
A pentester's advice on creating strong passwords

This Tutorial addresses:
  • Windows
  • Windows 7
  • Security
  • Strong
  • Reset Password
I have seen a lot of guides on websites like this for creating and managing passwords, and to be quite honest they are all very, very poor. So I wanted to give you a guide on creating strong passwords. I have been a pentester for over 15 years, and I have done penetration tests for both big and small companies.

There are two different types of attacks that I normally do. The first is a physical security test: are users leaving things like computers unlocked or passwords hidden under their keyboards, and are there employees who are completely unaware of a physical threat that could cause the company to lose its valuable data? The other is what is called a social engineering attack: calling companies and trying to con employees into giving out valuable information. Being completely honest, 90% of the time the employees fail this test, and they give out information without even realizing what they just did. I won't go into much more detail on this because other researchers have posted about it in the past on infosec forums.

Now on to the part that most people are concerned about: how can I create a super strong, easy to remember password? For someone like me it is quite easy, but first let's take a quick look at some ways not to create a strong password.

Let's say your name is John, and you really like going duck hunting, so John has been using the password sillyduck for the past 10 years. Now how would we make this strong? I bet I know your answer.

John could make his password something like sillyduck123, or how about sillyduck1, or sillyduck89 for the year he was born, etc. Oh man, now let's get really creative: Sillyduck89. See how creative we just got? We made the S at the beginning upper case. Now we are uncrackable! Sadly that is not the case. A lot of companies that I have pentested have these policies, and this is the most common way that people create their supposedly stronger password.

Now here is the mistake. All I would need to do is extract the hashes and create a word list to try to crack all of their passwords. Let's say that on my first attempt I cracked all of their passwords, without any rules set, in 12 hours using a GPU-based cracking program. With the new policy in place it may take me longer and I might miss a lot of them, but an attacker might simply say "just add an upper case letter to the first part of every password on the list and then add some random number from 1 to 999". The cracker then builds a new list from the one that just cracked all of the old passwords, this time adding every password generated with that new rule. Start up the program... ding, 99.9% cracked. Hmm, are these passwords really all that secure? Now let's look at the password that we didn't crack: oh look, someone used an upper case L and an upper case C in the middle of sillyduck123 instead of at the beginning. This is good, but not the best.

Now here is how I like to create passwords, and how I advise others to create passwords, especially anyone with any type of power on a website such as an admin or moderator: make the password as irrelevant to you as possible, and don't use just one word. I recommend a password that is at least 15 characters long. Let's get into creating this super password. What I like to do is think of a sentence, say something like:

My wife hates it when I eat spicy food at the taco place before I go to bed.

Now how do we make this long sentence a password?

  • My: we can have that be an m
  • wife: could be a W or even vv, but let's make it a capital W
  • hates: let's make that an h
  • it: well, the i looks kind of like a !, so let's use !, and whenever we run into an i let's change it to an !
  • when: let's make that an upper case W
  • I: yet again, let's make it an !
  • eat: let's make it a lower case e
  • spicy: let's make it a $, and use $ whenever we run into an s
  • food: let's use a lower case f
  • at: let's use an upper case A (we could use @, but I feel we have too many symbols already)
  • the: let's just make it capital, and remember to use that rule for all the t's that we have: T
  • taco: so yet again another capital T
  • place: let's make that a lower case p
  • before: let's also make that a lower case b
  • I: let's use !, because we will always use ! for anything that starts with an i: !
  • go: let's make the g a capital, and always use G as an upper case in all of our other passwords: G
  • to: yet again we are going with an upper case T
  • and then bed: lower case b

So our new password is

mWh!W!e$fATTpb!GTb

Now doesn't that look confusing just looking at the password? It seems impossible to remember without our sentence-based password creation system.
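As an added example that is not part of the original post, here is a small Python helper that applies the scheme above (first letter of each word, with the post's substitutions for i, s, t, g, w and a) and checks the post's 15-character recommendation; the mixed-character-class check is my own reading of the advice, not something the post states.

```python
# Added example (not from the original post): reproduce the post's
# sentence-to-password scheme and check its own recommendations.

# Substitution rules taken from the post: first letter of each word, with
# i -> !, s -> $, and t/g/w/a written in upper case; everything else lower case.
DEFAULT_RULES = {"i": "!", "s": "$", "t": "T", "g": "G", "w": "W", "a": "A"}


def sentence_to_password(sentence: str, rules: dict = None) -> str:
    """Take the first letter of each word and apply the substitution rules."""
    if rules is None:
        rules = DEFAULT_RULES
    out = []
    for word in sentence.split():
        first = word[0].lower()
        if not first.isalpha():
            continue  # skip standalone digits or punctuation
        out.append(rules.get(first, first))
    return "".join(out)


def meets_post_advice(password: str, min_len: int = 15) -> bool:
    """Length of at least 15 (the post's number) plus lower case, upper case
    and a symbol, so no single 'capitalize and append digits' rule covers it
    (the class check is an assumption added here, not the post's wording)."""
    has_lower = any(c.islower() for c in password)
    has_upper = any(c.isupper() for c in password)
    has_symbol = any(not c.isalnum() for c in password)
    return len(password) >= min_len and has_lower and has_upper and has_symbol


if __name__ == "__main__":
    sentence = "My wife hates it when I eat spicy food at the taco place before I go to bed."
    pw = sentence_to_password(sentence)
    print(pw, meets_post_advice(pw))  # mWh!W!e$fATTpb!GTb True
    print("Sillyduck89", meets_post_advice("Sillyduck89"))  # Sillyduck89 False
```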

I really would advise anyone to use this system for creating strong passwords.
I'm not just a gamer, I do this for a living, so take it from a professional who actually pentests and cracks websites, networks, and users' passwords for a living.

If you have any questions just send me a pm on tomshardware, and as always thanks for reading.
