Since I trash talked biometrics in my last post, I decided
I should offer some advice regarding passwords.
What makes a password good? Well, the main feature of a good
password is that it is hard to guess.
In the worst case, the hacker has somehow managed to get
hold of the password database, which means they can guess passwords as fast as
their computer will run through them. I believe the current record is roughly
350 billion guesses in one second. That was on a miniature supercomputer: a
box with special cards designed for performing advanced computations rapidly.
It’s a fairly expensive setup. Most hackers are not likely to have that kind of
power available to them currently, so it makes a good top end number, for now
(Moore’s law suggests that the rate of calculation will double every two years or less).
So now it is a numbers game. It goes something like this.
First pass guessing will be the easy stuff. They will try common passwords,
dictionary words (yes, any language), two words together, words with a number…
Once those are used up, it’s time to start checking for random passwords. That
means trying every possible combination of letters, numbers and symbols (aaaa,
aaab, aaac, aaad,…). Since most systems now require at least a 6 character
password, that is what will be tried first – every possible combination of letters, numbers, and symbols six characters
long. Then they will try seven characters, then eight, and so on.
Treating this as a game of averages, the hacker is on
average going to have to try one half of all those possible combinations in
order to correctly guess your password. So you want to pick a password from a
pool with enough possible combinations that it will take the hacker longer to
try half of them than the time until you next change your password. That way,
by the time he has guessed your password, you have already changed it.
There are two factors, then, that increase the complexity of
the password: the number of possible characters in each position, and the
number of positions. Below is a chart showing the effect of increasing the
possible character types and the number of characters.
Possible combinations:

| Characters | # of chars | 6 characters | 8 characters | 12 characters | 20 characters |
|---|---|---|---|---|---|
| a-z | 26 | 308915776 | 2.08827E+11 | 9.5429E+16 | 1.99281E+28 |
| a-z,A-Z | 52 | 19770609664 | 5.34597E+13 | 3.90877E+20 | 2.08962E+34 |
| a-z,A-Z,0-9 | 62 | 56800235584 | 2.1834E+14 | 3.22627E+21 | 7.04423E+35 |
| a-z,A-Z,0-9,!@#$%^&*()[]{},.<>;:'"-_=+ | 88 | 4.64404E+11 | 3.59635E+15 | 2.15671E+23 | 7.75628E+38 |
If we take our guess rate of 350 billion per second:
An eight character password - utilizing upper and lower case
letters, numbers and symbols - will be guessed (on average) in 1.5 hours.
A twelve character password using just letters and numbers (no
symbols) will take on average 145 years to guess. If you add in the symbols,
that number goes to 10 thousand years.
A twenty character password using the full range of
characters will take on average 30 quintillion years to guess. It is going to
be a while before computing power is sufficient to bring that number down to a
practical time for a brute force attack.
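The arithmetic behind the chart and the crack-time figures above, as an added example that is not part of the original post. It assumes the post's 350 billion guesses per second, the post's four character classes (88 characters in total), a 365.25-day year, and constructed sample passwords; it only models the "every possible combination" phase, not the first-pass dictionary guessing.

```python
# Added example: the post's brute-force numbers game as code (assumptions noted above).
GUESS_RATE = 350e9  # guesses per second; the post's top-end figure
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# The post's character classes; the symbol row is its 26-symbol list (62 + 26 = 88).
CLASSES = {
    "lower": "abcdefghijklmnopqrstuvwxyz",
    "upper": "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
    "digit": "0123456789",
    "symbol": "!@#$%^&*()[]{},.<>;:'\"-_=+",
}


def combinations(pool: int, length: int) -> int:
    """Size of the keyspace: `pool` choices in each of `length` positions."""
    return pool ** length


def average_seconds(pool: int, length: int, rate: float = GUESS_RATE) -> float:
    """Expected time to hit a random password: half the keyspace at `rate` guesses/s."""
    return combinations(pool, length) / 2 / rate


def pool_size(password: str) -> int:
    """Pool an attacker must cover once the classes present in the password are known.

    Mirrors the chart's rows: using one character from a class adds the whole class.
    Note that "password" scores as a 26-character pool here, but the post's first
    pass (dictionary words) would find it long before brute force is even needed.
    """
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))


def estimate(password: str, rate: float = GUESS_RATE) -> dict:
    """Pool, length and average crack time (seconds and years) under the post's model."""
    pool, length = pool_size(password), len(password)
    secs = average_seconds(pool, length, rate)
    return {"pool": pool, "length": length, "seconds": secs,
            "years": secs / SECONDS_PER_YEAR}


def print_chart(pools=(26, 52, 62, 88), lengths=(6, 8, 12, 20)) -> None:
    """Reproduce the post's chart, adding average years to guess at GUESS_RATE."""
    print("pool | " + " | ".join(f"{n} chars: combos / avg years" for n in lengths))
    for pool in pools:
        cells = [f"{combinations(pool, n):.5g} / "
                 f"{average_seconds(pool, n) / SECONDS_PER_YEAR:.3g}" for n in lengths]
        print(f"{pool:>4} | " + " | ".join(cells))


if __name__ == "__main__":
    print_chart()
    for pw in ("password", "Password1", "xK9#pLq2mW4!"):  # constructed samples
        print(pw, estimate(pw))
```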
So the first rule of good passwords: make them at least
twelve characters long, random, and composed of a mix of small and capital letters,
numbers, and symbols.
The second rule is don’t use the same password for different
systems. Why? Say the hacker sets up a fake page that looks like the
Facebook login, and captures your password. That stinks. He’s got access to
your Facebook. It stinks even more if you used that same password for all your
banking sites, and he starts transferring money, making PayPal purchases, using
your credit card…
You might cheat with your social and email sites, but never,
never, never use the same password for financial sites.
The third rule is to change your passwords regularly. There
is still that risk that someone might catch a glimpse over your shoulder or
capture it using some social engineering scam. So it is a good practice to
change them once in a while, just as a precaution. How often? Most paranoid
experts aim for every 30-90 days. I lean more toward every 6-12 months
personally. Realistically, if you are using long, random passwords, and you are good about applying safe computing practices, you should be safe going several years between password changes on some systems. I'd still err on the side of caution when it comes to financially related sites, or sites with sensitive information.
But those rules which make for good passwords do create a
rather serious problem. How does one manage a whole bunch of long,
hard-to-guess passwords?
I’ll share some strategies next time.