September 26, 2007
Think your password is secure? Think again
Chilling yet fantastic advice from security expert Bruce Schneier on passwords (with hat tip to Bert):
“Offline password guessers have gotten both fast and smart. AccessData sells Password Recovery Toolkit, or PRTK. Depending on the software it’s attacking, PRTK can test up to hundreds of thousands of passwords per second, and it tests more common passwords sooner than obscure ones.”
Well, there goes my assumption that my simple eight-character password will suffice. And don’t think that using a crypto program like my beloved PGP is going to help:
“The results are all over the map. Microsoft Office, for example, has a simple password-to-key conversion, so PRTK can test 350,000 Microsoft Word passwords per second on a 3-GHz Pentium 4, which is a reasonably current benchmark computer. WinZip used to be even worse — well over a million guesses per second for version 7.0 — but with version 9.0, the cryptosystem’s ramp-up function has been substantially increased: PRTK can only test 900 passwords per second. PGP also makes things deliberately hard for programs like PRTK, also only allowing about 900 guesses per second.”
The whole article is brilliant reading. Go read it. Now.
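The guess rates in the quote are set by the target's password-to-key conversion, not by the attacker's hardware alone: a single hash lets a guesser test hundreds of thousands of candidates per second, while a deliberately iterated conversion such as the WinZip 9 or PGP "ramp-up" cuts that to hundreds. The following added example (written for this page, not code from Schneier, AccessData or any of the products named) times both styles of conversion on a constructed candidate list. The `fast_kdf` and `slow_kdf` functions, the PBKDF2 iteration count and the candidate words are assumptions for illustration, not the internals of Word, WinZip or PGP.

```python
import hashlib
import hmac
import os
import time

# Constructed sample candidate list (not from the page): the sort of common
# passwords a guesser tries first. It is used here only as a workload to time
# the password-to-key conversion itself.
CANDIDATES = ["password", "letmein", "123456", "qwerty", "dragon", "monkey"]


def fast_kdf(password: str, salt: bytes) -> bytes:
    """Simple password-to-key conversion: a single hash over salt and password.
    A verifier built this way can be tested at hundreds of thousands of guesses
    per second, the situation the quote describes for Word (assumed scheme)."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def slow_kdf(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Deliberately expensive conversion in the spirit of the WinZip 9 / PGP
    ramp-up: PBKDF2-HMAC-SHA256 with a large iteration count (assumed scheme).
    The iteration count is the knob that sets the attacker's guess rate."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_verifier(password: str, kdf, salt=None):
    """Store only (salt, derived key); the password itself is never kept."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, kdf(password, salt)


def verify(password: str, salt: bytes, stored_key: bytes, kdf) -> bool:
    """Re-derive the key and compare in constant time."""
    return hmac.compare_digest(kdf(password, salt), stored_key)


def roundtrip(real_password: str, attempt: str, kdf) -> bool:
    """Create a verifier for real_password and check attempt against it."""
    salt, key = make_verifier(real_password, kdf)
    return verify(attempt, salt, key, kdf)


def guesses_per_second(kdf, candidates=CANDIDATES, salt: bytes = b"\x00" * 16,
                       min_seconds: float = 0.2) -> float:
    """Derive keys for the candidate list repeatedly for at least min_seconds
    and report the achieved rate: an upper bound on what a single-core offline
    guesser gets against this KDF in this runtime."""
    count = 0
    start = time.perf_counter()
    while True:
        for pw in candidates:
            kdf(pw, salt)
            count += 1
        elapsed = time.perf_counter() - start
        if elapsed >= min_seconds:
            return count / elapsed


def slowdown_factor(candidates=CANDIDATES) -> float:
    """How many times fewer guesses per second the stretched KDF allows."""
    return guesses_per_second(fast_kdf, candidates) / guesses_per_second(slow_kdf, candidates)


if __name__ == "__main__":
    print("right password accepted:", roundtrip("correct horse", "correct horse", slow_kdf))
    print("wrong password rejected:", not roundtrip("correct horse", "password", slow_kdf))
    print(f"fast KDF: {guesses_per_second(fast_kdf):,.0f} guesses/s")
    print(f"slow KDF: {guesses_per_second(slow_kdf):,.0f} guesses/s")
    print(f"slowdown: {slowdown_factor():,.0f}x")
```

The absolute numbers depend on the machine, but the ratio is the point: raising the iteration count raises the cost of every guess, legitimate or not, which is exactly the trade WinZip 9 and PGP make in the quote.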
Equally illuminating are some of the comments, and the replies by Bruce, to wit:
“Of course longer is better. If you have a 32-character password, no software cracker is going to find it.”
“A useful class of memorable passwords that are difficult to cast as a PRTK-style stereotype is equations.
For the physically or mathematically-minded, they can be very easy to remember. They also make it easy to involve symbols (memorably). And since the notation for terms can have a very broad variation, they are probably not easy to search efficiently. And, there are a lot of them, many of which are quite obscure.
An example from classical mechanics: Hamiltonian evolution with Poisson Bracket notation might yield a password like
dy/dt={H,y}
Considering the possible variations (ydot instead of dy/dt, Heisenberg evolution with commutators, replace y by a Greek letter like Psi, subtract the RHS from both sides, many more) it seems like a losing game to try to create a stereotype search for these. And in this case, obscurity does aid security.”
“Interestingly, it sounds to me like a combination of two (reasonably long) dictionary words with a small non-alpha infix would survive this attacker fairly well.”
“Seems like a shift in the root is all you need to be less predictable. The progression I often have experienced in terms of user password maturity:
1) simple root (password)
2) simple root with appendages (password123)
3) root with character-shift and appendages (p@ssW0rd123!)
4) phrase with character-shift and appendages (e.g. I wish I had a dollar for every star = iW1h@$4e*)
5) random digits generated by a program and stored securely with a level 4 password”
“I found this slide-deck on a method to create passwords interesting:
http://druid.caughq.org/presentations/Mnemonic-Password-Formulas.pdf
I wonder how well something like PRTK would be in recovering the formula used to generate the password if it had multiple passwords to compare.”
“@Simon: “how does Password Safe help?”
It helps in two ways: First, it allows you to choose different passwords for different services. Not many among us can remember 40 distinct passwords; we either have to write them down or re-use the same passwords over and over again, which becomes a nightmare with the different password choice and lifetime policies out there.
Second, it allows you to generate random passwords. Myself, I use different, random 12 character passwords for each service. In cases where I don’t care about identity, I even use a randomly generated user name.
“When away from my computer I’d not know the passwords.”
There’s not many services that I want to use when I’m away from my computer, so it’s not much of an issue for me.
Password Safe and its clones can also be installed on a USB stick, along with the password database. Although I would somewhat hesitate to trust a public computer.”
@Squyd
That just sounds like a LOT of work. Why bother? Use a password manager with a password generator built in. Done. There are plenty out there, both traditional, and online:
http://passpack.wordpress.com/2007/01/29/online-vs-offline-password-managers/
Me, I use Password Master myself (from the excellent team at Dreameesoft) so I can use it on my pda, but they are all much of a muchness.
I’m now going through all of my different passworded accounts and randomising them with Password Master rather than relying on my old 8-character password which is the same one I use on multiple sites (very dangerous and stupid, I know, but I’m lazy!)
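The password-maturity progression quoted above and the advice to use a generator rest on one idea: a guesser that models "root + character shift + appendage" searches a space the size of the product of those slots, while a randomly generated password forces a search of the full alphabet raised to its length. The following added example (written for this page, not the code of Password Master, Password Safe or PRTK) generates a random 12-character password with a CSPRNG and compares the exhaustive-search time of the two kinds of password at the guess rates quoted from Schneier's article. The attacker model sizes in `PATTERN_MODEL` are constructed assumptions for illustration, not figures from the page.

```python
import math
import secrets
import string

# Guess rates quoted on the page for PRTK on a 3-GHz Pentium 4:
RATE_WORD = 350_000   # Microsoft Word: simple password-to-key conversion
RATE_PGP = 900        # PGP / WinZip 9: deliberately slow conversion

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def random_password(length: int = 12, alphabet: str = ALPHABET) -> str:
    """What a password manager's generator does: pick each character
    independently from the alphabet with a CSPRNG (secrets, not random)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_entropy_bits(length: int = 12, alphabet: str = ALPHABET) -> float:
    """Every string of this length is equally likely, so the search space
    is len(alphabet) ** length."""
    return length * math.log2(len(alphabet))


def pattern_entropy_bits(root_words: int, shift_variants: int, appendages: int) -> float:
    """Effective entropy of a 'root + character shift + appendage' password
    against a guesser that models it that way: the product of the slot sizes,
    far smaller than the raw character-class count suggests."""
    return math.log2(root_words * shift_variants * appendages)


def seconds_to_exhaust(bits: float, rate: float) -> float:
    """Time to try every candidate in a 2**bits space at `rate` guesses/s."""
    return 2.0 ** bits / rate


def describe(seconds: float) -> str:
    """Render a duration in seconds, days or years for a human reader."""
    year = 365.25 * 24 * 3600
    if seconds < 60:
        return f"{seconds:.1f} s"
    if seconds < year:
        return f"{seconds / 86400:.1f} days"
    return f"{seconds / year:.3g} years"


# Constructed attacker model (an assumption for illustration, not a figure from
# the page): 100,000 root words, 64 leet/case variants, 10,000 appendages.
PATTERN_MODEL = dict(root_words=100_000, shift_variants=64, appendages=10_000)


def comparison() -> dict:
    """Exhaustive-search time for a level-3 pattern password versus a random
    12-character one, at the two quoted guess rates."""
    pattern_bits = pattern_entropy_bits(**PATTERN_MODEL)
    random_bits = random_entropy_bits(12)
    return {
        "pattern_bits": pattern_bits,
        "random_bits": random_bits,
        "pattern_vs_word": seconds_to_exhaust(pattern_bits, RATE_WORD),
        "pattern_vs_pgp": seconds_to_exhaust(pattern_bits, RATE_PGP),
        "random_vs_word": seconds_to_exhaust(random_bits, RATE_WORD),
        "random_vs_pgp": seconds_to_exhaust(random_bits, RATE_PGP),
    }


if __name__ == "__main__":
    print("generated:", random_password())
    for name, value in comparison().items():
        print(f"{name:>16}: {describe(value) if 'vs' in name else f'{value:.1f} bits'}")
```

Under the constructed model the pattern password is a few days' work against the Word-style conversion and a couple of years against the PGP-style one, whereas the random 12-character password is out of reach at either rate; the slow conversion buys time, but the generator is what makes the search infeasible.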
Currently listening to: Brian Eno - On Land - Dunwich Beach, Autumn, 1960
Filed under: Uncategorized
7 Responses to “Think your password is secure? Think again”
September 27th, 2007 at 7:14 pm
Hi, glad to hear you’ve decided to change to lots of unique, long passwords. You’ll surely sleep better at night.
On being lazy - i can completely understand. Does Password master have an automatic login feature? That really helps.
Cheers,
Tara
September 28th, 2007 at 12:38 am
G’day Tara!
All of the various password software packages have one problem - cross-platform.
For instance, my tool of choice (because of my pda) is Password Master. But it won’t work on a U3 drive.
Something that works on a U3 drive won’t work on my pc AND my windows mobile pda.
And so it goes on…
Password Master is no different (better or worse) than any of the others, but it does have one bad habit: it DOMINATES my cpu. If it’s running, even in the background, I can forget about doing some resource-intensive stuff like creating sound files or working with Illustrator or Photoshop.
One day there will be a tool that will work across all platforms… [sigh]
September 28th, 2007 at 12:40 am
As for the automatic login feature — no. I know that some of the programs for the U3 drive do, but they don’t work on my pda…
It’s a real bugger!
October 2nd, 2007 at 10:36 pm
I was going to suggest trying PassPack for the cross-platform problem (I’m a founder). It’s an online service, so all you need is an internet connection and you can access your stuff from any computer.
Alas, we don’t have a version optimized for mobile screens quite yet. So it wouldn’t solve your PDA compatibility problem.
Lots of people choke on the idea of storing passwords online. But actually, your data is encrypted on-the-fly before leaving your browser - so once your passwords reach our server, they are fully encrypted and can’t be read by anyone (not PassPack, not hackers, not spying governments).
It’s free if you want to try it.
http://www.passpack.com
If you do give it a go, let me know what you think - I’m always open to feedback.
Cheers,
Tara
October 3rd, 2007 at 1:11 am
Thanks for that offer, Tara.
I’d take you up on it but for one small problem: several of my clients don’t allow net access from their computers, but I still need to remember a stack of passwords to access various parts of their internal worlds, hence the beauty of a pda password store.
I guess I’ll just have to keep searching and praying… {smile}
October 4th, 2007 at 7:50 pm
Wow. No net access. I think I’d pull my hair out!
Good luck to you.
Password managers have just begun a new evolution cycle. I’m sure the product you’re looking for is right around the corner.
Cheers,
Tara
December 11th, 2007 at 10:45 am
[...] little while ago I ranted about the lack of support for a secure password application that allowed me to achieve several things in one [...]