Monday, January 21, 2013

What makes a good password 4U

Solving the Password Problem

What makes a good password, how do you keep track of all the different ones you're supposed to have, and is there hope for a future free of passwords?

Read more: Solving the Password Problem - Popular Mechanics 

Getting hacked is becoming an Internet rite of passage. Consider 2012 alone: First Zappos was hacked, its customers' passwords and other personal information exposed. Then LinkedIn announced that its users' passwords had been compromised. Then eHarmony. Then Yahoo. More than 30 million users' passwords were stolen. The growing, painful password problem is twofold: Hackers have gotten very good at what they do, with more capable tools than ever, and those tools can work so well because we are still really bad at choosing—and remembering—passwords. 

Coming up with a password is a compromise between security and convenience. Very complex passwords are highly secure but difficult to remember. To make them work, users end up in a constant loop of resetting forgotten passwords or relying on writing them down on sticky notes. Simpler passwords are easier for us to remember but all too easy for others to discern. Even if you think your pet's name is rare and choose SenorFluffypants as a password, that information would be easy for an adversary to find on, say, Facebook. Because passwords are annoying and tedious to keep track of, most of us resist changing our obvious passwords, many of which can be found in leaked databases. The top passwords of 2012 remain what they have been for years: password, 123456, and 12345678. 

Passwords like those are especially easy to crack, says Peter Theobald of KLG Computer Forensics. "Anyone with a password that can be found in the dictionary, even if it's a minor variation followed by a number, gets found quickly," he says. 

It's possible that one or more of your passwords has already been stolen (you can check PwnedList, an online database with more than 966 million compromised passwords on file), but even if it hasn't, relying on weak passwords is a fool's game. Once hackers get into an account, they immediately start searching for any linked or related accounts. Before long, a complete stranger could be wreaking havoc on your social reputation, credit rating, and finances. If you suspect that one of your online accounts has been hacked, immediately change the passwords on any other important account you have; hackers have programs designed to try the cracked password at other sites. Even if you've been smart enough to maintain separate passwords for different accounts, hackers will leverage access to your email to reset passwords for other sites. ("Forgot your password? Have a new one sent to your email account.") But when you do reset passwords, don't repeat mistakes of the past. There are ways to make passwords both secure and memorable. 

The Bad Guys

Before we examine what good passwords look like, it helps to know your adversary. Using a PC with inexpensive multicore graphics processing units (GPUs), a hacker can try about 8 billion password combinations in a second—thousands of times faster than just a few years ago, when the processing depended on just the CPU. Because they're designed for parallel computing, GPUs are much better at the large-scale mathematical operations needed for cracking passwords. Powerful password-cracking software is available for free, and hackers also have access to growing shared lists of millions of actual user passwords. 

By analyzing these lists, professional password crackers know that when forced to pick a password with a mix of upper- and lowercase letters, a number, and a special character, users tend to choose a familiar word or a dictionary word, capitalize the first letter, and add the number and special character at the end (such as Fido1*). The geekiest among us may replace vowels with numbers (leetspeak), such as F1d01, or shift our hands on the keyboard to mask the actual password. But hackers know this, and a simple algorithm is all they need to get past it. 

Even passwords that combine more than one strategy are vulnerable. Take, for example, the password MyS3cr3t!. It meets typical security guidelines, and online password-strength meters would call it strong. With faster processing, and programming rules that add characters and punctuation to a word list, a hacker could crack that password in just 12 hours. 

Don't Be an Idiot: Make a Bad Password Good

It's not all that hard to turn a mediocre password into a great one. All it takes is the addition of some strategically placed numbers and symbols—and a good base word or phrase in the first place (which means saying goodbye to pet names and favorite sayings). Below, we chart a password's journey from weak to strong, showing how long it would take for a commonly used algorithm to crack each version. 

Password: Aquarius
Time to Crack: 9.08 Mintues 

Password: Aquarius1
Time to Crack: 1.59 Days 

Password: Aquar$ius1
Time to Crack: 19.24 Years 

Password: Aqu57ar$iu3s
Time to Crack: 17,400,000 Years 

Read more: Solving the Password Problem - Popular Mechanics 

Password tips

There are two key components to password strength: length and complexity. An ideal password should be long and contain a combination of letters, numbers as well as special characters. The greater the character variety in a password the better off you are. We suggest you make your passwords as long as you can. If possible use no less than 14 characters.
It is prefered to maintain separate passwords for all your accounts, as much of a hassle as it may seem. This way you are guaranteed account isolation so if one of your account logins gets compromised chances are no others will since login credentials are not shared. This is easily accomplished by using one of the many password manager apps available on the internet.

No comments:

Post a Comment