Passwords are a very weak form of authentication, mainly because users find it hard to choose passwords that are both strong and memorable. Here I discuss four ways to improve your password choices. This is the best advice I can give to help people choose stronger passwords.
A bit about poor password choice
Users often choose simple passwords, and use the same password for all their services, both at work and at home. Both are bad ideas.
Simple passwords are easy and
fast to crack with widely available automated tools. I know from experience, as
I have cracked many passwords recently under test conditions, many in under a
second, and certainly most in under 5 minutes.
Using the same password in multiple places means that once it is compromised on one system, say your home computer, an attacker can go on to access your work login, your email account, Twitter, Facebook, YouTube, PayPal, eBay, Amazon, and any other online service where you use the same password. Lists of stolen credentials are routinely replayed against other sites by automated tools, so the reuse is found without anyone having to look for it.
Attackers need not target you personally. Modern malware automates many attack techniques and hits many thousands of users at once, globally.
Malicious hacking is big business, and there is a whole criminal subculture geared up to make money from stolen credentials.
Many people store a lot of information online these days. Imagine losing access to your personal accounts and profiles, or worse: someone copying, adding or removing information, sending all your friends messages containing clever scams or malware, or moving your money through a chain of stolen bank accounts.
So what can users do to choose better passwords?
Having cracked many passwords
with a variety of different tools and techniques, here are the four best pieces
of advice I can offer.
1. Password length is the most important factor. Try to use a "pass-phrase", i.e. a group of words that is longer than 15 characters.
· At that length, brute-force and hybrid attacks over the full character set are infeasible with today's computing power. The attack that remains is guessing the phrase itself, so avoid well-known quotes, song lyrics and short runs of the most common words; phrase dictionaries and combinator attacks (joining dictionary words together) cover exactly those.
· Using 15 characters or more also means the password cannot be stored as an LM hash. LM hashing (Microsoft's original LAN Manager scheme) is one of the weakest password storage formats still found on Windows: it upper-cases the password, truncates it to 14 characters, splits it into two 7-character halves and hashes each half independently with no salt, so each half can be cracked on its own. Windows kept it for backward compatibility; newer versions no longer store it by default, but it can still be enabled by policy and is still present on older systems, so it remains a really big weakness wherever it is on.
2. Add some numbers and symbols
· This affects strength less than length does, but it enlarges the character set an attacker has to cover, using more of the available key-space. The gain is lost if the symbols are predictable: a single "1" or "!" on the end of a dictionary word, or substitutions such as "P@ssw0rd", add almost nothing, because cracking tools apply exactly those rules to every word in their dictionaries. Put the symbols inside a long phrase rather than using them as a suffix to a short word.
· Here are some examples
· Friday%is&a4great*day!
· #thisisareallyeasyonetoremember!
3. Use different passwords for the accounts you have
· It may be impractical to use a different password for every login on every system, but try to use unique passwords at least for your core services, such as
· Home computer login
· Email access (above all: password resets for nearly every other account arrive there, so whoever holds your email holds the rest)
· Bank accounts
· Work login
· Social networking
4. Test your choices, to see whether the type of password you are choosing is strong
· Try the Microsoft password strength checker to get an idea of what makes a password stronger.
· Try putting in a password built the same way as your current one (never type a password you actually use into someone else's website; a checker only needs one of the same shape). If it comes up "Weak" you're not doing very well with your password choices currently.
· You should be aiming for at least the strong category for passwords you use for important accounts. Bear in mind that a checker rates structure; it cannot tell whether your phrase is sitting in a cracking dictionary, so treat "Strong" as necessary, not sufficient.
· See if you can pick a memorable password that meets the "BEST" category. Make several attempts so you learn what matters in choosing a strong password.
Now choose similar passwords for your own use.
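The four points above come down to one question: how does a password look to a cracker, rather than to a strength meter? The following Python is an added example written for this page, not the author's tooling and not the Microsoft checker. It rates a candidate by the keyspace its length and character set imply, by whether it collapses to a common word once trailing digits and leet substitutions are stripped, and by whether it is short enough to be stored as an LM hash. The twelve-word list, the leet map, the assumed rate of 10 billion guesses per second and the 48/80-bit verdict thresholds are assumptions chosen for illustration.

```python
import math
import string

# Constructed stand-in for the multi-million-entry "commonly used password"
# dictionaries a cracker runs first (assumption, not the author's lists).
COMMON_PASSWORDS = {
    "password", "123456", "qwerty", "letmein", "welcome", "monkey",
    "iloveyou", "football", "dragon", "abc123", "admin", "secret",
}

# Predictable substitutions that cracking rule sets undo or apply,
# so "P@ssw0rd" is really just "password" (assumed rule set).
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                          "0": "o", "$": "s", "5": "s", "7": "t"})

# Character classes and their sizes for the brute-force keyspace estimate.
CHAR_CLASSES = (
    ("lower", frozenset(string.ascii_lowercase), 26),
    ("upper", frozenset(string.ascii_uppercase), 26),
    ("digit", frozenset(string.digits), 10),
    ("symbol", frozenset(string.punctuation + " "), len(string.punctuation) + 1),
)

GUESSES_PER_SECOND = 1e10   # assumed attacker rate against a fast unsalted hash
LM_MAX_LENGTH = 14          # LM hash stores at most 14 characters


def normalize(password):
    """Lower-case, drop trailing digits/symbols, undo leet-speak: what a
    dictionary-plus-rules attack effectively tries for every word."""
    base = password.lower().rstrip(string.digits + string.punctuation)
    return base.translate(LEET_MAP)


def charset_size(password):
    """Size of the smallest standard alphabet covering every character."""
    covered = set()
    size = 0
    for _, chars, n in CHAR_CLASSES:
        if any(c in chars for c in password):
            size += n
            covered |= chars
    if any(c not in covered for c in password):   # e.g. non-ASCII: one more symbol
        size += 1
    return size


def brute_force_bits(password):
    """log2 of the keyspace an exhaustive search over the detected alphabet covers."""
    if not password:
        return 0.0
    return len(password) * math.log2(charset_size(password))


def brute_force_seconds(password, rate=GUESSES_PER_SECOND):
    """Expected time to hit the password by brute force (half the keyspace)."""
    return 2 ** brute_force_bits(password) / 2 / rate


def rate_password(password):
    """Rate a candidate the way a cracker sees it, not by counting symbols."""
    hit = normalize(password) in COMMON_PASSWORDS
    bits = brute_force_bits(password)
    if hit or bits < 48:
        verdict = "weak"
    elif bits < 80:
        verdict = "moderate"
    else:
        verdict = "strong"
    return {
        "length": len(password),
        "classes": sum(1 for _, chars, _ in CHAR_CLASSES if any(c in chars for c in password)),
        "bits": round(bits, 1),
        "brute_force_seconds": brute_force_seconds(password),
        "dictionary_hit": hit,
        "lm_storable": len(password) <= LM_MAX_LENGTH,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for pw in ("P@ssw0rd", "Tr0ub4d&3", "Friday%is&a4great*day!",
               "#thisisareallyeasyonetoremember!"):
        r = rate_password(pw)
        print(f"{pw!r}: {r['verdict']}, {r['bits']} bits, "
              f"dictionary_hit={r['dictionary_hit']}, lm_storable={r['lm_storable']}")
```

Note what the dictionary check does to "P@ssw0rd": eight characters from all four classes give a respectable-looking 52 bits of brute-force keyspace, yet it is rated weak because it normalises to a dictionary word. The 22-character example from point 2 scores over 140 bits and cannot be LM-hashed; the 9-character "Tr0ub4d&3" sits in between and, being 14 characters or fewer, would still be stored as an LM hash on a system that has LM enabled.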
PS: I use several password
dictionaries of commonly used passwords, totalling over 200 million entries.
I find these very effective for
password cracking, before attempting hybrid, rainbow-table, and brute-force
attacks. They only take a few seconds to run for hash-cracking.
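As an illustration of the workflow in the PS (dictionary first, then hybrid rules, then brute force), here is an added Python example, not the author's setup and not any real wordlist. It takes a few constructed unsalted MD5 hashes and runs the three passes in order, recording which pass recovered each one and after how many guesses. MD5 stands in for whatever fast unsalted hash is being attacked; the twelve-word list, the mangling rules and the four-character lower-case brute-force limit are assumptions.

```python
import hashlib
import itertools
import string

# Constructed twelve-word list standing in for a multi-million-entry
# dictionary of commonly used passwords (assumption for this example).
WORDLIST = ["password", "123456", "qwerty", "letmein", "welcome", "monkey",
            "iloveyou", "football", "dragon", "summer", "admin", "secret"]


def md5_hex(text):
    """Unsalted MD5 as a stand-in for any fast unsalted password hash."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def dictionary_candidates(words):
    """Pass 1: each word exactly as listed."""
    yield from words


def hybrid_candidates(words):
    """Pass 2: simple mangling rules on every word, the way a hybrid attack
    extends a dictionary: change case, append 1-2 digits, append a symbol."""
    for word in words:
        for base in (word, word.capitalize(), word.upper()):
            for n in range(100):
                yield f"{base}{n}"
            for sym in "!@#$%":
                yield f"{base}{sym}"
                yield f"{base}{sym}1"


def brute_force_candidates(alphabet, max_len):
    """Pass 3: every string over `alphabet` up to max_len, shortest first."""
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            yield "".join(combo)


def crack(target_hashes, words=WORDLIST, alphabet=string.ascii_lowercase, max_len=4):
    """Run the three passes in order against a collection of hashes.

    Returns (found, guesses): found maps each recovered hash to
    (password, pass_name, guess_number); guesses is the total work done.
    """
    remaining = set(target_hashes)
    found = {}
    guesses = 0
    passes = (
        ("dictionary", dictionary_candidates(words)),
        ("hybrid", hybrid_candidates(words)),
        ("brute-force", brute_force_candidates(alphabet, max_len)),
    )
    for pass_name, candidates in passes:
        for candidate in candidates:
            if not remaining:
                return found, guesses
            guesses += 1
            digest = md5_hex(candidate)
            if digest in remaining:
                remaining.discard(digest)
                found[digest] = (candidate, pass_name, guesses)
    return found, guesses


# Constructed targets: a dictionary word, a mangled word, a short random
# string, and the 22-character pass-phrase from the examples above.
SAMPLE_PASSWORDS = ["monkey", "Monkey1", "qzvx", "Friday%is&a4great*day!"]
SAMPLE_HASHES = {md5_hex(p): p for p in SAMPLE_PASSWORDS}


if __name__ == "__main__":
    found, guesses = crack(SAMPLE_HASHES)
    for digest, plain in SAMPLE_HASHES.items():
        if digest in found:
            pw, how, at = found[digest]
            print(f"{digest} -> {pw!r} recovered by {how} pass at guess #{at}")
        else:
            print(f"{digest} -> not recovered ({plain!r}) after {guesses} guesses")
```

The first three targets fall in well under a second of Python, which is the point of running dictionaries before anything else: the dictionary word needs a handful of guesses, the mangled word a few thousand, the four-letter string a few hundred thousand. The pass-phrase survives all three passes, and extending the brute-force pass to its length over the full printable character set is the calculation point 1 calls infeasible.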
Most of these dictionaries are
available on the web if you look, but if you are interested in me providing
some copies, let me know in the feedback section.