About the password those things (one)

"How to set a good hard-to-guess password"

The home-led iphone was lost and we were caught in a phishing email. Although there was no loss, it was also a cold sweat, especially aware that the non-jailbreak version of the iphone, which had always been thought to be very safe, could be violently cracked, causing personal information to fall into the hands of scammers.

Shock, re-examined the security of their various devices, including password policy. Here I'm going to introduce my own experience on setting passwords in a couple of times.

The importance of passwords is self-evident, and it is a security barrier to many of our accounts. But it is also often attacked by hackers of all sizes, the most common of which are dictionary attacks and brute force attacks. Dictionary attacks are attempted with the most common passwords, while brute force cracking is done by enumerating through all the possibilities of a password. For example, the iphone's lock screen simple password is 4 digits, brute force will only need to try from 0000 to 9999 10,000 times, must be able to hit. And the modern computer performance is so high, and does not say that can be counted 10 trillion times per second supercomputer, the average home computer to try 10,000 times is much less than 1 seconds.

So why does the iphone dare to use a 4-digit simple password? Because Apple can set a continuous password 9 times to self-destruct-erase all data-the command, that is, you protect your privacy probability is nine out of 10,000, which is quite reliable. However, unfortunately, iOS itself has a loophole, so there are hackers to create such a special hack device, with the cable connected to the iphone, the use of this loophole can be used to bypass the self-destruct device constantly retry, so that you can quickly test the lock screen password. So the iphone's simple password is insecure and does not protect the personal data and privacy of the iphone. My home-led iphone is estimated to have suffered this tragic experience.

It is important to point out that brute force is unavoidable. But there is a price to brute force, and the price is the time it takes to keep trying until it hits, and if the time is astronomical, then we can think of that password as a defense against brute force. This one of the math is not to say, just remember a bit, password each more, the time required for brute force is more than an order of magnitude. So, you have to change your iphone's lock screen password from a simple 4-digit number to a complex password like a corporate domain account.

So one of the more secure password-setting rules that we're familiar with is this:

• Length requirement: At least 8 digits

• Complexity requirements: and must have uppercase English letters, lowercase English letters, numbers and characters, at least one of each.

• Time Requirement: Password must be changed once every 3 months

• Must not repeat the request: the system will remember 12 times the history password, once used password must not use repeatedly

However, setting a complex password is hard to remember, and many people are worried about changing the password. So, how do you set yourself a strong, hard-to-guess password that can withstand brute-force, but well-remembered passwords? Let me talk about my own experience.

First, the password can not be too obvious, can not use their own birthday, the name of the family leader, the name of the child or pet, etc. too easy to guess the words. So remember again, how to do? The better way is to pick a 6-10-character phrase. For example, students who like Nike can choose its advertising language:

Just do it!

Then make a slight deformation. Replace the letters with numbers or characters. The commonly used variants are:

• A change to @

• Small Letter O to number 0

• Small Letter B to number 6

• Small Letter L changed to number 1

• Capital Letter S changed to characters $

• The space is removed or changed to an underscore symbol _

• The first letter of each word of the phrase is changed to uppercase

  
  

Wait, wait.

For example password can be changed to [email protected]$ $w 0rd, (of course, this [email protected]$ $w 0rd is too common, not recommended use OH)

So just do it! You can morph into a ju$td0it!. Or ju$t_d0_it! this looks complicated, but it's not hard to remember.

In fact, Ju$td0it! has 9 characters, uppercase and lowercase numeric characters are complete, is already a good password. But usually we will be asked to change the password for 3 months, every time the brain change a completely different password too nerve-wracking, without exposing the complex password in front of the case, a compromise method is to use the previous password as the main keyword, on the basis of the main keyword to add a prefix or suffix.

A commonly used suffix or prefix is the addition of a year or a month. This increases both the password length and the complexity. To write this article at the time of the April 2015 example:

Add only 2-digit month suffix: ju$td0it!04

2-digit year plus 2-digit month suffix: ju$td0it!1504

3-Letter Month plus 2-digit year prefix: apr15ju$td0it!

Chinese zodiac Pinyin (year of the RAM) plus 1 digit month suffix: ju$td0it! Yang4

Of course, there are a lot of different types of the prefix, the date is not good, there are many other options, such as:

• With zodiac pinyin: Jia, Yi, Bing, ding Ding, E Wu, Ji, Geng Geng, Xin Xin, Ren, GUI Kui

• Pinyin of the periodic table: Potassium Jia, Mg mei, aluminum lv, CA gai, Phosphorus lin

• With the five elements of the sun and Moon: Gold Jin mu mu water shui fire huo tu ri Moon Yue

• Color: Chi Chi Orange Cheng Yellow Huang Green LV cyan Qing blue lan Violet Zi

All right, new skills get out No!

Warning! The passphrase mentioned in this article may be added to the scope of the dictionary attack, please do not use it again.

To be continued, tomorrow's notice: The two things about the password

This article from "Triangle Balcony Technical Notebook" blog, declined reprint!

About the password those things (one)