Feature
News
8/9/2007
07:46 PM
Fred Langa
Fred Langa
Features
Connect Directly
RSS
E-Mail
50%
50%
Repost This

How to Build Better Passwords

Stronger passwords don't have to be hard to create or use.

Good passwords are essential for PC security. Even the world's strongest encryption algorithms or logon procedures won't protect you if you use the wrong kind of password.

And even if you once were safe, you may not be today: Passwords that were fine even just a few years ago may now be vulnerable to attack because of huge advances in hardware and software: Malicious hackers have tools that can make hundreds to thousands of guesses in seconds. Passwords that might once have taken months or years to crack can now be cracked in minutes or hours.

It takes very little skill to mount a password attack. The simplest form of attack is based on dictionary lists: The cracking software simply tries every possible word listed in an online dictionary. Any password found in the dictionary will thus soon be discovered. This type of software is extremely simple to create because no deep analysis or cryptographic skill is needed. It's high-school level stuff, and yet it can defeat many passwords!

Similarly, passwords based on common phrases are very weak. A malicious hacker can use a dictionary of famous quotations in much the same way as using a dictionary of individual words: Any password based on familiar quotes is likewise easily discovered.

It's only a little more complicated for a malicious hacker also to cover the most common permutations of words and phrases. For example, some people choose a password or phrase, and then touch-type that word or phrase, but shift their hands one character to the right, left, up, or down from the normal typing position. The resulting output looks like gibberish, but really isn't: It retains a regular pattern that a computer easily can sniff out.

So-called "elite" or "l33t" speak was once a useful way of increasing a password's complexity, but the rules of "l33t" substitution are now well known. Similarly, taking a common word or phrase and trying to make it more complex through random capitalization and by appending numbers does little to add real security: For example, a lowly P3 PC running a widely available cracking tool at just 500 MHz was able to guess the password "ChEcK12" in only 26 seconds; and today's top-of-the-line PCs could perform the same crack almost instantly. (For more examples of just how quickly simple password techniques like this can be bypassed, see this page from McMaster University). It's scary stuff.

What Makes A Good Password?
So, what makes a better password? There are three major factors: length, complexity, and randomness. We've already touched on randomness. A good password will be a truly unique combination of characters, and that means that the password should not appear in any form in any dictionary, book of quotations, and so on. The password also should not be based on simple substitutions or transpositions of common words or phrases: If any underlying pattern remains -- the less truly random a password is -- the easier it is to be cracked.

Complexity also is easy to understand. For example, if you limit yourself to the lower-case letters of the English alphabet, each character in your password will have only 26 possible values. Simply allowing uppercase and lowercase letters means that each character in the password can have 52 different values. Add in numbers (0-9) and you have 62 possible values; add the punctuation and symbol characters commonly found on a US-English computer keyboard, and you have a total of about 92 unique (non-repeating) possible values. Clearly, using all the kinds of characters available to you significantly increases the complexity of a password.

Length also is hugely important: A two-character password, where each character could be any of 92 possible values, affords just 8464 unique combinations. Three characters allow 778,688 possibilities; four yields 71,639,296, and so on. So clearly, longer passwords are better because the number of possible character combinations increases exponentially with length.

But note that while something like "71,639,296" password possibilities would be daunting in human terms, it's nothing to the brute strength of a PC. This online calculator lets you play with variables to see how long a "brute force" password-cracking program would have to run to defeat passwords of varying lengths and complexities. Note that the "speed -- thousands of passwords per second" figure depends not only on the speed of a given PC, but also on the efficiency of the cracking software, which is hugely variable in itself. But the calculator is seeded with an exceedingly low number, which significantly under-represents the power of today's PC's and software. For a more realistic view of contemporary threat levels, crank up the "speed" variable by several orders of magnitude. (For a hardware-based starting point, you may wish to note that the common Intel P6 is capable of processing hundreds of millions of instructions per second. Note also the real-life cracking results reported earlier by McMaster University.

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
The Agile Archive
The Agile Archive
When it comes to managing data, donít look at backup and archiving systems as burdens and cost centers. A well-designed archive can enhance data protection and restores, ease search and e-discovery efforts, and save money by intelligently moving data from expensive primary storage systems.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Elite 100 - 2014
Our InformationWeek Elite 100 issue -- our 26th ranking of technology innovators -- shines a spotlight on businesses that are succeeding because of their digital strategies. We take a close at look at the top five companies in this year's ranking and the eight winners of our Business Innovation awards, and offer 20 great ideas that you can use in your company. We also provide a ranked list of our Elite 100 innovators.
Video
Slideshows
Twitter Feed
Audio Interviews
Archived Audio Interviews
GE is a leader in combining connected devices and advanced analytics in pursuit of practical goals like less downtime, lower operating costs, and higher throughput. At GIO Power & Water, CIO Jim Fowler is part of the team exploring how to apply these techniques to some of the world's essential infrastructure, from power plants to water treatment systems. Join us, and bring your questions, as we talk about what's ahead.