paper: Basic Password Security

Thread created automatically to discuss a document in CD-Media.

Basic Password Security
by: Don Rotolo

Brief tutorial on creating a secure password system

The need for password security is explained. A simple and flexible but very powerful system for creating very strong passwords is presented. A method to ensure no two passwords are the same, while making each password easily memorized, is given. Anyone who uses passwords should read this!

Basic Password Security.doc (23.5 KB)

Good topic.
You may also want to listen to episode 4 of Security Now. They discuss this same topic and coming up with a personal password policy.
Edit: They talk more in episode 5 also.

Admittedly, I use about 3 or 4 passwords for all my different accounts. I’m going to try and come up with a good password policy.

Brings up some good points. I personally have a weak password for all the sites that do not matter as much, but I have a stronger form of it (using capitalization and numbers) for the websites like my email and stuff like that. I think I will change them.

thanks, vivek

The problem with having a basic password with variations based on the site, account, etc. is that some sites have their own rules for passwords. It must be exactly X characters long, or some other such restriction. I like the concept though - I sure have difficulty remembering all my passwords when I go to pay my monthly bills online.

I’ve been using the same password since I started the internet and my father gave me my first E-mail account. Then for gaming I started using another set of passwords due to security reasons. I think now that I have quit gaming I need to mod up my regular passwords. I like the ‘system’ you mentioned. It’s a great idea, and even if you have a ‘core’ word and you don’t modify it between sites, at least remember there are different types of security involved with different types of sites. Although even if somebody gets your password on CD they can ruin your name, most of us might know who you are, or we have logs to check. But certain sites have strict systems of instant banning, and at that, for many sites it is hard to vouch for who you really are in the first place. And then don’t get me started on your banks and other VERY important passwords. Those should be a class all of their own and should never be copied anywhere. That might be part of my system if I get tired of 100000 passwords: three or four levels of security requiring different types of passwords. EX: L1 - Same pass, L2 - Different but similar, L3 - Different, no link whatsoever.
Also keep in mind that although it has been common for gaming and clans, there has been an exponential increase in the number of brute force programs being created and being used, so keep that in mind next time you make your password; characters like "Æ, æ, ™ " are not usually put in those algorithms. For more information on ALT + NUM keys click here.


Thanks for the site. This opens up lots of new password opportunities, as now I can put in symbols formed by ALT + (Team number).


I personally prefer using an md5 hash of an md5 hash of a word for my passwords. Yes, a bit harder to memorize, but quite difficult to crack.
Such as, the md5 of “test”
The md5 of that:
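The scheme in the post above, written out as an added example (this is example code for the thread, not code from the poster): the password is md5 of the hex md5 of a word. The second function shows the practitioner's caveat: whoever is guessing can apply the same two hashes to each dictionary word, so the 32-hex output costs an attacker exactly one attempt per candidate word, the same as the bare word would. The dictionary below is a constructed sample.

```python
"""Added example for the double-MD5 password idea: what it produces and
why its strength is that of the source word, not of the 32-hex output.
Not code from the original post."""
import hashlib


def md5_hex(data: str) -> str:
    """Hex MD5 digest of a UTF-8 string. MD5 is used only because the post
    proposes it; it is not a suitable password hash on its own."""
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def double_md5_password(word: str) -> str:
    """The scheme from the post: md5 of the hex md5 of a word."""
    return md5_hex(md5_hex(word))


def dictionary_attack(target: str, candidates):
    """Recover the source word by applying the same transform to each
    candidate. One attempt per dictionary word, exactly as it would be
    if the plain word were the password; the hashing added no entropy."""
    for word in candidates:
        if double_md5_password(word) == target:
            return word
    return None


# Constructed sample wordlist for the demonstration (assumption: the
# poster's source word is an ordinary dictionary word).
SAMPLE_DICTIONARY = ["password", "letmein", "dragon", "test", "qwerty"]

if __name__ == "__main__":
    pw = double_md5_password("test")
    print("double-MD5 password for 'test':", pw)
    print("recovered source word:", dictionary_attack(pw, SAMPLE_DICTIONARY))
```

The output looks random and is 32 characters long, but a guesser who suspects the scheme needs only as many tries as there are words in the list; a password is only as strong as the secret it is derived from.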

I may try doing that. Sounds like fun memorizing hashes.

Also, I set up a website one time, and when I went into phpMyAdmin to look at the user table, the passwords were in PLAIN TEXT. That means that any admin, or even a hacker who got access to that table in the database, would have all of the user names, passwords, emails, etc. of the users. Anyway, I decided not to use that script for the login.


Yep, there might be some exceptions - but I never have trouble remembering any of my passwords, so far…

Yes, and if you’re dumb enough to use the same password for everything, they can do quite a bit more… Maybe not to a high school kid, but think mid-life engineer and what “ruined” might entail.

Also, with no extra effort - actually less effort than your layer system - you can use strong and unique passwords everywhere. Why not then?

You, my friend, win the Uber-geek award for today.
(Anyone who knows what he means is a runner-up)


I don’t care how “strong” a password you use… if someone wants the info enough they will get it. There are always backdoors the industry and government agencies have embedded into your O/S.

If there's something you don't want someone to see… don't trust it to the internet or a computer that's hooked up to it.