Size Does Matter! [Password Security]
In the past week I've spent some time reviewing Steve Gibson's (@SGgrc on Twitter) latest research and cutting-edge discovery surrounding password security.
On a page called Password Haystacks (https://www.grc.com/haystack.htm), he outlines that password length should be given more priority than password entropy (or randomness.) The theory being that in a brute force offline attack, a longer password requires more time to crack than a shorter one regardless of the randomness. Of course, he's right, and the brute force calculator proves this out.
This changes everything, plain and simple!
No longer do users need to make up complex algorithoms and memory tricks to create secure passwords, they simply need to pad them or in Steve's words, hide them in a password haystack. That is, a string of characters that add length to (or pad) an otherwise short and simple password.
My old password of: 34b28xx!
is now trumped by: c@T**********
And trumped by a lot. Like going from 5.21 seconds to 38.90 centuries to crack. And it's easier to remember! Again, this changes everything.
I noticed recently that Bank of America has increased their maximum password length from 20 characters to 32 characters. This is wonderful news and increases the potential security on my account a great deal. My new password format from above with extra padding to 32 characters would take an estimated 1.77 hundred trillion trillion trillion centuries to brute force crack. I think we can presume never.
One thing to note is that some randomness is still required. A long password of: aaaaaaaaaaaaaaaa would still be cracked in short order, because a cracking algorithom starts simple and goes complex:
First try) a
And so on. On the 16th attempt, they would be in. Not good.
Each person should pick a padding scheme, as well as a password scheme. For example a password to log into MSN.com could be:
2011Msn*********** (using * until the max password length is reached.)
Similarly, to login to Yahoo.com, a user could choose:
2011Yahoo********* (using * until the max password length is reached.)
This format meets 3 of the basic rules for creating passwords listed below:
- Use a different password for every site.
- Use a mixture of characters and the maximum length (by padding) allowed.
- Change your passwords often - at least every year, but more like every 90 or 30 days for really sensitive sites like online credit card, shopping, and banking websites.
- Use a password manager such as LastPass to encrypt and store all of your passwords.
- Be cautious when using FaceBook Connect (or similar services) to create new accounts on other sites. If anyone ever hacks into your Facebook account, they will also have access to all of those sites as well, in effect exploiting a single point of failure.
In summary, as this idea of Password Haystacks and padding catches on, security experts should see a drastic drop in hacked accounts and customer call centers should see a dramatic drop in the number of calls they take for forgotten passwords.
These are exciting times, and my hat is off to Steve Gibson and his excellent research. An accompaning podcast is available on the TWiT network: http://twit.tv/sn303 (with a shorter version available directly on Steve's Password Haystacks page, noted above.)
Stay safe and change those passwords!
Posted by Phil Spitze
- Friday Fuel: Amazon Twitched, Apple Teases, and China Levels Up Fri, August 29, 2014
- Friday Fuel: Nooks, Bings and Cyborg Moths Oh My! Fri, August 22, 2014
- Myrtle Beach Industry Overview: July 2014 Thu, August 14, 2014
- Friday Fuel: The Robot Sharknado Edition Fri, August 01, 2014
- Around the Analytics World July Wrap-up Thu, July 31, 2014
- Friday Fuel: In-App Purchases, New SHIELD Tablet, How Adblock Can Protect You, and More Fri, July 25, 2014
- Friday Fuel: Google+ Gets Better, Microsoft’s Nokia Changes, Amazon Releases, Tesla’s Reveal & More! Fri, July 18, 2014
- Are You CASL Compliant? Wed, July 16, 2014
- Friday Fuel – Google, Amazon, and the Worlds Largest Flying Bird Fri, July 11, 2014
- Myrtle Beach Industry Overview: June 2014 Fri, July 11, 2014
- 4th of July Fireworks Photography Guide Wed, July 02, 2014
- Around the Analytics World June Wrap-up Mon, June 30, 2014
- Friday Fuel: Link Removal in Europe, Package Delivering Drones are Illegal, and More Fri, June 27, 2014
- Friday Fuel: We Didn’t Start The Fire, The Government Starts To Wake Up, Facebook Shenanigans & More Fri, June 20, 2014
- Friday Fuel - Priceline & OpenTable, Netflix & Verizon, and Google & Virgin Fri, June 13, 2014
- Creating a Customized Navigation in Adobe SiteCatalyst Fri, June 13, 2014
- Myrtle Beach Industry Overview: May 2014 Wed, June 11, 2014
- Friday Fuel: OS Updates & Net Neutrality Nonsense Fri, June 06, 2014