
RNDpass/!RNDpass/!Tips

This website contains an archive of files for the Acorn Electron, BBC Micro, Acorn Archimedes, Commodore 16 and Commodore 64 computers, which Dominic Ford has rescued from his private collection of floppy disks and cassettes.


Tape/disk: Archimedes archive » Acorn User » AU 1998-12.adf » PD
Filename: RNDpass/!RNDpass/!Tips
File size: &1F16 (7958) bytes
Load address: 0000
Exec address: 0000
File contents
Choosing a good pass phrase (Contributed by Nat Queen)
******************************************************


Why do we speak of a 'pass phrase' instead of a 'password'?
-----------------------------------------------------------

When many people are asked to choose a password, they select a common word
or name. Such a password falls quickly to a 'dictionary attack': a program
that takes a word list and tries every entry, usually together with the
obvious variations of each entry. Many such programs exist, and they are
sometimes used by people who have forgotten their own password. But a
password that can be recovered in this way is weak: it can be recovered just
as easily by anyone else who gains access to your encrypted data.

A somewhat stronger type of 'password' is one which is not a real word, and
perhaps even includes some digits or other symbols, if the software you are
using allows them. Although this defeats a plain word-list attack, it can
still be found by a brute-force attack: a program that tries every possible
string of characters until it hits the right one. The longer the password,
the more expensive such an attack becomes. Suppose, for example, that 50
different characters are allowed. An eight-character password then has 50^8
(about 3.9 x 10^13, or roughly 45 bits of) possibilities, and each extra
character multiplies that number, and with it the expected search time, by
50.

Many Unix systems, for example, accept logon passwords of up to eight
characters: the traditional crypt(3) function uses only the first eight and
silently ignores the rest. Logon passwords for ISPs are usually similar. Such
passwords are rather weak and are easily attacked, so you should certainly
use longer passwords whenever your software allows it.

Documents on PGP and some other encryption software always speak of pass
phrases, rather than passwords, in order to stress that they can be of any
reasonable length, consisting of *many* words or groups of characters,
separated (optionally) by spaces.

How strong should a pass phrase be?
-----------------------------------

In practice the pass phrase is by far the weakest part of most cryptosystems,
because most users choose a weak one. An attacker who wants to read a typical
user's encrypted messages will find it far cheaper to guess the pass phrase
than to attempt any real cryptanalysis of the cipher. This is why it is so
important to choose a good one.

Even for organisations like government agencies with huge computing
resources, guessing the pass phrase would be the most cost-effective route.
It is often said that the simplest technique for gaining access to encrypted
data is the 'rubber-hose attack' (beating the victim, or using other forms
of torture, until the pass phrase is revealed). Another is to plant an
electronic bug or a hidden program (a keylogger) in the user's computer to
capture every keystroke. Alternatively, without any physical access to the
computer or its user, a serious attacker can monitor the computer's
electromagnetic emissions from a distance and recover the pass phrase as it
is typed; this is known as a 'Tempest attack'. None of these attacks is easy
to guard against, and no choice of pass phrase helps against them. But you
probably do not need to worry about them unless you are a serious target of
government investigation or live under an oppressive regime.

It makes sense to choose a pass phrase which is as strong as the cryptosystem
it protects, since any such system is only as strong as its weakest link. In
PGP, for example, the key that encrypts your stored secret key is derived from
the pass phrase, so a guessable pass phrase bypasses the cipher entirely.
This document explains some simple tricks which can help to achieve that
goal.

How can I choose a strong pass phrase?
--------------------------------------

In general terms, the aim should be to create a pass phrase that is easy to
remember and to type when needed, but very hard for anyone else to guess,
even for someone who knows you well. It should also be long enough to make
any dictionary attack or brute-force attack impractical.

One well known method is to select, by some random process, a set of words
from a dictionary. This technique is sometimes called 'diceware', after
Arnold Reinhold's scheme in which five dice rolls index a list of 7776 (6^5)
words. !RNDpass does the same, using its own dictionary and the computer's
random number generator in place of the dice. Note that the result is only as
unpredictable as that generator: a pseudo-random sequence seeded from
something guessable, such as the clock, can be replayed by an attacker.

The strength of such a pass phrase is easy to calculate. If the dictionary
holds D words and you pick N of them independently, there are D^N possible
phrases, i.e. N x log2(D) bits of entropy; each word from a 7776-word list
adds about 12.9 bits. With a dictionary as large as the one included in
!RNDpass, a pass phrase consisting of 6 or more random words is therefore
likely to withstand any conceivable attack, simply because of the enormous
number of possible combinations. Modifying it in some unpredictable way (see
below) adds a further margin and rules out a pure dictionary attack; for
random words that margin is a bonus, but for words you chose yourself it is
essential.
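The brute-force scaling described earlier (each extra character from a 50-symbol alphabet multiplies the search by 50) and the word-count arithmetic for a diceware-style phrase can be checked with a few lines of code. The following is an added example written for this page; it is not part of !RNDpass and does not use its dictionary. The word list is a constructed stand-in, the 7776-word figure is the size of the classic Diceware list rather than of the !RNDpass dictionary, and the guess rate of a thousand million per second is an assumed figure for a fast offline attack. Words are drawn with Python's secrets module, the operating system's cryptographic random source, rather than the predictable random module.

```python
import math
import secrets

# Constructed stand-in for a passphrase dictionary. A real list has
# thousands of entries; the classic Diceware list has 7776 (= 6**5) words.
SAMPLE_WORDS = [
    "acorn", "bramble", "cider", "dapple", "ember", "fjord", "gusto", "hedge",
    "ingot", "jovial", "kettle", "lumen", "mosaic", "nimbus", "orbit", "pewter",
]

DICEWARE_LIST_SIZE = 6 ** 5  # 7776 words, indexed by five dice rolls


def keyspace(pool_size: int, count: int) -> int:
    """Number of distinct secrets made of `count` uniform picks from a pool."""
    return pool_size ** count


def entropy_bits(pool_size: int, count: int) -> float:
    """Entropy of `count` independent uniform picks: count * log2(pool)."""
    return count * math.log2(pool_size)


def words_needed(list_size: int, target_bits: float) -> int:
    """Smallest number of random words from `list_size` reaching `target_bits`."""
    return math.ceil(target_bits / math.log2(list_size))


def expected_seconds(bits: float, guesses_per_second: float) -> float:
    """Mean time to find a uniform secret: on average half the keyspace."""
    return 2 ** (bits - 1) / guesses_per_second


def generate_passphrase(words: list[str], count: int, sep: str = " ") -> str:
    """Pick `count` words with the OS CSPRNG (secrets), never random.choice."""
    return sep.join(secrets.choice(words) for _ in range(count))


if __name__ == "__main__":
    rate = 1e9  # assumed guess rate for a fast offline attack, guesses/second
    bits8 = entropy_bits(50, 8)
    print(f"50-symbol alphabet, 8 chars: {bits8:.1f} bits, "
          f"{expected_seconds(bits8, rate) / 3600:.1f} hours at {rate:.0e}/s")
    print(f"one extra character multiplies the keyspace by "
          f"{keyspace(50, 9) // keyspace(50, 8)}")
    for n in (4, 6, 8):
        print(f"{n} Diceware words: {entropy_bits(DICEWARE_LIST_SIZE, n):.1f} bits")
    print(f"words needed for 128 bits: {words_needed(DICEWARE_LIST_SIZE, 128)}")
    print("sample phrase from the 16-word demo list:",
          generate_passphrase(SAMPLE_WORDS, 6))
```

Six Diceware words come to about 77.5 bits, roughly 2^32 times more work than an eight-character password over 50 symbols; ten words are needed to match a 128-bit key. The 16-word demo list gives only 4 bits per word, which is why the real tool needs a dictionary thousands of entries long.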

Some simple tips for 'distorting' a pass phrase are described below. If they
are applied with a little ingenuity, they will work well even if the user
starts with a 'normal' pass phrase in plain English (instead of random
words, as given by !RNDpass) and distorts it in such a way that it becomes
quite unpredictable.

A few special methods of doing this can be automated in !RNDpass, as an
option. 'Random' (computer-generated) distortions of a pass phrase
consisting of normal words are undoubtedly more secure than distortions
added by hand in an intuitive manner, but it may take more effort to
remember them.

How can a 'normal' pass phrase be distorted to make it stronger?
----------------------------------------------------------------

• First of all, you may start with either a set of random words like those
generated by !RNDpass (more secure, but harder to remember) or a meaningful
sequence of words (less secure, but easier to remember). If you choose the
latter approach, do not use any famous quotations, proverbs or sayings. All
these exist in dictionaries, including electronic ones, and cracking word
lists are built from exactly such material. One possibility is to select a
phrase from a book at random, preferably avoiding any complete sentence. Try
to avoid phrases with a conventional, predictable grammatical structure. If
necessary, replace some words with silly, unexpected words.

• When 'distorting' a 'normal' pass phrase, avoid using only dictionary
words, so that no word-list attack, however large the list, can succeed on
its own.

• You can use non-alphabetic characters, such as digits or any other symbols
on your keyboard, inserted in unexpected places. For example, you can change
the word 'computer' to 'c0mputer', '98%computer' or 'comput#'. Additional
characters can increase the number of possible pass phrases enormously
without making them much harder to remember, but only if they are put in
unexpected places. Cracking programs apply lists of 'mangling rules' to every
dictionary word, and the common substitutions are all on those lists: an
attacker will certainly try replacing 'o' with '0'.

• Pass phrases in many programs, such as PGP, are case-sensitive, so it is a
good idea to mix upper and lower case. For example, 'computer', 'comPUTer'
and 'COMPUTER' would all be treated as distinct. Capitalising only the first
letter or the whole word is, however, another standard mangling rule;
capitals in the middle of a word are far less predictable.

• If you know any words from foreign languages, you can include some in your
pass phrase.

• You can invent your own nonsense words, like the famous word 'jabberwocky'
coined by Lewis Carroll.

• You can create completely meaningless 'words' consisting of apparently
'random' characters, but which are easy to remember. For example, 'ilro'
might stand for 'I love RISC OS'.

• Bear in mind that you can use any printable character your software
accepts, not just the ones that appear on the keyboard. For example, the
copyright symbol © (character 169) can be obtained on RISC OS by holding
down the ALT key, typing 169 on the numeric keypad, and then releasing the
ALT key. Details of how to get all such characters can be found in your
computer's User Guide. Be aware, though, that characters outside plain ASCII
are not encoded identically on every system, so a pass phrase containing
them may be impossible to type correctly on another computer or with a
different keyboard layout.

• You can disguise dictionary words by using strange and unexpected
spellings. For example, the word 'computer' can be changed to 'komputta'.

• Dictionary words can also be hidden by using extra spaces, or omitting
spaces, as in 'com puter' or 'Acorncomputer'.

• The techniques suggested above become even more effective when used in
combination. An example might be the 'word' 'MY2c0mputas@home'.
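The attacker's side of the substitution and capitalisation tips above can be made concrete. The following added example (written for this page, not code from !RNDpass or from any cracking tool) builds a small set of mangling rules of the kind password crackers apply to each dictionary word: the three obvious capitalisations, every combination of the usual letter-for-symbol swaps, and a two-digit number with an optional symbol before or after the word. The six-word dictionary, the rule tables and the test strings are constructed for the demonstration. It checks which of the distortions of 'computer' suggested above are still reachable from the plain word, and counts how many guesses the rules cost per word.

```python
import math
from itertools import combinations

# Constructed mini word list standing in for a cracker's dictionary.
DICTIONARY = ["computer", "acorn", "password", "risc", "archimedes", "phrase"]

# The substitutions every rule set tries first (constructed, deliberately small).
LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"}
# A two-digit number, optionally followed by a symbol, in front of the word.
PREFIXES = [""] + [f"{n:02d}{s}" for n in range(100) for s in ("", "%", "!")]
# Common tails.
SUFFIXES = ["", "1", "12", "123", "!", "1!"]


def case_variants(word: str):
    """The three capitalisations a cheap rule set tries."""
    return (word.lower(), word.capitalize(), word.upper())


def leet_variants(word: str):
    """Yield the word with every subset of its substitutable letters swapped."""
    letters = sorted({c for c in word if c in LEET})
    for r in range(len(letters) + 1):
        for subset in combinations(letters, r):
            table = str.maketrans({c: LEET[c] for c in subset})
            yield word.translate(table)


def candidates(word: str):
    """Every guess the rule set derives from one dictionary word, deduplicated."""
    seen = set()
    for cased in case_variants(word):
        for leeted in leet_variants(cased):
            for pre in PREFIXES:
                for suf in SUFFIXES:
                    guess = pre + leeted + suf
                    if guess not in seen:
                        seen.add(guess)
                        yield guess


def candidate_count(word: str) -> int:
    """How many guesses the rules generate from a single word."""
    return sum(1 for _ in candidates(word))


def rule_cost_bits(word: str) -> float:
    """Extra work the rules add to a dictionary attack, in bits per word."""
    return math.log2(candidate_count(word))


def is_covered(guess: str, dictionary) -> bool:
    """True if a rule-based attack on `dictionary` would produce `guess`."""
    return any(guess == c for w in dictionary for c in candidates(w))


if __name__ == "__main__":
    for guess in ("c0mputer", "98%computer", "COMPUTER", "comPUTer",
                  "comput#", "komputta", "MY2c0mputas@home"):
        print(f"{guess!r:20} covered by rules: {is_covered(guess, DICTIONARY)}")
    print(f"rules cost about {rule_cost_bits('computer'):.1f} bits per word")
```

The substitutions, the numeric prefix and whole-word capitalisation are all reachable from the plain word, while the odd capitals of 'comPUTer', the misspelling 'komputta', the truncated 'comput#' and the combined 'MY2c0mputas@home' are not. Even this tiny rule set multiplies the dictionary by about 2^14 per word, which is close to the 12.9 bits that one randomly chosen Diceware word contributes: a predictably mangled common word is worth roughly one random word, no more. Real rule sets are far larger, so a distortion that feels clever is quite likely already on the list.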

A final word of advice: Whatever you do, don't ever write down your pass
phrase or store it in any computer file. If you do, it's asking for trouble. 
Your pass phrase should exist only in your head!


00001460  74 65 64 20 62 79 20 21  52 4e 44 70 61 73 73 20  |ted by !RNDpass |
00001470  28 6d 6f 72 65 20 73 65  63 75 72 65 2c 20 62 75  |(more secure, bu|
00001480  74 20 68 61 72 64 65 72  20 74 6f 20 72 65 6d 65  |t harder to reme|
00001490  6d 62 65 72 29 20 6f 72  20 61 20 6d 65 61 6e 69  |mber) or a meani|
000014a0  6e 67 66 75 6c 0a 73 65  71 75 65 6e 63 65 20 6f  |ngful.sequence o|
000014b0  66 20 77 6f 72 64 73 20  28 6c 65 73 73 20 73 65  |f words (less se|
000014c0  63 75 72 65 2c 20 62 75  74 20 65 61 73 69 65 72  |cure, but easier|
000014d0  20 74 6f 20 72 65 6d 65  6d 62 65 72 29 2e 20 49  | to remember). I|
000014e0  66 20 79 6f 75 20 63 68  6f 6f 73 65 20 74 68 65  |f you choose the|
000014f0  0a 6c 61 74 74 65 72 20  61 70 70 72 6f 61 63 68  |.latter approach|
00001500  2c 20 64 6f 20 6e 6f 74  20 75 73 65 20 61 6e 79  |, do not use any|
00001510  20 66 61 6d 6f 75 73 20  71 75 6f 74 61 74 69 6f  | famous quotatio|
00001520  6e 73 2c 20 70 72 6f 76  65 72 62 73 20 6f 72 20  |ns, proverbs or |
00001530  73 61 79 69 6e 67 73 2e  20 41 6c 6c 0a 74 68 65  |sayings. All.the|
00001540  73 65 20 65 78 69 73 74  20 69 6e 20 64 69 63 74  |se exist in dict|
00001550  69 6f 6e 61 72 69 65 73  2c 20 69 6e 63 6c 75 64  |ionaries, includ|
00001560  69 6e 67 20 73 6f 6d 65  20 69 6e 20 65 6c 65 63  |ing some in elec|
00001570  74 72 6f 6e 69 63 20 66  6f 72 6d 2c 20 77 68 69  |tronic form, whi|
00001580  63 68 20 63 61 6e 20 62  65 0a 75 73 65 64 20 66  |ch can be.used f|
00001590  6f 72 20 63 72 61 63 6b  69 6e 67 20 70 75 72 70  |or cracking purp|
000015a0  6f 73 65 73 2e 20 4f 6e  65 20 70 6f 73 73 69 62  |oses. One possib|
000015b0  69 6c 69 74 79 20 77 6f  75 6c 64 20 62 65 20 74  |ility would be t|
000015c0  6f 20 73 65 6c 65 63 74  20 61 20 70 68 72 61 73  |o select a phras|
000015d0  65 20 66 72 6f 6d 0a 61  20 62 6f 6f 6b 20 61 74  |e from.a book at|
000015e0  20 72 61 6e 64 6f 6d 2c  20 70 72 65 66 65 72 61  | random, prefera|
000015f0  62 6c 79 20 61 76 6f 69  64 69 6e 67 20 61 6e 79  |bly avoiding any|
00001600  20 63 6f 6d 70 6c 65 74  65 20 73 65 6e 74 65 6e  | complete senten|
00001610  63 65 2e 20 54 72 79 20  74 6f 20 61 76 6f 69 64  |ce. Try to avoid|
00001620  0a 70 68 72 61 73 65 73  20 77 69 74 68 20 61 20  |.phrases with a |
00001630  63 6f 6e 76 65 6e 74 69  6f 6e 61 6c 2c 20 70 72  |conventional, pr|
00001640  65 64 69 63 74 61 62 6c  65 20 67 72 61 6d 6d 61  |edictable gramma|
00001650  74 69 63 61 6c 20 73 74  72 75 63 74 75 72 65 2e  |tical structure.|
00001660  20 49 66 0a 6e 65 63 65  73 73 61 72 79 2c 20 72  | If.necessary, r|
00001670  65 70 6c 61 63 65 20 73  6f 6d 65 20 77 6f 72 64  |eplace some word|
00001680  73 20 77 69 74 68 20 73  69 6c 6c 79 2c 20 75 6e  |s with silly, un|
00001690  65 78 70 65 63 74 65 64  20 77 6f 72 64 73 2e 0a  |expected words..|
000016a0  0a 8f 20 57 68 65 6e 20  27 64 69 73 74 6f 72 74  |.. When 'distort|
000016b0  69 6e 67 27 20 61 20 27  6e 6f 72 6d 61 6c 27 20  |ing' a 'normal' |
000016c0  70 61 73 73 20 70 68 72  61 73 65 2c 20 69 74 20  |pass phrase, it |
000016d0  69 73 20 62 65 73 74 20  74 6f 20 61 76 6f 69 64  |is best to avoid|
000016e0  20 74 68 65 20 75 73 65  20 6f 66 0a 6f 6e 6c 79  | the use of.only|
000016f0  20 64 69 63 74 69 6f 6e  61 72 79 20 77 6f 72 64  | dictionary word|
00001700  73 2c 20 69 6e 20 6f 72  64 65 72 20 74 6f 20 66  |s, in order to f|
00001710  6f 69 6c 20 61 6e 79 20  70 6f 73 73 69 62 6c 65  |oil any possible|
00001720  20 64 69 63 74 69 6f 6e  61 72 79 20 61 74 74 61  | dictionary atta|
00001730  63 6b 2e 0a 0a 8f 20 59  6f 75 20 63 61 6e 20 75  |ck.... You can u|
00001740  73 65 20 6e 6f 6e 2d 61  6c 70 68 61 62 65 74 69  |se non-alphabeti|
00001750  63 20 63 68 61 72 61 63  74 65 72 73 2c 20 73 75  |c characters, su|
00001760  63 68 20 61 73 20 6e 75  6d 62 65 72 73 20 6f 72  |ch as numbers or|
00001770  20 61 6e 79 20 6f 74 68  65 72 0a 73 79 6d 62 6f  | any other.symbo|
00001780  6c 73 20 6f 6e 20 79 6f  75 72 20 6b 65 79 62 6f  |ls on your keybo|
00001790  61 72 64 2e 20 54 68 65  73 65 20 63 61 6e 20 62  |ard. These can b|
000017a0  65 20 69 6e 73 65 72 74  65 64 20 69 6e 20 75 6e  |e inserted in un|
000017b0  65 78 70 65 63 74 65 64  20 70 6c 61 63 65 73 2e  |expected places.|
000017c0  20 46 6f 72 0a 65 78 61  6d 70 6c 65 2c 20 79 6f  | For.example, yo|
000017d0  75 20 63 61 6e 20 63 68  61 6e 67 65 20 74 68 65  |u can change the|
000017e0  20 77 6f 72 64 20 27 63  6f 6d 70 75 74 65 72 27  | word 'computer'|
000017f0  20 74 6f 20 27 63 30 6d  70 75 74 65 72 27 2c 20  | to 'c0mputer', |
00001800  27 39 38 25 63 6f 6d 70  75 74 65 72 27 2c 20 6f  |'98%computer', o|
00001810  72 0a 27 63 6f 6d 70 75  74 23 27 2e 20 54 68 65  |r.'comput#'. The|
00001820  20 75 73 65 20 6f 66 20  61 64 64 69 74 69 6f 6e  | use of addition|
00001830  61 6c 20 63 68 61 72 61  63 74 65 72 73 20 63 61  |al characters ca|
00001840  6e 20 69 6e 63 72 65 61  73 65 20 74 68 65 20 6e  |n increase the n|
00001850  75 6d 62 65 72 20 6f 66  0a 70 6f 73 73 69 62 6c  |umber of.possibl|
00001860  65 20 70 61 73 73 20 70  68 72 61 73 65 73 20 65  |e pass phrases e|
00001870  6e 6f 72 6d 6f 75 73 6c  79 2c 20 77 69 74 68 6f  |normously, witho|
00001880  75 74 20 6d 61 6b 69 6e  67 20 74 68 65 6d 20 6d  |ut making them m|
00001890  75 63 68 20 68 61 72 64  65 72 20 74 6f 0a 72 65  |uch harder to.re|
000018a0  6d 65 6d 62 65 72 2e 20  49 74 20 69 73 20 62 65  |member. It is be|
000018b0  73 74 20 74 6f 20 70 75  74 20 74 68 65 6d 20 69  |st to put them i|
000018c0  6e 20 75 6e 65 78 70 65  63 74 65 64 20 70 6c 61  |n unexpected pla|
000018d0  63 65 73 2e 20 41 6e 20  61 74 74 61 63 6b 65 72  |ces. An attacker|
000018e0  20 6d 61 79 0a 67 75 65  73 73 2c 20 66 6f 72 20  | may.guess, for |
000018f0  65 78 61 6d 70 6c 65 2c  20 74 68 61 74 20 79 6f  |example, that yo|
00001900  75 20 72 65 70 6c 61 63  65 64 20 27 6f 27 20 62  |u replaced 'o' b|
00001910  79 20 27 30 27 2e 0a 0a  8f 20 50 61 73 73 20 70  |y '0'.... Pass p|
00001920  68 72 61 73 65 73 20 69  6e 20 6d 61 6e 79 20 70  |hrases in many p|
00001930  72 6f 67 72 61 6d 73 2c  20 73 75 63 68 20 61 73  |rograms, such as|
00001940  20 50 47 50 2c 20 61 72  65 20 63 61 73 65 2d 73  | PGP, are case-s|
00001950  65 6e 73 69 74 69 76 65  2e 20 54 68 69 73 20 6d  |ensitive. This m|
00001960  65 61 6e 73 0a 74 68 61  74 20 69 74 20 69 73 20  |eans.that it is |
00001970  61 20 67 6f 6f 64 20 69  64 65 61 20 74 6f 20 6d  |a good idea to m|
00001980  69 78 20 75 70 70 65 72  20 61 6e 64 20 6c 6f 77  |ix upper and low|
00001990  65 72 20 63 61 73 65 2e  20 46 6f 72 20 65 78 61  |er case. For exa|
000019a0  6d 70 6c 65 2c 20 27 63  6f 6d 70 75 74 65 72 27  |mple, 'computer'|
000019b0  2c 0a 63 6f 6d 50 55 54  65 72 20 61 6e 64 20 43  |,.comPUTer and C|
000019c0  4f 4d 50 55 54 45 52 20  77 6f 75 6c 64 20 61 6c  |OMPUTER would al|
000019d0  6c 20 62 65 20 74 72 65  61 74 65 64 20 61 73 20  |l be treated as |
000019e0  64 69 73 74 69 6e 63 74  2e 0a 0a 8f 20 49 66 20  |distinct.... If |
000019f0  79 6f 75 20 6b 6e 6f 77  20 61 6e 79 20 77 6f 72  |you know any wor|
00001a00  64 73 20 66 72 6f 6d 20  66 6f 72 65 69 67 6e 20  |ds from foreign |
00001a10  6c 61 6e 67 75 61 67 65  73 2c 20 79 6f 75 20 63  |languages, you c|
00001a20  61 6e 20 69 6e 63 6c 75  64 65 20 73 6f 6d 65 20  |an include some |
00001a30  69 6e 20 79 6f 75 72 0a  70 61 73 73 20 70 68 72  |in your.pass phr|
00001a40  61 73 65 2e 0a 0a 8f 20  59 6f 75 20 63 61 6e 20  |ase.... You can |
00001a50  69 6e 76 65 6e 74 20 79  6f 75 72 20 6f 77 6e 20  |invent your own |
00001a60  6e 6f 6e 73 65 6e 73 65  20 77 6f 72 64 73 2c 20  |nonsense words, |
00001a70  6c 69 6b 65 20 74 68 65  20 66 61 6d 6f 75 73 20  |like the famous |
00001a80  77 6f 72 64 20 27 6a 61  62 62 65 72 77 6f 63 6b  |word 'jabberwock|
00001a90  79 27 0a 63 6f 69 6e 65  64 20 62 79 20 4c 65 77  |y'.coined by Lew|
00001aa0  69 73 20 43 61 72 72 6f  6c 6c 2e 0a 0a 8f 20 59  |is Carroll.... Y|
00001ab0  6f 75 20 63 61 6e 20 63  72 65 61 74 65 20 63 6f  |ou can create co|
00001ac0  6d 70 6c 65 74 65 6c 79  20 6d 65 61 6e 69 6e 67  |mpletely meaning|
00001ad0  6c 65 73 73 20 27 77 6f  72 64 73 27 20 63 6f 6e  |less 'words' con|
00001ae0  73 69 73 74 69 6e 67 20  6f 66 20 61 70 70 61 72  |sisting of appar|
00001af0  65 6e 74 6c 79 0a 27 72  61 6e 64 6f 6d 27 20 63  |ently.'random' c|
00001b00  68 61 72 61 63 74 65 72  73 2c 20 62 75 74 20 77  |haracters, but w|
00001b10  68 69 63 68 20 61 72 65  20 65 61 73 79 20 74 6f  |hich are easy to|
00001b20  20 72 65 6d 65 6d 62 65  72 2e 20 46 6f 72 20 65  | remember. For e|
00001b30  78 61 6d 70 6c 65 2c 20  27 69 6c 72 6f 27 0a 6d  |xample, 'ilro'.m|
00001b40  69 67 68 74 20 73 74 61  6e 64 20 66 6f 72 20 27  |ight stand for '|
00001b50  49 20 6c 6f 76 65 20 52  49 53 43 20 4f 53 27 2e  |I love RISC OS'.|
00001b60  0a 0a 8f 20 42 65 61 72  20 69 6e 20 6d 69 6e 64  |... Bear in mind|
00001b70  20 74 68 61 74 20 79 6f  75 20 63 61 6e 20 75 73  | that you can us|
00001b80  65 20 61 6e 79 20 70 72  69 6e 74 61 62 6c 65 20  |e any printable |
00001b90  41 53 43 49 49 20 63 68  61 72 61 63 74 65 72 73  |ASCII characters|
00001ba0  2c 20 6e 6f 74 20 6a 75  73 74 20 74 68 65 0a 6f  |, not just the.o|
00001bb0  6e 65 73 20 74 68 61 74  20 61 70 70 65 61 72 20  |nes that appear |
00001bc0  6f 6e 20 74 68 65 20 6b  65 79 62 6f 61 72 64 2e  |on the keyboard.|
00001bd0  20 46 6f 72 20 65 78 61  6d 70 6c 65 2c 20 74 68  | For example, th|
00001be0  65 20 63 6f 70 79 72 69  67 68 74 20 73 79 6d 62  |e copyright symb|
00001bf0  6f 6c 20 a9 20 63 61 6e  20 62 65 0a 6f 62 74 61  |ol . can be.obta|
00001c00  69 6e 65 64 20 62 79 20  68 6f 6c 64 69 6e 67 20  |ined by holding |
00001c10  64 6f 77 6e 20 74 68 65  20 41 4c 54 20 6b 65 79  |down the ALT key|
00001c20  2c 20 74 79 70 69 6e 67  20 31 36 39 20 6f 6e 20  |, typing 169 on |
00001c30  74 68 65 20 6e 75 6d 65  72 69 63 20 6b 65 79 70  |the numeric keyp|
00001c40  61 64 2c 20 61 6e 64 0a  74 68 65 6e 20 72 65 6c  |ad, and.then rel|
00001c50  65 61 73 69 6e 67 20 74  68 65 20 41 4c 54 20 6b  |easing the ALT k|
00001c60  65 79 2e 20 44 65 74 61  69 6c 73 20 6f 66 20 68  |ey. Details of h|
00001c70  6f 77 20 74 6f 20 67 65  74 20 61 6c 6c 20 73 75  |ow to get all su|
00001c80  63 68 20 63 68 61 72 61  63 74 65 72 73 20 63 61  |ch characters ca|
00001c90  6e 20 62 65 0a 66 6f 75  6e 64 20 69 6e 20 79 6f  |n be.found in yo|
00001ca0  75 72 20 63 6f 6d 70 75  74 65 72 27 73 20 55 73  |ur computer's Us|
00001cb0  65 72 20 47 75 69 64 65  2e 0a 0a 8f 20 59 6f 75  |er Guide.... You|
00001cc0  20 63 61 6e 20 64 69 73  67 75 69 73 65 20 64 69  | can disguise di|
00001cd0  63 74 69 6f 6e 61 72 79  20 77 6f 72 64 73 20 62  |ctionary words b|
00001ce0  79 20 75 73 69 6e 67 20  73 74 72 61 6e 67 65 20  |y using strange |
00001cf0  61 6e 64 20 75 6e 65 78  70 65 63 74 65 64 0a 73  |and unexpected.s|
00001d00  70 65 6c 6c 69 6e 67 73  2e 20 46 6f 72 20 65 78  |pellings. For ex|
00001d10  61 6d 70 6c 65 2c 20 74  68 65 20 77 6f 72 64 20  |ample, the word |
00001d20  27 63 6f 6d 70 75 74 65  72 27 20 63 61 6e 20 62  |'computer' can b|
00001d30  65 20 63 68 61 6e 67 65  64 20 74 6f 20 27 6b 6f  |e changed to 'ko|
00001d40  6d 70 75 74 74 61 27 2e  0a 0a 8f 20 44 69 63 74  |mputta'.... Dict|
00001d50  69 6f 6e 61 72 79 20 77  6f 72 64 73 20 63 61 6e  |ionary words can|
00001d60  20 61 6c 73 6f 20 62 65  20 68 69 64 64 65 6e 20  | also be hidden |
00001d70  62 79 20 75 73 69 6e 67  20 65 78 74 72 61 20 73  |by using extra s|
00001d80  70 61 63 65 73 2c 20 6f  72 20 6f 6d 69 74 74 69  |paces, or omitti|
00001d90  6e 67 0a 73 70 61 63 65  73 2c 20 61 73 20 69 6e  |ng.spaces, as in|
00001da0  20 27 63 6f 6d 20 70 75  74 65 72 27 20 6f 72 20  | 'com puter' or |
00001db0  27 41 63 6f 72 6e 63 6f  6d 70 75 74 65 72 27 2e  |'Acorncomputer'.|
00001dc0  0a 0a 8f 20 54 68 65 20  74 65 63 68 6e 69 71 75  |... The techniqu|
00001dd0  65 73 20 73 75 67 67 65  73 74 65 64 20 61 62 6f  |es suggested abo|
00001de0  76 65 20 62 65 63 6f 6d  65 20 65 76 65 6e 20 6d  |ve become even m|
00001df0  6f 72 65 20 65 66 66 65  63 74 69 76 65 20 77 68  |ore effective wh|
00001e00  65 6e 20 75 73 65 64 20  69 6e 0a 63 6f 6d 62 69  |en used in.combi|
00001e10  6e 61 74 69 6f 6e 2e 20  41 6e 20 65 78 61 6d 70  |nation. An examp|
00001e20  6c 65 20 6d 69 67 68 74  20 62 65 20 74 68 65 20  |le might be the |
00001e30  27 77 6f 72 64 27 20 27  4d 59 32 63 30 6d 70 75  |'word' 'MY2c0mpu|
00001e40  74 61 73 40 68 6f 6d 65  27 2e 0a 0a 41 20 66 69  |tas@home'...A fi|
00001e50  6e 61 6c 20 77 6f 72 64  20 6f 66 20 61 64 76 69  |nal word of advi|
00001e60  63 65 3a 20 57 68 61 74  65 76 65 72 20 79 6f 75  |ce: Whatever you|
00001e70  20 64 6f 2c 20 64 6f 6e  27 74 20 65 76 65 72 20  | do, don't ever |
00001e80  77 72 69 74 65 20 64 6f  77 6e 20 79 6f 75 72 20  |write down your |
00001e90  70 61 73 73 0a 70 68 72  61 73 65 20 6f 72 20 73  |pass.phrase or s|
00001ea0  74 6f 72 65 20 69 74 20  69 6e 20 61 6e 79 20 63  |tore it in any c|
00001eb0  6f 6d 70 75 74 65 72 20  66 69 6c 65 2e 20 49 66  |omputer file. If|
00001ec0  20 79 6f 75 20 64 6f 2c  20 69 74 27 73 20 61 73  | you do, it's as|
00001ed0  6b 69 6e 67 20 66 6f 72  20 74 72 6f 75 62 6c 65  |king for trouble|
00001ee0  2e 20 0a 59 6f 75 72 20  70 61 73 73 20 70 68 72  |. .Your pass phr|
00001ef0  61 73 65 20 73 68 6f 75  6c 64 20 65 78 69 73 74  |ase should exist|
00001f00  20 6f 6e 6c 79 20 69 6e  20 79 6f 75 72 20 68 65  | only in your he|
00001f10  61 64 21 0a 0a 0a                                 |ad!...|
00001f16