Wednesday, January 31, 2007

Strong Passwords

Usually, when creating an account you will have to provide a user name and a password. I say “usually” as sometimes these are generated automatically and sent to you. Most users choose a regular ID (username), something representative (in the case of automatically generated IDs, it will usually be your email address).

With passwords things are more complicated, because the password is what actually protects the sensitive content behind the account.

When it comes to cracking a password, attackers use two approaches: abusing the password recovery process and brute force. The first consists in making the system (or its support staff) believe that the attacker is the legitimate user or an administrator, so that a new password is handed over. Brute force is software that tries letter, number and symbol combinations one after another until it hits the right one. Guessing against a login form may manage only a few attempts per second, but an attacker who has stolen the stored password hash can test millions of guesses per second offline. Given a good dictionary (the attacker may know a little about your habits and way of thinking) and enough time, almost any password a human chose can be cracked.

So why bother with password protection at all if a password alone cannot keep your data safe forever? Because the one thing that discourages an attacker is time. A weak password can be recovered in a few minutes (and minutes are something any attacker has), while a very strong one can take days, years or far longer. The stronger the password, the more time will be needed to crack it, and after a couple of hours most criminals give up if the "pot" is not important enough.

A weak password is basically any single word or common expression. The key to an excellent one is length combined with variety: symbols ("@", "#", "*" etc.), special characters (period, comma, hyphen, space) and letters in both upper and lower case. The difficulty is that all of these elements have to go into a password that is still easy to remember.

Creating a weak password is easy, as you can choose any word you want. Browsing the Internet I learned that a six-character password is considered merely OK, which in my opinion means it is inadequate. A ten-character password is considered good by the majority, while one of 15 characters is unanimously considered best. Part of the reason is Windows-specific: for passwords of 14 characters or fewer, Windows (up to XP and Server 2003 by default) also stores the old LAN Manager (LM) hash in its SAM database, and the LM hash is easy to crack because it uppercases the password and splits it into two 7-character halves that are attacked separately. For passwords of 15 characters or more no LM hash is stored, only the NT hash, which does not have that weakness. Microsoft itself states that a 15-character password of random letters and numbers is about 33,000 times stronger than an 8-character password using the entire keyboard; the arithmetic is actually more favourable than that, since 36^15 divided by 95^8 is roughly 33 million.

Unfortunately, some computers or online systems limit the length of the password and a 15-character one is not accepted. However, you can use all sorts of tricks to create a strong, memorable password with fewer than 15 characters (you have the keyboard and your imagination to use).

First of all, think of a word or multi-word phrase that is meaningful to you. It doesn't matter how long it is, but don't turn it into a paragraph. In my example I will start from "softpedia". Despite having 9 characters, this password only reached the weak level on Microsoft's password strength checker. By making different combinations of characters on my keyboard, I will try to pump it up to the strong level.

The first step is mixing upper-case letters with lower-case ones, so the result looks like this: "SoFtPeDia". This simple trick already pumped it up to medium level. Replacing letters with symbols and special characters strengthens the password further: changing "e" to "3", "a" to "@", "i" (or "1") to "!", "g" to "6", "s" to "$" and "o" to "0" (zero) can result in strong passwords. Bear in mind, though, that these substitutions are so well known that password cracking tools apply them automatically as rules on top of their dictionaries; they help against pure brute force, but a substituted dictionary word is still a dictionary word to a cracker.

By following the above strategy and replacing the letters with other characters, I now get "$0FtP3D!@". It looks good, and the changes brought my password to the strong level. To get it to the best level all I have to do is add "eez#1". This way I have turned a phrase ("Softpedia is number one") into a very hard to crack password ("$0FtP3D!@eez#1"). That is 14 characters; adding a space between the words ("$0FtP3D!@ eez#1") makes it 15, and at that length Windows no longer stores the weak LM hash of it at all.

Generally, you should avoid building passwords from repeated (1111) or sequential (123456) characters. The claim you will read that a blank password is safer than a weak one comes from a Windows XP quirk: by default, accounts with a blank password cannot be used over the network, only at the console. That is not a general rule. Merely misspelling a word, or typing it with letters replaced by symbols or numbers, will not fool a good attacker, but all of these tricks used together, on a long phrase, do add up to a strong password.
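To put numbers on the reasoning above (the brute-force arithmetic, the "softpedia" walkthrough, the 14-character LM hash limit and the patterns to avoid), here is a small assessment script. It is an added example written for this page, not code from the original post or from Microsoft's checker. The guess rate, the tiny word list and the substitution table are assumptions chosen to illustrate the point; a real cracker uses far larger word lists and rule sets.

```python
import math
import string

# Character classes from the post and the alphabet size each one adds.
# 26 + 26 + 10 + 33 = 95, the full printable US keyboard including space.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation + " "),
}

# The post's letter-to-symbol substitutions, inverted. Cracking tools ship
# rule sets that undo exactly these, so they cost the attacker nothing.
UNLEET = {"$": "s", "0": "o", "3": "e", "!": "i", "@": "a", "6": "g"}

# Constructed stand-in for a cracker's word list (assumption, not real data).
DICTIONARY = {"softpedia", "password", "letmein", "welcome", "number", "one"}

# Assumed offline rate against a stolen, unsalted hash (assumption).
GUESSES_PER_SECOND = 1e8
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Windows computes the weak LM hash only for passwords of 14 characters or fewer.
LM_MAX_LEN = 14


def alphabet_size(password):
    """Size of the smallest keyboard alphabet that covers every character used."""
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))


def keyspace(password):
    """Number of candidates an exhaustive search of that alphabet and length covers."""
    return alphabet_size(password) ** len(password)


def keyspace_ratio(len_a, alpha_a, len_b, alpha_b):
    """How many times larger keyspace A is than keyspace B (the post's 15 vs 8 comparison)."""
    return alpha_a ** len_a / alpha_b ** len_b


def lm_hash_stored(password):
    """True if Windows would also keep the crackable LM hash for this password."""
    return len(password) <= LM_MAX_LEN


def unleet(password):
    """Undo the substitutions the way a cracking rule would, to see the word underneath."""
    return "".join(UNLEET.get(c, c) for c in password.lower())


def has_run(password, min_len=4):
    """True for min_len repeated ('1111') or sequential ('1234', 'abcd', 'dcba') characters."""
    for i in range(len(password) - min_len + 1):
        codes = [ord(c) for c in password[i:i + min_len]]
        steps = {b - a for a, b in zip(codes, codes[1:])}
        if steps in ({0}, {1}, {-1}):
            return True
    return False


def warnings(password):
    """Cheap checks a rule-based attack would exploit regardless of the keyspace size."""
    found = []
    if has_run(password):
        found.append("repeated or sequential run")
    base = unleet(password)
    if base in DICTIONARY:
        found.append("dictionary word once substitutions are undone: %r" % base)
    return found


def assess(password, rate=GUESSES_PER_SECOND):
    """Summarise what brute force alone would cost and what a rule-based attack sees."""
    return {
        "length": len(password),
        "alphabet": alphabet_size(password),
        "bits": round(math.log2(keyspace(password)), 1),
        "brute_force_years": keyspace(password) / rate / SECONDS_PER_YEAR,
        "lm_hash_stored": lm_hash_stored(password),
        "warnings": warnings(password),
    }


if __name__ == "__main__":
    # The stages of the post's walkthrough, plus the 15-character variant with a space.
    stages = ["softpedia", "SoFtPeDia", "$0FtP3D!@", "$0FtP3D!@eez#1", "$0FtP3D!@ eez#1"]
    for pw in stages:
        print(repr(pw), assess(pw))
    print("36^15 vs 95^8 keyspace ratio: %.1e" % keyspace_ratio(15, 36, 8, 95))
```

Running it shows the two sides of the argument at once: brute force against "$0FtP3D!@" (95 characters, 9 long) is already a multi-year job at the assumed rate, yet the script flags it immediately because undoing the substitutions gives back "softpedia", which is in the word list. The 14-character "$0FtP3D!@eez#1" raises no warning, and only the 15-character version with a space escapes the LM hash.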

Contrary to the popular belief that passwords should never be written down, a strong password on a piece of paper kept in your wallet is arguably better protected than one stored in a password manager or in a file on the computer, which is exposed to any malware that gets in: the attacker is usually on the Internet, not in your pocket. Of course, writing the password down and not keeping it in a safe place results in weak security, and all the trouble of making it strong will have been for nothing.
