Size Does Matter! [Password Security]
In the past week I've spent some time reviewing Steve Gibson's (@SGgrc on Twitter) latest research and cutting-edge discovery surrounding password security.
On a page called Password Haystacks (https://www.grc.com/haystack.htm), he argues that password length should be given more priority than password entropy (or randomness). The theory is that in an offline brute force attack, a longer password requires more time to crack than a shorter one regardless of the randomness. Of course, he's right, and the brute force calculator on that page bears this out.
This changes everything, plain and simple!
No longer do users need to make up complex algorithms and memory tricks to create secure passwords; they simply need to pad them or, in Steve's words, hide them in a password haystack. That is, a string of characters that adds length to (or pads) an otherwise short and simple password.
My old password of: 34b28xx!
is now trumped by: c@T**********
And trumped by a lot. Like going from 5.21 seconds to 38.90 centuries to crack. And it's easier to remember! Again, this changes everything.
I noticed recently that Bank of America has increased their maximum password length from 20 characters to 32 characters. This is wonderful news and increases the potential security on my account a great deal. My new password format from above with extra padding to 32 characters would take an estimated 1.77 hundred trillion trillion trillion centuries to brute force crack. I think we can presume never.
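To make the figures above reproducible, here is an added example (my own code, not Steve Gibson's calculator) that implements the haystack search-space model: the alphabet is the union of the character classes present in the password (assumed to be 26 lowercase, 26 uppercase, 10 digits and 33 printable symbols including space, which is the assumption that reproduces the 5.21-second figure), every string of length 1 up to the password's length is counted, and the count is divided by an assumed guess rate of one hundred trillion per second. The year length and the three guess-rate scenarios are my assumptions.

```python
import string

# Character classes and the alphabet size each contributes once an attacker
# knows it is present (assumption: matches the haystack calculator's model).
CLASS_SIZES = {
    "lower": (set(string.ascii_lowercase), 26),
    "upper": (set(string.ascii_uppercase), 26),
    "digit": (set(string.digits), 10),
    # string.punctuation has 32 characters; the space makes 33.
    "symbol": (set(string.punctuation + " "), 33),
}

# Assumed guess rates; "massive_array" is the scenario the post's figures use.
GUESSES_PER_SECOND = {
    "online": 1e3,
    "offline": 1e11,
    "massive_array": 1e14,
}
SECONDS_PER_YEAR = 365 * 24 * 3600  # assumption: 365-day year


def alphabet_size(password: str) -> int:
    """Sum the sizes of the character classes that appear in the password.
    Characters outside the four classes (e.g. non-ASCII) are ignored."""
    return sum(n for chars, n in CLASS_SIZES.values()
               if any(c in chars for c in password))


def search_space(password: str) -> int:
    """Count every string of length 1..len(password) over the alphabet.
    This is the exhaustive worst case for the attacker; as the post notes,
    a cracker that guesses simple strings first can finish much sooner."""
    a, length = alphabet_size(password), len(password)
    if a == 0:
        return 0
    # Geometric series sum_{i=1}^{length} a**i, computed exactly with ints.
    return (a ** (length + 1) - a) // (a - 1)


def seconds_to_exhaust(password: str, scenario: str = "massive_array") -> float:
    return search_space(password) / GUESSES_PER_SECOND[scenario]


def centuries_to_exhaust(password: str, scenario: str = "massive_array") -> float:
    return seconds_to_exhaust(password, scenario) / SECONDS_PER_YEAR / 100


if __name__ == "__main__":
    for pw in ("34b28xx!", "c@T**********", "c@T" + "*" * 29):
        print(f"{pw!r}: alphabet {alphabet_size(pw)}, "
              f"{seconds_to_exhaust(pw):.2f} s, "
              f"{centuries_to_exhaust(pw):.3g} centuries")
```

The 13-character and 32-character results land within a few percent of the post's 38.90 centuries and 1.77e38 centuries; the small gap is rounding in the year length and display, not a different model.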
One thing to note is that some randomness is still required. A long password of: aaaaaaaaaaaaaaaa would still be cracked in short order, because a cracking algorithm starts simple and goes complex:
First try) a
And so on. On the 16th attempt, they would be in. Not good.
Each person should pick a padding scheme, as well as a password scheme. For example, a password to log into MSN.com could be:
2011Msn*********** (using * until the max password length is reached.)
Similarly, to login to Yahoo.com, a user could choose:
2011Yahoo********* (using * until the max password length is reached.)
This format meets 3 of the basic rules for creating passwords listed below:
- Use a different password for every site.
- Use a mixture of characters and the maximum length (by padding) allowed.
- Change your passwords often - at least every year, but more like every 90 or 30 days for really sensitive sites like online credit card, shopping, and banking websites.
- Use a password manager such as LastPass to encrypt and store all of your passwords.
- Be cautious when using Facebook Connect (or similar services) to create new accounts on other sites. If anyone ever hacks into your Facebook account, they will also have access to all of those sites, in effect exploiting a single point of failure.
In summary, as this idea of Password Haystacks and padding catches on, security experts should see a drastic drop in hacked accounts and customer call centers should see a dramatic drop in the number of calls they take for forgotten passwords.
These are exciting times, and my hat is off to Steve Gibson and his excellent research. An accompanying podcast is available on the TWiT network: http://twit.tv/sn303 (with a shorter version available directly on Steve's Password Haystacks page, noted above.)
Stay safe and change those passwords!
Posted by Phil Spitze