This article was originally published in the newsletter of the MacinTech Users Group, a Mac user group in Denver. This is not intended to be a comprehensive coverage of passwords, let alone computer security. This simply contains some hints about using good passwords, and discusses an article circulating on the web that gives some potentially bad advice.
Passwords are always a concern. They are the most obvious factor in maintaining computer security, and can be the most important one, especially when you use bad passwords.
Other aspects of security are out of your control. We have all heard of large banks allowing employees to carry and subsequently lose laptops carrying unencrypted data for thousands of customers. Passwords become even more important; if you ever have an indication that some institution has handled your password poorly, change the password!
So, how should we select good passwords? A user group member recently sent me this URL, http://www.baekdal.com/tips/password-security-usability, an article purporting to tell you how to select good passwords. Unfortunately, the analysis is wrong. I won't go into all the details, but the author claims that an easy-to-remember passphrase (a password containing more than one word) is almost impossible to break simply because it uses multiple words. The author also seems to think the bad guys will try just one of the "proven ways" to crack your password. He even seems to think dictionary attacks only use words found in Webster's Dictionary.
He is wrong on all counts. Adding spaces to a passphrase isn't a big deal to a computer; a space is just one more character, even though it may seem to add complexity to the human eye. It's a little like saying "hey, my password is now unbreakable, because I put a bunch of z's or !'s in it."
The bad guys use all of the mentioned attack methods, combined using "heuristics." Heuristic rules are created from analysis of millions of passwords taken from stolen bank laptops. The bad guys are much more sophisticated than they used to be. Those dictionary attacks are powered by dictionaries containing all of those stolen passwords and phrases. When large groups of people are analyzed, patterns emerge.
Commenters on the referenced article think their passwords are hard to break because they spell their words backwards, or use "leet" substitutions (writing "3" for "e", and so on). Sorry, all of these methods of disguising a password are now part of the cracker's dictionary and rule set.
To cap it all off, the article's author is wrong about how many passwords can be tested per second. The author says 100 passwords can be tested per second. Well, this is generous if we assume the attack is being performed by the amateurs we call "script kiddies." But there are many more ways to break into accounts than brute-force attacks on a single web page. Professional attackers have many ways to attack that effectively raise the rate from 100 passwords per second to orders of magnitude more.
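As an added illustration (not code from the original article), here is a small Python checker that undoes the same disguises a rule-based cracker undoes (reversal, leet substitution, removed spaces) before looking words up, and then compares the keyspace of a dictionary phrase against a random password at the article's 100 guesses per second versus an assumed offline rate of a billion per second. The word list, the sample passwords and the guess rates are constructed assumptions.

```python
import math

# Constructed toy word list; a cracker's real dictionary holds millions of
# leaked passwords and phrases, not just Webster's words.
WORDLIST = {"this", "is", "fun", "password", "monkey", "secret", "summer"}

# Leet substitutions a rule-based cracker undoes before the lookup.
LEET = str.maketrans({"3": "e", "1": "i", "!": "i", "0": "o",
                      "4": "a", "@": "a", "5": "s", "$": "s", "7": "t"})

def mangled_forms(pw):
    """All forms a cracker's rules would try: lowercase, leet undone,
    reversed, spaces removed (a space is just one more character)."""
    forms = {pw.lower()}
    forms |= {f.translate(LEET) for f in list(forms)}
    forms |= {f[::-1] for f in list(forms)}
    forms |= {f.replace(" ", "") for f in list(forms)}
    return forms

def words_cover(s):
    """True if s splits entirely into WORDLIST words (dynamic programming)."""
    ok = [True] + [False] * len(s)
    for i in range(1, len(s) + 1):
        ok[i] = any(ok[j] and s[j:i] in WORDLIST for j in range(i))
    return ok[len(s)]

def dictionary_derived(pw):
    """True if some mangled form of pw is built only from dictionary words."""
    return any(words_cover(f) for f in mangled_forms(pw) if f)

def random_bits(length, alphabet_size):
    """Entropy of a uniformly random password: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)

def phrase_bits(num_words, dictionary_size):
    """Entropy of a phrase once the cracker knows the dictionary it came
    from: spaces, reversal and leet add nothing."""
    return num_words * math.log2(dictionary_size)

def crack_seconds(bits, guesses_per_second):
    """Expected seconds to find the password (half the keyspace)."""
    return 2 ** (bits - 1) / guesses_per_second

if __name__ == "__main__":
    for pw in ["this is fun", "nuf si siht", "Th1s !s fun", "P@ssw0rd", "x7Qk!m2Rz9Lp"]:
        print(f"{pw!r:16} dictionary-derived: {dictionary_derived(pw)}")
    # Assumed rates: 100/s for online guessing, 1e9/s for an offline attack.
    for label, bits in [("3 words from 10,000", phrase_bits(3, 10_000)),
                        ("12 random printable chars", random_bits(12, 95))]:
        print(f"{label}: {bits:.1f} bits; {crack_seconds(bits, 100):.3g} s at 100/s, "
              f"{crack_seconds(bits, 1e9):.3g} s at 1e9/s")
```

The three-word phrase survives for years at 100 guesses per second but falls in minutes at a billion, which is why the assumed guess rate, not the presence of spaces, decides whether a passphrase holds up.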
So, how do you protect your accounts? First, never reuse a password across critical accounts. I don't care what password you use to protect your Twitter account; I am talking about accounts connecting you to your money: your bank, your iTunes Store account, and so on. Never use passwords that are similar to each other, either.
Next, use a series of random letters and numbers. Use both upper and lower case. Go crazy and use additional characters, such as ! or spaces, if allowed. Make the passwords at least 11 or 12 characters long. In time, we will need even longer passwords.
Yes, those random character passwords cannot be remembered. But they are much, much safer than any password you can remember. It's much better to have some passwords written down at home than to have a password that can be broken online. Thieves will try to break into your online accounts at some point. The odds of them breaking into your house are much lower. If you don't want someone else in your home to know those passwords, obfuscate them; that is, disguise them by leaving the first character off or changing certain characters.
Should you put your passwords in a file on your computer? Hmmm…. That's much more difficult to determine. Older Windows systems can be hacked. As for Macs or Windows 7, we keep hearing about more and more ways to hack into computers using exploits in Adobe Flash and so on. And if you travel with your computer, it could always be stolen.
And I should point out that the passwords used to log into your computer are very easy to break, no matter how long or random they may be. If someone steals your computer, they will break in. You can completely encrypt your drive, but the rules for good passwords still apply, and encrypting entire hard drives can cause loss of data.
So, time for the blatant plug. All of the above ideas about passwords led to my creation of an app for the iPhone, iPod touch and iPad called Power Passwords, using a technique I created for the Feds back in the 80s. It allows you to input an easy-to-remember password or key, and the program hashes it to generate unique, hard-to-break passwords. Those are the passwords you use for your bank account, and they are never saved. Next time you need the same password, you just input the same key in Power Passwords. Power Passwords also lets you enter notes, so you can remember which password you used for each account. So, Power Passwords is both a password generator and a password manager, all in one.
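To illustrate the hash-based generator idea in the paragraph above, here is an added Python example; it is not Power Passwords' own technique, which the article does not describe. PBKDF2 stretches the remembered key, the account note acts as the salt so every account gets a different password, and the output is mapped onto a printable alphabet; the key, the notes, the alphabet and the iteration count are assumptions.

```python
import hashlib
import string

# Assumed printable alphabet for generated passwords (74 symbols).
ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@_"

def derive_password(master_key, account_note, length=12, iterations=200_000):
    """Derive an account password from a memorable key plus the note that
    identifies the account. The note is the salt, so each account gets a
    different password, and only the note (never the password) is stored.
    The same key and note always reproduce the same password."""
    raw = hashlib.pbkdf2_hmac("sha256", master_key.encode("utf-8"),
                              account_note.encode("utf-8"), iterations, dklen=64)
    # Treat the 512 bits of key material as a big integer and peel off
    # base-74 digits; for 12 symbols (about 75 bits) the bias is negligible.
    n = int.from_bytes(raw, "big")
    chars = []
    for _ in range(length):
        n, idx = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[idx])
    return "".join(chars)

if __name__ == "__main__":
    key = "constructed example key"   # the one thing the user has to remember
    for note in ["bank checking", "itunes store"]:   # constructed account notes
        print(f"{note:14} -> {derive_password(key, note)}")
```

The caveat this design carries: whoever learns the master key can regenerate every password, so the key itself needs the same care as a random password, and changing one account's password means changing its note.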
You can check out Power Passwords at http://itunes.apple.com/WebObjects/MZStore.woa/wa/viewSoftware?id=302952997&mt=8. Or just search on the App Store using the term "Azarhi".
If you want to read more about passwords, a pretty good rebuttal to the original article is at http://www.troyhunt.com/2011/04/bad-passwords-are-not-fun-and-good.html.