|Kurt Muhl (right), an ethical hacker with RedTeam Security|
"One of the easiest ways to give yourself a strong password would be using a full sentence," said Kurt Muhl of RedTeam Security.
Based in St. Paul, Minn, the cybersecurity firm of ethical "white hat" hackers helps companies find security flaws before the bad guys do.
The full-sentence technique works like this: Think of an everyday phrase that you can remember, like "My #1 favorite thing in the world is my family," or as Muhl gives as an example, "I bought my house for $1."
Then you take that sentence and convert it to a password by grabbing the first letter of each word. "I bought my house for $1" then becomes Ibmhf$1.
"That's going to give your uppercase, lowercase, a number, and special characters in there," Muhl said. "It's something that's easy to remember. All you gotta do is remember that sentence."
It seems simple, yet many people still resort to weak passwords, which hackers can easily guess using free software tools like John the Ripper. A password that has a word found in a dictionary with a number thrown on the end is something that a tool like "John" could break in about an hour, Muhl explained.
Passwords like "123456" or "password" — consistently found on worst password lists — would only take seconds to crack.
"That is the first thing that we try to go after," Muhl said.
As Muhl explained, John works off dictionary lists — massive text files you can find on any number of hacker forums — that contain words, phrases, numbers, and other password possibilities. It basically keeps trying combinations of words and numbers until it gets it right, which wouldn't take long if the password is particularly weak.
But Muhl's technique makes a dictionary attack fairly impossible, since it's not a word at all. The password becomes even stronger if you have more characters, since the added length ups the number of possibilities.
"The longer your passwords could possibly be," Muhl said. "The more guesses it's gonna take for me to get it right."