In the past week I've spent some time reviewing Steve Gibson's (@SGgrc on Twitter) latest research and cutting-edge discovery surrounding password security.
On a page called Password Haystacks (https://www.grc.com/haystack.htm
), he outlines that password length should be given more priority than password entropy (or randomness.) The theory being that in a brute force offline attack, a longer password requires more time to crack than a shorter one regardless of the randomness. Of course, he's right, and the brute force calculator proves this out.
This changes everything, plain and simple!
No longer do users need to make up complex algorithoms and memory tricks to create secure passwords, they simply need to pad them or in Steve's words, hide them in a password haystack. That is, a string of characters that add length to (or pad) an otherwise short and simple password.
My old password of: 34b28xx!
is now trumped by: c@T**********
And trumped by a lot. Like going from 5.21 seconds to 38.90 centuries to crack. And it's easier to remember! Again, this changes everything.
I noticed recently that Bank of America has increased their maximum password length from 20 characters to 32 characters. This is wonderful news and increases the potential security on my account a great deal. My new password format from above with extra padding to 32 characters would take an estimated 1.77 hundred trillion trillion trillion centuries to brute force crack. I think we can presume never.
One thing to note is that some randomness is still required. A long password of: aaaaaaaaaaaaaaaa would still be cracked in short order, because a cracking algorithom starts simple and goes complex:
First try) a
And so on. On the 16th attempt, they would be in. Not good.
Each person should pick a padding scheme, as well as a password scheme. For example a password to log into MSN.com could be:
2011Msn*********** (using * until the max password length is reached.)
Similarly, to login to Yahoo.com, a user could choose:
2011Yahoo********* (using * until the max password length is reached.)
This format meets 3 of the basic rules for creating passwords listed below:
Use a different password for every site.
Use a mixture of characters and the maximum length (by padding) allowed.
Change your passwords often - at least every year, but more like every 90 or 30 days for really sensitive sites like online credit card, shopping, and banking websites.
Use a password manager such as LastPass to encrypt and store all of your passwords.
Be cautious when using FaceBook Connect (or similar services) to create new accounts on other sites. If anyone ever hacks into your Facebook account, they will also have access to all of those sites as well, in effect exploiting a single point of failure.
In summary, as this idea of Password Haystacks and padding catches on, security experts should see a drastic drop in hacked accounts and customer call centers should see a dramatic drop in the number of calls they take for forgotten passwords.
These are exciting times, and my hat is off to Steve Gibson and his excellent research. An accompaning podcast is available on the TWiT network: http://twit.tv/sn303
(with a shorter version available directly on Steve's Password Haystacks page, noted above.)
Stay safe and change those passwords!
Posted by Phil Spitze