Advice about passwords is frequently pedantically correct, yet useless. Let’s face it, you are not likely to use a password like ‘!r4%^s2A’. And, even if you do, you have still failed to create a strong one unless you are on a system with an 8 character limit for the password. The keys to strong passwords lie in length – size really does matter. Equally important is not using any word that exists in the dictionary – not even a long one. Conventional wisdom dictates using passwords that you cannot remember, should not write down, and probably will not use.
Seems like a dilemma. But, good passwords are actually easy. The problem with a password like ‘!r4%^s2A’ is that it is too short. A password like ‘I really hate passwords’ is actually much better. To understand why, let’s take a look at how passwords are guessed or “brute force” cracked.
The easiest approach to guessing a password is to harvest information about someone and go from there. Spouse's name? Pet names? Talk to people and you will find out how truly easy it is to get this information from someone. People who use these passwords are easy pickings. Passwords that are short and pertain to one's personal or even business life are commonly used and easily guessed. Attacks on such passwords are accomplished with simple “social engineering,” or with stolen data.
Dictionary attacks try a variety of words found in the dictionary. If you choose the password “January” it will be guessed in a couple of seconds or less by a computer program. You can still use proper words, as long as you use several of them. The art is in combinations, but more on that later.
Any password can eventually be cracked with brute force. Brute force simply means trying every possible combination of characters that can be in a password. This is where size really matters. If the password is long enough, a brute force attack will take months or even years.
If you use only lowercase letters and have a seven-letter password there are roughly 8 billion combinations for a brute force cracking program to try. This may sound like a lot but, even so, it can be cracked extremely quickly with a computer. If you use uppercase letters, lower case letters, numbers, punctuation, and special characters such as ¥ or © you are now up to almost 70 trillion combinations. This is still a trivial task for a computer to solve. Now take a look at a password such as “isthisgood”. A 10 character password with only lower case letters has about 141 trillion possibilities. So your 10 character lower case password is better than any 7 character password. However, it is still advisable to use more than just lower case letters.
A password such as “8 Resolutions this year!” is 24 characters long, easy to remember, uses 4 different character sets (upper case, lower case, numbers, and punctuation) and is a very hard password to crack with brute force.
One of my favourite techniques uses math equations. Can you remember that 49+51=100?
This is too short, but what about “Forty9 and 51=One hundred ”. That’s 27 characters! The spaces are legal characters, and if you remember a space at the end you could write the password on a piece of paper as “Forty9 and 51=One hundred”. Note that there was a space at the end of the password that is not seen on the paper reminder. Add 2 to 8 spaces at the end and it is killer.
How about “Was I was born in 1960?” Easy for me to remember (I was), but hard for a computer to crack.
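The keyspace arithmetic above (26^7, 95^7, 26^10) and the "use several words, make it long" advice can be checked with a small script. The following is an added example, not code from the article or from ESET; the 1 billion guesses per second rate, the 15 character minimum, the 100 symbol size assumed for non-ASCII characters such as ¥ or ©, and the tiny word list are all assumptions chosen for illustration.

```python
import math
import string

# Character classes counted the way the article counts them:
# 26 lower + 26 upper + 10 digits + 33 punctuation/space = 95 printable ASCII.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "punct": set(string.punctuation + " "),
}
OTHER_CLASS_SIZE = 100      # assumed size of the "special symbol" set (¥, ©, ...)
GUESSES_PER_SECOND = 1e9    # assumed attacker speed, for illustration only
MIN_LENGTH = 15             # assumed policy minimum; the article gives no number
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Constructed word list standing in for a real dictionary.
WORDLIST = {"january", "password", "passwords", "hate", "really", "resolutions"}


def charset_size(password: str) -> int:
    """Size of the alphabet a brute-force attacker must assume for this password."""
    size = 0
    for chars in CLASSES.values():
        if any(c in chars for c in password):
            size += len(chars)
    # Anything outside printable ASCII goes into an assumed extra class.
    if any(all(c not in chars for chars in CLASSES.values()) for c in password):
        size += OTHER_CLASS_SIZE
    return size


def keyspace(password: str) -> int:
    """Number of candidates an exhaustive search of this length and alphabet covers."""
    return charset_size(password) ** len(password)


def keyspace_bits(password: str) -> float:
    """Same figure expressed as bits of search space."""
    return math.log2(keyspace(password))


def brute_force_years(password: str, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case years to exhaust the keyspace at the assumed guess rate."""
    return keyspace(password) / rate / SECONDS_PER_YEAR


def passes_policy(password: str, wordlist: set = WORDLIST) -> bool:
    """Reject short passwords and any password that is a single dictionary word.

    A multi-word phrase such as 'I really hate passwords' passes even though
    every word in it is in the dictionary: the combination is what matters.
    """
    if len(password) < MIN_LENGTH:
        return False
    if password.strip().lower() in wordlist:
        return False
    return True


if __name__ == "__main__":
    for pw in ["!r4%^s2A", "isthisgood", "8 Resolutions this year!",
               "January", "I really hate passwords"]:
        print(f"{pw!r}: alphabet={charset_size(pw)} "
              f"keyspace={keyspace_bits(pw):.1f} bits "
              f"worst-case={brute_force_years(pw):.3g} years "
              f"policy={'ok' if passes_policy(pw) else 'reject'}")
```

Running it reproduces the article's numbers: the 7 lowercase letters give 26^7 ≈ 8 billion, the 7 mixed characters give 95^7 ≈ 70 trillion, and the 10 lowercase letters give 26^10 ≈ 141 trillion, while the 24 character phrase lands far beyond anything exhaustible at the assumed rate. The policy check is deliberately simple; a production checker would also compare against breached-password lists and the user's own account details.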
Lengthy passwords take a very long time to crack, but it can be done. It is important to periodically change your password. Mark Burnett, the author of Perfect Passwords (Syngress Publishing, ISBN: 1597490415), recommends that once or twice a year all computer users have a “password day”. Change all of your passwords across your company or system. If you change only some passwords, an attacker has time to work on the others. It can take only one known password for a skilled hacker to gain access to the entire network.
To give credit where it is due, it must be pointed out that much of this information has come from a variety of sources including Burnett’s Perfect Passwords and articles by Jesper Johansson, formerly of Microsoft, and from numerous discussions with security professionals.
Oh, and remember: do not use any of the password examples mentioned above, as they are now public!
> Randy Abrams is director of technical education at Essential Security against Evolving Threats (ESET) Software
Eset Software will be one of 300 exhibitors at Infosecurity Europe 2007 in London from April 24 to 26 in the Grand Hall, Olympia. www.infosec.co.uk