#214629 - 01/09/11 06:02 PM
Things you need to know about passwords.
Pooh-Bah
Registered: 09/01/07
Posts: 2432
Modern survival isn't just about food, water and warmth. You have to protect yourself on your computer and on the electronic systems that control most of what goes on in modern life, and the first line of defense is usually setting up a password. In this, some are clearly better than others. Surprisingly, longer is not always better, and harder-to-remember passwords are not necessarily any better than easy-to-remember ones. http://www.baekdal.com/tips/password-security-usability
#214631 - 01/09/11 06:34 PM
Re: Things you need to know about passwords.
[Re: Art_in_FL]
Geezer in Chief
Geezer
Registered: 08/26/06
Posts: 7705
Loc: southern Cal
Thanks, Art. I am in the throes of making a new computer operational, and that article is very enlightening, as I sit here, surrounded by passwords written on post-it notes......
_________________________
Geezer in Chief
#214634 - 01/09/11 08:01 PM
Re: Things you need to know about passwords.
[Re: Art_in_FL]
Pooh-Bah
Registered: 04/01/10
Posts: 1629
Loc: Northern California
Good article, thanks. I learned something in the second half when the article discussed 2- and 3-word passwords. I guess a space is a character that's hard to decipher.
Here's a more difficult technique I have used. Make a password. Then, mentally encrypt the password to generate an encrypted password in your head. The encrypted password should look like gibberish. Use such an encrypted password for important stuff. Don't write down your encrypted password or your encryption technique.
The human element is almost always the weakest link in computer security.
_________________________
If you're reading this, it's too late.
#214638 - 01/09/11 08:23 PM
Re: Things you need to know about passwords.
[Re: Art_in_FL]
day hiker
Addict
Registered: 02/15/07
Posts: 590
Loc: ventura county, ca
Art, thanks for the link to that article. Some food for thought.
_________________________
“Everyone should have a horse. It is a great way to store meat without refrigeration. Just don’t ever get on one.” - ponder's dad
#214639 - 01/09/11 08:46 PM
Re: Things you need to know about passwords.
[Re: Art_in_FL]
Old Hand
Registered: 10/19/06
Posts: 1013
Loc: Pacific NW, USA
Hmm -
> None can remember a password like "J4fS<2", which evidently mean that it will be written on a post-it note.
Tend to disagree. I've been able to remember passwords incorporating 1-3 symbol characters for better than 25 years, without writing them on post-it notes. What it takes is another potential insecurity - settle on a symbol, settle on a typical sequence of letters and numbers, and settle on a contrary sequence of letters and numbers, said sequences meaning something only to you. You can then vary these sequences over time and mandatory password resets. This becomes potentially insecure if you allow anyone to watch you enter a password, or someone can get a keylogger on your system - you'll need to change your sequences.
Better still, I like two-factor authentication: something you have, like a smartcard, your thumbprint or a secure token, and something you know, like a password. Neither the token nor the password alone will get you in; you need them both. That has also worked for me better than anything else.
#214648 - 01/09/11 11:12 PM
Re: Things you need to know about passwords.
[Re: Lono]
Carpal Tunnel
Registered: 08/03/07
Posts: 3078
The easiest way to get a password is just to ask for it. Most ISPs will tell you what a person's primary email password is, or reset the password, without too much hassle. Sometimes they will ask for a security phrase (e.g. your favourite colour or mother's maiden name) or a billing account number and/or address (a little dumpster diving), and sometimes not at all (many an ISP chicken couldn't care less). Once you have gained the email password, you will most likely be able to access their web hosting server as well (they rarely change the FTP password). You can then order domains and have them hosted on their account, as many business ISP accounts rarely query their billing account. You can then set up criminal phishing websites and spamming operations with very little traceability. Then you can go around and try your hand with some of the big retailers such as Amazon, eBay etc., or just perform a password reset with these companies and capture those details using webmail in real time. All because someone's favourite colour is blue.

http://en.wikipedia.org/wiki/Gary_McKinnon

Even Gary was able to access high level Pentagon and NASA servers by writing a simple script to scan .mil web sites for UN=Admin and PW=NULL. He apparently was quite successful and wouldn't have even been caught had he used a laptop and an unsecured wireless access point (remember to spoof your MAC address and factory reset the unsecured router when finished) instead of a dial up connection. So it just goes to show that even a basic password such as 'qwerty' is better than none at all.

Wireless WEP encryption is basically useless and can be cracked in minutes using a netbook. All the other wireless encryption protocols are designed to be cracked by the likes of the NSA and GCHQ using portable custom ASIC logic machines.

The local university offers graduate degrees in hacking and countermeasures, where they practice walking into businesses as the computer geek (nobody is interested in the computer geek).
Edited by Am_Fear_Liath_Mor (01/09/11 11:27 PM)
#214650 - 01/10/11 12:34 AM
Re: Things you need to know about passwords.
[Re: Am_Fear_Liath_Mor]
Sheriff
Carpal Tunnel
Registered: 12/03/09
Posts: 3842
Loc: USA
> Wireless WEP encryption is basically useless and can be cracked in minutes using a netbook. All the other wireless encryption protocols are designed to be cracked by the likes of the NSA and GCHQ using portable custom ASIC logic machines.

When talking to customers I tell them that insecure encryption like WEP is worse than useless, as it provides a false sense of security. I'd be interested to learn why you say that other encryption protocols are designed to be cracked by government cryppies.
#214655 - 01/10/11 02:54 AM
Re: Things you need to know about passwords.
[Re: Art_in_FL]
Pooh-Bah
Registered: 04/01/10
Posts: 1629
Loc: Northern California
The article recommends using 2 or more words. Unfortunately, a space has NOT been an acceptable character anywhere I use a password. I'm not talking about underscore "_", and the article is not talking about underscore either. The article is talking about 2 or more words with a space between words.
_________________________
If you're reading this, it's too late.
#214658 - 01/10/11 04:55 AM
Re: Things you need to know about passwords.
[Re: Art_in_FL]
Journeyman
Registered: 04/13/10
Posts: 98
While I don't really use it at the moment, my degree was in CompSci, and I still stay up to date with things. Even with the advances in computers, you can't check that many passwords a second, and most all systems have limits. There are at least 96 different characters you can type (lowercase, caps, numbers, symbols, and punctuation). So at 6 characters long, you're at 782,757,789,696 combinations. Even trying to brute-force at 1,000,000 passwords a second (completely infeasible on pretty much every system out there), you're looking at days of time to crack it. Government agencies might be able to, depending on the system. If you're talking about data encryption, with reasonable key-length this is more than enough for a password (the math involved to check keys, or even to compute a key from a given password, takes time). If you're really paranoid, bump it up to 8 characters long (you're up to hundreds of years at 1,000,000 a second). Just make sure it's random. I know it's hard to memorize, but just take some extra time. (I would also tend to disagree with his conclusion to use combinations of words).
Edited by speedemon (01/10/11 04:56 AM)
#214663 - 01/10/11 11:39 AM
Re: Things you need to know about passwords.
[Re: Art_in_FL]
Carpal Tunnel
Registered: 12/26/02
Posts: 2997
It can be done much quicker though through the use of rainbow tables so it doesn't require those thousands of guesses per second to crack.
#214669 - 01/10/11 12:51 PM
Re: Things you need to know about passwords.
[Re: Art_in_FL]
Old Hand
Registered: 03/03/09
Posts: 745
Loc: NC
Being an IT type in a past life, and having had several classes on security and hacking --
I've found that in most cases, I can either find or guess a password in under 2 minutes, if I know the person. One friend was flabbergasted when I guessed his password, then totally freaked when I guessed his second one on the first try (hint: his son was in Cub Scouts - the passwords were webelos and tuocs, not really toughies, as he had some scout stuff in his office).
I can't stress enough having characters in your password. Even just two numbers in there will take the probability of guessing from maybe to no way José.
#214670 - 01/10/11 01:43 PM
Re: Things you need to know about passwords.
[Re: speedemon]
Sheriff
Carpal Tunnel
Registered: 12/03/09
Posts: 3842
Loc: USA
> While I don't really use it at the moment, my degree was in CompSci, and I still stay up to date with things. Even with the advances in computers, you can't check that many passwords a second, and most all systems have limits. There are at least 96 different characters you can type (lowercase, caps, numbers, symbols, and punctuation). So at 6 characters long, you're at 782,757,789,696 combinations. Even trying to brute-force at 1,000,000 passwords a second (completely infeasible on pretty much every system out there), you're looking at days of time to crack it. Government agencies might be able to, depending on the system. If you're talking about data encryption, with reasonable key-length this is more than enough for a password (the math involved to check keys, or even to compute a key from a given password, takes time). If you're really paranoid, bump it up to 8 characters long (you're up to hundreds of years at 1,000,000 a second). Just make sure it's random. I know it's hard to memorize, but just take some extra time. (I would also tend to disagree with his conclusion to use combinations of words).

I am a network security consultant. I don't crack passwords except in the course of a security assessment, which always includes written authorization from the customer. My desktop PC has a quad-core 2.8 GHz processor. I can typically crack 95% or more of a 500-user Active Directory domain's passwords in one day or less. Frequently the first 80% or more are cracked in the first few minutes. Password complexity has a significant impact on the time it takes and the success rate.
#214671 - 01/10/11 01:48 PM
Re: Things you need to know about passwords.
[Re: Art_in_FL]
Journeyman
Registered: 04/13/10
Posts: 98
Rainbow tables are only useful in certain circumstances, namely when the password to something is hashed and stored somewhere that is accessible to the person wishing to find your password. Proper security measures prevent anyone from gaining access to the hashed password. If they have the access needed to gain the hash of the password, why would they really need to crack it? They already have access to the data.
For encrypted data, they would be useless, as proper encryption software wouldn't need to store a password. For web passwords, if they don't have access to the server where the passwords are stored, rainbow tables would again be useless.
Just to add something: nearly all real life methods of gaining a person's password revolve around some workaround, mainly because trying every single password is so time consuming. IMO, bringing things up like that in a discussion of password complexity tends to be counter-productive because it makes people think there is no point in a complex password if it can still be cracked so quickly.
Edited by speedemon (01/10/11 02:50 PM)
#214682 - 01/10/11 05:15 PM
Re: Things you need to know about passwords.
[Re: Art_in_FL]
Carpal Tunnel
Registered: 12/26/02
Posts: 2997
I should have said "for example rainbow tables"; that's just one method. My point is that it doesn't take forever to crack passwords now. Yes, a longer or more complex password will make it take longer to some extent, but don't rely on it to make that much of a difference.
Interesting to add that there is now 4-factor authentication:
1. Something you know - password, PIN
2. Something you have - smartcard, token
3. Something you are - biometrics
4. Somewhere you are - location based
#214685 - 01/10/11 05:44 PM
Re: Things you need to know about passwords.
[Re: Art_in_FL]
Crazy Canuck
Carpal Tunnel
Registered: 02/03/07
Posts: 3240
Loc: Alberta, Canada
Interesting thread! A somewhat related article that may be of interest: "Amazon servers can help hack WiFi networks: expert A security researcher says he has figured out a quick and inexpensive way to break a commonly used form of password protection for wireless networks using powerful computers that anybody can lease from Amazon.com Inc." http://www.theglobeandmail.com/news/tech...article1861706/
#214686 - 01/10/11 05:57 PM
Re: Things you need to know about passwords.
[Re: Am_Fear_Liath_Mor]
Pooh-Bah
Registered: 09/15/05
Posts: 2485
Loc: California
> The easiest way to get a password is just to ask for it.

A lot of data breaches are related to "social engineering" like just asking for passwords, as AFLM points out. It's a point Kevin Mitnick often made about how he penetrated so many networks. Or how many times do you walk down the hall of some office and see an unattended PC that hasn't been logged off or locked in some way? The human element will likely always be the weakest link in computer security.

Are cracking passwords even that necessary anymore? How many secret, zero-day (i.e. not yet publicly known) vulnerabilities are out there in actual software right now, like in the operating system or applications? You don't even need to log in to burrow into a network. You have a lot of highly educated computer science folks from Russia, Ukraine, China, Brazil, etc. who are hired to work on penetrating just about anything on behalf of governments and criminals alike. The trend for computer services, even for corporations, out into "the cloud" is worrying to me from a security/privacy standpoint.

I've personally learned to assume that computer networks will be hacked and have tried to adjust my expectations accordingly for my personal online activities. Like storing important computer files on external hard drives or thumb drives, unconnected to the Internet, when they aren't needed. Not keeping highly sensitive information in my webmail account for long. I try to use those one-time disposable credit card numbers for online purchases so that when--not if--someone steals a million credit cards from an online merchant or credit card processor, it won't do anyone else any good. I'm not paranoid. It's not like I put tinfoil on my windows and sweep for listening devices every morning. I'm just accepting the situation and reducing my exposure to risk. I have no pretense that I'm somehow invulnerable to having my webmail or credit card account hacked or that my PC might become part of some spam network someday. It happens.

As far as picking passwords goes, I have been a longtime fan of Diceware--using dice plus a word or symbol list to create random, secure passwords that aren't just gobbledygook, like Rx5KL+q. I think most IT folks are realizing that from a real world perspective, those kinds of gobbledygook passwords just aren't practical because they are difficult to remember, especially when our lives often have so many different resources that require a password. And the use of dice avoids the second most common method of getting your password--guessing based on knowing something about you.
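The arithmetic behind the two positions above (speedemon's 96^6 and 96^8 figures at a million guesses a second, and the Diceware approach Arney describes), as an added example written for this page rather than code from the linked article, from Diceware, or from any poster. The syllable-built word list is a constructed stand-in for a real Diceware list (a real one also has 6^5 = 7776 entries, which is the number the entropy figures use), and the online and offline guess rates in compare_scenarios() are assumptions, not measurements; the point of parameterizing them is that a throttled login form and an attacker holding a hash dump differ by many orders of magnitude.

```python
"""Password keyspace arithmetic and a Diceware-style passphrase generator.

Added example written for this page; it is not code from the linked article,
from Diceware, or from any poster. The syllable-built word list is a
constructed stand-in for a real Diceware list (which also has 6**5 = 7776
entries), and the guess rates in compare_scenarios() are assumptions.
"""
import math
import secrets

SYMBOLS_TYPABLE = 96          # the figure speedemon used for a full keyboard
DICEWARE_WORDS = 6 ** 5       # 7776: one entry per five-dice roll


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct secrets of exactly `length` symbols."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy when every symbol is chosen uniformly at random."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate (expected time is half this)."""
    return space / guesses_per_second


def describe(seconds: float) -> str:
    """Render a duration in the largest unit that fits."""
    for unit, size in (("years", 365.25 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} seconds"


# --- Diceware-style generation --------------------------------------------
SYLLABLE = {1: "ba", 2: "ke", 3: "mi", 4: "no", 5: "tu", 6: "sy"}   # constructed


def standin_word(key: str) -> str:
    """Map a five-digit dice key such as '31415' to a stand-in word.
    A real Diceware list maps the same keys to 7776 English words."""
    return "".join(SYLLABLE[int(d)] for d in key)


def roll_key(rng=secrets.randbelow) -> str:
    """Roll five dice and read them as a Diceware lookup key.

    rng(n) must return a uniform integer in [0, n). secrets.randbelow is the
    CSPRNG default; a deterministic stand-in can be passed for testing."""
    return "".join(str(rng(6) + 1) for _ in range(5))


def diceware_passphrase(words: int = 5, rng=secrets.randbelow) -> str:
    """Roll one key per word; spaces separate the words, as the article suggests."""
    return " ".join(standin_word(roll_key(rng)) for _ in range(words))


def compare_scenarios(online_rate: float = 10.0, offline_rate: float = 1e9) -> dict:
    """Time to exhaust several secret types at an assumed online rate
    (server-throttled guesses) and an assumed offline rate (hash cracking
    against a stolen dump). Both rates are assumptions, not measurements."""
    cases = {
        "6 chars from 96 symbols": keyspace(SYMBOLS_TYPABLE, 6),
        "8 chars from 96 symbols": keyspace(SYMBOLS_TYPABLE, 8),
        "5 Diceware words": keyspace(DICEWARE_WORDS, 5),
        "2 dictionary words": keyspace(50_000, 2),    # assumed 50k-word dictionary
    }
    return {
        name: {
            "bits": round(math.log2(space), 1),
            "online": describe(seconds_to_exhaust(space, online_rate)),
            "offline": describe(seconds_to_exhaust(space, offline_rate)),
        }
        for name, space in cases.items()
    }


if __name__ == "__main__":
    print("96^6 =", keyspace(96, 6))
    print("at 1e6 guesses/s:", describe(seconds_to_exhaust(keyspace(96, 6), 1e6)))
    print("sample passphrase:", diceware_passphrase())
    for name, row in compare_scenarios().items():
        print(f"{name:28s} {row['bits']:5.1f} bits  "
              f"online {row['online']:>14s}  offline {row['offline']:>14s}")
```

Two things fall out of running it. Five random Diceware words (about 64.6 bits) beat eight random keyboard characters (about 52.7 bits) while being far easier to remember, which is the article's point; and the same 96^6 space that takes days at speedemon's million guesses a second takes minutes at the assumed offline rate and centuries at the assumed online rate, so the question "how long to crack" has no answer until you say which attack you mean.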
#214687 - 01/10/11 06:02 PM
Re: Things you need to know about passwords.
[Re: Art_in_FL]
Old Hand
Registered: 09/12/01
Posts: 960
Loc: Saskatchewan, Canada
Our IT guys have written a script that checks for password security and awards points based on the complexity. My passwords are usually based on the quantity of characters, gibberish, upper/lower case, numbers and symbols, and get high marks on this "system". The downside - I need to write down the passwords so I can refer to them the first half dozen times. After that it becomes more and more automatic to enter. Then the *^$D@%!s at IT force me to change the password every 60 days and it can't be the same as my previous 6 passwords. The computers time out after 15 minutes of non-usage. Not only that, but all the data on the machine is encrypted! All this makes for a royal pain in the touché considering that there is no data stored locally (except in the memory cache) and everything is on the network!

Compare this to an online site like Amazon, and they will allow passwords that are simple, easy and short. They do billions of dollars of business a day, and yet private/public firms which are much less likely to be attacked have the most wicked security! This all makes as much sense as parking on a driveway and driving on a parkway!
#214702 - 01/10/11 08:06 PM
Re: Things you need to know about passwords.
[Re: Eugene]
Journeyman
Registered: 04/13/10
Posts: 98
> I should have said "for example rainbow tables"; that's just one method. My point is that it doesn't take forever to crack passwords now. Yes, a longer or more complex password will make it take longer to some extent, but don't rely on it to make that much of a difference.
> Interesting to add that there is now 4-factor authentication. 1. Something you know - password, PIN 2. Something you have - smartcard, token 3. Something you are - biometrics 4. Somewhere you are - location based.

I guess I could have clarified myself better. Assuming we are talking only about strength of password (as the OP was) and ignoring the specific system, then my examples are sound. You aren't going to brute force a random 6 character password; there are simply too many combinations. Depending on the system that is using this password, there is quite possibly some way to recover that password. We could go on all day talking about different techniques for cracking different systems, and most of them will be successful regardless of strength of password. Unless you are encrypting your data, it isn't truly secure. Physical access to the machine renders pretty much all authentication pointless. For those systems you don't control, there isn't much point worrying about all the what-ifs of how it could be compromised. The only thing you can do is use a secure password, which goes back to the original topic.
#214717 - 01/10/11 09:59 PM
Re: Things you need to know about passwords.
[Re: speedemon]
Sheriff
Carpal Tunnel
Registered: 12/03/09
Posts: 3842
Loc: USA
> You aren't going to brute force a random 6 character password; there are simply too many combinations.

I have myself successfully brute-forced thousands of six-character and longer passwords, using John the Ripper on a multicore PC. One 6-character password typically takes under a minute. I'd be surprised if a completely random 6-character password with all four character types would take an hour. Feel free to post the Unix or Windows hash of a 6-character random password, and I'll be glad to take a (forgive me) crack at it. Six-character passwords are too short. It's worth stating again that I only crack passwords with written authorization from my customers.
#214726 - 01/11/11 02:31 AM
Re: Things you need to know about passwords.
[Re: chaosmagnet]
Pooh-Bah
Registered: 09/01/07
Posts: 2432
> This article was written in August of 2007. Computers are dramatically faster than they used to be. Also, some bad guys are using botnets for password cracking. This means that some bad guys can apply several orders of magnitude more computing power to password cracking than they were able to when the article was written. ... In offline password cracking, the attacker is not subject to any of those limitations and password security needs to be significantly greater to prevent attacks from succeeding. Many authentication systems are subject to offline attacks.

The speed (processing power) of the computer used to crack a password doesn't make any difference. The process is not CPU dependent and is simply the input of a simple list of logical guesses. As mentioned in the article, the main limitation is the speed with which guesses can be made. The two main limitations are the speed of the connection and any limitation placed on how many attempts can be made in any set amount of time by the securing system. The basics are as relevant now as they were in 2007.
#214728 - 01/11/11 02:50 AM
Re: Things you need to know about passwords.
[Re: chaosmagnet]
Journeyman
Registered: 04/13/10
Posts: 98
> I have myself successfully brute-forced thousands of six-character and longer passwords, using John the Ripper on a multicore PC. One 6-character password typically takes under a minute. I'd be surprised if a completely random 6-character password with all four character types would take an hour. Feel free to post the Unix or Windows hash of a 6-character random password, and I'll be glad to take a (forgive me) crack at it. Six-character passwords are too short. It's worth stating again that I only crack passwords with written authorization from my customers.

Like I said, IGNORING THE SYSTEM. You're talking about a specific program that is cracking a password file. Not to mention, a program like that requires access to the machine in the first place, which would probably make it a pointless endeavor to recover passwords; you already have access to the data. We could go on all day about specific circumstances where this works, and that doesn't. In the end, it doesn't help at all because most people will tend to form the opinion that it doesn't matter and they will keep using weak passwords. You want a specific example where a 6 character password will work? Try and crack 256 (try 128 for that matter) bit AES where the key was hashed from a 6 character password. Never going to happen. In the end, if you want true data security, authentication to prevent access to the system is not the answer. Encryption is the only thing that will prevent access to your data, and even that depends on the implementation of the algorithm itself (plenty of examples of encryption software with holes).
#214741 - 01/11/11 11:59 AM
Re: Things you need to know about passwords.
[Re: Art_in_FL]
Carpal Tunnel
Registered: 12/26/02
Posts: 2997
You don't need access to the system; you can gather the password hash over the network. And yes, a 6-character password is pretty easy to crack; 8, 10, 12, etc. take longer, but not all that much longer.
#214751 - 01/11/11 02:21 PM
Re: Things you need to know about passwords.
[Re: Art_in_FL]
Sheriff
Carpal Tunnel
Registered: 12/03/09
Posts: 3842
Loc: USA
> The speed (processing power) of the computer used to crack a password doesn't make any difference. The process is not CPU dependent and is simply the input of a simple list of logical guesses. As mentioned in the article, the main limitation is the speed with which guesses can be made. The two main limitations are the speed of the connection and any limitation placed on how many attempts can be made in any set amount of time by the securing system. The basics are as relevant now as they were in 2007.

This is true for online password attacks, and not true for offline password attacks. Many systems are vulnerable to offline password attacks.
#214755 - 01/11/11 02:41 PM
Re: Things you need to know about passwords.
[Re: speedemon]
Sheriff
Carpal Tunnel
Registered: 12/03/09
Posts: 3842
Loc: USA
> Like I said, IGNORING THE SYSTEM. You're talking about a specific program that is cracking a password file. Not to mention, a program like that requires access to the machine in the first place, which would probably make it a pointless endeavor to recover passwords; you already have access to the data.

There are offline password attacks that do not depend on prior access to the system. There have also been ways to use unprivileged access to obtain hashed passwords, which can lead to successful privilege escalation attacks.

> We could go on all day about specific circumstances where this works, and that doesn't. In the end, it doesn't help at all because most people will tend to form the opinion that it doesn't matter and they will keep using weak passwords.

That's where policy, enforcement, security education and token-based authentication can help. I have customers who use and enforce strong password policies. In many cases it took significant effort to implement due to end-user resistance.

> You want a specific example where a 6 character password will work? Try and crack 256 (try 128 for that matter) bit AES where the key was hashed from a 6 character password. Never going to happen.

Cracking AES is exceptionally difficult and expensive, and likely to be infeasible for some time to come. But we weren't talking about encryption keys, we were talking about account passwords. These are frequently stored as hashes. While there are no hash-reversal attacks that I'm aware of, there are some good attack modalities. These attacks work a lot better with six-character passwords than they do with longer passwords of roughly equivalent complexity.

> In the end, if you want true data security, authentication to prevent access to the system is not the answer. Encryption is the only thing that will prevent access to your data, and even that depends on the implementation of the algorithm itself (plenty of examples of encryption software with holes).

Encryption plays a critical part in information security in many systems. As you say, most successful attacks against encryption work because of weak implementation rather than weak encryption (WEP being a notable counterexample). Unfortunately encryption by itself does not result in secure systems. While I'd put software and configuration vulnerabilities ahead of authentication issues, weak authentication continues to pose a significant threat to information security. Data secured by strong encryption but weak authentication can be quite vulnerable.
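The offline attack the last several posts argue about, as an added example written for this page; it is not code from John the Ripper or from any poster. It covers chaosmagnet's point that a stolen hash can be attacked without any limit on guess rate, Eugene's point that the hash can come from the network rather than the machine, and speedemon's AES example: when a key is derived from a password, the attacker searches the password space, not the key space, so the length of the key is irrelevant and only the password's strength counts. Every user, password, salt, wordlist and hash format here is constructed for the demo: unsalted SHA-256 stands in for whatever fast hash a password store uses, PBKDF2 stands in for a deliberately slow one, and an HMAC over a known header stands in for "does this key decrypt the file?" (with AES the attacker would decrypt a known header; the search loop is identical).

```python
"""Offline attacks on stored password hashes and on password-derived keys.

Added example written for this page; it is not code from John the Ripper
or from any poster in the thread. Every user, password, salt, wordlist and
hash format below is constructed for the demo: unsalted SHA-256 stands in
for whatever fast hash a password store uses, and an HMAC over a known
header stands in for 'does this key decrypt the file?'.
"""
import hashlib
import hmac
import itertools
import string
from typing import Callable, Optional, Tuple

ALPHABET = string.ascii_lowercase + string.digits      # 36 symbols
Check = Callable[[str], bool]


def fast_hash(password: str) -> str:
    """Unsalted, single-round hash: one cheap operation per guess."""
    return hashlib.sha256(password.encode()).hexdigest()


def slow_hash(password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256: every guess costs `iterations` HMAC rounds."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def derived_key_check(password: str, header: bytes, tag: bytes) -> bool:
    """Derive a 256-bit key from the password (plain SHA-256, as a naive tool
    might) and test it against a known-plaintext tag. The search runs over
    passwords, not over 2**256 keys, so key length buys nothing here."""
    key = hashlib.sha256(password.encode()).digest()
    return hmac.compare_digest(hmac.new(key, header, "sha256").digest(), tag)


def dictionary_attack(check: Check, wordlist) -> Optional[str]:
    """Try each word once; the first that passes `check` is the password."""
    for word in wordlist:
        if check(word):
            return word
    return None


def brute_force(check: Check, alphabet: str, max_len: int,
                budget: int) -> Tuple[Optional[str], int]:
    """Exhaustive search of strings up to max_len, stopping after `budget`
    guesses. Returns (password or None, guesses made)."""
    guesses = 0
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            if guesses >= budget:
                return None, guesses
            guesses += 1
            candidate = "".join(combo)
            if check(candidate):
                return candidate, guesses
    return None, guesses


# --- constructed victim data ----------------------------------------------
WORDLIST = ["password", "qwerty", "webelos", "tuocs", "letmein"]
SALT = b"constructed-salt"
HASH_DUMP = {                          # what an attacker holds after an offline grab
    "alice": fast_hash("webelos"),     # the Cub Scout word from earlier in the thread
    "bob":   fast_hash("c4fz"),        # 4 characters, not in any wordlist
    "carol": fast_hash("Qx7!mT9#Lz"),  # 10 characters, four character classes
}
SLOW_DUMP = {"dave": slow_hash("qwerty", SALT, 10_000)}
HEADER = b"constructed known plaintext"
TAG = hmac.new(hashlib.sha256(b"c4fz").digest(), HEADER, "sha256").digest()
BUDGET = 400_000                       # guesses we are willing to spend per target


def crack_everything() -> dict:
    """Run the attacks and report what fell within the budget."""
    found = {}
    for user, stored in HASH_DUMP.items():
        check = lambda cand, stored=stored: fast_hash(cand) == stored
        password = dictionary_attack(check, WORDLIST)
        if password is None:
            password, _ = brute_force(check, ALPHABET, 4, BUDGET)
        found[user] = password
    # A slow hash multiplies the cost per guess, but a dictionary word still falls.
    found["dave"] = dictionary_attack(
        lambda cand: slow_hash(cand, SALT, 10_000) == SLOW_DUMP["dave"], WORDLIST)
    # The file key is 256 bits, yet the same 4-character search recovers it.
    found["file-key"], _ = brute_force(
        lambda cand: derived_key_check(cand, HEADER, TAG), ALPHABET, 4, BUDGET)
    return found


if __name__ == "__main__":
    for target, result in crack_everything().items():
        print(f"{target:9s} {result if result else 'not cracked within budget'}")
```

Within a few hundred thousand guesses the dictionary word, the short password and the "256-bit" file key all fall, while the ten-character mixed-class password does not; the slow hash makes each of dave's guesses ten thousand times dearer without saving a dictionary word. Nothing in the loop talks to the victim system, which is why the online rate limits Art_in_FL describes do not apply once the hash has left the server.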