How to build an un-hackable password

Okay, another friend got hacked yesterday – here’s how to build an un-hackable password:

1. Pick a favorite date, like Bastille Day, your dog’s birthday, the moon landing or something.  You could also do something like a favorite movie mixed with it’s author’s name.

2. Reverse it, so for example today would be 8102voN82.  You could do the film thing like “Clarke1002Arthur”.

3. Pick two letters from the site you’re visiting or app you’re using, best is the leading letters of the first two syllables, so FaceBook would be FB.

4. Pick two numbers and use the Shift key to make them special chars, so 3-4 would be #$

5. String all these together to make your password, so my example here would be Clarke1002ArthurFB#$. Or add them together the other way to make #$FBClarke1002Arthur.

You can re-use this algorithm anywhere, it’ll give you a unique password for any site or app, and you only have to remember the pattern you use to build the password. It should take an average PC about 3 million years to crack it brute-force style.

This entry was posted in IT, PC Stuff, Software, Tips, Work. Bookmark the permalink.

3 Responses to How to build an un-hackable password

  1. Dennis says:

    Uhmm. no. I’m a hacker. I’ve hacked ebay. Got a password file with unencrypted passwords (yes, a lot of sites exists that uses unsalted unencrypted passwords….) found your password #$eBClarke1002Arthur. I’m using JohnTheCracker-Tool (or any other), set a coressponding scheme aabbccccccddddeeeeee (=every obious part of the password) and guessing that eB would be ebay (same for EB, BE (backwards), FC (one letter up), DE (one down), etc) and got your FB password. as well as any other site. This scheme is not safe. sorry.

  2. ttheobald says:

    While your premise sounds good, you are relying on something that you don’t have: the algorithm a person chooses to use, and a sample password derived from that password. So your idea that you could take a password from site A and then magically figure out what the algorithm is, is flawed.

    Furthermore, the statement “found your password #$eBClarke1002Arthur” is bullshit, because that’s not a password I use anywhere, neither is it one I would generate. I find your other statement “I’ve hacked ebay” to also be bullshit. I suggest you find another line of work. As you can’t even differentiate between brute-force and pwned passwords, it would seem ‘hacking’ is not a suitable choice for your pastimes. Bragging with easily-disproven assertions does not serve you well.

    The point of this post is to prevent someone from using simple passwords – which are vulnerable to brute-force hacking – and to prevent them from repeating the same password.

    Having a strong password – the result of using a good algorithm as given above – does not defend against someone decrypting the storage of a site or app and retrieving said password. It does, however, prevent an automated attack from brute-forcing its way to finding out what your password is.

    Having a different password for each site – and making them easy to remember – prevents that password from being used in a “pwned password” attack, which is to take a password stolen from one location and applying it to many others.

    So perhaps it would be wise to study up a bit before making inane comments.

  3. Dennis says:

    Preface: *ugh*. Of course my statement was a little bit too simple (the ebay and fb were just examples, and no, I’m not a hacker). No one does *simple* bruteforce attacks anymore, have you ever used any of the mature password hacking tools? if you would do you’d be amazed what’s possible – far beyond plain simple brute force or dictionary hacks.

    You’re right – a password constructed like you’ve written is far more sturdy than “12345678”. If you mean “not possible with simple bruteforce” by using the phrase “un-hackable” then you’re right. Of course.

    But your scheme is not a *unhackable* password scheme in terms of security.

    “.. the algorithm a person chooses to use, and a sample password derived from that password” .. I don’t need the algorithm, most hacker tools identify parts from a stolen passwords by itself and then start “mixing” (e.g. brute forcing PARTS of a password). A hacker won’t steal a password from eBay nor Facebook but from sites like myradioshowcleveland.com or humblebumbleflowershop.net – which stores unsecure plain text passwords instead of salted hashed passwords. And then the tools automatically generate just a *fraction* of possible variants.

    Assuming you’ve got a plain text password from kpopradioshow.com constructed with your scheme above:

    krsVincent#170696!Price

    now just guess which password I’m using on facebook.

    It’s not sufficient changing small parts of a password on each site, you need to change *everything* – just because you do NOT KNOW how they store your password. And that’s the point of secure password generators… and the problem of storing/using/memorizing, but yes, that is another story.

Leave a Reply to ttheobald Cancel reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.