WEDNESDAY MAY 31 2006 6:00 PM

Salt Your Passwords

Humans are the weakest link in any security chain. We can be tricked, tortured, or otherwise socially engineered into giving away just about any key to any otherwise secure system.

We're also pretty stupid, according to this interesting observation from Bruce Schneier.

From a list of 100,000 passwords for a German dating site, we learn that 123456 works 1.4% of the time and that 2.5% of all passwords begin with 1234.

That's not a huge percentage, but it's a pretty significant number of people who think that 123456 is a perfectly secure password. In the comments at Bruce's site, someone observed that a huge number of passwords were swear words, and proper nouns, which are typically included in just about every script kiddie's brute force cracking dictionary.

Even those of us who aren't stupid can still be pretty lazy. Sure, it's a great idea to have a diceware-generated, eleven-character, unique password that you change every six months for every different site you visit, but they're difficult to remember, usually end up written down, and eventually get changed to something more easily memorized... like 123456.

Enter password salting.

A salt is defined as a random number that is added to the encryption key or to a password to protect them from disclosure. But in this case, it's not a random number (since that wouldn't be easy to remember either); instead, it's a short string of letters that you derive from the site name by a fixed rule of your own and insert into your usual password.

For example:

Let's say you're creating a Hotmail account and you need to come up with a password. Your usual password is 'monkey7'. But rather than just typing that in, you alter 'monkey7' with some characters that are unique to the site you're visiting.

Maybe it’s the first two letters of the site name. Maybe it’s the first letter and the last letter, or the first and third letters. Whatever it is, pick a scheme and stick to it.

Let's say you've chosen the first and third letters, and you're going to put them before the 7. Your Hotmail password is now 'monkeyht7'. Your Amazon password is 'monkeyaa7'. Your Yahoo password is 'monkeyyh7'. You get the picture.
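The article uses "salt" in two senses: the random per-account value in the definition above, and the site-derived tag it recommends. The block below is an added example, not code from the article or from SG News. It implements the first-and-third-letter scheme and checks it against the three passwords above, groups site names that produce the same tag (the site list, including "apache", is constructed), and shows the random server-side salt of the textbook definition with PBKDF2-HMAC-SHA256, so two accounts that both chose 123456 no longer share a hash.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Part 1: the article's memorable "salt". Take the first and third letters of the
# site name and insert them in front of the trailing digit of the usual password
# ("monkey7" + "hotmail" -> "monkeyht7").
def site_tag(site: str) -> str:
    """First and third letters of the site name, as the article's scheme picks them."""
    site = site.lower()
    if len(site) < 3:
        raise ValueError("site name needs at least three letters for this scheme")
    return site[0] + site[2]

def site_salted_password(base: str, site: str) -> str:
    """Insert the site tag before the last character of `base` (the '7' in 'monkey7')."""
    if len(base) < 2:
        raise ValueError("base password too short to split")
    return base[:-1] + site_tag(site) + base[-1]

def tag_collisions(sites: list) -> dict:
    """Group site names that yield the same tag, i.e. the same derived password."""
    groups: dict = {}
    for site in sites:
        groups.setdefault(site_tag(site), []).append(site)
    return {tag: names for tag, names in groups.items() if len(names) > 1}

# Part 2: the salt of the textbook definition. It is random, chosen per account,
# and stored by the server beside the hash, so identical passwords on two
# accounts hash to different values and precomputed tables do not apply.
def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = 600_000) -> Tuple[bytes, bytes]:
    """Return (salt, PBKDF2-HMAC-SHA256 digest); draws a fresh 16-byte salt if none is given."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest

def verify_password(password: str, salt: bytes, digest: bytes,
                    iterations: int = 600_000) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(hash_password(password, salt, iterations)[1], digest)

if __name__ == "__main__":
    print({s: site_salted_password("monkey7", s) for s in ("hotmail", "amazon", "yahoo")})
    print(tag_collisions(["hotmail", "amazon", "yahoo", "apache"]))  # constructed list; "aa" collides
    print(hash_password("123456")[1] == hash_password("123456")[1])  # False: the salt is random
```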

This is not the most secure way in the world to generate a unique password, especially if someone figures out that you do [site name]123456. But if you choose a salting scheme that's easy for you to remember and difficult to guess, you're one step ahead of the average script kiddie.

Actually, if you've ever kissed a member of the opposite sex and have about an ounce of common sense, you're several steps ahead of the average script kiddie already. But you should still salt your passwords.

 


Comments
Vestril

Coronado, CA
February 2003

MAY 31, 2006 06:15 PM

I'm sorry, but a German dating site is the place to be super-secure? Riiiiiiiiiight...

Personally I'm completely careless when I am signing up for anywhere that doesn't make use of my credit card or isn't my email account. If someone wants to hack my "myspace" I could give a shit...

Still, good advice.

starrydynamo

San Francisco, CA
December 2005

MAY 31, 2006 06:27 PM

This is a great bit of advice, especially since I usually forget my passwords... but isn't it a bit "less secret" now that it's all over the internet? Now they know that all they have to do is try your usual password with a few letter combinations...

But like Vestril said, if someone actually wants to put so much of their time and effort into hacking into something like my myspace or email? All the more luck to them. I don't care, they're not going to find anything interesting.

LinkIsMyHero

USA
February 2005

MAY 31, 2006 06:27 PM

Waaaaait a sec. If I heard that my password was released along with 99,999 others, I'd be pretty pissed. That's 100,000 people who have to change their passwords now. Did they volunteer for this?

WilWheaton

Los Angeles, CA
June 2005

MAY 31, 2006 06:45 PM

starrydynamo said:
This is a great bit of advice, especially since I usually forget my passwords... but isn't it a bit "less secret" now that it's all over the internet? Now they know that all they have to do is try your usual password with a few letter combinations...

Actually, if you come up with your own scheme, like

number + common string + initials for site
and I come up with
common string + number + initials for site
and then someone else comes up with
number based on alphabet relation of site's first letter + common string + site initials + another common string
it becomes more difficult for a casual attacker to figure out your password, if it's always 123456. Of course, if someone uncovers your salting scheme, you're still boned.

effstop

Las Vegas, NV
June 2004

MAY 31, 2006 06:55 PM

comedy. any "scheme" that doesn't incorporate special characters, numbers, AND letters, and no sequences of letters that could make up a word isn't as secure as it could be.

i typically use a dictionary word, but swap out special characters and numbers for letters.

like $uic1d3G1rl$. all you have to remember is what you swap things out with.

simply adding a few characters like the article suggests makes cracking a password take .00001 more second than normal, especially if there is a dictionary word in there somewhere.

DDOM

Katy, TX
November 2005

MAY 31, 2006 07:56 PM

Vestril said:
I'm sorry, but a German dating site is the place to be super-secure? Riiiiiiiiiight...

Personally I'm completely careless when I am signing up for anywhere that doesn't make use of my credit card or isn't my email account. If someone wants to hack my "myspace" I could give a shit...

Still, good advice.


I have to agree with Vestril. Show me stats for a banking site and I might consider the numbers relevant. But if you do, let me know what bank to avoid, because good password encryption is one-way, so they can't see your password. Using a generator to guess them proves nothing.

I am disappointed in you Wil. This is the kind of bogus study someone with your technical knowledge should be debunking, not spreading.

WilWheaton

Los Angeles, CA
June 2005

MAY 31, 2006 08:21 PM

DDOM said:
I am disappointed in you Wil. This is the kind of bogus study someone with your technical knowledge should be debunking, not spreading.

Well, sorry I let you down. The study was mentioned by Bruce Schneier, who I deeply respect and admire. When I read it, I remembered an article about salting I read at digg last week, and saw an opportunity to share something I thought was useful with the SG News readers, with a bit of perspective added via the "123456" article. There's a little forest in those trees, if you look for it, I hope.

AndrewB

Victoria, BC
August 2003

MAY 31, 2006 09:07 PM

Regardless of where the stats come from, any tip that helps people make their passwords more secure is a good thing.

Now whether or not the average person will follow the advice...

Postmark_Jensen

Minneapolis, MN
January 2005

MAY 31, 2006 09:17 PM

I used to do that with anything I would mail in. I would add letters to my apartment number so I could track who sold my name.

For instance, if I sent in a rebate to Maxtor, I would include my apartment number as "#6 mx1". The rebate would still get to me, and then I would get a bunch of spam using that address.

Didn't really help at all, but was fun to see who sold what to whom.

JennyLou

Danvers, MA
December 2002

MAY 31, 2006 09:45 PM

I have had the same word as my password for 13 years... I use random numbers in the middle and at the end of it... and special characters if they are usable on certain places... it changes frequently... hopefully that's good enough... if not... none of my info is that important I guess.

Morgan

SUICIDEGIRL

Illinois, USA

MAY 31, 2006 09:51 PM

I don't have much to say on this article except for that I really do *heart* WilWheaton.

fatdavid8

Cook Islands
June 2004

MAY 31, 2006 09:56 PM

I like to use a handful of passwords that are dictionary words that I can type in with one hand, like, say, "farts", and then I move that word to various locales on the keyboard with mnemonics for where I should place my pinky or index fingers. So, if I were at myspace, my mnemonic might be "narcissist", and I'd place my index finger on "i" and type in "farts" as "it89y".

I've never had any trouble with hacked passwords, so maybe it works.

wickedgrin

Birmingham, AL
October 2004

MAY 31, 2006 09:59 PM

I use different geometrical patterns with the shift button pushed for a certain part of it. This covers the whole letter, number, special character thing. Then, when it comes time to change my password, I either pick a different part of the keyboard as a starting point or just change the pattern from, say, a pyramid to a pair of parallel lines.

[Edited on May 31, 2006 10:04PM]

PaperDress

Rock Island, IL
December 2005

MAY 31, 2006 10:00 PM

I use the same password for everything. I know that's really bad. Good idea.

edited to add:

except for my login password at my old job. It was always variations of the word "password"... because I didn't care if it got hacked, and we had to change it sooo much I would never have remembered which one was the most recent one.

[Edited on May 31, 2006 by PaperDress]

eightzeroone

I'm lost
OLD SKOOL

MAY 31, 2006 10:13 PM

It's kinda sick that it's come to suggesting users salt their own passwords. Users are notoriously stupid; I'm not convinced this will get through to them either.

Anyone who uses a password that is sequential and comprised entirely of either alpha or numeric deserves to have their shit ripped off twice. Dictionary words as passwords, the same.

I prefer randomly generated, pronounceable passwords. It's strange how much they stick in your brain.
