Password security tips

by subacati

Whenever you register an account anywhere on the Internet these days, you need to choose a password. But how do you know if your password is secure?

If we have a look at the password cracking techniques that are used, we can get a few good hints. The first thing to know is that personal information is freely available these days! Using names, dates of birth or other information that is directly associated with you is a bit like keeping the key to your front door on a keyring hanging outside that door!
Internet standards expert and CEO of web company iFusion Labs, John Pozadzides, wrote an article in 2007 in which he gives a list of the 'top ten' bad choices for passwords! These are the passwords that are easy to guess and yet more common than you'd think! :insane:.
Here is that list!

1. Your partner, child, or pet’s name, possibly followed by a 0 or 1 (because they’re always making you use a number, aren’t they?)
2. The last 4 digits of your social security number.
3. 123 or 1234 or 123456.
4. “password”
5. Your city, or college, football team name.
6. Date of birth – yours, your partner’s or your child’s.
7. “god”
8. “letmein”
9. “money”
10. “love”

Now I know that nobody reading this has used any of those as their password, right? Right? :insane:.

Now, if that list doesn't include your password, it doesn't mean that you're safe yet! The most common method for hacking a password is the brute force attack. Some sites will block an account or temporarily limit access from an IP address that has entered a wrong password more than three times! But many sites will allow an unlimited number of retries! So a would-be hacker is only limited by the time it would take to 'guess' the correct password.
A brute force attack uses an automated script to try thousands of potential passwords until the correct password is found! It uses a 'dictionary' file that is filled with virtually every 'password' that the hacker can think of, and then some. (Hackers have been known to load actual dictionaries into these files.)
Now, if you think that using 1337 speak helps, then think again! Hackers will usually include leet speak versions in their dictionaries for this very reason!

But what if the password is not a word at all? Well then, the next stage of the brute force attack is to try every combination of letter, number and special character that is allowed, in sequence, starting with the minimum number of characters allowed for the password! This is the original brute force attack and it's guaranteed to find your password... eventually! :left:.
But how long will that take? Well, the following graphic illustrates how long it could take, depending on how long the password is!

As you can see, the longer the password is, the more time it takes. From this you can deduce that even when using random mixed upper and lower case letters, your password must still be at least eight characters long before it is 'safe'. But remember that this is calculated according to the power of a single computer in 2007 (when the original article was written).
Using modern equipment assembled into a ten-node Beowulf cluster, we can do that at least a thousand times faster! :insane:.

But the main point here is that longer is better! If the password is long enough, not even NASA or the CIA can crack it within one lifetime! :knight:. At least, not with a brute force attack that is! :left:.
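To put numbers on both points above (the dictionary that already contains the leet speak variants, and the brute force search that grows with every extra character), here is an added Python estimator that is not part of the original post. The guess rate, the short wordlist and the leet substitution table are constructed assumptions:

```python
"""Estimate the attacker's worst-case effort against a candidate password.
Added example for this post, not the author's code. The guess rate, the
tiny wordlist and the leet-speak table below are constructed assumptions."""
import string

# Constructed wordlist: the fixed strings from the post's 'top ten' list.
COMMON_WORDS = {"password", "god", "letmein", "money", "love", "123", "1234", "123456"}

# Substitutions a cracking dictionary already expands, so they add no strength.
LEET = str.maketrans("@43!10$57", "aaeiiosst")

# Assumed rate for a single 2007-era machine; the post's cluster would be ~1000x.
GUESSES_PER_SECOND = 1_000_000

def candidate_forms(pw: str) -> set:
    """Spellings a dictionary attack tries: lowercase, trailing 0/1 removed, de-leeted."""
    low = pw.lower()
    forms = {low, low.rstrip("01") or low}
    return forms | {f.translate(LEET) for f in forms}

def is_dictionary_word(pw: str) -> bool:
    """True if any plausible form of the password is in the wordlist."""
    return bool(candidate_forms(pw) & COMMON_WORDS)

def charset_size(pw: str) -> int:
    """Size of the smallest mix of ASCII character classes that covers the password."""
    classes = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)
    return sum(len(c) for c in classes if any(ch in c for ch in pw))

def brute_force_guesses(pw: str) -> int:
    """Guesses needed to exhaust every string up to len(pw) over that charset."""
    n = charset_size(pw)
    return sum(n ** k for k in range(1, len(pw) + 1))

def seconds_to_crack(pw: str, rate: int = GUESSES_PER_SECOND) -> float:
    """A dictionary hit costs one pass over the wordlist; otherwise the full keyspace."""
    if is_dictionary_word(pw):
        return len(COMMON_WORDS) / rate
    return brute_force_guesses(pw) / rate

if __name__ == "__main__":
    # Leet speak does not help at all, but each extra character multiplies the work.
    for pw in ("letmein", "P@ssw0rd1", "Fluffy1", "aBcDeFgH", "aBcDeFgHiJkL"):
        print(f"{pw:14} {seconds_to_crack(pw) / (365 * 86400):.2e} years")
```

Running it shows 'P@ssw0rd1' falling in a fraction of a second like plain 'letmein', while going from eight to twelve mixed-case letters multiplies the search by 52^4.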

(the original article is linked below! However, be warned that a friend of mine received dire threats and warnings from his anti-virus at that site)