Passwords

Tips, Tricks and Password Recovery

We live in a world of background checks, ID cards, locks, alarm systems, firewalls, and passwords, passwords, passwords ! ! !

One of the biggest fears ... of every computer user ... is the fear of forgetting an important password.  And we do forget passwords.  There are so many of them !!  But after reading this page, you will never worry about forgetting a password again.

NOTE - to those with a job in a high-security field - skip this web page entirely - you, unfortunately, will have to memorize multiple passwords.  All I can tell you is to repeat them all to yourself in your mind, on a daily basis.

Memorizing Multiple Passwords - Don't do It

Few people can successfully memorize 5 to 10 passwords - especially for systems that force you to change the password periodically (more on that later).

The trick is to NEVER, EVER MEMORIZE MORE THAN TWO PASSWORDS !!  

Selecting the two Passwords - these two passwords will be your primary and secondary passwords, to be used the rest of your life, unless they are ever found out (in which case you must pick new passwords, of course).  

Pick a simple primary password and a complex secondary password.  For example:

Primary (password 1) - velvet                Secondary (password 2) - vel99vet

That's it !!!  You will never need to memorize another password for the rest of your life !!

What about those funky passwords, and those "un-changeable" passwords??  Some systems give you a password that you cannot change, and it is usually something impossible to memorize, like "3n!Q5@xG".  It won't, of course, be associated with the two passwords you memorized.  Therefore, write it down in your protected passwords file (explained later).

 

Storing Passwords 

 

  1. You can write down IDs in a non-secured document - but not passwords.

  2. You can write down one character of a password, such as the last digit.

Any security expert would completely disagree with this web page.  However, just as Doctors always take the most conservative approach possible ("don't run - it's bad for your knees . . . take all of these antibiotics, even if the infection is gone", etc), Security Experts take security to the nth level.  Which means never writing down an ID or a password . . . which also means you will forget them from time-to-time.  Here we take a real world approach, and we write them down - in a safe, secure manner !!

 

Your Passwords "Vault" - a file with a long Password

 

Save your passwords in a file, and password protect the file.  There are two commonly available applications for this - WinZip or Word.  Name the file something innocent, such as "gardening.doc" (Word protection) or "gardening.doc" (Zip protection - in which case you would then need to add it into WinZip, enter a password, and zip it).

 

Word is much more secure than WinZip, so we recommend that.  Perform the following steps (these are for Word 2000):

  1. Open the file.
  2. On the Tools menu, click Options, and then click Security.
  3. In the Password to open box, type a password, and then click OK.  
  4. If you want higher security, click "Advanced" and select the "RC4" options.

Selecting a Password - you want to use a long password here.  We said that you should never need to memorize more than 2 passwords . . . so simply combine them.  For example, if your primary/secondary passwords are velvet and vel99vet, then your password to protect this extremely important file would be:

 

velvetvel99vet

 

Can they Hack my Password?  All passwords are "theoretically hackable" - but by using a long password, you make it very difficult, and impossible unless the hacker is using a multi-million-dollar supercomputer.  The time required is simply too long, and the task cannot be accomplished.

 

There are numerous Office and Zip password recovery tools available on the web.  But a hacker who has no previous knowledge of your password will be forced to use the "brute force" attack.  Even if they do hack the file - you will have no passwords stored there !!!  Just small, 1-digit clues !!  The brute-force password hack is the slowest method, because it checks every possible password, one-by-one.  They usually start with 1-character passwords, then 2, and so on . . .  When they get up to checking 6 or 7 characters, it takes many hours to try them all.  Nevertheless - what's several hours to someone that is trying to break into valuable systems?  This is why you want a long password - the time required increases exponentially.

 

Here are some brute force password hacking statistics.  26 is the number of lower case letters, 36 is letters and digits, 52 is mixed case letters, 68 is single case letters with digits, symbols and punctuation, and 94 is all the displayable ASCII characters including mixed case letters.  The times shown are the times to process the entire set of passwords; thus the average time to crack a password would be one half the listed times.

 

                       Character Set
Password
Length      26 - Letters      36 - Letters and Digits      52 Letters and Digits with upper and lower case
3           0.18 seconds      0.47 seconds                 1.41 seconds
4           4.57 seconds      16.8 seconds                 1.22 minutes
5           1.98 minutes      10.1 minutes                 1.06 hours
6           51.5 minutes      6.05 hours                   13.7 days
7           22.3 hours        9.07 days                    3.91 months
8           24.2 days         10.7 months                  17.0 years
9           1.72 years        32.2 years                   8.82 centuries
10          44.8 years        1.16 millennia               45.8 millennia
11          11.6 centuries    41.7 millennia               2,384 millennia
12          30.3 millennia    1,503 millennia              123,946 millennia
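
As an added example (not part of the original page), the Python code below recomputes the table's figures and extends them to the sample passwords used on this page.  The rate of 100,000 guesses per second is an assumption inferred from the table's first row (26^3 passwords in 0.18 seconds); the function names are illustrative.

```python
# Added example.  GUESSES_PER_SECOND is an assumption inferred from the
# table's first row (26**3 passwords in 0.18 s); the page does not state it.
GUESSES_PER_SECOND = 100_000

YEAR = 365 * 86400  # seconds; a 365-day year matches the table's rounding
UNITS = [  # largest first
    ("millennia", 1000 * YEAR), ("centuries", 100 * YEAR), ("years", YEAR),
    ("months", YEAR / 12), ("days", 86400), ("hours", 3600),
    ("minutes", 60), ("seconds", 1),
]


def charset_size(password):
    """Smallest of the page's five character sets that contains the password."""
    lower = any(c.islower() for c in password)
    upper = any(c.isupper() for c in password)
    digit = any(c.isdigit() for c in password)
    other = any(not c.isalnum() for c in password)
    single_case = not (lower and upper)
    if other:
        return 68 if single_case else 94
    if digit:
        return 36 if single_case else 94  # 62 is not one of the page's sets
    return 26 if single_case else 52


def search_seconds(charset, length, include_shorter=False,
                   rate=GUESSES_PER_SECOND):
    """Seconds to try every password of `length` (optionally lengths 1..length)."""
    lengths = range(1, length + 1) if include_shorter else [length]
    return sum(charset ** n for n in lengths) / rate


def humanize(seconds):
    """Format seconds the way the table does (about three significant figures)."""
    name, size = next(((n, s) for n, s in UNITS if seconds >= s), UNITS[-1])
    value = seconds / size
    digits = 2 if value < 10 else 1 if value < 100 else 0
    return f"{value:,.{digits}f} {name}"


def estimate(password, **kwargs):
    """Worst-case exhaustive-search time for one password, as text."""
    return humanize(search_seconds(charset_size(password), len(password), **kwargs))


if __name__ == "__main__":
    for pw in ("velvet", "vel99vet", "velvetvel99vet", "3n!Q5@xG"):
        print(f"{pw:16} set={charset_size(pw):2} len={len(pw):2} {estimate(pw)}")
```

These figures are worst-case times for exhaustive search at the table's rate only; they do not cover guessing based on dictionary words or on a known base password.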
 

 

Your ID's and Passwords 

 

For this section we will use the example of a user ID = george  and  Passwords = velvet (primary, pass1) and vel99vet (secondary, pass2).

 

For each ID/password combination, write them all down in the file.  Enter your ID, and next to each ID, write down a clue that allows you to identify the password that goes with that ID.  Whenever a system forces you to change your password - update the file.

 

Here's the trick.  You have memorized two passwords, a primary and a secondary.  In general, always use your primary if possible.  As we said, some systems force you to use a password that contains at least one character and one numerical digit, which is covered by your secondary, password 2.  In your passwords file, you have a table with 3 columns.  Column 1 is the application or website that requires the password.  Column 2 is the ID you used.  Column 3 is the password clue.

 

IMPORTANT:  If the system forces you to change your password, add a digit at the end, and then each time you have to change it again - increment the digit !!  So you would start out with velvet, then velvet1, then velvet2, etc.  Write down only the number in your passwords file.

 

Sample Passwords Table:

 

Application - Link                  ID        Password
Timorama (Timesheet Entry)          george    pass1
Banking (www.citibank.com)          george    pass1 - 4
AutoCad                             george    pass2
OpenView (HP Router Tool)           george    5fWQ200
Eroom (group collaboration tool)    george    pass1

 

As you can see - the table shows no real useful information to a hacker.  Only you know that your pass1 is velvet and pass2 is vel99vet.  The exception is the OpenView password, which is one of those funky passwords, and the application does not allow you to change it to your primary password - so in this case you have to enter the entire password.  However, as difficult as it is to hack into your Word document - you're safe !!

Websites and Passwords

 

For websites, you can skip the Word file, and instead store them in the name of the bookmark or Favorite.  For example, if your bank is CitiBank, and your ID/password combination is:  george/velvet3   - store your Favorite and name it as follows:

 

CitiBank (george - 3)

Password Recovery

 

Using the methods described - you should never need to perform password recovery.  However, if you need to, then there are a number of tools that you can download for WinZip and MS Office - some free, others $$$.  Just be aware that if your password is long, you may not live long enough to recover it.  If it is 6 or 7 characters, you can recover it in about one day.