'Open Sesame!' – Is Your Password So Easy to Guess?

11 Jun 2013 | Michael Waksman

When I was a child, I loved hearing folk stories. One of my favorites was the legendary tale of Ali Baba and the Forty Thieves from 1001 Arabian Nights. Wasn’t it amazing how just a couple little words could be the secret to opening up a world of treasures! Ali Baba was lucky to discover the secret password, ‘Open Sesame!’ by overhearing the Master Thief as he commanded open the mouth of the cave.

But what if Ali Baba had to figure out the secret password by himself? Just how long might it have taken to test all the infinite possibilities? Would he have ever succeeded? Or maybe the legend of Ali Baba might have never been told.

How Hard Could It Really Be to Guess a Password?

Well, let’s pretend to be Ali Baba, but not so lucky to overhear the secret password – and of course living in a time before computers. How challenging would it be to guess the password, ‘Open Sesame’?

Let’s assume we know the password isn't very long, maybe 10 letters or so. We try to consider all possible combinations of all letters. We know in this case that the password was verbal and not typed, so it must only contain a combination of letters, with no numbers or symbols.

If it takes about one second to say aloud each 10-letter phrase, then the time to guess all possible 10-letter phrases amounts to about 3 million years! And there most definitely would not have been a story about Ali Baba.

Fast forward to now. With all our technological advances, it's now relatively easy for computers to guess passwords. Commercial tools exist that claim to test up to 2.8 billion passwords per second using just a standard desktop computer. If Ali Baba were fortunate to have such a powerful device at his fingertips, he could crack the thieves’ password in just one day!

So – as the NCSA Advises – How Can You Make a Password Long & Strong?

Thankfully, modern technology now allows for more complex passwords. Nowadays, with upper or lower case, numbers and special characters, our passwords today can be composed from about 100 different symbols – and many more by using Alt-codes or different languages. A ‘brute force’ attack to guess a 10-symbol password would now take about 3000 years.

Yet password-guessing programs, such as a dictionary attack, can test only likely possibilities instead of all combinations – reducing this amount of time considerably.

We need our information to be safe online. So we must have a reliable way to create good passwords that are unlikely to be found in any dictionary.

Here are some ideas:

  • Abbreviate by using only the first letters of a memorable sentence, like from a favorite song or poem.
  • Remove the vowels from a word, or move all the vowels to the end of the word.
  • Increase the number of characters:
  1. Use special symbols such as @, or use Alt-codes. See http://alt-codes.net.
  2. Use also capitalized letters.
  3. Use also numbers and mix standard numbers with Roman numerals, such as 2=II or 25=II5.
  4. Download language packs or even special keyboards.
  • Some advice for when replacing letters with numbers and symbols:
  1. Type the letters using the numbers located on the telephone keypad. For example, ‘Ali’ would become 254. Add in some random symbols and letters.
  2. Think of symbols as shapes and not as their meanings. For example, use $ instead of S.
  3. Combine two or more symbols and numbers to make a single letter. For example, use () instead of O.
  • Use a long passphrase, such as a news headline or even the title of your last book report or research paper. Then add in some punctuation and capitalization. A 40-letter passphrase can be very secure even if special symbols are not used.
  • Use phonetic replacements. For example use PH instead of F. Or make deliberate, but obvious misspellings, such as enjin instead of engine.
  • Use words in reverse order, such as noitazilivic instead of civilization.

Just Remember…

Always keep an open mind. Invent your own algorithms. In line with the guidance promoted by the NCSA, make your password unique to your life and not something that is easily guessed. Just one method is never enough. The best is to use a combination of methods, like so…

Let's return to the story of Ali Baba, but this time he wants to be more security conscious. After finding 'Open Sesame', he then decides to change this secret password so nobody else can access the treasure.

  1. Ali's favorite song is Jingle Bells.
    Dashing through the snow
    In a one-horse open sleigh
    O'er the fields we go
    Laughing all the way
    Bells on bobtails ring
    Making spirits bright
    What fun it is to ride and sing
    A sleighing song tonight!

    So we type the first letters of each line: diolbmwa
     
  2. Ali capitalizes BMW because it's his favorite car: diolBMWa
     
  3. He then remembered the date when he first saw Zeinab, his beautiful wife. It was on the 24th of August and nobody else knows about this, not even Zeinab. So he adds 24 as a mixture of a standard number and Roman numerals '2IV' to his password: d2IViolBMWa
     
  4. To make it even more secure, he added Aug to the end: d2IViolBMWaAug
     
  5. And then, just to be sure, he changed the 'u' in 'Aug' to Alt-code 5 ('♣'). Now here is Ali’s password: d2IViolBMWaA♣g

Surely, this is one very tough password to crack. The secret password to access Ali Baba's treasure will remain just that – a secret. But don't be tempted to copy this exact password… Ali Baba has copyright!

Final Thought – Watch out for Keyloggers!

In the story of Ali Baba, the password was spoken out loud so he was able to overhear it. When our passwords are typed on a keyboard, a different kind of 'hearing' is possible. Your keystrokes can be recorded as you type by so called, 'keyloggers'.

To protect yourself from keyloggers, encryption software is available with an ‘anti-keylogger’ built in. This is the only way to ensure that your password – and therefore your personal information – stays safe and private.

This post originally appeared as part of a guest blog on StaySafeOnline.org, the website of the National Cyber Security Alliance, and is republished here with permission of NCSA.

Pure & Simple Encryption Software by Jetico

Jetico provides pure and simple data encryption software for National Security, Compliance and Personal Privacy. To protect stored data, Jetico's BestCrypt delivers compliant data encryption software for whole disks, virtual drives and selected files or folders. Jetico Enterprise Editions include central management for client software control.

Michael Waksman Jetico CEO bio image
Michael Waksman

Michael Waksman has been serving as CEO of Jetico since 2011, more than doubling the size of the company during his tenure. He brings more than 20 years of communications, technology and leadership experience.

At Jetico, Waksman has lead creation of the corporate identity, raising global brand awareness, building a more commercially-driven team and initiating enterprise customer relations. Jetico has maintained a wide user base throughout the U.S. Defense community, in the global compliance market and for personal privacy.

Waksman served as vice-chairman of the Cyber Group for the Association of Finnish Defense and Aerospace Industries. Recognized as a security and privacy advocate, he is a frequent speaker at international events, occasionally on behalf of the Finnish cyber security industry. In 2012, Waksman was honored with The Security Network's Chairman's Award for fostering collaboration between the United States and Finland. As dual citizen, he is a native New Yorker and has been living in the Helsinki region for over 15 years.

View all blog posts

Thank you for contacting Jetico!
We will respond to you as soon as possible.

Send us a message - we'll reply within 24 business hours.

Need help now? Call Us
US: 202 742 2901 EU: +358 50 339 6388