Ways to create the strongest possible password?


  • This topic has 4 replies, 5 voices, and was last updated 1 year ago by Dan.
  • Post
    divinenews
    Participant
    One way I found to create possibly the strongest password.

     

    There are many strong password creators online, and a lot of articles from “experts” suggesting how to create strong passwords that are hard or impossible to crack.  I have come to believe that there are so many “bad actors” working at breaking any password that eventually there may be no such thing as a password that cannot be hacked/figured out. But, that does not mean that we should ever quit trying to figure out the strongest passwords possible.  Why should we ever make it easy for these criminals (bad actors) to get at us?

    So, I have discovered what I think may possibly be the best password tester online at this time:  http://www.passwordmeter.com

    This password tester requires that your password have the following:

    Minimum of eight(8) characters in length.
    Contains 3/4 of the following items:
    – Uppercase Letters
    – Lowercase Letters
    – Numbers
    – Symbols

    I suggest that you try what you think are the strongest password makers that you have found up to this time and make a password.  Then try it out here against these high standards.  I think you will be surprised at the results. I know I was when I first found it.  I could not get a perfect score on any password I was currently using or any password that I could get using password makers that I found online.

    So, I went to work trying to figure out how to make a maximized password that would pass the standards of this unique tester/evaluator.

    First, I compiled a list of all the letters, numbers and symbols that I could use to build a password:

    (possible characters to use in a password = 94)

    abcdefghijklmnopqrstuvwxyz

    ABCDEFGHIJKLMNOPQRSTUVWXYZ

    !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~

    1234567890

    Or, printed another way,

    abcdefghijklmnopqrstuvwxyz    ABCDEFGHIJKLMNOPQRSTUVWXYZ    1234567890    !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~

    abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890!"#$%&'()*+,-./:;<=>?@[\]^_`{|}~

    And then, I started scrambling them together with the hope of getting a perfect score on Passwordmeter.com. … It took me a while but I finally got it, and so can you if you put in the time and effort.

     

    At this time, my understanding is that google.com allows up to sixty characters in any password that is submitted to them for approval of an account (gmail.com, or log-in to any google.com service.)  It is reported by various sources on the web that you may use a blank/empty space in a Gmail or google.com password,  just not at the beginning or end.  I have not tried an empty space yet so I cannot confirm this. … Check with the site where you are a member to see what is their maximum number for a viable password.

    My gift to you is shown below. It is a set of 60 characters that will pass the standards of  Passwordmeter.com, which I consider to be the highest I have ever found.
    Fi3r$l\U4y?Tf7I(e/b{[email protected]#Bn%g^z_h:Lt”Ms’N]P[uQ;R~vS`V
    This password should not be used as-is since others are seeing it and some are sure to use it. So be smart and alter it in this fashion before testing it out first over at http://www.passwordmeter.com. … Simply change any similar character with another to get it to remain perfect. For example, exchange the first letter F with any other capital letter.

    • This topic was modified 1 year ago by divinenews. Reason: spelling corrections
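The requirements listed in the post above, written out as a check. This is an added example, not part of the original post and not Passwordmeter.com's code; the function names and the small deny-list are constructed for illustration. It also shows the limit of a composition rule: a well-known or published string can satisfy every requirement, so a deny-list check is needed beside it.

```python
import math
import string

# Character classes as listed in the post (94 printable ASCII characters in total).
CLASSES = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}

# Constructed sample deny-list; a real one would hold breached and published passwords.
DENY_LIST = {"Passw0rd", "P@ssword1", "Qwerty123!"}


def classes_used(password):
    """Return the names of the character classes present in the password."""
    return {name for name, chars in CLASSES.items() if chars & set(password)}


def meets_composition_rule(password):
    """Minimum of 8 characters and at least 3 of the 4 classes, as in the post."""
    return len(password) >= 8 and len(classes_used(password)) >= 3


def search_space_bits(length, alphabet_size=94):
    """Upper bound on entropy in bits. It is only reached when every character
    is chosen uniformly at random from the alphabet."""
    return length * math.log2(alphabet_size)


def acceptable(password):
    """Composition rule plus the check the rule cannot do: is the string already known?"""
    return meets_composition_rule(password) and password not in DENY_LIST


if __name__ == "__main__":
    # Constructed sample inputs.
    for pw in ["Passw0rd", "correcthorse", "tG7#qLw9"]:
        print(pw, meets_composition_rule(pw), acceptable(pw))
    print("60 random characters:", round(search_space_bits(60), 1), "bits at most")
```
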
  • Replies
    Thrllskr
    Participant
    NL
    .+ added Yubikeys, and you good to go 😉
    SudoJudo
    Participant
    I created a method whilst working in a specific high security field quite some time ago.

    It was a decoration method. Basically use password managers for long strong passwords on things like most websites – there is no way you can remember a lot of unique strong random passwords, nor is it necessary to try, given the risk (for most websites). It’s sometimes possible to add a “pin” as a decoration if you need some protection against password manager compromise. Browser-password storage has been found to have many weaknesses over time.

    How this works is, you allow your password manager to auto-fill the password. For example:

    8WQ7xR%pHScf

    is the password your password manager auto-fills. Then you have your own personal, confidential decoration. For example 129219, so you MANUALLY append your pin to the end of the password each time you login to the site. Of course this pin is stored as the password on the site, but in the password manager it is NOT stored.

    So your password to the site would be:

    8WQ7xR%pHScf129219

    That way, if the password manager is compromised, or the database where it is hosted, none of the passwords in that database will be usable, and it will appear that the database is corrupted to the attacker. In addition it adds another layer of security that doesn’t exist anywhere but in your mind.

    This method is EXTREMELY secure and closes off a lot of threat vectors and adds pin-code security to password managers.

    gorblimey
    Participant
    You can build your own very good password generator at home. You will need a spreadsheet, and Excel is top-of-the-range on Windows systems. Excel is still a thing on Macs, and for Linux it appears that Gnumeric is well-thought of. I personally use Lotus 123, which probably will run on Win10.

    Lots of good souls will immediately rise and cry “You can’t get truly random on a spreadsheet!” And they are absolutely completely correct. But here’s the thing: you don’t need “true randomness”. All good spreadsheets take their seeds from the computer clock, which counts up the number of seconds from the appropriate epoch, and this is what makes life difficult for the black-hats. The seed is generated at spreadsheet start-up, ready for the first usage of the RND function, and there is no way known in the universe how this start-up time on your computer can be predicted or inferred. The spreadsheet random number generator is as close to true randomness as you will ever find.

    So, my generator starts with 64 columns containing a counting number in the first row:

    (1..64)
    @RANDBETWEEN(33,126)
    @CHAR(A$2)

    This gives me strings that look like

    L;Eb,PHsY

    Next, we need some hex characters:

    @RANDBETWEEN(0,15)
    @DEC2HEX(A$5)

    eg:

    C58B40F0C46

    And because some systems don’t believe in “funny characters” a simple case selector:

    @RANDBETWEEN(1,3)
    @IF(A$8=3,@RANDBETWEEN(97,122),@IF(A$8=2,@RANDBETWEEN(65,90),@RANDBETWEEN(48,57)))
    @CHAR(A$9)

    eg:

    dKKHLM2s4mYlI

    Why don’t I include a space character? Because I can always insert one. Or several. “Printable” non-alphameric can be iffy on many systems due mostly to laziness on the designer’s part.

    In 123 the function key F9 will immediately recalculate the entire sheet… The trick is, if somebody is actually capable of seeing exactly when I start or recalculate, I have a lot more real immediate problems than merely generating a password.

    How long should the password be? Let’s assume the black-hat has a rack of 10 GPUs. 11 characters will take him/her/it a day or so. 13 characters will take about a week. 15 characters, about a month. 17 characters, most of a year; and 19 characters will be cracked some time in the next century. However, don’t forget that the attacker will most likely be seeing a hash, so multiply all of those by 10.

    If it’s a direct attack, many systems have begun inserting programmed delays of about half a second between attempts, so everything then gets multiplied by 500… The attacker must generate a “complete” password before presenting it for evaluation, and he/she/it has no idea of the length or density. So any attack must begin with the smallest believable number of characters, usually 8.

    All my passwords are stored in a you-beaut encrypted flat-file called “Cobbler”, written by svenfaw, see the Wilders thread for the gory details.

    _________________________________

    Understanding the scope of the problem is the first step on the path to true panic. [Florence Ambrose, "Freefall"]
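The three generators described in the post above, sketched in Python as an added example; it is not the poster's spreadsheet and not part of the original post. It swaps the spreadsheet's RANDBETWEEN for the operating system's CSPRNG via `secrets`, and compares the per-character entropy of the post's two-stage alphanumeric selector with a uniform pick over all 62 characters. All function and constant names are assumptions of this example.

```python
import math
import secrets
import string

PRINTABLE = "".join(chr(c) for c in range(33, 127))  # codes 33..126, as in the post
HEX = "0123456789ABCDEF"                              # DEC2HEX output for 0..15
ALNUM_CLASSES = [string.digits, string.ascii_uppercase, string.ascii_lowercase]


def generate(alphabet, length):
    """Pick each character uniformly from the alphabet using the OS CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_two_stage(length):
    """The post's case selector: choose one of the 3 classes, then a character in it."""
    return "".join(secrets.choice(secrets.choice(ALNUM_CLASSES)) for _ in range(length))


def uniform_bits_per_char(alphabet):
    """Entropy per character when every character is equally likely."""
    return math.log2(len(alphabet))


def two_stage_bits_per_char(classes):
    """Shannon entropy per character when each of k classes has probability 1/k,
    so a character in a class of size n has probability 1/(k*n)."""
    k = len(classes)
    return sum((1 / k) * math.log2(k * len(c)) for c in classes)


def two_stage_min_entropy(classes):
    """Bits per character for the most likely outcome (a character of the smallest class)."""
    return math.log2(len(classes) * min(len(c) for c in classes))


if __name__ == "__main__":
    print(generate(PRINTABLE, 19), generate(HEX, 19), generate_two_stage(19))
    for n in (11, 13, 15, 17, 19):  # password lengths discussed in the post
        print(n,
              round(n * uniform_bits_per_char(PRINTABLE), 1),
              round(n * uniform_bits_per_char(HEX), 1),
              round(n * two_stage_bits_per_char(ALNUM_CLASSES), 1))
```

Digits come up more often under the two-stage selector (each digit has probability 1/30, each letter 1/78), which is why its entropy per character falls slightly below the uniform 62-character case.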
    Dan
    Keymaster
    US
    Very cool ideas!