Passwords coming out of my ears

Jeffrey Pyne plug-discuss@lists.plug.phoenix.az.us
Wed, 14 May 2003 11:32:32 -0700


On Tuesday, May 13, 2003 10:41 PM, foodog wrote:

> For secure passwords, two suggestions to start with: 1, 
> learn to write in 1337 (Leet), 2, choose a passphrase 
> and misspell it in leet. Combine those techniques with 
> a host-specific prefix or suffix and you're on the road 
> to using good passwords.

I do something pretty similar to this.  I take my base 37337 password (e.g.
"I love pie." ==> "! 1Uv p!3."), and prepend the first character of the
hostname or domain name in lowercase and postpend (?) the last character of
the hostname or domain name in uppercase.  So my password to www.hotmail.com
(if I had one) would be "h! 1Uv p!3.L", and my logon to appserver would be
"a! 1Uv p!3.R".  So, you would have a different password for every web site
or host, but you'd really only have to remember one.

I used to feel good about this scheme until I read on l0phtcrack's site:

"Consider that at one of the largest technology companies, where policy
required that passwords exceed 8 characters, mix cases, and include numbers
or symbols... 

* L0phtCrack obtained 18% of the passwords in 10 minutes 
* 90% of the passwords were recovered within 48 hours on a Pentium II/300 
* The Administrator and most Domain Admin passwords were cracked"

So what is a "good" password, really?  Does anyone have an example of a
password that would not be easily cracked by a tool such as l0phtcrack?

~Jeff
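As an added illustration (not part of the original post or thread), the script below implements the host-derived scheme Jeff describes and then takes the attacker's view: because the two extra characters come from the public hostname, anyone who recovers one derived password (e.g. from a cracked hash dump at one site) can strip them off and produce the password for every other host in a single guess. The base "! 1Uv p!3." and the hotmail/appserver examples are taken from the post; the `site_name` helper, which picks the bare name out of a dotted hostname the way the post does for www.hotmail.com, and the list of target hosts are assumptions made for the example.

```python
"""Added example: Jeff's prefix/suffix password scheme and why one leak
reveals the whole family. Not code from the original post."""


def site_name(host: str) -> str:
    """Reduce a hostname to the bare name the post keys on.

    Assumption (not stated in the post): for a dotted name such as
    www.hotmail.com the second-to-last label ("hotmail") is used; a
    plain host such as "appserver" is used as-is.
    """
    parts = [p for p in host.strip().lower().split(".") if p]
    if not parts:
        raise ValueError("empty hostname")
    return parts[-2] if len(parts) >= 2 else parts[0]


def derive_password(base: str, host: str) -> str:
    """The scheme from the post: first char of the name in lowercase,
    then the base, then the last char of the name in uppercase."""
    name = site_name(host)
    return name[0].lower() + base + name[-1].upper()


def recover_base(leaked: str) -> str:
    """Attacker side: the outer two characters are derived from the
    hostname, so dropping them yields the shared base."""
    if len(leaked) < 3:
        raise ValueError("too short to be a derived password")
    return leaked[1:-1]


def attack_other_hosts(leaked: str, hosts: list[str]) -> dict[str, str]:
    """From one leaked derived password, the single candidate password
    for each other host. No cracking is needed: exactly one guess each."""
    base = recover_base(leaked)
    return {h: derive_password(base, h) for h in hosts}


if __name__ == "__main__":
    base = "! 1Uv p!3."  # the base from the post
    # Constructed target list for the demonstration.
    targets = ["www.hotmail.com", "appserver", "mail.example.org"]
    family = {h: derive_password(base, h) for h in targets}
    for h, pw in family.items():
        print(f"{h:18} -> {pw!r}")

    # Suppose only the hotmail password leaks (say, cracked from a hash dump).
    leaked = family["www.hotmail.com"]
    guesses = attack_other_hosts(leaked, targets)
    for h in targets:
        print(f"guess for {h:18}: {guesses[h]!r}  correct={guesses[h] == family[h]}")
```

The point the code makes explicit: the per-host characters are a function of public data, so they add no secret material, and the "different password for every site" property collapses to "one password for every site" as soon as any one of them is recovered by a cracker.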