
How secure are your passwords?

Alan H
Posts: 24067
Joined: July 3rd, 2007, 10:26 pm

How secure are your passwords?

#1 Post by Alan H » November 13th, 2008, 11:03 am

********************************************************************************
Read me first: Passwords are not broken, but how we choose them sure is | Technology | The Guardian
http://www.guardian.co.uk/technology/20 ... -passwords
~~~~~~~~~~~~~~~~~~~

Passwords are not broken, but how we choose them sure is

* Bruce Schneier
* guardian.co.uk, Thursday November 13 2008 00.01 GMT
* The Guardian, Thursday November 13 2008
* Article history

I've been reading a lot about how passwords are no longer good security. The reality is more complicated. Passwords are still secure enough for many applications, but you have to choose a good one. And that's hard. The best way to explain how to choose a good password is to describe how they're broken. The most serious attack is called offline password guessing. There are commercial programs that do this, sold primarily to police departments. There are also hacker tools that do the same thing.

As computers have become faster, the guessers have got better, sometimes being able to test hundreds of thousands of passwords per second. These guessers might run for months on many machines simultaneously.

They guess intelligently. They don't run through every eight-letter combination from "aaaaaaaa" to "zzzzzzzz" in order. That's 200bn possible passwords, most of them very unlikely. They try the most common password first: "password1". (Don't laugh; the most common password used to be "password".)

A typical password consists of a root plus an appendage. The root isn't necessarily a dictionary word, but it's something pronounceable. An appendage is either a suffix (90% of the time) or a prefix (10% of the time). One guesser I studied starts with a dictionary of about 1,000 common passwords, things like "letmein," "temp," "123456," and so on. Then it tests them each with about 100 common suffix appendages: "1", "4u", "69", "abc", "!" and so on. It recovers about 24% of all passwords with just these 100,000 combinations.

Then the guesser tries different dictionaries: English words, names, foreign words, phonetic patterns and so on for roots; two digits, dates, single symbols and so on for appendages. It runs the dictionaries with various capitalisations and common substitutions: "$" for "s", "@" for "a", "1" for "l" and so on. With a couple of weeks to a month's worth of time, this guessing strategy breaks about two-thirds of all passwords. But that assumes no biographical data. Any smart guesser collects whatever personal information it can on the subject before beginning. Postal codes are common appendages, so they're tested.

It also tests names and addresses from the address book, meaningful dates, and any other personal information. If it can, the guesser indexes the target hard drive and creates a dictionary out of every printable string, including deleted files. If you ever kept an email with your password, or saved it in an obscure file somewhere, or if your program ever stored it in memory, this process will grab it. And it will recover your password faster.

So if you want your password to be hard to guess, you should choose something that this process will miss. My advice is to take a sentence and turn it into a password. Something like "This little piggy went to market" might become "tlpWENT2m". That nine-character password won't be in anyone's dictionary. Of course, don't use this one, because I've written about it. Choose your own sentence - something personal.

Strong passwords can still fail because people are sloppy. They write them on Post-it notes stuck to their monitors, share them with friends, or choose the same passwords for multiple applications. (I don't care about low-security passwords here, only about ones that matter: your bank accounts, your credit cards, etc.) Websites are sloppy, too, allowing people to set up easy-to-guess "secret questions" as a backup password or email them to customers.

If you can't remember your passwords, write them down and put the paper in your wallet. But just write the sentence - or better yet - a hint that will help you remember your sentence. Or use a free program like Password Safe, which I designed to help people securely store all their passwords. Don't feel this is a failure; most of us have far too many passwords to be able to remember them all.

Passwords can still provide good authentication if used properly. The rise of alternate forms of authentication is more because people don't use passwords securely, and less because they don't work any more.

• Bruce Schneier is a security technologist and author

[Retrieved: Thu Nov 13 2008 11:01:56 GMT+0000 (GMT Standard Time)]

###################
Alan Henness

There are three fundamental questions for anyone advocating Brexit:

1. What, precisely, are the significant and tangible benefits of leaving the EU?
2. What damage to the UK and its citizens is an acceptable price to pay for those benefits?
3. Which ruling of the ECJ is most persuasive of the need to leave its jurisdiction?
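The article describes the guesser's model (a pronounceable root from a small dictionary, plus a common suffix or prefix, tried under the usual capitalisations and "$"/"@"/"1" substitutions) and then recommends a sentence-derived password that falls outside that model. The following is an added example, not code from the Guardian piece or from anyone in this thread: a defender-side acceptance check that strips a candidate appendage, undoes the substitutions, and rejects the password if what remains is a dictionary root. The root dictionary, appendage lists, the two extra substitutions ("0" for "o", "3" for "e") and the sample passwords are all constructed here for illustration; a real check would use lists the size the article mentions (about 1,000 roots and 100 appendages).

```python
"""Password acceptance check modelled on the root-plus-appendage
guessing strategy described in the article.  Added example; all
word lists below are small constructed stand-ins."""

# Constructed stand-in for the guesser's dictionary of common roots.
COMMON_ROOTS = {
    "password", "letmein", "temp", "123456", "qwerty",
    "welcome", "monkey", "piggy",
}

# Constructed appendage lists.  The empty string stands for "no appendage";
# the article puts suffixes at about 90% of appendages and prefixes at 10%.
COMMON_SUFFIXES = ["", "1", "4u", "69", "abc", "!", "123", "2008"]
COMMON_PREFIXES = ["", "1", "!", "the"]

# Substitutions named in the article ("$"->"s", "@"->"a", "1"->"l"),
# plus two more of the same kind added here for illustration.
SUBSTITUTIONS = str.maketrans({"$": "s", "@": "a", "1": "l", "0": "o", "3": "e"})


def candidate_splits(password):
    """Yield every (prefix, root, suffix) split of `password` that uses one
    constructed prefix and one constructed suffix, longest appendages first,
    so that "password1" is seen as root "password" + suffix "1"."""
    for prefix in sorted(COMMON_PREFIXES, key=len, reverse=True):
        if not password.startswith(prefix):
            continue
        rest = password[len(prefix):]
        for suffix in sorted(COMMON_SUFFIXES, key=len, reverse=True):
            if rest.endswith(suffix):
                root = rest[:len(rest) - len(suffix)]
                if root:
                    yield prefix, root, suffix


def normalise(root):
    """Undo capitalisation and the common substitutions, the way the
    guesser's dictionary pass would, so "P@$$w0rd" compares as "password"."""
    return root.lower().translate(SUBSTITUTIONS)


def is_guessable(password):
    """True if the password sits inside the root-plus-appendage model:
    some split leaves a root that matches the dictionary either as typed
    or after normalisation."""
    for _prefix, root, _suffix in candidate_splits(password):
        if root in COMMON_ROOTS or normalise(root) in COMMON_ROOTS:
            return True
    return False


if __name__ == "__main__":
    # Constructed sample passwords, plus the article's own "tlpWENT2m".
    for pw in ["password1", "P@$$w0rd1", "Piggy2008", "letmein!", "tlpWENT2m"]:
        verdict = "inside the guesser's model" if is_guessable(pw) else "outside it"
        print(f"{pw:12} {verdict}")
```

Run as a script, it reports the first four constructed samples as inside the model and the article's sentence-derived "tlpWENT2m" as outside it. The check is deliberately conservative in the defender's favour: it only needs to find one split that lands on a dictionary root, so enlarging the root and appendage lists only ever rejects more.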

kbell
Posts: 1146
Joined: July 3rd, 2007, 11:27 pm

Re: How secure are your passwords?

#2 Post by kbell » November 17th, 2008, 12:33 pm

My advice is to take a sentence and turn it into a password. Something like "This little piggy went to market" might become "tlpWENT2m". That nine-character password won't be in anyone's dictionary. Of course, don't use this one, because I've written about it. Choose your own sentence - something personal.
:clap: Excellent piece of advice and something I never thought of. I had a password guessed by one of my colleagues - I used my cat's name! It was only because she needed access to my PC in an emergency, but it did make me a bit paranoid about passwords for more important things. I find a real problem in remembering passwords that don't have a personal meaning to me. Now I'm off to find a sentence like 'this little piggy...' only one that's meaningful...
Kathryn

Alan H
Posts: 24067
Joined: July 3rd, 2007, 10:26 pm

Re: How secure are your passwords?

#3 Post by Alan H » November 17th, 2008, 12:45 pm

Another piece of advice: don't say your sentence out loud when you're tapping the keyboard...

Ted Harvey
Posts: 172
Joined: September 10th, 2007, 4:41 pm

Re: How secure are your passwords?

#4 Post by Ted Harvey » November 18th, 2008, 11:25 am

Doh! Alan H - I wish you had advised me about that before I started my regular oral logging in, in the middle of busy Mitchell Library :)

Alan H
Posts: 24067
Joined: July 3rd, 2007, 10:26 pm

Re: How secure are your passwords?

#5 Post by Alan H » November 18th, 2008, 11:44 am

:laughter:

Alan H
Posts: 24067
Joined: July 3rd, 2007, 10:26 pm

Re: How secure are your passwords?

#6 Post by Alan H » December 7th, 2008, 9:30 pm

OK, you've got different passwords for every site and you've got IE or Firefox to remember them for you (not very safe!), but what do you do when you do need to type one in and you just can't remember it? You write them down somewhere, but it's not very secure just to put them in a Word document...but you could password protect the document so you need to remember just one password to get access to all of them.

This works, but it's not very convenient if you've got a big list of sites, usernames and passwords.

There are, however, several programs to do it all for you. For free, there is KeePass. Version 2 of this seems to work fairly well, but I've not got to grips fully with it.

If you're prepared to pay a little, there's Password Keeper or Password Agent.