Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

What you don’t know about passwords might hurt you

Joe Kissell | Nov. 28, 2012
Your password strategy, if you have one at all, might be seriously out of date

Appending a number to a common word (password1 or baseball9) is a frequently used method to comply with must contain a digit rules. And so is substituting numbers or symbols for lettersyou know, things like p@ssw0rd or b4s3b411and using patterns of keys on the keyboard such as edcrfvtgb. Problem is, hackers are well aware of such techniques. As soon as someone invents a new method for creating better passwords (such as padding a shorter password with repeated punctuation), the bad guys adapt their methods accordingly, erasing whatever advantage the new method may have offered. So, dont count on cleverness to protect your password. It might take a few milliseconds longer to guess 1d0ntkn0w than Idontknow but remember, youre up against machines that can make any imaginable substitution in the blink of an eye.

You want to make your passwords unguessable, even by someone smarter than you! The best way to do this is to make them random strings of characters, including uppercase and lowercase letters, numbers, and punctuation. However, its very hard for a human to create a truly random password, but its easy for a computer to do. So, once again, relying on a password manager instead of your brain is the way to go.

14 is the new 8

Suppose an attacker is determined to get into your account, and the quick-and-easy hacks (such as checking dictionary words, along with common mutations) have failed. What then? The next step is to use brute force to try every possible password one at a time. Unfortunately, its becoming easier and easier to find a match using this technique. A few years ago, a reasonably powerful system might have been expected to check a million potential passwords per second. Today, a single off-the-shelf PC can check several billion passwords per second, and a network of computers can check many times that amount. Many systems have safeguards in place that limit how frequently passwords can be guessed, or shut down after a certain number of incorrect attempts. But if an attacker gets direct access to the password-protected data and no longer has to go through the front door, as it were, those safeguards become moot.

As a result, the advice youve read in the past about what counts as a secure password may no longer be valid. For example, in order to protect against a brute-force attack, a password with eight or nine random characters is no longer sufficient. Experts now routinely recommend longer passwords, often in the 12-to-14 character range. And thats for passwords randomly generated by a computer. Passwords you create by hand must almost always be longer to have the equivalent strength.


Previous Page  1  2  3  Next Page 

Sign up for CIO Asia eNewsletters.