Why your passwords suck, and how to fix them (pt. 3)

In this final part of the series on good password practices, we’ll take a look at how to create strong passwords.

The three keys to password strength are the number of possible characters, the length of the password, and not reusing passwords. Let’s look a bit closer at what I mean.

  • You may recall the example of the ATM card personal identification number: four spaces, 0 through 9, yielding 10,000 possible combinations. If you use a four-digit code as your password, a password cracker can break it in 11 seconds (assuming 1,000 guesses per second, which is quite feasible).
  • If you use a password like 123a, there are now 1.7 million possible combinations: 10 for the first character, 10 for the second character, 10 for the third character, and 26 for the fourth character. A password cracker will need almost 30 minutes to break this password (again, assuming 1,000 guesses per second).
  • If you use a password like 123aA, there are now 931 million possible combinations (10 for the first, second, and third characters, 26 for the fourth, and 26 for the fifth–keep in mind that in the world of computers, a and A are two different characters). The same password cracker would now need 1.5 weeks to crack it. If we’re talking about a serious hacker with top of the line crackers, though, it could take as little as .00931 seconds. Ouch.
  • If you use a password like 123aA!, there are now 742 billion possible combinations (assuming 33 possible special characters). A typical password cracker will need 23.62 years to break your password, but a high-powered cracker can do it in 7.43 seconds. Ouch again.
  • If we take that six-character passcode and double it (123aA!123aA!), there are now 546,108,
  • 599,233,516,079,517,120 (or, 5.46 times 10 to the 23rd power) possible combinations. Your average password cracker now needs 1.74 hundred billion centuries to crack it. The higher end equipment would require 1.74 thousand centuries. Even a massive cracking array setup (doing one hundred trillion guesses per second) would require 1.74 centuries to break the password. That’s pretty safe!

The lesson to be learned from these examples is that you need a long random password (at least 12 characters in length) with numbers, lower case characters, upper case characters, and special characters. Why does it have to be random? The answer is simple: because you don’t want anything even resembling a dictionary word. Password hackers often launch an attack with what’s called a dictionary attack. The cracker tries every word in the dictionary, A to Z. Even a longer word like Mississippi will be cracked in seconds.

Don’t overlook the issue of length. Earlier this year, my Gmail account was hacked, and I had a six-character random password. Fortunately, I was able to limit the damage (and Google caught the hacking and disabled the account), but it taught me an important lesson. Passwords that we used to think of as being strong are becoming weaker as computing power increases.

So, you come up with a long random password with numbers, lower and upper case characters, and a special character or two. Now what?

Do not use this password for everything. Doing so is like using the same key for your office, your car, your home, your safe deposit box, and your post office box.

You can use this password as a root for a password system, however, and add something unique on to the root for each web site you use. For example, you could use 123aA!123aA!amazondotcom as your password for Amazon. If it’s too long to type, think of a way to abbreviate it, such as amzn. If you’re a WordPress user, you could use 123aA!123aA!wrdprss (which would require trillions of centuries to crack).

A long, random password, combined with an application like 1Password or Lastpass, is your best bet to ensure your accounts–not to mention your clients’ data!–are safe.


Technorati Tags: , , , ,


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s