Saturday, November 16, 2013

Good passwords guide



Since I trash-talked biometrics in my last post, I decided I should offer some advice regarding passwords.

What makes a password good? Well, the main feature of a good password is that it is hard to guess.
In the worst case, the hacker has somehow managed to get hold of the password database, which means they can guess passwords as fast as their computer will run through them. I believe the current record is roughly 350 billion guesses in one second. That was on a miniature supercomputer: a box with special cards designed for performing advanced computations rapidly. It’s a fairly expensive setup, and most hackers are not likely to have that kind of power available to them currently, so it makes a good top-end number for now (Moore’s law suggests that the rate of calculation will double every two years or less).

So now it is a numbers game. It goes something like this. The first pass of guessing will be the easy stuff: common passwords, dictionary words (yes, in any language), two words together, words with a number… Once those are used up, it’s time to start checking for random passwords. That means trying every possible combination of letters, numbers and symbols (aaaa, aaab, aaac, aaad, …). Since most systems now require at least a 6-character password, that is what will be tried first – every possible combination of letters, numbers, and symbols six characters long. Then they will try seven characters, then eight, and so on.

Treating this as a game of averages, the hacker is on average going to have to try half of all those possible combinations in order to correctly guess your password. So you want to pick a password from a pool with enough possible combinations that it will take the hacker longer to try half of them than the time before you change your password. That way, by the time he has guessed your password, you have changed it.

There are two factors, then, that increase the complexity of the password: the number of possible characters in each position, and the number of positions. Below is a chart showing the effects of increasing the possible character types and the number of characters.


Possible combinations

Characters                              # of chars   6 characters   8 characters   12 characters   20 characters
a-z                                     26           308915776      2.08827E+11    9.5429E+16      1.99281E+28
a-z,A-Z                                 52           19770609664    5.34597E+13    3.90877E+20     2.08962E+34
a-z,A-Z,0-9                             62           56800235584    2.1834E+14     3.22627E+21     7.04423E+35
a-z,A-Z,0-9,!@#$%^&*()[]{},.<>;:'"-_=+  88           4.64404E+11    3.59635E+15    2.15671E+23     7.75628E+38

If we take our guess rate of 350 billion per second:

An eight-character password - utilizing upper and lower case letters, numbers and symbols - will be guessed (on average) in 1.5 hours.

A twelve-character password using just letters and numbers (no symbols) will take on average 145 years to guess. If you add in the symbols, that number goes to 10 thousand years.

A twenty-character password using the full range of characters will take on average 30 quintillion years to guess. It is going to be a while before computing power is sufficient to bring that number down to a practical time for a brute-force attack.
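As an added example (not from the original post), here is a short Python script that reproduces the chart and the crack-time figures above from the two factors the post names (alphabet size and length), and generates a random password from the post's full 88-character set as rule 1 asks for. The 350 billion guesses/second rate and the symbol set are the post's own; the function names are mine.

```python
import secrets
import string

# Character classes from the post's chart (the symbol set is the post's own).
LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SYMBOLS = "!@#$%^&*()[]{},.<>;:'\"-_=+"
FULL = LOWER + UPPER + DIGITS + SYMBOLS  # 88 characters

GUESSES_PER_SECOND = 350e9  # the post's top-end rate; it assumes a fast hash, and a
# deliberately slow password hash (bcrypt, scrypt, PBKDF2) lowers it by orders of magnitude
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(alphabet_size, length):
    """Distinct passwords of exactly `length` characters drawn from `alphabet_size` symbols."""
    return alphabet_size ** length


def average_crack_seconds(alphabet_size, length, rate=GUESSES_PER_SECOND):
    """Expected time to hit a uniformly random password: half the keyspace at `rate` guesses/s."""
    return keyspace(alphabet_size, length) / 2 / rate


def average_crack_years(alphabet_size, length, rate=GUESSES_PER_SECOND):
    return average_crack_seconds(alphabet_size, length, rate) / SECONDS_PER_YEAR


def combinations_table(lengths=(6, 8, 12, 20)):
    """Rebuild the post's chart as {row label: [keyspace for each length]}."""
    sizes = (("a-z", 26), ("a-z,A-Z", 52), ("a-z,A-Z,0-9", 62), ("a-z,A-Z,0-9,symbols", 88))
    return {name: [keyspace(size, n) for n in lengths] for name, size in sizes}


def random_password(length=12, alphabet=FULL):
    """Rule 1: a uniformly random password; `secrets` uses the OS CSPRNG, unlike `random`."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for name, row in combinations_table().items():
        print(f"{name:22}", "  ".join(f"{v:.5E}" for v in row))
    print(f"8 chars, full set:  {average_crack_seconds(88, 8) / 3600:.1f} hours")
    print(f"12 chars, alnum:    {average_crack_years(62, 12):.0f} years")
    print(f"12 chars, full set: {average_crack_years(88, 12):.0f} years")
    print(f"20 chars, full set: {average_crack_years(88, 20):.2E} years")
    print("sample password:", random_password(12))
```

Passing a much smaller `rate` to `average_crack_years` shows how a slow password hash on the server side stretches the same numbers.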

So the first rule of good passwords: make them at least twelve characters long, random, and composed of a mix of lower-case and capital letters, numbers, and symbols.

The second rule is don’t use the same password for different systems. Why? Say the hacker sets up a fake page that looks like the Facebook login, and captures your password. That stinks. He’s got access to your Facebook. It stinks even more if you used that same password for all your banking sites, and he starts transferring money, making PayPal purchases, using your credit card…
You might cheat with your social and email sites, but never, never, never use the same password for financial sites.

The third rule is to change your passwords regularly. There is still that risk that someone might catch a glimpse over your shoulder or capture it using some social engineering scam. So it is a good practice to change them once in a while, just as a precaution. How often? Most paranoid experts aim for every 30-90 days. I lean more toward every 6-12 months personally. Realistically, if you are using long, random passwords, and you are good about applying safe computing practices, you should be safe going several years between password changes on some systems. I'd still err on the side of caution when it comes to financially related sites, or sites with sensitive information.

But those rules which make for good passwords do create a rather serious problem. How does one manage a whole bunch of long, hard-to-guess passwords?

I’ll share some strategies next time.
