Passwords, Security and the New Reality

In the Internet Age, all that stands between you and the seeming hordes of internet thieves is your password. Identity theft, drained bank accounts, maxed-out credit cards and worse: the only thing that guards against those evil outcomes is the difficulty the crooks have in guessing your password. You’d think we would all give more thought and care to the creation and protection of our passwords. You’d be wrong.

In the last five years or so, password-guessing algorithms have been developed that have ferocious power. You can find algorithms on the web that can break any random nine-letter password in a maximum of 5.5 hours. That’s a maximum, not an average.

But wait, you say. If I don’t get my bank account password right in three tries, I’m locked out of trying for an hour. If I don’t get my Facebook password right, I’m challenged by a hard-to-read series of letters I have to type in to make another try. How, you ask, does a password-guessing algorithm get around that?

The answer, of course, is that the password-guessing program is running behind the firewall. It’s attacking from the computer where the passwords are stored. Because they are stored in a highly encrypted file, there’s not much chance the database of passwords can be cracked directly. But when the guessing program runs on the same machine, CPU talking directly to CPU with no login page in the way, it can make billions of guesses per second.

The problem is compounded because too many of us use the same password in multiple places. So when the thief gets your password to, say, Amazon, they automatically get your password to all the other sites you use.

What to do?

Well, you could just live in a cave somewhere and not use the internet. It would be inconvenient, you’d miss a lot of cool stuff, but you’d be safe.

Or, you can follow WC’s handy rules for password security.

It’s all about password entropy, password security and using password tools.

Password entropy is a cryptography term for how hard something is to guess. It’s a combination of the length of the password (how many characters it has), the size of the character set it draws from (how many possible characters there are) and the ordering of the characters (the sequence of the characters). Password entropy is illustrated brilliantly by XKCD:

Password Strength, by Randall Munroe


Length of a password is the easiest factor for a user to control. And, as Munroe shows, a long password is much more difficult to crack. So the first tip is to use random words, which are easier to remember, but use a string of them, which is harder for a computer to guess. Maximize entropy by using a long password. Remember, the password-guessing program doesn’t know that you are only using lowercase, alphabetic letters. It’s throwing the full QWERTY keyboard at them. There are a number of sites that can evaluate password strength. This one gives some pretty good detail (and demonstrates just how quickly computers can analyze these things).
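To put numbers on the two points above (why length beats cleverness, and why an offline guesser behind the firewall is so much more dangerous than one typing into a login form), here is an added worked example. It is not code from the post; the alphabet sizes, the 2048-word list size and the two guess rates are assumptions chosen to match the post’s description, not measurements.

```python
import math

# Alphabet sizes used below. These are assumptions for the illustration,
# not figures taken from the post.
LOWERCASE = 26          # a-z
FULL_KEYBOARD = 95      # printable ASCII: what the cracker "throws at" a password
SHORT_WORDLIST = 2048   # word-list size behind XKCD's "11 bits per word"

# Two guess rates: an online login form that locks you out after a few tries,
# versus an attacker holding a copy of the password store (offline).
ONLINE_GUESSES_PER_SEC = 3 / 3600.0   # three tries, then an hour of lockout
OFFLINE_GUESSES_PER_SEC = 1e9         # "billions of guesses per second"


def password_bits(length: int, alphabet_size: int) -> float:
    """Entropy in bits of a password of `length` symbols, each chosen uniformly
    at random from `alphabet_size` possibilities: log2(N**L) = L * log2(N).
    The same formula covers characters (alphabet = keyboard) and random
    words (alphabet = the word list)."""
    if length <= 0 or alphabet_size <= 1:
        raise ValueError("need at least one symbol and an alphabet of size >= 2")
    return length * math.log2(alphabet_size)


def worst_case_seconds(bits: float, guesses_per_second: float) -> float:
    """Time to try every possibility in a keyspace of 2**bits at a fixed rate.
    This is the maximum; on average the attacker succeeds in about half that."""
    return (2.0 ** bits) / guesses_per_second


def describe(seconds: float) -> str:
    """Render a duration in the largest convenient unit."""
    units = [("years", 365 * 24 * 3600), ("days", 24 * 3600),
             ("hours", 3600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:,.1f} seconds"


def compare(candidates):
    """For each (label, length, alphabet_size) return the entropy in bits and
    the worst-case time to exhaust the keyspace at the online and offline rates."""
    rows = []
    for label, length, alphabet in candidates:
        bits = password_bits(length, alphabet)
        rows.append({
            "label": label,
            "bits": round(bits, 1),
            "offline": describe(worst_case_seconds(bits, OFFLINE_GUESSES_PER_SEC)),
            "online": describe(worst_case_seconds(bits, ONLINE_GUESSES_PER_SEC)),
        })
    return rows


if __name__ == "__main__":
    # Constructed cases: a nine-character password versus XKCD-style passphrases.
    cases = [
        ("9 random lowercase letters", 9, LOWERCASE),
        ("9 random keyboard characters", 9, FULL_KEYBOARD),
        ("4 random words from a 2048-word list", 4, SHORT_WORDLIST),
        # A four-word phrase is roughly 28 letters. If the guesser really does
        # treat it as 28 arbitrary keyboard characters, the keyspace is this:
        ("28 characters, guesser assumes full keyboard", 28, FULL_KEYBOARD),
    ]
    for row in compare(cases):
        print(f"{row['label']:<46} {row['bits']:>6} bits"
              f"  offline: {row['offline']:<24} online: {row['online']}")
```

Two things fall out of running it. First, the passphrase’s 44 bits come from the word-list size, not from mixing in symbols, and every extra random word adds the same eleven bits. Second, the online-versus-offline columns differ by a factor of about a trillion: the lockout on the login page is what makes guessing impractical, and an attacker sitting next to the password store does not face it.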

The second tip is password security. Never use the same password twice, if you can possibly help it. And avoid variants. The password-guessing programs have been adjusted to handle the trick of embedding the service name in your password. WC used to use “correct amazon battery staple” for Amazon and “correct facebook battery staple” for Facebook and so on. But once the algorithm has your password for one site, it’s trained to test the trick on other sites.

If you want to avoid having the bad guys get the keys to all of your on-line goodies, it’s important to use a different strong password for each secure website you use.

But, you say, how can I ever memorize and keep straight a dozen or more passwords? That’s the third tip. There are excellent password management tools out there. At the risk of sounding like an advertising slogan, there’s an app for that. Find one that works for you, that stores your database of passwords in an encrypted form with convenient links to the sites you want to access. And never, never use the password to your password storage application anywhere else on the web.

Does WC need to tell you to back the password vault up? Didn’t think so.

Joe Kissell at Tidbits has a nice article that discusses these issues in more detail. Recommended. And then, please, update your passwords.



One thought on “Passwords, Security and the New Reality”

  1. I’m not being obstreperous, just dense.
    After having read both this blogpost and Joe Kissell’s recommended linked article, I still am not understanding WHY having Out There Somewhere a file that contains every one of your wonderfully randomized, strong passwords isn’t any less moronic than hiding the key to Fort Knox in a site no one is likely to find.
