Strength in Numbers

According to Gawker, the top three most popular passwords are:


The thirteenth most popular is “trustno1,” which was Agent Mulder’s password on The X-Files.  It’s definitely a cooler choice than “qwerty” (number 5 on the list), but not exactly adequate to keep the FBI from sneaking a peek.

At An Associate’s Mind, Keith Lee addresses the extant reality that the government can seize and search laptops that cross the border, no reason needed.  The arguments against this bastardization of the border search rationale notwithstanding, it remains that the courts have held no Fourth Amendment prohibition applies.  Recognizing this, Keith gets technical with how to protect one’s data.

For people of a certain age, computer passwords are a nightmare.  We struggle to remember our children’s names, even our own age.  Maybe it’s because the file cabinet is filled to overflowing, or maybe our parents were right that abusing our bodies in our teen years would come back to haunt us.  Whatever, we suffer from CRS in a big way.  Of the things we struggle to recall, passwords are the least of our problems.

The best we can hope for in this age where everything demands a password is to come up with something we are reasonably likely to remember and offers some small amount of security.  Our comprehension of the latter, however, is based on images of American cryptographers working night and day to break Japan’s secret codes in World War II.

Keith has disabused me of my romantic delusion.

Simple passwords are subject to brute-force cracking in a matter of minutes by the average desktop machine, never mind a workstation or cluster systems that a computer forensic lab will have available to crack a system.
For example, below is the time needed to crack a password consisting of 36 characters: The full alphabet, either upper or lower case (not both in this case) plus numbers.

0123456789 and either ABCDEFGHIJKLMNOPQRSTUVWXYZ or abcdefghijklmnopqrstuvwxyz

Password Length | Combinations | Class A  | Class B    | Class C  | Class D | Class E | Class F
3               | 46,656       | 4 Secs   | Instant    | Instant  | Instant | Instant | Instant
4               | 1.6 million  | 2½ Mins  | 16 Seconds | 1 Second | Instant | Instant | Instant
5               | 60.4 million | 1½ Hours | 10 Mins    | 1 Min    | Instant | Instant | Instant
Versus the time to crack a password that contains 96 characters: Mixed upper and lower case alphabet plus numbers and common symbols.

0123456789AaBbCcDdEeFfGgHhIiJjKkLlMmNnOoPpQqRrSsTtUuVvWwXxYyZz <SP>!"#$%&'()*+,-./:;<=>?@[\]^_`{|}~

Password Length | Combinations    | Class A      | Class B     | Class C   | Class D  | Class E  | Class F
3               | 884,736         | 88½ Secs     | 9 Secs      | Instant   | Instant  | Instant  | Instant
4               | 85 Million      | 2¼ Hours     | 14 Mins     | 1½ Mins   | 8½ Secs  | Instant  | Instant
5               | 8 Billion       | 9½ Days      | 22½ Hours   | 2¼ Hours  | 13½ Mins | 1¼ Mins  | 8 Secs
6               | 782 Billion     | 2½ Years     | 90 Days     | 9 Days    | 22 Hours | 2 Hours  | 13 Mins
7               | 75 Trillion     | 238 Years    | 24 Years    | 2½ Years  | 87 Days  | 8½ Days  | 20 Hours
8               | 7.2 Quadrillion | 22,875 Years | 2,287 Years | 229 Years | 23 Years | 2¼ Years | 83½ Days
Note: Class D is a typical desktop machine, or next year’s high-end smartphone.
Taken from:  Password Recovery Speeds. A full breakdown of password security is available from

So as should be painfully clear, choose a strong password.
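The quoted tables are easy to recompute, and doing so makes their assumptions visible. What follows is an added example, not code from the original post or from Keith Lee's; the per-class guess rates are not stated on the page and are inferred here as 10^4 through 10^9 guesses per second, which reproduce the table's rows, so treat them as an assumption rather than a figure the source gives.

```python
"""Brute-force keyspace and time-to-exhaust estimates.

Added example (not from the original post or Keith Lee's). The six "Class"
rates are inferred from the quoted tables: taken as 10^4 .. 10^9 guesses per
second they reproduce every row, so they are an assumption, not a figure
stated on the page.
"""
from __future__ import annotations

SECONDS_PER_YEAR = 365 * 24 * 3600

# Alphabet sizes used by the two quoted tables.
ALNUM_ONE_CASE = 36   # digits plus one case of letters
FULL_PRINTABLE = 96   # mixed case, digits and symbols, as the table counts them

# Assumed guess rates for Class A..F (see module docstring).
CLASS_RATES = {
    "A": 10**4, "B": 10**5, "C": 10**6, "D": 10**7, "E": 10**8, "F": 10**9,
}


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols."""
    return alphabet_size ** length


def seconds_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Worst case: every candidate is tried. The average case is half of this."""
    return keyspace(alphabet_size, length) / guesses_per_second


def human(seconds: float) -> str:
    """Render a duration roughly the way the quoted table does."""
    if seconds < 1:
        return "Instant"
    units = [("Years", SECONDS_PER_YEAR), ("Days", 86400),
             ("Hours", 3600), ("Mins", 60), ("Secs", 1)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return "Instant"


def crack_row(alphabet_size: int, length: int) -> dict[str, str]:
    """One table row: time to exhaust the keyspace at each class rate."""
    return {cls: human(seconds_to_exhaust(alphabet_size, length, rate))
            for cls, rate in CLASS_RATES.items()}


def crack_table(alphabet_size: int, lengths: range) -> list[tuple[int, int, dict[str, str]]]:
    """Rows of (length, combinations, per-class times) for the given lengths."""
    return [(n, keyspace(alphabet_size, n), crack_row(alphabet_size, n)) for n in lengths]


if __name__ == "__main__":
    for alpha in (ALNUM_ONE_CASE, FULL_PRINTABLE):
        print(f"\nAlphabet of {alpha} symbols")
        for n, space, row in crack_table(alpha, range(3, 9)):
            cells = "  ".join(f"{c}:{t}" for c, t in row.items())
            print(f"len {n}: {space:>22,}  {cells}")
```

Passing a different `guesses_per_second` to `seconds_to_exhaust` shows how the table ages: the figures assume a fast hash and an exhaustive, randomly ordered search, and a deliberately slow password hash or a dictionary-driven guess order moves them by orders of magnitude in opposite directions.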

What has become painfully clear is that there is no chance whatsoever that I will be able to remember a password that can’t be broken instantaneously.  If you can, you’re a better man than I am, Gunga Din.  There’s also a matter of encryption, and Keith provides some suggestions for that as well.

There are three alternatives, however, worthy of consideration.  The first is to have nothing incriminating or private on your electronic device as you enter the United States, making the search and seizure nothing more than wrong and inconvenient.  The second is to continue to argue that laptop searches bear no connection to the historic bases for causeless border searches in the hope that the federal courts will eventually apply the rationale rather than the rubric and distinguish opportunistic law enforcement searches that properly fall under the ambit of the Fourth Amendment.  Good luck with that.

The third is to fundamentally undermine the scheme concocted by the government to subvert and circumvent the reasonable expectation of privacy in our papers and effects by employment of special tools designed to thwart the government’s efforts to use any excuse to delve into our secret computer life:  A pen and paper.

No, Apple doesn’t make the iPen, and you won’t need a password to use one.

25 thoughts on “Strength in Numbers”

  1. Keith Lee

    [Note to SHG, you’ll want to strip the formatting tags I have on that text, it’s breaking your page. Migrate your blog to a modern platform! 🙂 ]

    A suggestion for the more, err, distinguished among us – learn to transpose letters with numbers and symbols.

    For example:
    @ = a
    # = h
    $ = s
    3 = e
    1 = l

    Then choose a word: Dogleash

    Using the above becomes: Dog13@$#

    Now you’re in the 7.2 Quadrillion range of password combinations.

    I know it’s against the rules but, for more see 133t: [Edit. Note: Fail.]

  2. Mark Draughn

    Uhm, excuse my ignorance of the law, but are you telling me in that last paragraph that pen-and-paper records are NOT subject to a search at the border? Because that would mean the Court’s ruling is not merely troubling but positively delusional.

  3. SHG

    Yes. They can look to see that it’s just a pen and paper (as opposed to a bazooka, a new Rolex on which duty is due or an anthrax infected posey), but that’s as far as it goes.

  4. Stephen

    re: the iPen. Would crossing the border with a thick stack of paper be considered suspicious?

    I’m particularly thinking of the “cryptowars” when the US classed some forms of strong encryption as munitions (with the export restrictions that entails) and the source code was printed out, literally smuggled to Canada in someone’s car and typed back in.

  5. Keith Lee

    This is still the case as far as I’m aware, see 22 U.S.C. Section 2778.

    You’re probably thinking of the hoopla surrounding PGP/RSA back in the 90s. People were putting the perl scripts for key generation on t-shirts and wearing them in airports and the like – to point out how ridiculous it was. You can probably still buy them.

  6. A Voice of Sanity

    You can put a copy of Keepass on a MicroSD card which is easily hidden. As a master password for that, you can memorize two or more 7 character passwords with punctuation marks and add them together to make one 14 character password. As the sources say, billions of years!

    ** It helps to learn mnemonics for punctuation marks like ‘bang’ for ‘!’.

  7. Mark Draughn

    When the PGP/RSA smuggling got started, they would print the source code, carry it across the border, scan it, and use OCR software to convert it back to a computer-readable format. This was error-prone and had to be hand-corrected, which was very time-consuming. They eventually switched to a process in which the source code would be pre-processed into a format that was less likely to be mis-converted on the receiving end, then reverse-converted to get the source code back. (e.g. “a=2*b;” would be printed as something like “name a equalsign number 2 asterisk name b semicolon”) The process got pretty fast and automated. Eventually, I think the Clinton administration un-designated the software as a controlled munition, perhaps because it was silly, or perhaps under pressure from privacy groups, but probably because businesses wanted to use it for secure communication with their foreign partners.

    I don’t remember RSA key generation on T-shirts, but I do remember that video content providers had used the DMCA to try to block distribution of the source code for a program called DeCSS that could crack DVD decryption without a licensed hardware chip. As a joke to illustrate how idiotic this was, some people printed the DeCSS code on a T-shirt and dared the media companies to sue to block distributing DeCSS that way. Which they did.

    I still have my DeCSS T-shirt somewhere…

  8. Mark Draughn

    I guess this is one of those cases where Orin Kerr’s “technology neutral” approach would actually be an improvement over current practice. Sheesh.

  9. SHG

    On the contrary, this IS technology neutral, the fault being that they can’t see what’s inside the computer thereby justifying the search and seizure.  After all, there could be an anthrax infected posey in there or a Rolex.  Or pictures.  They couldn’t possibly know and thereby protect society without searching.

  10. A Voice of Sanity

    Everything? No, but this is the sort of password Keepass generates AND remembers for you (it’ll even type it in for you):


    THIS I can’t remember!

  11. Mike

    I was locked out of my place last night. It took a locksmith less than 15 seconds to get in. If a hacker wants into my account, he’s going to get in.

    Passwords are mainly to keep non-pro snoops out. As a lawyer and reader, you have a lot of good options. E.g., “Title42USC1983” or “Title18USC201”. I also use book titles + publication dates. E.g., “Catch221961”.

    Even if I forget when Catch-22 or Great Gatsby or whatever was published, I can look it up.

    What’s annoying is every site is adding PIN requirements and requiring me to change passwords and make unique (to them) passwords. This is especially true of my student loan accounts. What could possibly happen to me if someone hacked into my student loan account? It’s not as if I can borrow more. So a hacker or snoop would know what I owe? Big whoop. Running my credit, which every employer and landlord does, shows the same thing. Who cares.

    Every “IT security” geek has to justify his existence, and so they make our lives miserable by imposing worthless password requirements on us.

  12. SHG

    It’s funny you should say that.  The bill came the other day for my New York Giants season tickets.  On the face of the bill was my name and password, written out for anyone looking at the bill to see.  It seemed like an incredibly stupid thing to do, so I gave them a call.

    A young guy who answered the phone listened diligently to me and said, “so if somebody steals your mail, rips open your bill, gets hold of your name and password and pays for your season tickets, what exactly is the problem?”  The only thing you can do online without email confirmation is pay for the tickets.

    My wife still didn’t like it, and was even more infuriated that I just started laughing.  The young guy had a point.  It reminded me of the guy whose wife’s credit card was stolen but never reported it because the thief spent less than his wife.

    The last time I got locked out of my house, I broke a small window to get in.  It cost less to fix the window than get a locksmith at night.

  13. Kathleen Casey

    Which is why when I drive over to Canada I might take my Daytimer but never a laptop, iPod, anything with chips.

  14. Wilbon Davis

    Encryption can be employed on laptops in two ways. You can encrypt single files and then decrypt them as needed for use. You can encrypt the hard drive and let the operating system deal with encrypting upon storage and decrypting on retrieval. The first may be more flexible and the second is more convenient.

    In the context of border searches, consider that if you use the second method, only one password must be discovered.
    A little known fact is that if your laptop is in ‘sleep’ mode or even if it has been turned off for only a short time, the main memory contents may be retrievable by those with the appropriate resources. (NSA has them.) That memory image may contain the decryption key for the hard drive.

    Now for some password advice:

    -The easiest passwords to crack are those that are based on words. To understand this, you should know how passwords are stored. Your password is not stored anywhere on the system. Rather, an encrypted form is stored. When you enter your password, it is encrypted and the encrypted form is compared to the stored version. If they match, you’re in. The trick is that it is very difficult to go from the encrypted form to the original password. Now for the vulnerability. The bad guys harvest dictionaries in all languages from the web. They even examine pages that talk about building passwords and record all the suggested good ones. Then, in a few seconds, they encrypt the dictionaries, all the combinations of two words, words with various capitalization schemes, combinations with a couple of digits appended, words with ! substituted for i, etc. and store the results in a database. Then, if the stored encrypted forms can be obtained, it is a matter of microseconds to find the corresponding password. So, DON’T use dictionary based passwords even with character substitutions, especially those based on visual similarity.

    -My favorite password scheme that avoids many of the problems is to use a memorable phrase, not a word. For example, I might use HMRMamwd remembering it as “How many roads must a man walk down?” If I need a digit, I’ll append some number such as a friend’s street address as in HMRMamwd243. I’ve also been known to use a friend’s address directly as in 243mitchell. Some folks use geometric schemes on the keyboard as in qazxswyhnmju.

    -Most folks tend to use the same passwords for multiple sites. If allowed to choose both user name and password, I generally add a consistent site identifier to both. If this site required an account, I’d use sjwilbondavis as user name and HMRMamwdsj as the password.

    -Be sure to never use any password example above. Within a few weeks, it will be in the cracking databases.

    If you’ve gotten this far, thanks for letting a retired professor profess a bit.
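Comment 1 proposes letter-for-symbol transpositions and credits the result with a 7.2 quadrillion keyspace; comment 14 describes the precomputed dictionary-plus-rules table that defeats exactly that. The following added example, not code from the original post or from any commenter, puts the two side by side: it builds the table from a small constructed wordlist using the transpositions from comment 1 and the case and appended-digit variants from comment 14, then recovers "Dog13@$#" from its hash with a few thousand candidates. The six-word wordlist, the target passwords and the use of plain SHA-256 as the stored hash are all assumptions made for the demonstration.

```python
"""Rule-based dictionary attack versus "leet" substitution.

Added example, not from the original post or from any commenter. Everything
here is constructed: the six-word WORDLIST, the target passwords, and the use
of plain SHA-256 as a stand-in for whatever hash the target system really
stores. The mangling rules are the letter transpositions proposed in comment 1
plus the case and appended-digit variants described in comment 14.
"""
from __future__ import annotations

import hashlib
import itertools
from typing import Iterable, Iterator

# Constructed wordlist. A real attacker uses multilingual dictionaries, leaked
# password corpora and, as comment 14 notes, the "good password" examples
# scraped from advice pages.
WORDLIST = ["password", "dogleash", "trustno1", "letmein", "gunga", "colossus"]

# The transpositions suggested in comment 1.
LEET = {"a": "@", "h": "#", "s": "$", "e": "3", "l": "1"}

# Optional suffixes: none, one digit, or two digits.
SUFFIXES = [""] + [str(d) for d in range(10)] + [f"{d:02d}" for d in range(100)]


def sha256_hex(password: str) -> str:
    """Hash as the (assumed) target system stores it: unsalted SHA-256."""
    return hashlib.sha256(password.encode()).hexdigest()


def leet_variants(word: str) -> Iterator[str]:
    """Apply the LEET map to every subset of eligible letters (2**k variants)."""
    slots = [i for i, ch in enumerate(word) if ch in LEET]
    for k in range(len(slots) + 1):
        for chosen in itertools.combinations(slots, k):
            chars = list(word)
            for i in chosen:
                chars[i] = LEET[chars[i]]
            yield "".join(chars)


def case_variants(word: str) -> Iterator[str]:
    """Lower, Capitalised and UPPER forms of a dictionary word."""
    yield word
    yield word.capitalize()
    yield word.upper()


def mangle(word: str) -> Iterator[str]:
    """Case variants x leet substitutions x suffixes, without duplicates."""
    seen: set[str] = set()
    for cased in case_variants(word):
        for leet in leet_variants(cased):
            for suffix in SUFFIXES:
                candidate = leet + suffix
                if candidate not in seen:
                    seen.add(candidate)
                    yield candidate


def build_lookup(words: Iterable[str]) -> dict[str, str]:
    """Precomputed hash -> password table, the 'database' of comment 14."""
    return {sha256_hex(c): c for w in words for c in mangle(w)}


def crack(stored_hashes: Iterable[str], table: dict[str, str]) -> dict[str, str]:
    """Offline lookup: each stolen hash that appears in the table is recovered."""
    return {h: table[h] for h in stored_hashes if h in table}


def guesses_needed(target_hash: str, words: Iterable[str]) -> int | None:
    """How many candidates an attacker hashes before the target matches."""
    candidates = itertools.chain.from_iterable(mangle(w) for w in words)
    for n, candidate in enumerate(candidates, start=1):
        if sha256_hex(candidate) == target_hash:
            return n
    return None


def nominal_keyspace(password: str, alphabet_size: int = 96) -> int:
    """The brute-force figure the quoted table would assign to this password."""
    return alphabet_size ** len(password)


def demo() -> dict[str, str]:
    """Recover three constructed targets from their hashes via the table."""
    table = build_lookup(WORDLIST)
    stolen = [sha256_hex(p) for p in ("Dog13@$#", "trustno1", "P@$$word99")]
    return crack(stolen, table)


if __name__ == "__main__":
    table = build_lookup(WORDLIST)
    target = "Dog13@$#"
    print(f"nominal keyspace for {target!r}: {nominal_keyspace(target):,}")
    print(f"candidates actually hashed:       {len(table):,}")
    print(f"guesses to hit it in order:       {guesses_needed(sha256_hex(target), WORDLIST)}")
    for h, pw in demo().items():
        print(f"{h[:16]}... -> {pw}")
```

The effective search space for a substituted dictionary word is the size of the dictionary times the size of the rule set (about fifteen thousand candidates here), not 96 raised to the password length, which is why the 7.2 quadrillion figure says nothing about how long "Dog13@$#" survives. The table lookup is instant once built, and a salted, deliberately slow password hash is what forces an attacker back to hashing each candidate per account.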

  15. David

    That photograph is of Colossus, which was used by mainly British cryptanalysts to break the German Lorenz cipher.

    Just sayin’.

  16. SHG

    Yeah, I know, but I couldn’t find the pic I was looking for and figured that nobody would bust my hump for my using the wrong one. My bad.
