Some of my blog friends (and relatives) and I have previously posted concerning online security and privacy issues. Yesterday, on Slashdot.org, I read an article concerning password security. It led me to a marvelous website that discusses password security and provides easy ways of making a person's passwords more secure. If you don't think that password security is an issue, you can skip this posting; but, to me, it is huge. Perhaps I am a bit more paranoid than some because I have worked in areas (physical and virtual) that required it - most recently with my email accounts on FEMA servers and servers provided by the non-governmental organization (NGO) for which I do volunteer work.
One of the above-mentioned servers, the one at the NGO, experienced "issues" all through the month of May. Finally, about a week ago, the "issues" were tracked to multiple infestations of the server by viruses that originated in China. While password insecurity may not have contributed to the ability of the hacker(s) in China to infest the server (and, hey, if no one ever told you...a server is just a specialized computer - in this case, the one on which our emails reside), I think it just as likely that one or more password insecurities may have been involved. I must admit that the passwords that I use on my NGO email and LAN account are much less secure than those that I use on my FEMA accounts. FEMA sees to that!
The NGO and FEMA systems both require that I periodically change my password. This is good. However, FEMA's system will not accept a change to a password that doesn't pass its definition of "goodness". In fact, I normally get so frustrated trying to come up with an acceptable password that I end up letting the system issue me a password. Such a password will normally look like a random selection of key strokes - probably because it is (pseudo-random, at least). Think of something that looks like this: UaP|v8iT. (To see outputs from a 64-character pseudo-random generator of key strokes, see Perfect Passwords.)
Now, through the miracle of Slashdot.org, I have found a website that helps me evaluate the form of a password (I don't trust the website enough to put in a "real" password! lol) and gives me advice on how to make my passwords stronger, but easily remembered. How can I beat that? Answer: I can't! Thus, I have added a link to Gibson Research Corporation's How Big is Your Haystack:...and How Well Hidden is Your Needle webpage to the For Enlightenment listing of URLs on the left-hand sidebar.
From an article, How many seconds would it take to break your password? at IT World's website:
Security breaches of mind-numbing size like those at LinkedIn and EHarmony.com set crypto- and security geeks to chattering about weak passwords and lazy users and the importance of non-alphanumeric characters to security.
But you've never met any non-alphanumeric characters. Sure, you befriended a couple of street people who were a little off kilter when you were in college, and there was that hottie in a Provincetown bar that wasn't what he/she appeared to be at first. They qualified as characters, but denying them alphanumericity is pretty harsh. [I read this to mean rejecting a "friend" request, for instance. CC]
________________________________________________________________________
And insisting on a particular number of characters in a password is just pointless security-fetish control freakishness, right?
Nope. The number and type of characters make a big difference.
________________________________________________________________________
How long would it take to crack my password: (Includes letters and numbers, all in one case - no mix of upper and lower case - and no symbols)
6 characters: 2.25 billion possible combinations
- Cracking online using web app hitting a target site with one thousand guesses per second: 3.7 weeks.
- Cracking offline using high-powered servers or desktops (one hundred billion guesses/second): 0.0224 seconds
- Cracking offline, using massively parallel multiprocessing clusters or grid (one hundred trillion guesses per second): 0.0000224 seconds
10 characters: 3.76 quadrillion possible combinations
- Cracking online using web app hitting a target site with one thousand guesses per second: 3.7 weeks.
- Cracking offline using high-powered servers or desktops (one hundred billion guesses/second): 10.45 hours
- Cracking offline, using massively parallel multiprocessing clusters or grid (one hundred trillion guesses per second): 37.61 seconds.
Add a symbol, and the crack becomes several orders of magnitude more difficult:
6 characters: 7.6 trillion possible combinations
- Cracking online using web app hitting a target site with one thousand guesses per second: 2.4 centuries.
- Cracking offline using high-powered servers or desktops (one hundred billion guesses/second): 1.26 minutes
- Cracking offline, using massively parallel multiprocessing clusters or grid (one hundred trillion guesses per second): 0.0756 seconds
10 characters: Possible combinations: 171.3 sextillion (171,269,557,687,901,638,419; 1.71 x 10^20)
- Cracking online using web app hitting a target site with one thousand guesses per second: 54.46 million centuries.
- Cracking offline using high-powered servers or desktops (one hundred billion guesses/second): 54.46 years
- Cracking offline, using massively parallel multiprocessing clusters or grid (one hundred trillion guesses per second): 2.83 weeks.
Take Steve's advice: go for 10 characters, then add a symbol.
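The figures above come from dividing a search space by a guess rate. The following added example (my own code, not GRC's calculator or the IT World article's) reproduces that arithmetic: it builds the alphabet from the character classes present in a password (26 lowercase, 26 uppercase, 10 digits, 33 symbols - my assumption of the haystack calculator's class sizes), sums the candidates of every length up to the password's length, and renders the worst-case exhaustion time at the three guess rates quoted in the table. It estimates brute force only; a dictionary word or a password already leaked from another site (the LinkedIn case) is found regardless of how big its haystack is.

```python
import string

# Alphabet sizes per character class (assumed, modelled on the haystack calculator).
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}

# Guess rates of the three attack scenarios in the table above (guesses per second).
GUESS_RATES = {
    "online (throttled web app)": 10 ** 3,
    "offline (single server or desktop)": 10 ** 11,
    "offline (massively parallel cluster)": 10 ** 14,
}

# (seconds per unit, name), largest first; a year is taken as 365.25 days.
UNITS = [(3_155_760_000, "centuries"), (31_557_600, "years"), (604_800, "weeks"),
         (86_400, "days"), (3_600, "hours"), (60, "minutes"), (1, "seconds")]

def alphabet_size(password: str) -> int:
    """Alphabet an attacker must assume, from the character classes present."""
    present = set()
    for ch in password:
        if ch.islower():
            present.add("lower")
        elif ch.isupper():
            present.add("upper")
        elif ch.isdigit():
            present.add("digit")
        else:
            present.add("symbol")
    return sum(CLASS_SIZES[c] for c in present)

def search_space(alphabet: int, length: int) -> int:
    """Candidates of every length from 1 up to `length` (exact integer, no overflow)."""
    return sum(alphabet ** k for k in range(1, length + 1))

def humanize(seconds: float) -> str:
    """Render a duration in the largest unit that gives a value of at least 1."""
    for size, name in UNITS:
        if seconds >= size:
            return f"{seconds / size:.4g} {name}"
    return f"{seconds:.4g} seconds"

def crack_times(password: str) -> dict:
    """Worst-case time to exhaust the space at each rate (expected time is about half)."""
    space = search_space(alphabet_size(password), len(password))
    return {name: humanize(space / rate) for name, rate in GUESS_RATES.items()}

if __name__ == "__main__":
    for pw in ("abc123", "abcdefg123", "UaP|v8iT"):  # constructed sample passwords
        print(pw, crack_times(pw))
```

The lowercase-plus-digit cases reproduce the table's 3.7 weeks, 10.45 hours and 37.61 seconds; comparing the remaining table entries against the output is a quick check of which figures follow from the stated search spaces.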
From Slashdot.org:
MD5crypt Password Scrambler Is No Longer Considered Safe
from the risky-busy-ness dept.
Let's see. I got an email from LinkedIn today that I had to change my password because their database was hacked. I could have had the strongest password in the world, but if the database is hacked, they get it anyway. Fortunately it was a password that I use for just stupid things (forums mostly), so I don't have to go around and change passwords at other places.
PayPal was hacked last year and someone in China tried to use my account, but they were vigilant and closed it then notified me of it. Oh, and they tried to blame me by saying that the hackers must have used a password they found through hacking some other site. Huh, that was an independent password, so wrong.
I now have lists of passwords that I have to keep on several different devices because I never know when I'll need it. So, if someone hacks one device, I'm screwed as I'll have to change everything.
Jeeze, I just hate hackers and passwords!
Posted by: bogie | June 09, 2012 at 06:07 AM
Bogie--Passwords, like most of the expensive systems that we in the USA have bought/had developed for the military during the past 60 years, are deterrents. A deterrent works by convincing someone/some country that it is much more worth their while to attack somewhere/someone else. Thus, as can be inferred from your comment, the weakest password determines the security of a system. As Grandma D would have said, "Oh, shit!"
As to hackers: If they didn't exist, we wouldn't really need passwords, would we? Too bad that we can't decree that there be no more hackers. *sob*
You have a bigger challenge to remember all of your passwords than I ever had to remember all of the combinations to classified materials container locks. Better you than me! *smiling* At least, I think it was easier. Usually, at any given time, I had to remember no more than a dozen combinations - usually, fewer.
Posted by: Cop Car | June 09, 2012 at 09:28 AM
A dozen? Shoot, I have a dozen for work. Okay, I exaggerate - I have my computer log in, then there are 3 separate databases (web-based), then there is the email password. Oh, and a couple for specific documents. Oh shoot, there is the phone one too. Between the user name differences and the different passwords, it can be a real pain.
Then there are all the services: health insurance (which we have already switched twice), FSA (had an HSA previously), 401(k) (had a simple IRA last year), Dental insurance (changed twice), on-line pharmacy (that just got bought out by another pharmacy so have to re-do everything). And I've only been at this job for a year!
This can get nucking futs!
Posted by: bogie | June 10, 2012 at 05:27 AM
10 characters, then add a symbol?
You mean like "shibboleth?" - we've known that for millennia, it's even in the Old Testament ;-)
Posted by: Ole Phat Stu | June 10, 2012 at 03:11 PM
Thanks for the info. I've certainly been concerned about security simply for my personal computing. Google keeps asking if I want them to remember my password(s) and I keep declining. Can be a bit more challenging to the memory than the letters and numbers of recalling phone numbers years ago. I always use upper and lower case, numbers and symbols, but clearly if someone wants to hack me looks like they can with the right equipment.
Posted by: joared | June 11, 2012 at 09:19 PM
And then there's this :- http://music.failblog.org/2012/06/11/music-fails-security/
Posted by: Ole Phat Stu | June 11, 2012 at 11:04 PM
Joared--It's one of the challenges of our times.
Stu--I definitely did not see that coming. Thanks for the guffaw!
Posted by: Cop Car | June 12, 2012 at 07:13 AM