Picking Passwords that Defeat Hackers and Spies

It is hard to pick good passwords if you don't know what one looks like. It helps to see the mistakes others make.

MySpace Passwords Aren't So Dumb

http://www.wired.com/politics/security/commentary/securitymatters/2006/12/72300

MySpace password exploit: Crunching the numbers (and letters)

http://www.infoworld.com/d/security-central/myspace-password-exploit-crunching-numbers-and-letters-983

Password Security: What Users Know and What They Actually Do

http://psychology.wichita.edu/surl/usabilitynews/81/Passwords.asp

How I’d Hack Your Weak Passwords

http://onemansblog.com/2007/03/26/how-id-hack-your-weak-passwords/

Check your password—is it strong?

https://www.microsoft.com/security/pc-security/password-checker.aspx?WT.mc_id=Site_Link

(Warning: Although this password strength-testing page claims that your password is not transmitted over the internet, there is no way to guarantee this. You may want to use new, made-up passwords to see how the strength tester responds, then create your real password that you don't type into the strength tester.)

Secure Passwords Keep You Safer

http://www.schneier.com/essay-148.html

This article by Bruce Schneier has an excellent overview of PRTK and its strategy for cracking passwords. PRTK ("Password Recovery Toolkit") is software containing a smart guessing system. For more on this commercial product, try:

PRTK

http://accessdata.com/

Once you understand what PRTK is doing you can greatly improve your passwords, perhaps to the point that PRTK no longer has a chance at cracking them. Although PRTK is not the same as the NSA, understanding how to defeat a PRTK attack probably gives you 90% to 99% of the awareness and skills needed to create passwords that would defeat government-based password cracking.