Thursday, May 24, 2007

Password Security

I spotted this article in PC World magazine which lists the ten most popular passwords. They are
  1. password
  2. 123456
  3. qwerty
  4. abc123
  5. letmein
  6. monkey
  7. myspace1
  8. password1
  9. link182
  10. (your first name)
I would expand this list to include such things as your children's or spouse's names, your company name and a few other common words I have encountered.

To have a secure password it should be a mix of UPPER and lower case letters and some numbers. To make it REALLY secure use some obscure characters like ^ or # or accented characters such as Ÿ, and make sure it's at least 8 characters long. It's easier than you think to make one up: use numbers for letters, for instance, so peter becomes p3t3r or bill becomes b1ll, use a car registration plate (no, not your current car) or something else you can remember or at least work out. One caveat: substitutions like p3t3r are so common that password-cracking tools try them automatically, so treat them as a small bonus on top of length rather than a substitute for it.

The reason for this is simple: that top ten list (and I would add several myself to that to make at least a top twenty) is well known to anyone who fancies trying to guess your password. On top of that, password breaking software will try one of two methods:-
  1. Dictionary Attack
    Where the software literally has a dictionary of words it throws at your password one by one.
  2. Brute Force
    Where the software tries every combination of characters in sequence, e.g. it tries a, b, c etc., then aa, ab, ac and so on until it reaches its length limit.
Now you'd think that second one would guess ANY password but it won't, because of the time it takes to process. A simple example would be if it just tried the 26 letters of the alphabet: suppose it takes 1 second to try each combination, then after the first pass with a 1 letter password it's taken 26 seconds, to do all the two letter combinations it takes 26 x 26 seconds, or 676 seconds, to do all the three letter combinations it takes 26 x 26 x 26 = 17,576 seconds, and so on.

Obviously computers can process far faster than this, but because every extra character multiplies the work (the time grows exponentially with length), this kind of attack limits itself to common letters, numbers and punctuation, and restricts the length of password it can try.
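To make the two attacks concrete, here is an added example (my own code, not part of the original post). It runs a small dictionary attack, with the mangling rules real crackers apply (case changes, number-for-letter substitution, common suffixes), against a constructed set of users whose passwords a careless site stored as unsalted SHA-256 hashes, and it computes the brute-force keyspace from the post's 1-guess-per-second arithmetic upward. The word list, the user names, the hashes and the guess rates are all assumptions made up for the demonstration; the only real thing it shows is that "p3t3r" and "B1ll!" fall as quickly as "secret" and "letmein", while a long password not derived from a word does not.

```python
import hashlib

# Constructed demo data, not real accounts: a tiny "most popular" word list
# (the page's top ten plus the names the post mentions) and a few users whose
# passwords a careless site stored as unsalted SHA-256 hashes.
WORDLIST = [
    "password", "123456", "qwerty", "abc123", "letmein", "monkey",
    "myspace1", "password1", "link182", "peter", "bill", "secret",
]

def sha256_hex(s: str) -> str:
    return hashlib.sha256(s.encode("utf-8")).hexdigest()

# Hypothetical users. Plaintexts appear only so the demo table can be built.
USERS = {
    "director": sha256_hex("secret"),                  # the anecdote's director
    "office":   sha256_hex("letmein"),                 # number 5 on the list
    "peter":    sha256_hex("p3t3r"),                   # the post's number-for-letter trick
    "bill":     sha256_hex("B1ll!"),                   # substitution + capital + symbol
    "sysadmin": sha256_hex("quince-harbour-27-moth"),  # long, not derived from one word
}

# Single-character substitutions every cracking rule set already knows.
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"}
SUFFIXES = ["1", "!", "123", "2007", "!1"]

def mangle(word: str):
    """Yield the guesses a cracker derives from one dictionary word:
    case variants, number-for-letter substitution, and common suffixes.
    Because these rules are standard, p3t3r costs the attacker only a
    handful of extra guesses beyond peter."""
    leet = "".join(LEET.get(c, c) for c in word)
    bases = {word, word.capitalize(), word.upper(), leet, leet.capitalize()}
    for base in sorted(bases):
        yield base
        for suffix in SUFFIXES:
            yield base + suffix

def dictionary_attack(hashes: dict, wordlist) -> tuple:
    """Try every mangled dictionary word against every stored hash.
    Returns ({user: recovered_password}, number_of_guesses_made)."""
    targets = {h: user for user, h in hashes.items()}  # hash -> user lookup
    found, guesses = {}, 0
    for word in wordlist:
        for candidate in mangle(word):
            guesses += 1
            user = targets.get(sha256_hex(candidate))
            if user is not None and user not in found:
                found[user] = candidate
    return found, guesses

def brute_force_seconds(length: int, alphabet_size: int, guesses_per_second: float) -> float:
    """Worst-case seconds to exhaust every string of 1..length characters.
    The keyspace is N + N^2 + ... + N^length: each extra character
    multiplies the work by N, so the cost grows exponentially with length,
    which is why length is the cheapest way to put a password out of
    brute-force reach."""
    keyspace = sum(alphabet_size ** k for k in range(1, length + 1))
    return keyspace / guesses_per_second

if __name__ == "__main__":
    found, guesses = dictionary_attack(USERS, WORDLIST)
    print(f"dictionary attack: {len(found)} of {len(USERS)} accounts in {guesses} guesses")
    for user, pw in found.items():
        print(f"  {user}: {pw}")
    print(f"not recovered: {sorted(set(USERS) - set(found))}")
    # The post's 1-guess-per-second arithmetic, then an assumed fast rig at 1e9/s.
    for length in (3, 6, 8, 12):
        print(f"{length:2d} chars, a-z at 1 guess/s: {brute_force_seconds(length, 26, 1):.3g} s"
              f" | 95 printable chars at 1e9 guess/s: "
              f"{brute_force_seconds(length, 95, 1e9) / 86400:.3g} days")
```

The `mangle` rules are deliberately tiny; real tools ship thousands of them, so anything that is a dictionary word with decoration is in the attacker's first few million guesses regardless of how clever the decoration looks. On the server side the corresponding lesson is that unsalted fast hashes like the SHA-256 used here let an attacker test every user at once per guess; salted, deliberately slow password hashing is what makes each guess expensive.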

I must admit this is another reason why I think Microsoft DON'T GET SECURITY, as when I created a hotmail account a while ago it wouldn't let me use punctuation in my password! So as far as I was concerned the password I created was insecure.

Now you will be asking, huh, well who wants to hack ME? The fact is they don't want to hack YOU, they just pick off the low-hanging fruit in the hope it might be worth it. Have you ever sent something private by hotmail, or simply something you wouldn't want made public?

At one company I worked at, one of the directors thought he was so clever because when I needed his password he said "it's secret". I thought he meant he wouldn't tell me, so began to explain I HAD to know it or I couldn't log in to his computer to fix it. He stopped me and said "no, it's 'secret', that's my password". The company's financial information, all highly confidential, was secured by an eminently guessable password! Another company used password 5 on the above list for EVERYTHING; again company confidential information was secured with something easily guessable, AND everyone in the office, some 30+ people, knew what it was!

I did point out how insecure this was and I hope they have since taken steps to fix the problem, somehow though, I doubt it.

2 comments:

AZA43 said...

http://www.cio.com/article/111850

Howdy Teardrop,
My name is Al Sacco and I'm a writer with CIO.com. We recently posted a product review of a password manager that not only securely stores your passwords, but can also generate strong passwords of up to 14 characters. You can even set "schemas" to control the order of specific characters in the passwords the device generates. It's designed to thwart both dictionary and brute force attacks, which you mention in your entry. I thought you and your readers might be interested.

http://www.cio.com/article/111850

Joe said...

I remember back in the 80s the place I worked had a networked system between their branches. The number of utterly stupid passwords set on it was laughable, I cracked a number easily myself because they were obvious like favourite football team (being Glasgow at the time you can imagine two teams came up regularly as passwords), their car, wife, kid's name... Even the group's chief accounts exec did this and, of course, they didn't take kindly to being advised that they needed to up their password ideas - my fault for pointing out their stupidity, not theirs for being eejits of course.

Even in 1988 I knew how stupid that kind of approach was, 20 years on and idiots still do it. And even more depressing and stupid are the many who have set up wifi broadband but never even added a simple password of any sort to secure it! Mind you, since the government did the same with the mess of the new junior doctor system maybe we should be easy on the poor folks who have obviously been dining exclusively on retard sandwiches again.