Wednesday, August 31, 2011

GRC's Password Haystack

Of interest


Gibson Research Company (GRC) wrote a fun password program, the "Password Haystack."

Link: https://www.grc.com/haystack.htm

In this program, you type a password and it reports roughly how secure it is.


Try a variation of your own passwords. (GRC is a trustworthy site and I have full faith in his honesty and security. I used my own password*, as illustrated below.) The results will be interesting. Note my password has a mixture of upper- and lower-case letters and digits, but no special characters.

[Illustration: GRC Haystack results for the password described above]

In my case, at 1,000 attempts per second, my password would take about 27 million years to hack. That figure covers every possible combination; technically, you should divide it in half to get the average time for an attack. This means my password could be discovered in a mere 13 million years. Of course, the hackers might get it on the first try, especially if they use the password illustrated above*.

Notice how the second type of attack, which uses a computer cluster, needs only about 3 months to hack it, at 100 billion guesses per second -- a preposterous number. I have no earthly idea whether any computer can generate *and apply* passwords a billion times per second.

The "Massive" cluster array needs only 2 hours to hack my password. That is, *if* it could test at an unbelievable 100 trillion attempts per second (I think the fiber-optic cables would melt before then, and no system would allow that many attempts). It is probably safe to ignore this statistic.

In other words, I believe my password is "secure enough."

*No, not my real password, but it might be close.

But Wait, there is more!

Look what happens when you add a 'special character' to the password - I used a predictable [space]. This added one more character to the length and theoretically changed the character set from 62 possible values to 95. According to GRC, the uber-cluster now needs about 2 years to hack it. An eternity!



These obscenely large calculations are flawed. If I were hacking, I'd add a space (a common character) to the first Search Space Depth, bringing the number of testable characters from 62 to 63 (not 95). I would also test for a first-letter-capitalized password with the remaining letters in lower-case (because I know that is what most of you are doing). And I would search dictionary words first. These would vastly simplify the search combinations, and these changes alone would probably cut the search times by a factor of 10,000. If I still didn't find a match, then I'd have to do the brute-force calculations recommended by the charts above.
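To make the arithmetic behind these charts concrete, here is an added Python example (written for this post; it is not GRC's code) that computes a haystack-style search space for a password and the time to search it at the three guess rates quoted above, once with GRC's 62-or-95-character alphabet and once with the narrower alphabet this critique says a real attacker would use. It assumes GRC's symbol class is the 32 ASCII punctuation characters plus the space (33), approximates the "first letter capitalized" objection by dropping the upper-case class when the only capital is the first character, and uses a constructed sample password.

```python
import string

# GRC counts a character class as fully present once one member appears:
# 26 lower + 26 upper + 10 digits + 33 printable symbols (space included) = 95.
SYMBOLS = string.punctuation + " "
SECONDS_PER_YEAR = 365.25 * 24 * 3600
RATES = {  # guesses per second shown on the haystack page
    "online": 1_000,
    "offline cluster": 100_000_000_000,
    "massive cluster": 100_000_000_000_000,
}

def classes(password: str) -> dict:
    """Which character classes appear, plus the distinct symbols actually used."""
    return {
        "lower": any(c.islower() for c in password),
        "upper": any(c.isupper() for c in password),
        "digit": any(c.isdigit() for c in password),
        "symbols": sorted({c for c in password if c in SYMBOLS}),
    }

def grc_alphabet(password: str) -> int:
    """GRC's alphabet: each class present counts in full (one space => all 33 symbols)."""
    k = classes(password)
    return 26 * k["lower"] + 26 * k["upper"] + 10 * k["digit"] + 33 * bool(k["symbols"])

def attacker_alphabet(password: str) -> int:
    """The post's objection (approximated): count only the symbols actually used
    (62 + space = 63), and treat a capital that appears only as the first letter as a
    known pattern rather than a full 26-letter class (it is tried, not searched)."""
    k = classes(password)
    upper_elsewhere = any(c.isupper() for c in password[1:])
    return 26 * k["lower"] + 26 * upper_elsewhere + 10 * k["digit"] + len(k["symbols"])

def search_space(alphabet: int, length: int) -> int:
    """Every string of length 1..length over the alphabet (GRC's search-space depth)."""
    return sum(alphabet ** n for n in range(1, length + 1))

def years_to_crack(space: int, rate: int, average: bool = True) -> float:
    """Years to enumerate the space at `rate` guesses/s; average halves it, as the post notes."""
    seconds = space / rate / (2 if average else 1)
    return seconds / SECONDS_PER_YEAR

if __name__ == "__main__":
    pw = "Doggie barks 42"  # constructed sample, not the post's own password
    for name, alphabet in (("GRC", grc_alphabet(pw)), ("attacker", attacker_alphabet(pw))):
        space = search_space(alphabet, len(pw))
        print(f"{name}: alphabet={alphabet}, search space={space:.3e}")
        for label, rate in RATES.items():
            print(f"  {label:16s} {years_to_crack(space, rate):.3e} years")
```

Running it shows the same password scored against a 95-character alphabet and a 37-character one; the gap between the two rows is the "flaw" the paragraph above is pointing at.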

But even with these faults, these numbers are still fun to look at and still give a general sense of how a password will hold up.

"Through 20 years of effort,
we have successfully trained everyone to use passwords that are hard for humans to remember,
but easy for computers to guess." -xkcd.com


So What


And consider this: A friend of mine hacked a co-worker's password in 5 attempts, without resorting to any gimmickry. The password he found was predictable (at least for them): "Harley Davidson". Guess who owned a new bike. When I worked at a corporate IT helpdesk, I could find a user's current password about 10% of the time by just looking at the yellow sticky note under the keyboard.


All of this is well and good. But there is still a problem with any password. If you write it down or unwittingly type it into a nefarious site, any password can be compromised. Imagine a phishing scam: you log into what you think is your bank's website, not realizing it is a fake. You type your super-complex, 87-character password.

No matter how long, no matter how complex, no password is safe if you give it away. Of course, passwords are hackable with this xkcd.com method:


Google 2-Step Authentication

For my Gmail and Blogspot account, I have been using Google's 2-step authentication.

In this, I type the normal password, then Google sends a text message to my cell phone with a secondary code. I enter this one-time code, and only then am I granted access. This works similarly to the RSA one-time-code dongles you sometimes see.


With this two-stage (2-step) authentication, my login has become nearly impossible to hack from a remote location. Even if you have my password, you can't log in without my phone.

In practice, using the two-stage authentication is a nuisance -- I now always need my cellphone to log in -- but I have become accustomed to it. After 3 months, I accept this as the norm and I wish I could use this method for all of my accounts.

What if I lose my cell phone? Without going into details, Google has a moderately secure alternate method for logging in. See this article for full details on the 2-step authentication. Unfortunately, this only works on Google products.


20 Years of Password Nonsense

And this now famous xkcd comic, although only a month old, has circled the Earth about a million times. This explains GRC's idea a little more succinctly:

[Illustration: the xkcd password-strength comic]

Password Recommendations:

Short of using 2-step authentication, here are two simple things you can do for better password security:

1. Use a password phrase (two or more words).

2. Use a different password for each site. If one password is compromised, you won't lose everything. But this admittedly makes passwords nearly impossible to remember. Consider this trick, which uses the same password on each site/program but adds a suffix, making it unique.

For example:
If your normal password were "ab doggie barks",

use "ab doggie barks hotm" for your Hotmail account,
use "ab doggie barks goog" for your Google account,
use "ab doggie barks bank" for your banking account.

If the password were compromised, it would at least slow down automated programs from guessing the other accounts. Naturally, a human would see through this in a heartbeat.

1 comment:

  1. Recommend taking the time to download & listen to the podcast on the page. GREAT info. Good article.
