Passwords


#1 Bobbi Flekman

    The computer whisperer.

  • Retired Staff
  • 1,357 posts

Posted 14 October 2005 - 04:48 AM

All of us are well aware of the bane of today's society. Everywhere you go, you must prove who you are. You get a card from your bank that you can use to access your money. You need a passport to go from one country to the other. A driver's license says you are authorized to drive a car. You may even have cards and badges to get into work each day.
And above that, to access your computer, or the network, you also have to identify yourself by typing in a username and a password.

To minimize the strain of not forgetting a password, many people use something simple to remember. Maybe your kid's name? Or your pet's? Your date of birth?… Or the one from your significant other? It might even be something foolish like secret or password! And apart from that, you may even use this password everywhere you have to login… After all, that minimizes the tension of remembering tens, if not hundreds, of passwords.

If you are one of those people, think of what it takes to crack your password! I assume that you only used single-case alphabetic characters. This is because most password checkers are case sensitive, and remembering the proper case of the characters is an extra burden. I also assume that your password is 8 characters in length. This means that a password consists of 8 characters out of 26 possible choices, or in mathematical form 26^8. This means that there are 208,827,064,576 possible combinations. This looks like much, but remember the speed of a computer. At a million attempts per second it would take less than 60 hours to try all the combinations. Ergo, your password will be cracked within 60 hours!

If you use case sensitivity and the numeric characters (0 to 9) this would mean 62 possible characters and increase the possible combinations to 218,340,105,584,896. At the same million attempts per second this would take 6.9 years to crack it. That is a lot better than 60 hours!

Normally people do not make random passwords like "Vj7K;Z<w1576". They take something they can remember. And that usually means it is a normal word… from a dictionary. So password crackers like Rainbow Crack use lists from dictionaries to enumerate possible passwords. This program uses other methods to crack passwords too, such as using the number 1 more frequently than others or appending numbers to dictionary words. All of these are flaws in the way humans create passwords.

All these search algorithms guarantee that given enough time, all passwords can be cracked. All you can do is use strong passwords. What comprises a strong password? A strong password is made up of at least three of these five categories:

· English uppercase letters (A, B, C,…Z)
· English lowercase letters (a, b, c,…z)
· Westernized Arabic numerals (0, 1, 2,…9)
· Nonalphanumeric characters (`~!@#$%^&*_-+=|\{}[]:;"'<>,.?/)
· Unicode characters such as the Euro symbol (€)

A strong password is also long. Remember, the longer a password, the harder it will be to crack. Start thinking about a passphrase instead of a password. In that case you can use sentences that are easier to remember, especially if these sentences contain characters from the three aforementioned groups. A sentence like: "At the last yard sale I bought a book by Stephen King for $3.99" will be infinitely harder to crack than a simple password of 12 characters.

And, if you have trouble remembering the passwords you use, you can use a program like Password Corral, which you can download from http://www.cygnuspro...freeware/pc.asp to aid in storing and remembering them for you. The program uses encryption to securely encrypt the stored passwords so that a hacker will have a difficult time decrypting all your passwords. The program also has a password generator which you can configure to use all of these five groups. Of course you need a password to open the file, but by using the guidelines from above that will be much easier to do.
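
The arithmetic above, the "three of five categories" rule and a generator of the kind the post describes, as an added worked example from the editor (this is not code from the original post, from Password Corral or from any other tool named in the thread). It assumes the post's attacker speed of one million guesses per second and uses the post's own sentence as the sample passphrase; both the constant and the generator's alphabet are choices made for the example.

```python
# Added worked example (editor's code, not from the original post or from Password Corral).
# It reproduces the keyspace arithmetic in post #1, implements the "at least three of
# five categories" rule, and generates passwords with the OS CSPRNG. The attacker speed
# (one million guesses per second) is the post's assumption, not a measurement.
import math
import secrets
import string

GUESSES_PER_SECOND = 1_000_000
SECONDS_PER_HOUR = 3600
SECONDS_PER_YEAR = 365.25 * 24 * SECONDS_PER_HOUR

# The sentence from the post, used as the sample passphrase.
PASSPHRASE = "At the last yard sale I bought a book by Stephen King for $3.99"


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct strings of exactly `length` symbols drawn from the alphabet."""
    return alphabet_size ** length


def bits_of_entropy(alphabet_size: int, length: int) -> float:
    """log2 of the keyspace: what a uniformly random password of this shape is worth."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(alphabet_size: int, length: int,
                       rate: float = GUESSES_PER_SECOND) -> float:
    """Worst case for the attacker (every combination tried). The expected time is half."""
    return keyspace(alphabet_size, length) / rate


def categories(password: str) -> set[str]:
    """Which of the post's five character categories the password draws from.
    ASCII letters, digits and punctuation (space included) map to the first four;
    anything outside ASCII counts as the fifth, 'unicode', category."""
    found: set[str] = set()
    for ch in password:
        if not ch.isascii():
            found.add("unicode")
        elif ch.islower():
            found.add("lower")
        elif ch.isupper():
            found.add("upper")
        elif ch.isdigit():
            found.add("digit")
        else:
            found.add("symbol")
    return found


def meets_category_rule(password: str, minimum: int = 3) -> bool:
    """The post's rule: at least three of the five categories."""
    return len(categories(password)) >= minimum


def generate(length: int = 16,
             alphabet: str = string.ascii_letters + string.digits + "!@#$%^&*_-+=") -> str:
    """Uniform random password from the OS CSPRNG, re-drawn until it satisfies the
    category rule. Rejection sampling shrinks the keyspace by a negligible amount
    (only the rare one- or two-class draws are thrown away), and `secrets` avoids the
    predictable `random` module."""
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if meets_category_rule(candidate):
            return candidate


def crack_time_report() -> dict[str, float]:
    """The post's two figures, plus a 12-character printable-ASCII password and the
    passphrase for comparison. Brute force is the attacker's worst strategy against a
    sentence, so the passphrase figure is only an upper bound: dictionary and Markov
    attacks do far better on real text than on random strings of the same length."""
    printable = 95  # printable ASCII, space included
    return {
        "8 lowercase, hours": seconds_to_exhaust(26, 8) / SECONDS_PER_HOUR,
        "8 mixed-case+digits, years": seconds_to_exhaust(62, 8) / SECONDS_PER_YEAR,
        "12 printable ASCII, years": seconds_to_exhaust(printable, 12) / SECONDS_PER_YEAR,
        "passphrase, bits (brute-force bound)": bits_of_entropy(printable, len(PASSPHRASE)),
    }


if __name__ == "__main__":
    for label, value in crack_time_report().items():
        print(f"{label:40s} {value:,.1f}")
    print("categories(PASSPHRASE):", sorted(categories(PASSPHRASE)))
    print("generated:", generate())
```

Running it reproduces the 58 hours and 6.9 years from the post. The category check treats the space in the passphrase as a nonalphanumeric character, and the report deliberately labels the passphrase number as a brute-force bound, since a cracker that knows it is looking at an English sentence will not search character by character.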

#2 Swandog46

    Forum Deity

  • Retired Staff
  • 10,190 posts

Posted 14 October 2005 - 02:51 PM

Pinned. Thank you Bobbi Flekman, this is a great article. :)

#3 syracuse

    Member

  • Full Member
  • 4 posts

Posted 05 December 2005 - 12:28 PM

I found this free tool to test your password; maybe some of you may be interested in using it.

How Good is Your Password?
Check out the security of your passwords using this free service:
http://www.securitys...ls/password.asp

#4 Disruptor4

    Member

  • Full Member
  • 31 posts

Posted 09 February 2006 - 04:15 AM

MSN has that option, I think, when you change your password; it comes up as weak, normal or high, I think.

#5 XirOa

    ガブリエル

  • Helper Trainee
  • 87 posts

Posted 27 July 2006 - 08:02 PM

Thanks for the math side of password crackin'. :lol: :lol:

#6 racooper

    Master of my own Domain

  • Retired Staff
  • 1,420 posts

Posted 27 August 2007 - 09:59 AM

I've been using the Open-Sourced KeePass Password Safe for the last few months. I've been quite impressed with the program, and it has some great features: a password generator, password strength analyzer, support for temporary/time limited passwords. It supports password- and keyfile-encrypted databases, and it has a version available for PortableApps, to run from a USB drive.

#7 nirax

    Member

  • Full Member
  • 4 posts

Posted 16 January 2008 - 10:40 AM

Every method which stores your password somewhere whether encrypted or not is vulnerable to attack. The best possible security is if you commit passwords only to your own memory. In general one should not share their passwords with anybody. Not even with very close family members. It is sad but a true fact of life that families also break up.

To have secure passwords I follow these rules -

1. Think of 3-4 random words of about 5 characters in length. I mean the whole word should be random. Try to completely memorize these random strings. Ex - pi*yu, bahr#, <Mer&, etc.

2. Make a code word for all these strings which are easily memorable. Preferably the code words should be very short like a, b, etc. Remember the code & word association by heart. Never write down this association anywhere.

3. Now to generate passwords think of a two digit number and join two of the above words with this number. Ex - pi*yu34bahr#, bahr#87bahr#, etc. Don't generate too many passwords. Use one particular password for all office related things, other for all personal finances related things, other for all personal things, etc.

4. If at all you need to write the passwords down somewhere, write the coded passwords like a34b, b34b, etc. Write them in a file and save it in an email account whose password you are sure not to forget. Delete all traces of the file from your computer immediately. Try not to look at that file again and again.

5. Practice typing the password so that the key stroke comes very naturally to you so that you can do it very quickly.

6. For many things which are not critical, like forums, bulletin boards, etc., and which will never contain any personal/financial/professional info, use a very handy password, in fact so handy that it is even guessable, like mary, mouse, etc. Do not use your 'power' passwords for these things, so that you do not have to edit your password file again and again.

7. Never auto-save your 'power' password anywhere, not even on your home computer. And do not access your bank, credit card, airline reservation, insurance, personal email, etc. from a new place or a new city you have just checked into. Update yourself on this info before the travel itself. Access these things only from secure and trusted confines.

I hope my suggestions are useful to members.

#8 Budfred

    Malware Hound

  • Administrators
  • 21,368 posts

Posted 16 January 2008 - 08:47 PM

nirax,

Many of your suggestions are somewhat valid, but unnecessarily complex and unlikely to be effective for most people... For many people, there is no need to worry about writing down passwords since no one would have access to them... Your elaborate scheme for remembering them may work for you, but is likely to lead to most people needing to contact the place that requires the password to change it again because it will not be remembered... Forums and other sites may still involve important things like your reputation -- if someone hacks your forum account and starts posting in your name, you could quickly end up getting banned and that could extend to other forums as well...

While a keylogger can steal passwords from a password saving program, it will also steal them as you type them into your computer -- either way, the best protection is to keep keyloggers off of your computer...

I suggest you look at the first post in this topic and consider using those approaches...
Budfred

#9 Tom Herry

    Member

  • Full Member
  • 5 posts

Posted 11 April 2008 - 04:07 AM

Yeah, really, it is a very nice article.

#10 Abadi

    Member

  • Full Member
  • 12 posts

Posted 07 May 2008 - 07:38 PM

Nice article. ;)

Tyvm.

By the way, the password checker site has been changed to:

http://www.securitys...ls/password.php

Abadi

#11 123ira

    Member

  • New Member
  • 1 post

Posted 05 November 2008 - 05:19 AM

Hello Bobbi,
I would like to share my personal experience with you. My Mail ID was hacked recently because of a weak password. Now I have gone through your article thoroughly and it was great to learn how to make a password strong. Thanks for sharing.

=================================
Ira
Edit to remove advertising link - jedi

Edited by jedi, 05 November 2008 - 07:51 AM.


#12 solibytes

    Member

  • Helper Trainee (A)
  • 61 posts

Posted 23 November 2008 - 03:18 PM

A great article, Bobbi, and it is still relevant today. :D

The solution of

A sentence like: "At the last yard sale I bought a book by Stephen King for $3.99" will be infinitely harder to crack than a simple password of 12 characters.

is one to remember. :thumbup:

Cheers