|
|
| Computers: Choosing Good Passwords |
|
| on Monday, February 05, 2007 - 12:51 AM - 1133 Reads |
 |
I love reading Bruce Schneier, one of the foremost experts on computer encryption and security. This article that he wrote on how to choose good passwords should be required reading for everyone who uses a password to keep anything they care about protected...
Choosing Secure Passwords
I'll start off with the bottom line of how to create a good password, and leave the things I find absolutely fascinating for the bottom of this post...
But first, a description of how most passwords are constructed... Common passwords have a "root" (like "password") and an "appendage" (like "1234"). A root isn't necessarily a dictionary word, but it's something pronounceable. An appendage is either a suffix (90 percent of the time) or a prefix (10 percent of the time). Most passwords include a 7-9 character root that is hard to guess, and a relatively common appendage.
Based on that, these are the recommendations for passwords:
1) Do not use anything that is phonetically pronounceable as a root
2) Mix upper & lower cases in the middle of your password
3) Add numbers & symbols in the middle of your password, and don't only use "leet speak" swaps (replacing an "e" with a "3" or an "o" with a "0," etc.)
4) Use an appendage in the middle of your root (or 2 roots separated by appendage)
These types of passwords can be particularly challenging to remember, especially since you shouldn't use the same password in multiple places. My recommendation is to come up with one very secure password, and then use it to unlock an encrypted "safe" that holds all of your passwords. Bruce wrote an excellent open source program Password Safe. I don't find it as fully featured as I would like, so I use Roboform, which can be launched from Firefox and fills forms and personal information in addition to passwords. There are versions that work on Palm, flash drives, as well as your computer.
Ok, enough with that, now onto the interesting parts describing why the above guidelines are necessary...
As background, most programs (at least the ones trying to be secure), don't store your actual password. They take your password, run it through a fancy computer algorithm (a hash function), and store that result (a hash sum). So, every time you log on to something, the computer will take the password you enter, use the fancy algorithm to generate this hash sum, and compare the result to what it has stored. The nifty thing about these algorithms, is that there is no easy way to figure out what the input was based on the result, as well as the full code for generating the hash sum!
As a side note, this is why you should be concerned about the level of security from any company or service that will email you your password to you, or can tell you your password over the phone, instead of resetting it for you. They shouldn't have any clue what your password is, because all they should have stored is the hash sum.
Now, with any "security," there ends up being a whole bunch of things working together to make something secure. As such, it makes the most sense to attack the weakest one. Since many encryption algorithms, based on our current mathematical understanding, would take umpteen gazillion years to break using "brute-force," the easiest solution is often to "guess" the password being used.
Hackers trying to get your password can use the power of current computers and specialized software to guess passwords. The most secure encryption software out there (like PGP), can limit the number of guesses to only 900 guesses per second. Most programs allow hundreds of thousands of guesses per second.
The first thing the specialized password guessing software does:
1) Tries the 1,000 most common passwords
2) Tries the 1,000 most common passwords with the 100 most common suffix appendages
The success rate of this alone is above 24%!! That's only 100,000 guesses, which on the best software means they are guessed in as little as 2 minutes, and in most cases they can be guessed in well under a second.
The software then tries the following items (the proprietary part is the order in which these are tried):
3) Root Dictionaries & appendage dictionaries
a) Common word dictionary - 5,000
b) Name Dictionary - 10,000
c) Comprehensive Dictionary - 100,000
d) Phonetic Patterns (all pronouncable, non-dictionary words)
e) All four character strings
All of the above dictionaries run:
a) All lower case (most common)
b) Initial uppercase, remaining lower case (2nd most common)
c) All upper case
d) Common substitutions - (leet speak - replacing e's with 3's, or o's with 0's, etc)
Appendage dictionaries:
a) All two digit combinations
b) Dates 1900-2006
c) All three digit combinations
d) All single symbols
e) Each Single digit with each single symbol
f) All two symbol combinations
People who really want access to your data and have a lot of resources ([cough] the government), will use networked computers and specialized hardware that can speed up password guessing on even the most secure software by 150-300 times (so 270,000 guesses per second instead of just 900).
Even without the special hardware, these password guessing attacks have an average success rate of 55-65% of all passwords within a few weeks.
This time goes down considerably when biographical data is collected. If the hacker knows your addresses, zip codes, pets, etc... The guessing time usually goes from weeks to just hours.
Also, if the hacker has control of your computer, things get worse. They can use a forensic toolkit to scan the hard drive for every printable character string - documents, registry entries, emails, swap file contents, deleted items, etc & use that for a dictionary just like the ones above. All current operating systems leave text all over the place in their normal functions of moving bits from one place to another. This dictionary will guess 50% of all passwords.
So, those with trivial passwords, might as well not even use one. If you have any kind of sensitive data to protect with a password, you need to make sure the one you use isn't in the most common attacks described above.
Note: Edited for punctuation and clarity |
|
|
| | | |
