Bishop claims the Bible can help with password security

Filed Under: Featured, Privacy

A British Bishop claims that the Bible can provide invaluable support for those who want to use a better password online.

The Bishop of Rochester in Kent is urging his congregation this Easter to use Bible quotations to help them remember their website passwords.

According to The Right Reverend James Langstaff, "The Bible offers a life-long source of new passwords, that can include both upper and lower case letters and numbers to help create memorable, secure passwords."

The Bishop has suggested that users choose their favourite passage from the Bible, take the first letter from each word in the quote, and then append the chapter and verse.

For instance,

"Father, into your hands I commit my spirit." Luke Chapter 23 Verse 46.

creates a password of

FiyhIcmsL23V46

This sounds very much like the technique for how to create a more secure password I demonstrate in this YouTube video:


However, there's an important difference. In my video I took a made-up phrase ("Fred and Wilma sat down for a dinner of eggs and ham") rather than one that is contained in one of the world's most famous and popular books.

If someone knew that you were an active Christian, they might twig that you'll have chosen one of the more famous Bible quotes as the basis of your password.

You can also imagine that if the Bishop's password advice became popular, hackers would simply create a database of Bible quotes which they would use to break into your account.
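As an added example (not the article's own code), this Python implements the Bishop's recipe from above and then turns the objection just raised into a defender's check: is a candidate password derivable from a verse corpus, and how many bits of guessing does the scheme give once it is public? The four-verse corpus is a constructed stand-in, and the 31,102 figure is the KJV verse count quoted in the comments.

```python
import math
import re

# Constructed mini-corpus (a few well-known verses, keyed by book, chapter, verse).
# A real check would load a full text; the KJV alone has 31,102 verses.
VERSES = {
    ("Luke", 23, 46): "Father, into your hands I commit my spirit.",
    ("John", 3, 16): "For God so loved the world that he gave his one and only Son, "
                     "that whoever believes in him shall not perish but have eternal life.",
    ("Psalm", 23, 1): "The Lord is my shepherd; I shall not want.",
    ("Genesis", 1, 1): "In the beginning God created the heaven and the earth.",
}

WORD = re.compile(r"[A-Za-z][A-Za-z']*")

def acronym(phrase: str) -> str:
    """First letter of each word, case preserved, as the Bishop's rule prescribes."""
    return "".join(w[0] for w in WORD.findall(phrase))

def bishop_password(phrase: str, book: str, chapter: int, verse: int) -> str:
    """The article's exact recipe: acronym + book initial + chapter + 'V' + verse."""
    return f"{acronym(phrase)}{book[0]}{chapter}V{verse}"

def reference_variants(book: str, chapter: int, verse: int) -> set:
    """Spellings of the reference a user might append: 'L23V46', 'Luke23:46', 'luk23-46', or none."""
    names = {book, book[:3], book[0], book.lower(), book[:3].lower(), book[0].lower()}
    seps = ["", "V", "v", ":", "-", "."]
    variants = {""}  # the user appended no reference at all
    for name in names:
        for sep in seps:
            variants.add(f"{name}{chapter}{sep}{verse}")
    return variants

def derived_candidates(corpus: dict) -> set:
    """Every password the scheme can yield from this corpus, over all reference spellings."""
    candidates = set()
    for (book, chapter, verse), text in corpus.items():
        base = acronym(text)
        for ref in reference_variants(book, chapter, verse):
            candidates.add(base + ref)
    return candidates

def is_derivable(password: str, corpus: dict) -> bool:
    """Policy check: reject a password that is just a verse acronym plus a reference."""
    return password in derived_candidates(corpus)

def scheme_bits(n_verses: int, n_variants: int) -> float:
    """Guessing entropy once the scheme is public: log2(verses x reference spellings)."""
    return math.log2(n_verses * n_variants)

def random_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password, e.g. one from a password manager."""
    return length * math.log2(alphabet_size)

if __name__ == "__main__":
    pw = bishop_password(VERSES[("Luke", 23, 46)], "Luke", 23, 46)
    print(pw, is_derivable(pw, VERSES))  # FiyhIcmsL23V46 True
    n_var = len(reference_variants("Luke", 23, 46))
    print(f"scheme over a KJV-sized corpus: {scheme_bits(31102, n_var):.1f} bits")
    print(f"random 14 chars, 62-symbol alphabet: {random_bits(14, 62):.1f} bits")
```

With the scheme known, a whole-KJV corpus times 37 reference spellings is only about 20 bits, against roughly 83 bits for a random 14-character alphanumeric password of the same length.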

Furthermore, you should really be using different passwords on different sites - otherwise if a hacker steals your password from one place, they could use that same password to break into your other accounts.

So, my best advice would actually be to use a decent password management program, which would both generate random hard-to-crack passwords and store them securely.

Hat-tip: Kent News via TechEye.

Image of Bishop of Rochester, courtesy of YourMedway

41 Responses to Bishop claims the Bible can help with password security

  1. Glenn · 942 days ago

    The biggest problem with this that I see: if it were to gain popularity, one simply needs to ask their victim "What's your favorite bible quote?" - a question many would emphatically respond to truthfully. "That's beautiful, which book and chapter?"

    *hands the keys*

  2. Fionacat · 942 days ago

    Whilst it looks good let's break that down,

    FiyhIcmsL23V46

    14 characters long, no punctuation, and what was that quote again? Father into your hands ... uh let children .... make soup? Even the 23/46 could be hard to recall in time.

    It's a nice idea but there are stronger methods of generating a password.

    Oh and again, Oblig XKCD ref: https://xkcd.com/936/
    http://passphra.se/ does this for you: four random but longer words. It looks weak to a human brain, but the computer doesn't get to play Mastermind. A dictionary hacker might crack a 12 character word (with numbers and punctuation) after about 3 weeks, but a 24 character word with only a number is going to take decades.

    • lakawak · 942 days ago

      The people who would use this method would obviously KNOW the quote by heart. It certainly is an easier to remember quote than "Fred and Wilma sit down for a dinner of eggs and ham" though that also makes it slightly easier to guess.

    • mittfh · 940 days ago

      Slightly OT, but every time I see a reference to that xkcd cartoon, I can't help but wonder how many cracking dictionaries now contain "CorrectHorseBatteryStaple" (because you can bet some people will use that example verbatim as their password)? :)

      As for the Bishop's method, as others have said, to add all the possible combinations would require a considerable amount of work for what's likely to be a small minority of passwords.

      I expect the same method could also be applied to other religious texts, and a variant could even work with fiction: possibly something along the lines of quote, author, page, line.

  3. Xolile · 942 days ago

    Thank you for this. It will help us to keep more quotes

  4. Kreitsauce · 942 days ago

    See, I thought he was going to recommend doing something genius like transliterating Greek, Hebrew, Latin, or Chaldean words from the original languages of the Bible and then replace vowels with numbers or unusual characters. His way only works provided you keep your faith an absolute secret, which most Christians don't.

    • ascension2020 · 942 days ago

      @Kreitsauce: Side note because I can't resist: Latin and Chaldean were not original languages of the Bible. It was written in Hebrew, Greek, and Aramaic.

      @All: You're being a bit too hard on the bishop. His method works fine. The number of potential combinations of phrases in the Bible, combined with the variables of whether you add a book, chapter, and verse at all, and if you do whether or not you capitalize them or punctuate them or include a ":" between the chapter and verse, etc etc etc, creates way too many variables for anyone to attack in a reasonable amount of time.

      Add to this the fact that different translations will have different words for even the most popular phrases and you have a really good password management system. For example:

      "For God so loved the world that he gave his one and only Son, that whoever believes in him shall not perish but have eternal life." - John 3:16 NIV

      "“For God so loved the world, that he gave his only Son, that whoever believes in him should not perish but have eternal life." - John 3:16 ESV

      "For God loved the world so much that he gave his one and only Son, so that everyone who believes in him will not perish but have eternal life." - John 3:16 NLT

      "For God so loved the world, that He gave His only begotten Son, that whoever believes in Him shall not perish, but have eternal life." - John 3:16 NASB

      "This is how much God loved the world: He gave his Son, his one and only Son. And this is why: so that no one need be destroyed; by believing in him, anyone can have a whole and lasting life." - John 3:16 The Message

      Trying to create a dictionary combining all of these variables is not reasonable. The only way it might work is if someone knew you used the bishop's method AND they were able to determine your favorite phrase in the Bible. If you let someone know that much information about your password management, though, then that's not the system's fault, it's yours.

      • Mike · 942 days ago

        The problem is that once you make the method public it becomes less effective.

        Which he has, and now it is.

        Putting a couple of hundred passwords generated from bible quotes using this method into a brute force dictionary isn't going to ruin someone's week with a good script. The book is very neatly organized and well suited to be processed in that way. The entire King James is just a 1.2 MB text file. You could probably do the whole thing and add it to a brute force list. There are only 31,102 verses, which would mean that many passwords. Given that there are currently brute force dictionaries with 40 million potential passwords, including these isn't going to make any real difference to the effectiveness of those programs.

        It's best explained by the joke "My favorite password is g4rfl3sn4cks3np11ss:44, no one will ever guess that!"

        • ascension2020 · 941 days ago

          Mark,

          Your assumption that 31,102 verses means 31,102 passwords is incorrect. First, you have to take the different wording of translations into account. Not only is the wording different, but sometimes the verses themselves are different. For example, some popular translations like The Message string multiple verses together. If a person is memorizing from that translation then an attack on phrases pulled from the KJV or NIV wouldn't work. Additionally, many people don't choose an entire verse as their phrase. Some people like a portion of a verse or two or three verses strung together.

          On top of that you have to take other things like punctuation into account. Did I put the chapter / verse reference into my password? What about the book? Did I abbreviate it? Is the reference portion of my password Luke11, Luke1:1, Luk1:1, Lu1:1, luke11, luke1:1...luk1-1, lu1:1...and on and on.

          There are way, way more than 40,000,000 potential passwords from the bishop's system. 10 people could choose the same phrase as their base for creating their password and they could easily come up with 10 different passwords. It's going to be unique to the individual.

          Now, if someone already knows you're using that system then it does give them a base for attacking your password, but the majority of the time people aren't going to know your system. We don't even know how many members of the bishop's congregation adopted it. So I maintain that the bishop's system is just fine unless a person happens to be targeting you individually (something that is very rare unless you're a celebrity, CEO, government member, or other high profile target) AND they know with certainty that you are using this system.

  5. Tondalayo · 942 days ago

    Don't use your favorite Bible verse. Use one that only has real meaning to you and then don't share it.

  6. Nick · 942 days ago

    All that hackers would have to do is make a "bible" dictionary, and fill it with every verse or popular verse and bam, easily able to brute force any of their accounts. This guy has no idea what he's talking about, and should stay out of the cyber world of hackers. His logic seems nice, but to any hacker, it's just too simple.

  7. Lex · 942 days ago

    Sophos Labs said do not use dictionary words. What's the difference between a dictionary and a bible, as far as words go? I mean, does the bishop have a link for us all to go learn babble?

  8. DAG · 942 days ago

    I agree with all of you, however, considering the kinds of passwords I see people using *now*...I'd say the Bishop is on the right track by at least bringing awareness to those who listen to him. More power to 'em. Of course, I'm not sure where this leaves Atheists... :)

    • Tim · 942 days ago

      Couldn't help but think of Steve Martin's "Atheists ain't got no songs"

  9. Karoli · 942 days ago

    I personally think that it's a better idea than using '1234567890' or such, as it may be common with the older generation of church goers. Using Bible quotes in this case can be a good thing, because it seems easier to remember than a random sentence. I think that the Bishop is doing a good thing by warning his congregation of the dangers of weak passwords.

  10. gazza · 942 days ago

    I like his idea. I have not seen the article, but if a bit of extra advice offered by experts is followed too then it is ok. 2012FGs0LTWtHgH0S! (which is taken from John 3:16) and used numbers and punctuation to mix it up a little. Note I did not add chapter and verse this time. Next time I might just say J0hn3.16 for a password. I may have selected this one because it is not my favourite, but one that I wrote in my journal, say on the 16th of a month that has a family birthday in it. I never used these - I'm not that naive !
    My point is ... his advice mixed with wisdom ... It would take a MIRACLE to guess or to use a dictionary attack. As for wisdom, pick this one: 6T4oTL0rd.IsTboW

  11. I already use his method for one of my passwords. It involves the initial letters of a line in one of my favorite poems with a bit of dual case and punctuation. And I thought that I had invented that method.

    The problem with randomly generated strings is that I can't memorize them, so I have to write them down. Where better to store them than on my computer in a file called passwords. But wait . . Doh! See what I mean?

    • Robert Wurzburg · 941 days ago

      Use a good old typewriter to print out your passwords; when not in use keep it under lock and key. That's how I can easily use completely random passwords, with usernames and websites listed.
      It's not created or stored on any computer. Any password management program on any computer is also a VERY BAD idea. That leaves you with one attack surface for all of your passwords! Only one password to crack, the one for the password management program, and you're done for.

      • ascension2020 · 941 days ago

        Cracking a password isn't as easy as the movies make it out to be. Using a randomly generated password of, say, 12 characters (made of letters, numbers, and special characters) is more than enough to protect the password file of an average individual if it's stolen. As long as you're using a password manager with good encryption then you're golden.

  12. Peter Abraham · 942 days ago

    I recently published http://www.dynamicnet.net/2012/03/weak-passwords-... which uses the concept of picking four to five words to form a pass phrase.

    Picking words from the Bible works; though with any form of social hacking, you do want to be cautious for what you say or write as hackers can find out your favorite words to brute force test.

    The sad part about those picking on Reverend James Langstaff is that he's just trying to find a form of compromise between those who care more about convenience than security; so please applaud his effort and time spent, as we all benefit when more people choose more secure passwords.

  13. Machin Shin · 942 days ago

    I really think this is a pretty good idea so long as it is done properly. You can then actually use different passwords for different accounts and not worry about forgetting them. So long as you base it off the KJV then you can find them just about everywhere you go in hotels.

    Instead of remembering long passwords you remember verses. This same kind of idea could also be used with other books. A dictionary that you toss in your computer bag, for example. You can pick words and remember what word goes to what account. So long as you don't mark the pages in the dictionary it is not likely someone will crack it easily.

  14. whocares · 942 days ago

    Never ceases to amaze me how they will attempt to insinuate themselves (the religious, that is) into everything.

    I suppose when you are fighting being irrelevant you will try anything- including a pusillanimous and transparent attempt at getting his congregation to read and memorise the bible.

    What next we must all pray for guidance and protection before going online- gimme a break

    • ascension2020 · 942 days ago

      Never ceases to amaze me how they will attempt to insinuate themselves (those who hate religion that is) into everything.

      I suppose when you feel like you are fighting to make sure everyone finds religion irrelevant you will try anything-including an unwelcome and transparent attempt at weaving your views on religion into a tech discussion that has nothing to do with it.

      What next we must all debate theology every time we go to a security conference- gimme a break.

    • R0nin · 942 days ago

      Whoa, you're right! How dare a minister try to get his congregation to read and memorize the Bible! Who does he think he is, a... a minister or something?

      Looks to me like your anti-religious bias is showing. Might want to get that checked out. While you're at it, you might want to check your vocabulary. I don't think pusillanimous means what you think it means.

  15. Security · 942 days ago

    Well, it WAS a good idea... before it was published and suggested to a congregation. Now the hackers simply add that to their arsenal.

  16. R0nin · 942 days ago

    It looks to me like most of those who are criticizing this as being too simple, are unfamiliar with the Bible. This very much reads like you can only think of one or two verses from the Bible, so you assume those are the ones other people would use. Those who actually read the Bible will have dozens (if not hundreds) of "favorite verses", and of course there are thousands (millions?) of others to choose from as well.

    Don't be down on something just because you're not up on it.

  17. Jenny · 942 days ago

    Yes you did mean to, or you wouldn't have added the 'but ...'. Classic method to offend/disrespect/disagree etc while pretending not to.
    Sure he may have read your post, but then he may just have thought of it anyway.
    Many ppl struggle to remember passwords that are also strong. Good on him for sharing an idea that may assist other fellow Bible readers.

  18. Shandooga · 942 days ago

    "Claims"? How hard would it be to verify it? Why bother when you can cast doubt on the Bible at every opportunity?

  19. Mackaber · 941 days ago

    I might create a dictionary attack for this :)

  20. I've used variations of this for years! The key is to vary the exact implementation (words or first letters or even just references) and more importantly, use obscure verses that mean something to you and no-one else.

  21. Robert Wurzburg · 941 days ago

    The best password system is completely random, at least 15 characters, uses 4 or more special characters and symbols, upper/lower case, and numerics. It would not be created or stored on any computer system either. I use a typewriter to do this, and because it has electronic memory features can update it at any time and print it out. It's not connected to the Internet either.
    This is the Cisco Complex Password Specification, which everyone should follow to the extent websites allow you to do so. At least I can remember the ones I use every day using this system. This is an example of a very secure password:

    Cx#g&14$sT7*9Zy

    This meets the current Cisco Complex Password Specification and is extremely hard to hack. I recommend everyone use this system, and a typewriter to create/print them. When not in use keep it under lock and key.

    • R0nin · 941 days ago

      Not to argue, but the "best" password is one that people will actually use. It doesn't matter how secure it is, if people can't remember it or if they have to look it up and laboriously copy it out each time they use it-- because your average person simply won't use such a complex system.

      So while what you recommend is a very secure type of password, many/most people won't use it. And depending on what the password is for, it may not be important enough for the average user to go through the level of hassle involved in order to use it (say, for my logon for these comments, for example).

      I don't think anyone is saying that this "Bible" system is the best way to come up with a secure password. But it's probably far better than what a lot of people do, and it has the advantage of being somewhat random while still being memorable. Especially if you add your own variations such as upper/lowercase letters, varying the order of the chapter/verse, etc.

      • mittfh · 940 days ago

        Alternatively, especially if you're registered on numerous different sites and your memory can only cope with a handful of passwords, use a password manager to set unique, complex passwords for the sites you visit combined with a secure mnemonic-based password as the master password.

        Obviously also ensure you don't use your master password for any online sites - particularly forums where the password database may not be as secure as, say, your bank.

  22. peter · 941 days ago

    Why use the Bible when you could be closer to the action by using

    Il Principe !!

  23. Security through obscurity = no security at all.

    Then again, decode these delightfully obscure Bible versions. Hint: KJV.

    AadrthvsafrthfP2611

    VEmbiahm&iaasmG2711

  24. Johann · 939 days ago

    This is actually very good advice as long as you choose a fairly obscure verse. The Bible is huge and to create dictionary attacks for every verse would take a while. Just run your choice against a googled "Top 100 Popular Bible Verses" and you should be fine. I similarly use quotes (fairly obscure ones) to create passwords. That being said, the method could use a little tweaking to make it more secure.

  25. Chromoy · 936 days ago

    The ridiculous thing about it is that such passwords can be easily cracked by Passcape recovery software. They have a phrase attack that guesses passwords by using a wordlist with phrases and bible wordlist is available for online retrieval from their web site.

  26. Devon · 698 days ago

    or use any other book/game/film/song that's available out there


About the author

Graham Cluley runs his own award-winning computer security blog, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Send Graham an email, subscribe to his updates on Facebook, follow him on Twitter and App.net, and circle him on Google Plus for regular updates.