Size Does Matter! [Password Security]
In the past week I've spent some time reviewing Steve Gibson's (@SGgrc on Twitter) latest research and cutting-edge discovery surrounding password security.
On a page called Password Haystacks (https://www.grc.com/haystack.htm), he outlines that password length should be given more priority than password entropy (or randomness). The theory is that in an offline brute-force attack, a longer password requires more time to crack than a shorter one, regardless of its randomness. Of course, he's right, and the brute-force calculator proves this out.
This changes everything, plain and simple!
No longer do users need to make up complex algorithms and memory tricks to create secure passwords; they simply need to pad them or, in Steve's words, hide them in a password haystack. That is, a string of characters that adds length to (or pads) an otherwise short and simple password.
My old password of: 34b28xx!
is now trumped by: c@T**********
And trumped by a lot. Like going from 5.21 seconds to 38.90 centuries to crack. And it's easier to remember! Again, this changes everything.
I noticed recently that Bank of America has increased their maximum password length from 20 characters to 32 characters. This is wonderful news and increases the potential security on my account a great deal. My new password format from above with extra padding to 32 characters would take an estimated 1.77 hundred trillion trillion trillion centuries to brute force crack. I think we can presume never.
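To show where figures like these come from, here is an added example (not from the post or from GRC's calculator) that computes the haystack search space and the time to exhaust it. It assumes the 33-symbol class includes the space character and assumes the three guess rates below; the "massive_array" rate reproduces the 5.21 seconds quoted above for the old password.

```python
import string

# Character classes. The symbol class is assumed to be the 32 ASCII
# punctuation characters plus the space, giving 33 symbols.
CLASSES = {
    "lower": set(string.ascii_lowercase),      # 26
    "upper": set(string.ascii_uppercase),      # 26
    "digit": set(string.digits),               # 10
    "symbol": set(string.punctuation) | {" "}, # 33
}

# Assumed guess rates in guesses per second for three attacker scenarios.
SCENARIOS = {
    "online": 1_000,
    "offline_fast": 100_000_000_000,
    "massive_array": 100_000_000_000_000,
}

CENTURY_SECONDS = 100 * 365.25 * 24 * 3600


def alphabet_size(password: str) -> int:
    """Size of the union of every character class the password touches."""
    used = [name for name, chars in CLASSES.items()
            if any(c in chars for c in password)]
    if not used:
        raise ValueError("password contains no printable ASCII characters")
    return sum(len(CLASSES[name]) for name in used)


def search_space(password: str) -> int:
    """Haystack size: every string of length 1..len(password) over the alphabet.

    The attacker is assumed to know only which character classes are in use,
    so shorter strings over the same alphabet must be tried as well.
    """
    a = alphabet_size(password)
    return sum(a ** i for i in range(1, len(password) + 1))


def seconds_to_exhaust(password: str, scenario: str = "massive_array") -> float:
    """Worst-case time to try the whole haystack at the scenario's guess rate."""
    return search_space(password) / SCENARIOS[scenario]


def centuries_to_exhaust(password: str, scenario: str = "massive_array") -> float:
    return seconds_to_exhaust(password, scenario) / CENTURY_SECONDS


if __name__ == "__main__":
    for pw in ("34b28xx!", "c@T**********", "c@T" + "*" * 29):
        print(f"{pw!r}: alphabet {alphabet_size(pw)}, "
              f"{centuries_to_exhaust(pw):.4g} centuries to exhaust")
```

Exhausting the whole space is an upper bound on the attacker's work; a guesser that tries obvious patterns first, the concern the post raises with the all-"a" password, finishes much sooner than this arithmetic suggests.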
One thing to note is that some randomness is still required. A long password of: aaaaaaaaaaaaaaaa would still be cracked in short order, because a cracking algorithm starts simple and goes complex:
First try) a
And so on. On the 16th attempt, they would be in. Not good.
Each person should pick a padding scheme, as well as a password scheme. For example, a password to log into MSN.com could be:
2011Msn*********** (using * until the max password length is reached.)
Similarly, to login to Yahoo.com, a user could choose:
2011Yahoo********* (using * until the max password length is reached.)
This format meets 3 of the basic rules for creating passwords listed below:
- Use a different password for every site.
- Use a mixture of characters and the maximum length (by padding) allowed.
- Change your passwords often - at least every year, but more like every 90 or 30 days for really sensitive sites like online credit card, shopping, and banking websites.
- Use a password manager such as LastPass to encrypt and store all of your passwords.
- Be cautious when using Facebook Connect (or similar services) to create new accounts on other sites. If anyone ever hacks into your Facebook account, they will also have access to all of those sites as well, in effect exploiting a single point of failure.
In summary, as this idea of Password Haystacks and padding catches on, security experts should see a drastic drop in hacked accounts and customer call centers should see a dramatic drop in the number of calls they take for forgotten passwords.
These are exciting times, and my hat is off to Steve Gibson and his excellent research. An accompanying podcast is available on the TWiT network: http://twit.tv/sn303 (with a shorter version available directly on Steve's Password Haystacks page, noted above).
Stay safe and change those passwords!
Posted by Phil Spitze