Tuesday, October 11, 2016

Gud Paswurds

You’ve all read the news: “Bank Accounts Hacked,” “Large Department Store Data Stolen,” “30,000 Emails Deleted.” Oh wait, that last one is from the political news. But you know that bad actors, many located in foreign countries, seem to be able to regularly access accounts that should be secure. And why is that?

Well there are many reasons and many ways these thieves gain access where they should have been kept out by locks, security, and passwords. Yet they seem to find their way in, through a window or under the floor or over the roof … metaphorically speaking.

Well there isn’t a lot you can do about the data processing security of your local bank, department store, or government; but there is one aspect of cyber security that you do control. That is your password. Make them STRONG. That’s right ladies and gentlemen, don’t let those beach bullies kick sand in your password’s face. You can have a strong password in just 60 days with these wonderful … wait, I think I got off track yet again.

You do want strong passwords. You’ve read the instructions: Include upper AND lower case LETTERS. Use numbers. Use punctuation and the other strange keys on your keyboard. (Just what the heck is a "~" or a "|"?) That’s called “complexity.” There are other good hints such as, and I can’t emphasize this enough, don’t use regular words called “dictionary words.” Like I said, don’t use regular words called “dictionary words.”

But there is a third method, and it is actually the best at building strong passwords. And that is to make your passwords LOOOOONNNNNGGGGGGGGGG! Sure the site requires a minimum of 8 characters, but that isn’t nearly long enough. You see, the hackers use programs that quickly produce combinations of letters and numbers (and even the strange ${>~?*|` characters). Oh, and they quickly run through dictionaries of common words and names. It is better to use upper and lower case letters, numbers, and even odd-ball symbols, but mathematical analysis shows the most difficult passwords to hack by these automatic programs are long passwords (without common words or names).

Compare these eight character passwords and the estimated time for most hacking algorithms to break them:

qkcrmztd    52 seconds
kqwbv832    11 minutes
J5bZ>9p!    20 days

Note how adding numbers and caps and symbols does increase the hacking time. Doesn’t 20 days sound pretty secure? Oh, but wait, the crooks are running massive parallel systems made of modern PCs with several graphics cards installed. (Graphics cards are very fast at doing math.) So the 20 days may only be one day on a parallel system with 20 nodes.

So, it may be, that 20 days isn’t as good as it may seem from first glance.

By the way, the way this works, in most cases, the crooks have hacked some site and stolen their encrypted password file. They are now using super fast algorithms to hack these files to discover the plain text password. But then I’m sure you don’t use the same password on all your accounts, so if they do discover the password used at one retail store, certainly that isn’t the same password you use at your bank. IS IT????

So what can you do? Well my friends, (Can I call you friends even though I don't know you?), length is your buddy. Let’s start to think in terms of “pass phrases” rather than “pass words.” Length adds tremendously to the time taken to crack a password, even if it only contains lower case letters. Here are some examples:

orange tea      98 days      (length 10 characters)
this is cool    546 years    (length 12 characters)

Of course, many sites don’t accept blank spaces in passwords. Plus they may require upper and lower case, numbers, and special characters (often from a subset of all the keys on the keyboard) no matter how long you make the phrase. Besides that, these examples contain dictionary words, so I don’t recommend them anyway.

Here are some really secure passwords:

I own 2 dogs and 1 cat!      30 octillion years (longer than the age of the universe)
#I own 2 dogs and 1 cat!?    285 nonillion years (yeah, I made that up … but you get the idea)

Now for the blanks and dictionary words:

Just combine some things, misspell the words, add a few characters (which isn’t even necessary unless the site requires it), and “round the rough and ragged rocks” becomes the uncrackable:

rOwnd*thE*rufF*and*rageD*ruck8

Using every computer on the planet hooked in parallel, that password will take until the universe has died of a heat death before it can be hacked. It is rather long, and takes a while to type. You could make it a bit simpler and shorter and it would still be plenty secure. The important thing is to make it more than 8 characters in whatever you choose. Twelve, fourteen, that should be enough, at least with the present state of the art. When they perfect quantum computers, we will have to revisit length.

The key point is that length > complexity in the required computing time to hack the password. No matter how complicated and complex your 8 character passwords are, and no matter how many special odd characters you use on the keyboard (assuming the site will allow them all) a relatively simple 12 character password will be tougher to break than the most complex 8 character password you can dream up. And if 12 isn’t enough to give you a warm feeling, use 18 or 20.
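The length-versus-complexity comparison above can be checked with a worst-case brute-force estimate. The following is an added example, not part of the original post; the rate of 4 billion guesses per second is an assumption, chosen because it reproduces the 52-second figure quoted earlier for eight lowercase letters, and the character-class sizes assume a US keyboard.

```python
import string

GUESSES_PER_SECOND = 4e9  # assumed rate for one cracking machine

# Character classes an attacker must include once the password uses any member.
CLASSES = [
    string.ascii_lowercase,          # 26
    string.ascii_uppercase,          # 26
    string.digits,                   # 10
    string.punctuation + " ",        # 33 (32 symbols plus the space)
]

UNITS = [("years", 31_557_600), ("days", 86_400), ("hours", 3_600),
         ("minutes", 60), ("seconds", 1)]


def alphabet_size(password):
    """Size of the smallest alphabet covering every character class used."""
    return sum(len(chars) for chars in CLASSES
               if any(c in chars for c in password))


def search_space(password):
    """Number of candidates an exhaustive search over that alphabet must try."""
    return alphabet_size(password) ** len(password)


def seconds_to_exhaust(password, nodes=1):
    """Worst-case time to try every candidate, split evenly across `nodes`."""
    return search_space(password) / (GUESSES_PER_SECOND * nodes)


def humanize(seconds):
    for name, size in UNITS:
        if seconds >= size:
            return f"{seconds / size:,.0f} {name}"
    return "under a second"


if __name__ == "__main__":
    # Eight-character passwords from the post, then a plain 12-letter one (constructed).
    for pw in ["qkcrmztd", "kqwbv832", "J5bZ>9p!", "a" * 12]:
        print(f"{pw:14} {alphabet_size(pw):3} symbols  "
              f"{humanize(seconds_to_exhaust(pw)):>14}  "
              f"{humanize(seconds_to_exhaust(pw, nodes=20)):>14} on 20 nodes")
```

This models exhaustive search only, so it overstates the strength of anything built from dictionary words or predictable patterns.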

Just remember:

Don't use common dictionary words: orange, secret, password
Don't just substitute numbers for letters: secr3t, passw0rd — the crooks know that one.
Don't use sequential letters or numbers: 12345, abcde
Don't use repeated letters/numbers or keyboard patterns: 111, aaa, qwerty, asdfgh

And, finally, don't use the same passphrase for every site if you can help it. (If it is a trivial site, using a common password is OK. But protect your financial accounts and your email carefully.)
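The "don't" rules above can be turned into a check that a sign-up form or a password audit runs before accepting a passphrase. This is an added example, not part of the original post; the three-word list is constructed from the post's own examples (a real check would load a large wordlist), and the substitution table and run lengths are assumptions.

```python
COMMON_WORDS = {"orange", "secret", "password"}   # constructed: the post's examples
LEET = str.maketrans("013457@$", "oieastas")      # assumed common digit/symbol swaps
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]


def has_run(text, step, length=3):
    """True if `length` adjacent characters each differ by `step` code points.

    step=1 finds sequences such as abc or 123; step=0 finds repeats such as aaa.
    """
    run = 1
    for a, b in zip(text, text[1:]):
        run = run + 1 if ord(b) - ord(a) == step else 1
        if run >= length:
            return True
    return False


def has_keyboard_walk(text, length=4):
    """True if the text contains `length` neighbouring keys from one keyboard row."""
    return any(row[i:i + length] in text
               for row in KEYBOARD_ROWS
               for i in range(len(row) - length + 1))


def weaknesses(password):
    """Return which of the post's rules the password breaks (empty list if none)."""
    lowered = password.lower()
    found = []
    if any(word in lowered for word in COMMON_WORDS):
        found.append("dictionary word")
    elif any(word in lowered.translate(LEET) for word in COMMON_WORDS):
        found.append("number-for-letter substitution")
    if has_run(lowered, step=1):
        found.append("sequence")
    if has_run(lowered, step=0):
        found.append("repeated character")
    if has_keyboard_walk(lowered):
        found.append("keyboard pattern")
    return found


if __name__ == "__main__":
    for pw in ["orange", "secr3t", "passw0rd", "12345", "abcde", "111",
               "qwerty", "asdfgh", "rOwnd*thE*rufF*and*rageD*ruck8"]:
        print(f"{pw:32} {weaknesses(pw) or 'no rule broken'}")
```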

P.S.
Why email accounts? Well, guess how you reset a password. You typically ask for a reset and the site sends an email to reset the password. If someone can hack your email, they can probably reset your wonderful long password in about 1 minute, assuming they know the answer to a security question such as your mother’s maiden name or the high school you attended — which isn’t that hard to find on the Internet, now is it? Ah yes, security questions. I’d better get busy and write another note about security questions. Good security, it’s a never ending job!