andrew)
Posted
Hi, what you say is true if you know the answer.

What you describe is a dictionary attack, that is using a predetermined set of 'words' to throw at the password field.

You have three variables.

1. Character set - you don't know this
2. Password length - you don't know this
3. Dictionary to use in your attack - you don't know this either.

If the hacker assumes that I am a typical lazy human, I'm going to go for something simple, an easy word perhaps replacing the odd character with a number or adding on a character of punctuation, for example B33rMu6! (BeerMug!).

That would take no time at all to crack.

If I extend the length of the password, each character I add makes the job 96 times harder, and the possibilities that I can use in my dictionary attack become fewer as the random element increases. That is, there are fewer common words of longer lengths, so the 'infill' between the common word or pattern and the password length requires me, as the password setter, to use a random series of characters from my keyboard.

Humans think in patterns which of course is easy for me and also easy for the cracker, but I as the setter have two things in my favour.

1. I'm using an English QWERTY keyboard layout. OK, it's used in loads of places, but bear in mind that English is one of the few languages that has no accented characters. How does the hacker know I'm not French with my AZERTY layout, or that I've not used an accented character such as é or ž, for example? That just makes the job harder. Let's not even get into Arabic, Chinese or other multibyte character sets!

2. The pattern I use is a visual pattern; it's easy to see on the keyboard, and yes, I as the cracker could easily type that into my dictionary. However, what you also have is the truly random element, which is the start position.
In my example, I made it really obvious on the keyboard where to start, but I could start anywhere and go in any direction and make the password any length, it doesn't need to be 16 digits, it could be 12, 13, 14, 15 or 17 digits.

So what you have is as close as a human can get to approximating a random sequence of characters.

Of course I could use one of the password generators - I have one on my hosting account and that generates some nasty looking passwords which from a character set point of view look no different to my 16 character password one above. You may think this is more secure. Surely a hacker would have thought to include the generating algorithm of the password generator in his cracking tool.

You'll have noticed that I love a good debate, but I'm sure there are a few things we can agree on.

A strong password is lengthy
It has a wide character set to choose from
IT IS CHANGED NOW AND THEN

I think we can also agree that regardless of the passwords we set if a hacker wishes to break it they will either by a dictionary attack or by using brute force techniques.

Our job to protect the stuff we value is to confound and confuse.

I think it would be useful to get the opinions of any Certified Ethical Hackers or any Black hat hackers there may be who'd like to contribute to this debate.
 
Posts: 139 | Location: Elworth, Sandbach, Cheshire, England | Registered: October 20, 2006
Honorary Mechanic
Geek-u-like (Andrew)
Posted
~~~~ Clarification ~~~~

Hi Bruceee

Sorry, in the email I got, I didn't see the last bit of your post until I viewed the thread on the website.

What you say is true it does eliminate many possibilities as you theoretically only have to consider the six possible characters around your particular key.

So for example if I'm using 'g' then I'd only need to consider t,y,h,b,v,f but then it could be G so there would be T,Y,H,B,V,F to consider as well, but then what about all the accented characters I may use?

What I learn from one character doesn't carry over to the next one, because as the password setter I may go off in any direction on the keyboard, so that random element is preserved.
So the further into the password I get, the number of possible directions on the keyboard that the password could go, multiplied by the number of possible characters I may use, starts to get astronomical.

If we assume that using a brute force technique such as you suggest reduces the possible combinations by 10^12 then there would still be 10^19 combinations to go at. (10^31 in total)

Assuming that you change your password every 6 months, then you would still have a good level of security, compared to passwords such as 'password' !
 
Posts: 139 | Location: Elworth, Sandbach, Cheshire, England | Registered: October 20, 2006
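The three posts above argue about numbers: the first post counts 96 symbols per position for a 16-character password, Bruceee's reply says adjacency on the keyboard removes most of those choices, and the clarification estimates six neighbours per key. The following script is an added example, not code from anyone in this thread. It models the four main rows of a US QWERTY keyboard (the layout is an assumption; a UK keyboard differs on a few shifted digits), recognises a keyboard walk by checking that each key is physically adjacent to the previous one, and counts how many walks of a given length exist. The count allows a walk to revisit keys, so it is an upper bound on what a cracker enumerating walks would have to try.

```python
"""Keyboard-walk password analysis (added example, not the thread's own code)."""
import math

# Unshifted and shifted characters for each row. US layout assumed; the
# letter rows are the same on a UK keyboard but some shifted digits differ.
ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
SHIFTED = ["!@#$%^&*()", "QWERTYUIOP", "ASDFGHJKL", "ZXCVBNM"]

# Character -> (row, column) of the physical key that produces it.
POS = {}
for r, (plain, shift) in enumerate(zip(ROWS, SHIFTED)):
    for c, (k, s) in enumerate(zip(plain, shift)):
        POS[k] = (r, c)
        POS[s] = (r, c)

# Each row sits half a key to the right of the one above it, so the key at
# (r, c) touches the two beside it, two above it and two below it.
OFFSETS = [(0, -1), (0, 1), (-1, 0), (-1, 1), (1, 0), (1, -1)]


def unshift(ch):
    """Return the unshifted key that produces ch (e.g. '^' -> '6', 'Q' -> 'q')."""
    r, c = POS[ch]
    return ROWS[r][c]


def neighbours(ch):
    """Unshifted keys physically adjacent to ch; 'g' gives {f, h, t, y, b, v}."""
    if ch not in POS:
        return set()
    r, c = POS[ch]
    out = set()
    for dr, dc in OFFSETS:
        rr, cc = r + dr, c + dc
        if 0 <= rr < len(ROWS) and 0 <= cc < len(ROWS[rr]):
            out.add(ROWS[rr][cc])
    return out


def is_keyboard_walk(pw):
    """True when every key in pw is adjacent to the key before it."""
    if len(pw) < 2 or any(ch not in POS for ch in pw):
        return False
    return all(unshift(b) in neighbours(a) for a, b in zip(pw, pw[1:]))


def count_walks(length):
    """Upper bound on keyboard walks of `length` keys, each key shifted or not.

    Dynamic programming over the adjacency graph: walks ending at key k after
    one more step = sum of walks ending at each neighbour of k.
    """
    keys = [k for row in ROWS for k in row]
    ending_at = {k: 1 for k in keys}  # walks of length 1
    for _ in range(length - 1):
        ending_at = {k: sum(ending_at[n] for n in neighbours(k)) for k in keys}
    return sum(ending_at.values()) * 2 ** length


def bits_full_keyspace(length, alphabet=96):
    """Entropy in bits if every position were uniform over `alphabet` symbols."""
    return length * math.log2(alphabet)


def bits_keyboard_walks(length):
    """Entropy in bits if the attacker only has to enumerate keyboard walks."""
    return math.log2(count_walks(length))


def years_to_exhaust(bits, guesses_per_second=1e10):
    """Years needed to try every candidate at the given guess rate."""
    return 2 ** bits / guesses_per_second / (365.25 * 86400)


if __name__ == "__main__":
    pw = "!QAZxdr5^YHNmko0"  # the password from the first post
    print("keyboard walk:", is_keyboard_walk(pw))
    print("full 96-symbol keyspace: %.1f bits" % bits_full_keyspace(len(pw)))
    print("keyboard walks only:     %.1f bits" % bits_keyboard_walks(len(pw)))
    print("years at 1e10 guesses/s (walks only): %.2f"
          % years_to_exhaust(bits_keyboard_walks(len(pw))))
```

Run stand-alone it reports that the first post's password is a keyboard walk, that a uniformly random 16-character password over 96 symbols has about 105 bits of entropy, and that enumerating every 16-key walk with every shift combination needs well under 60 bits, which at ten billion guesses a second is a matter of years rather than the quadrillions quoted in the first post. The start position and direction that the clarification relies on are already included in that count, because the enumeration starts from every key and follows every adjacent key.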
Guru 'Geezer' Mechanic
larryd
Posted
Geek,

I could make a reasonable guess about the keyboard layout and language you are using based on an IP look-up. Most people have an IP native to their own country. Also, with a .uk it's a pretty good guess you are using a QWERTY keyboard and English is your base language.

The theory behind your method is solid. While not entirely random, there is enough mix of numbers, special characters, and letters to make a dictionary look-up impossible. And as you say, generating a "dictionary" of patterns would be just as time-consuming.

I wonder if people are aware that their sites are getting hit? A year ago, I watched as two hackers (IPs located in China) continuously hit my FTP port for 18 hours, throwing a dictionary at it. They never got in, but it was frustrating to see the FTP port being tied up like that. I even shut down the port and re-enabled it the next day, only to see them come back to finish the dictionary. After the last "z" word, they left.
 
Posts: 5148 | Registered: December 03, 2006
Junior Mechanic
Posted
Hi Larry. This is slightly off topic, but could you tell me how you were able to watch the two hackers attack your computer? What kind of program did you use? This would be interesting to observe.
Thank you.
 
Posts: 7 | Registered: January 17, 2009
Guru 'Geezer' Mechanic
larryd
Posted
I run my own server, so I have access to my logs and can view them in real time. Most host providers have a control panel option that will allow you to review your access logs.
 
Posts: 5148 | Registered: December 03, 2006
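larryd's two posts describe watching a dictionary attack against an FTP port in the server logs. The script below is an added example, not larryd's code, of doing that check automatically rather than by eye: it parses login lines, groups failures by source address, and flags any address with a burst of failures inside a short window. The log lines are constructed for the example in a vsftpd-like layout (the format is an assumption; other servers log differently) and use documentation address ranges, not the addresses from the post.

```python
"""Spotting a dictionary attack in FTP login logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one host cycling through usernames, one real user
# who mistypes once. Layout imitates vsftpd's log; addresses are RFC 5737
# documentation ranges.
SAMPLE_LOG = """\
Sat Mar  7 02:11:03 2009 [pid 4120] [admin] FAIL LOGIN: Client "203.0.113.45"
Sat Mar  7 02:11:04 2009 [pid 4121] [admin] FAIL LOGIN: Client "203.0.113.45"
Sat Mar  7 02:11:04 2009 [pid 4122] [root] FAIL LOGIN: Client "203.0.113.45"
Sat Mar  7 02:11:05 2009 [pid 4123] [test] FAIL LOGIN: Client "203.0.113.45"
Sat Mar  7 02:11:06 2009 [pid 4124] [webmaster] FAIL LOGIN: Client "203.0.113.45"
Sat Mar  7 02:11:07 2009 [pid 4125] [ftp] FAIL LOGIN: Client "203.0.113.45"
Sat Mar  7 02:11:09 2009 [pid 4126] [larry] FAIL LOGIN: Client "198.51.100.7"
Sat Mar  7 02:11:20 2009 [pid 4127] [larry] OK LOGIN: Client "198.51.100.7"
Sat Mar  7 02:11:22 2009 [pid 4128] [aaron] FAIL LOGIN: Client "203.0.113.45"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]*)\] (?P<result>OK|FAIL) LOGIN: Client "(?P<ip>[^"]+)"'
)


def parse(log_text):
    """Yield (timestamp, user, result, ip) for every line that matches."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated line, e.g. a file transfer
        ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
        yield ts, m.group("user"), m.group("result"), m.group("ip")


def brute_force_sources(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return {ip: (total_failures, distinct_usernames)} for each source that
    produced at least `threshold` failed logins inside any `window` span.

    One user failing a few times is a typo; one address failing quickly across
    many different usernames is a dictionary being thrown at the port.
    """
    failures = defaultdict(list)
    users = defaultdict(set)
    for ts, user, result, ip in parse(log_text):
        if result == "FAIL":
            failures[ip].append(ts)
            users[ip].add(user)

    flagged = {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = (len(times), len(users[ip]))
                break
    return flagged


def iptables_drop_rules(flagged, port=21):
    """Firewall rules that block the flagged sources from the FTP port."""
    return ["iptables -A INPUT -s %s -p tcp --dport %d -j DROP" % (ip, port)
            for ip in sorted(flagged)]


if __name__ == "__main__":
    hits = brute_force_sources(SAMPLE_LOG)
    for ip, (fails, names) in hits.items():
        print("%s: %d failed logins across %d usernames" % (ip, fails, names))
    print("\n".join(iptables_drop_rules(hits)))
```

On the sample it flags 203.0.113.45 (seven failures across six usernames in under twenty seconds) and leaves 198.51.100.7 alone, since one failure followed by a successful login is what a real user looks like. Blocking at the firewall, rather than closing the port as larryd did, keeps the service available to everyone else while the attacker's dictionary runs to "z" against a dropped connection.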
Junior Mechanic
Posted
Hello everyone!
If you want a secure and free password page, copy this code and post it to a free page or a page between the administrator's page and the home page, but read the legend at the bottom of this post.

CODE:
============================================
<!-- Place this code between your HEAD tags -->
<meta name="robots" content="noindex,nofollow">
<script type="text/javascript">
// Ask for a password and send the visitor to the page it unlocks.
// Replace each "password" and "yoursitehere.html" as described in the legend,
// keeping one if/else-if block for every password you want to accept.
function getPassword() {
  var password = prompt("Please enter a password: ('ENCRYPTED FOR MEMBERS ONLY')", "Enter Password");
  if (password == "password") {
    window.location = "yoursitehere.html";
  }
  else if (password == "password") {
    window.location = "yoursitehere.html";
  }
  else if (password == "password") {
    window.location = "yoursitehere.html";
  }
  else if (password == "password") {
    window.location = "yoursitehere.html";
  }
  else if (password == "password") {
    window.location = "yoursitehere.html";
  }
  else {
    // Wrong password: replace the page with a message and a link back.
    document.writeln("<BODY><H1>Sorry!</H1>You attempted to gain access with an incorrect password.<br>Please hit the back button on your browser and try again or <a href=\"yoursitehere.html\">Click Here to Quit</a></BODY>");
  }
}
</script>
<!-- Paste in place of your <body> tag -->
<BODY onLoad="getPassword()">
==============================================
Please copy only the code inside the ========== lines.
Also, do not copy the colours.
Legend:
yoursitehere.html
- the page that only the administrators can pass to
yoursitehere.html
- the quit page or back page (this is where non-administrators go back to the last page)
password
- your password

Example:
administratorlounge.html
home.html
CRASHER_23

 
Posts: 1 | Registered: August 10, 2009
Guru 'Geezer' Mechanic
larryd
Posted
Do you have an example page where this script is running?
 
Posts: 5148 | Registered: December 03, 2006
Guru 'Power' Mechanic
Bruceee
Posted
Maybe I'm missing something, but wouldn't the names of the protected pages be visible to anyone who views the code? The yoursitehere.htm parts?

Another point of interest is that the built-in password protection code in SiteSpinner Pro and the new SiteSpinner 2.90 series Betas are much better than they used to be -- particularly as regards security. Now it encrypts the page using the password, and (I guess and hope!) uses some kind of trap-door function to unencrypt it. While you can view the code, you see it only in its encrypted form.
 
Posts: 9265 | Location: Wellington, New Zealand | Registered: December 11, 2003
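Bruceee's objection to the JavaScript password page posted above can be shown rather than argued. The script below is an added example, not code from the thread or from SiteSpinner: it takes a copy of that prompt-and-redirect script filled in the way the legend describes (the copy is constructed here; `CRASHER_23` and `administratorlounge.html` come from the legend's example, while `staff2009` and `staffroom.html` are made up for a second branch) and pulls the accepted passwords and protected page names straight out of the source, which is exactly what "view source" gives any visitor.

```python
"""What 'view source' reveals about a JavaScript password prompt (added example)."""
import re

# Constructed page using the posted script with the legend's example values
# plus one hypothetical second password/page pair.
PAGE = """
<script type="text/javascript">
function getPassword() {
  var password = prompt("Please enter a password:", "Enter Password");
  if (password == "CRASHER_23") {
    window.location = "administratorlounge.html";
  }
  else if (password == "staff2009") {
    window.location = 'staffroom.html';
  }
  else {
    document.writeln("<BODY><H1>Sorry!</H1>Please hit the back button or <a href=home.html>Click Here to Quit</a></BODY>");
  }
}
</script>
<BODY onLoad="getPassword()">
"""

# Matches: password == "<secret>") { window.location = "<page>"
BRANCH_RE = re.compile(
    r'password\s*==\s*["\']([^"\']*)["\']\s*\)\s*\{\s*'
    r'window\.location\s*=\s*["\']([^"\']+)["\']',
    re.DOTALL,
)


def extract_secrets(html):
    """Return {password: protected_page} for every accepting branch in the script."""
    return {pw.strip(): page.strip() for pw, page in BRANCH_RE.findall(html)}


def protected_pages(html):
    """Pages that can be requested directly, skipping the prompt altogether."""
    return sorted(set(extract_secrets(html).values()))


if __name__ == "__main__":
    for pw, page in extract_secrets(PAGE).items():
        print("password %r unlocks %s" % (pw, page))
    print("fetch directly:", ", ".join(protected_pages(PAGE)))
```

The check runs in the visitor's browser, so both the comparison values and the destination pages are delivered to the very person the page is meant to keep out; the prompt can be skipped entirely by typing the protected page's address. Hashing the password inside the script would hide the password but not the page names. The only real fixes are to have the server check the password and refuse to serve the page otherwise (HTTP authentication or a server-side login), or, as Bruceee describes the newer SiteSpinner versions doing, to ship the page only in encrypted form so that the source contains nothing readable without the password.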
™ & © 1998 - 2008, Virtual Mechanics Inc. All rights reserved.