
The importance of password complexity

October 24th, 2007

Filed under: security — mike hall @ 11:33 pm

Coding Horror’s Jeff Atwood posted today about Elcomsoft’s new technology, which uses your video card’s GPU to speed up its password cracking by a factor of 25. A factor of 25 is nothing to sneeze at; however, that 25 is quickly dwarfed by the orders-of-magnitude increase in the time it takes to crack your password once you start adding characters and complexity to it. Basically, it all boils down to a tried and true law of the security world:

Don’t use short passwords with a small character set.

Short, single-case passwords are simply insecure, but there are several good ways to increase the security of your password:

1. Use multiple words. It can be a sentence or a simple phrase. It can be a lyric from a song or your favorite quote (unless you’ve already posted that on FaceBook of course). It’s something you already remember, so why not use it here too?

2. Mix in some numbers and special characters. You can use l33t sp34k and substitute similar numbers or special characters for their alphabetic equivalent. You can add in punctuation or substitute characters 4 words. It’s easy + not that hard 2 remember.

3. Use a different language. If your first language is English, use Spanish, French or one of the other Romance languages. Dictionary attacks aren’t very productive if the bad guy is using the wrong dictionary! Better yet, use a relatively unknown language. As long as it uses the Latin alphabet, it’s fair game for use in passwords. That would even include something like romanized Japanese. You could learn a few words to create a passphrase that’s relatively easy to remember and virtually impossible for anyone to guess.

4. Don’t use short passwords! As much as you may want to believe it, eight characters aren’t enough. With Elcomsoft’s new technology and an eight-character password you have:

	52^8 / 200,000,000 pps / 60 / 60 / 24 = 3.1 days

So you have to change your password every three days. Ten characters offer a little more of a cushion:

	52^10 / 200,000,000 pps / 60 / 60 / 24 / 365 = 23 years

And with twelve or more… well, you’re pretty much set for life:

	52^12 / 200,000,000 pps / 60 / 60 / 24 / 365 = 61,973 years
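The arithmetic above, worked through in code. This is an added example and not part of the original post: it takes the post's stated alphabet of 52 letters (a-z plus A-Z) and rate of 200,000,000 guesses per second, reproduces the 8, 10 and 12 character figures, and then generalizes to other alphabet sizes (the 26, 62 and 95 symbol alphabets are my own assumptions for comparison) and to the question the opening paragraph raises: how many extra characters cancel out a 25x faster attacker.

```python
# Added example, not code from the original post: worst-case brute-force time
# for a password of a given length over a given alphabet at a fixed guess rate.
# The post's figures use a 52-symbol alphabet (a-z plus A-Z) and 200,000,000
# guesses per second; the other alphabet sizes below are assumptions added
# for comparison.

SECONDS_PER_DAY = 60 * 60 * 24
SECONDS_PER_YEAR = SECONDS_PER_DAY * 365
POST_RATE = 200_000_000  # passwords per second, as stated in the post

# Alphabet sizes for the comparison table (assumed, not from the post)
ALPHABETS = {
    "lowercase only": 26,
    "mixed case": 52,
    "mixed case + digits": 62,
    "printable ASCII": 95,
}


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols."""
    return alphabet_size ** length


def exhaust_seconds(alphabet_size: int, length: int, rate: int = POST_RATE) -> float:
    """Seconds to try every password: the attacker's worst case (expected time is half)."""
    return keyspace(alphabet_size, length) / rate


def exhaust_days(alphabet_size: int, length: int, rate: int = POST_RATE) -> float:
    return exhaust_seconds(alphabet_size, length, rate) / SECONDS_PER_DAY


def exhaust_years(alphabet_size: int, length: int, rate: int = POST_RATE) -> float:
    return exhaust_seconds(alphabet_size, length, rate) / SECONDS_PER_YEAR


def chars_to_offset_speedup(speedup: float, alphabet_size: int) -> int:
    """Extra characters needed to restore the original crack time after the
    attacker gets `speedup` times faster. Each added character multiplies the
    keyspace by `alphabet_size`, so find the smallest k with size**k >= speedup."""
    k, factor = 0, 1
    while factor < speedup:
        factor *= alphabet_size
        k += 1
    return k


def table(rate: int = POST_RATE, lengths=(8, 10, 12)) -> list:
    """(alphabet name, length, years to exhaust) for every alphabet and length."""
    rows = []
    for name, size in ALPHABETS.items():
        for n in lengths:
            rows.append((name, n, exhaust_years(size, n, rate)))
    return rows


if __name__ == "__main__":
    print(f"52^8  at 200M/s: {exhaust_days(52, 8):.1f} days")
    print(f"52^10 at 200M/s: {exhaust_years(52, 10):.0f} years")
    print(f"52^12 at 200M/s: {exhaust_years(52, 12):,.0f} years")
    print("extra characters that cancel a 25x speedup:", chars_to_offset_speedup(25, 52))
    for name, n, years in table():
        print(f"{name:>22} x{n}: {years:>16,.2f} years")
```

The `chars_to_offset_speedup` result is the point of the whole post in one number: against a 52-symbol alphabet, a single extra character (a factor of 52) more than cancels the 25x GPU speedup.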

On the flash drive I carry on my keychain, I use TrueCrypt with a password 21 characters long. That may seem unreasonable but using all the principles above makes it very manageable.

5. For website passwords, mix in the name of the website or domain in some formulaic manner. If you’re creating a password for your shiny new profile at Virb, intermix a common password starting point with “virb”. For instance, say you like gargoyles. You could do something like:

g   a   r   g   o   y   l   e
  v   i   r   b   v   i   r
- - - - - - - - - - - - - - -
g v a i r r g b o v y i l r e

…where you repeat either the domain or the starting point until the other is done. Another method is to take the domain and apply a transform to it. Say our transform was 1 key to the lower right, then 3 keys to the right, with edge wrapping. If we applied that to our account at delicious, we would get nhx'u'a;b.
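The interleaving scheme from the gargoyle/virb table, as an added example that is not code from the original post. The post only shows the case where the starting word is longer than the domain; what happens when the domain is the longer string is my own assumption (the shorter string cycles and the result ends with the longer string's last character).

```python
# Added example, not code from the original post: the "interleave a base word
# with the site name" scheme from item 5, as read from the post's table.
# The post only shows the case where the base word is longer than the domain.
# Behaviour when the domain is longer is an assumption: the shorter string
# cycles, and the result ends with the longer string's last character.


def interleave(base: str, domain: str) -> str:
    """Alternate characters of `base` and `domain`, cycling the shorter one."""
    if not base or not domain:
        raise ValueError("both strings must be non-empty")
    n = max(len(base), len(domain))
    out = []
    for i in range(n):
        out.append(base[i % len(base)])
        out.append(domain[i % len(domain)])
    if len(base) > len(domain):
        # base finished last, so the trailing (cycled) domain character is
        # dropped, matching the post's gargoyle/virb example
        out.pop()
    return "".join(out)


if __name__ == "__main__":
    print(interleave("gargoyle", "virb"))       # gvairrgbovyilre, as in the post's table
    print(interleave("gargoyle", "delicious"))  # domain longer than base (assumed behaviour)
```

One thing worth keeping in mind when reviewing a scheme like this: the per-site variation is a mnemonic convenience, not a source of secrecy. Anyone who sees one of the derived passwords can read the pattern off it, so the length and unpredictability still have to come from the starting phrase.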

Anyway, those are just a few ways to strengthen your passwords. Use just one of them for a little bump or use them in combination for extra insurance. It’s up to you to set your own password policy. So…

What password methodologies do you use?

6 Comments »

  1. […] Source [I Like Ellipses] […]

    Pingback by Security Roadmap » Got a good password?
    October 25, 2007 @ 5:19 am

  2. Excellent post - I’ve been working on a password meter for jQuery (http://dev.digitalspaghetti.me.uk/password/) and I’ve been looking at ways to make the algorithm produce a more realistic score based on the password.

    I’m going to look at your suggestions and see how I can use them to make better scoring for weak vs strong passwords.

    Comment by Tane Piper
    October 25, 2007 @ 6:03 am

  3. Tane, I took a look at your password meter. It looks like it already takes length and number/special character usage into consideration. I’d like to see what you do with it in the future, especially if you can work in my suggestions.

    Comment by mike hall
    October 25, 2007 @ 11:38 pm

  4. No probs Mike, I’ll let you know how it goes.

    Comment by Tane Piper
    October 26, 2007 @ 8:21 am

  5. How about locking the account after 3 tries?

    Comment by Jake
    November 12, 2007 @ 7:32 pm

  6. http://www.psylock.de/

    Comment by Jake
    November 12, 2007 @ 7:35 pm


This work is licensed under a Creative Commons Attribution 3.0 United States License.


Disclaimer: The opinions expressed herein are my own personal opinions and do not represent my employer's view in any way.