Picking a strong password is not as easy as it may seem at first. The accepted advice is to choose a long password of randomly generated characters, preferably not letters only. At the same time, it is well known that the vast majority of users do not follow this recommendation and instead pick passwords that are easy to type and remember, like "qwerty".
Generating a long password is not a problem; there are plenty of generators for producing strong passwords, and this function is available in literally any password manager (e.g., Aurora Password Manager). However, using strong, automatically generated passwords creates a new problem: unable to memorize them, users either write them down, often in the most inappropriate places, or simply forget them, which often leads to serious trouble and the need for password recovery software (not always successfully).
First, let's consider how long a password should be in general and what requirements it has to meet. Above all, it should be understood that the reliability of a system as a whole is determined by its weakest component. You can generate a prodigiously strong and long password, memorize it and use it, but if, for example, you use it to protect a database in a version of Microsoft Access older than 2007, that password can be recovered instantly. The length of the password won't do you any good, simply because password protection in Microsoft Access before version 2007 was implemented absolutely ignorantly and unprofessionally and provided no real protection. Therefore, if the software is not reliable, a long password won't save you. Unfortunately, password protection (and security issues in general) is very often treated as something of minor importance, and the result is an outrageously ignorant implementation. As a case in point, consider the IT market's leader (for now), Microsoft Corporation, which took 20 years to finally create a more or less reliable password protection in its lead product, Microsoft Office (and still not in full and not in all of its products).
But even if the system is reliable, there are still many ways to obtain a password even if it is strong enough. First, there is the human element (writing a password on a piece of paper kept next to the computer is just one example). Second, there is spyware of all kinds, including keyloggers that record every key press and more besides. If you are far from home and visit an internet café to use online banking, be aware that the password you enter there can easily be stolen. Moreover, it would not necessarily be the administration's malicious intent: security in internet cafés is often maintained at a low level, and a spyware application can be installed even by a visitor.
And finally, there are two universal methods of breaking a password, which are applicable in literally all cases but which, fortunately, do not guarantee success (provided that the password is chosen properly). The first method is dictionary search. The second is exhaustive search of all possible combinations of characters; this method is also called a brute-force attack. There are also various variations of these methods. For example, when searching by dictionary, it is possible to check not only whether a certain word fits as the password but also different modifications of it: a word with trailing digits, a word with typos, a password composed of two words, etc. Various variations and optimizations are also applicable to exhaustive search.
Dictionary search is fast enough; however, the success of this method is not guaranteed. If the password is a sequence of characters that is not a word (nor a modification of one), dictionary search will be unable to break it.
As for exhaustive search over all characters, this method does guarantee success: any password can be broken with it. This fact lies at the heart of Dan Brown's famous book "Digital Fortress". Since it is possible to break any password, it seems to follow that one could spend a lot of money, build a supercomputer that calculates really, really fast, and that's it: it will crack all passwords like peanuts. Fortunately, that's not true. To put it more precisely, theoretically it is true; in practice, however, the matter rests on time. How much time and how many resources can a malefactor afford to spend on breaking a password? Three factors determine the time required: first (and most important), password length; second, password "width", in terms of the characters that can be present in the password: Letters only? Latin characters only or Cyrillic too? Lowercase only, uppercase only or both? Digits? Other characters? The third factor is search speed. For example, the applications whose passwords are hardest to break are WinRar and Office 2007 (Word, Excel, OneNote, PowerPoint; in Access 2007 things with security are much worse, and in Outlook everything is just as monstrously bad as it was 20 years ago): in these applications the search speed is very low. On the other hand, the search speed for a password-protected ZIP archive can be 100,000 times higher! Thus, the same password can turn out to be reliable enough or completely unreliable, depending on where it is used. For example, a password to a ZIP archive that can be broken within just one hour will require over 11 years of calculation when used with WinRar.
The dependence of time on password length is exponential. This mathematical dependence is known for growing slowly at the beginning and faster and faster further on. Many everyday paradoxes are based on that fact; as an example, consider the following problem. Would you rather get one million dollars at once, or get one cent on the first day, two cents on the second day, four on the third and so on, doubling the previous day's amount every day for one month (30 days)? The second option seems to pay much less: after all, only a week later do you move on from cents to one dollar, whereas a week is a quarter of the entire time span allowed! On the 15th day, the middle of the allotted term, you will have just a bit over three hundred dollars, while in the first case you'd have a million! But keep on calculating: on the twentieth day you will have 10 thousand, and on the thirtieth day the amount due to you will be 10 million! This example is directly related to the brute-force attack. If the password consists of English letters only, picking a one-character password is nothing: there are only 26 variants. For a two-character one the number of options rises to 676, still not all that many. Five characters: 11 million. That will cause some difficulty in breaking if it is, for example, a password to a Word 2007 document, but in simpler cases there will be no problems or special delays. Breaking a password of 9 characters is an almost unbearable job in the case of Word 2007 or WinRar, and even with the fast variants (like a password to a ZIP archive) breaking such a password will take noticeable time.
You can use the online password calculator to estimate how much time it will take to break a password depending on the parameters you provide. The calculator is available at www.LastBit.com/pswcalc.asp
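The three factors above (length, width, search speed) are all the calculator needs; the following added example, not the LastBit calculator's own code, reproduces that estimate in Python. The absolute search speeds are assumptions chosen for illustration; only their ratio (ZIP roughly 100,000 times faster than WinRar) comes from the text.

```python
# Constructed search speeds in guesses per second. The article gives only the
# ratio (a classic ZIP archive is searched roughly 100,000 times faster than
# WinRar); the absolute figures here are assumptions for illustration.
SPEED_ZIP = 1_000_000_000
SPEED_WINRAR = SPEED_ZIP // 100_000

# "Width" of the password: how many distinct characters may appear in it.
WIDTH = {
    "lower": 26,        # a-z
    "lower+upper": 52,  # a-z, A-Z
    "alnum": 62,        # a-z, A-Z, 0-9
    "printable": 95,    # all printable ASCII, including symbols
}

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(width: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return width ** length


def seconds_to_exhaust(width: int, length: int, guesses_per_second: int) -> float:
    """Worst-case time for an exhaustive search of all passwords of this size."""
    return keyspace(width, length) / guesses_per_second


def min_length(width: int, guesses_per_second: int, target_seconds: float) -> int:
    """Shortest length whose exhaustive search takes at least `target_seconds`."""
    length = 1
    while seconds_to_exhaust(width, length, guesses_per_second) < target_seconds:
        length += 1
    return length


def describe(width: int, length: int, guesses_per_second: int) -> str:
    """Human-readable worst-case search time."""
    secs = seconds_to_exhaust(width, length, guesses_per_second)
    if secs < 3600:
        return f"{secs:.1f} seconds"
    if secs < SECONDS_PER_YEAR:
        return f"{secs / 3600:.1f} hours"
    return f"{secs / SECONDS_PER_YEAR:.1f} years"


if __name__ == "__main__":
    for n in (1, 2, 5, 9):
        print(n, keyspace(26, n), "ZIP:", describe(26, n, SPEED_ZIP),
              "WinRar:", describe(26, n, SPEED_WINRAR))
```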
Or maybe Dan Brown was right? Maybe the cool secret services, having mobilized all their resources and all the supercomputers of the world, have become able to break your sacred password? Besides, the computer industry advances with seven-league strides and the computing power of computers grows fast; if not now, then in some time will that become a reality? No, it is practically impossible to break a good password with exhaustive search.
Here's a digression about physics and mathematics, almost without formulas and not terrifying at all. There is a very amusing and unexpected argument that limits the possibility of breaking a sufficiently long password by exhaustive search. Suppose the super-mega-computer of the future has been created. It is perfect; its computing power is incredible. Will it be able to break a long password by exhaustively searching all variants? It turns out that no, it won't. Nobody has cancelled technical progress, and it is very likely that the computers of the future will run much faster than the ones we have today. But even those computers obey the laws of physics. And what those laws say is that changing the state of any system inevitably requires energy. When searching passwords, the state of the system changes with each new variant. Even if we take the smallest physically possible change, it turns out that, for example, searching for a 28-character password would require as much energy as the sun has produced in its entire existence. Certainly, this argument holds only if exhaustive search of all variants is the only way to break the password.
So, if you are confident in the reliability of the software and have protected yourself (as far as it can be done) from spyware and other channels of password theft, then to protect yourself from dictionary search and exhaustive search you need to pick, as the password, a sequence of characters that is not a word (or a variation of a word: a misspelled word, a word with digits, etc.). Besides that, the password has to be sufficiently long, and it is very desirable to include symbols in it, not only letters and digits. Different demands will be made of the password depending on what it is going to be used for; you can use the Password Calculator to estimate the time required to break it. And most important of all, you must be able to memorize the password without writing it down.
There is an easy way to make up passwords that are easy to remember and yet strong enough. Take some phrase as the base; it can be a line from a song, a quote, a saying, whatever. The point is that you need to be able to remember it; that will be the base of your password. Next, from each word of the phrase take, for example, 1-3 letters (depending on the length of the phrase) and form the password from them. As a result, you get a long enough set of characters that is nevertheless easy to remember and reconstruct. For example, would it be easy for you to remember the password alroletoro? Now, how about remembering it written this way: "All roads lead to Rome"?
To fortify the password even further, you can separate the letters with a character and/or make up a rule for interlacing uppercase and lowercase characters. Unfortunately, this method cannot be regarded as absolutely reliable: if the malefactor knows that you use it, he can take advantage of that knowledge and search common phrases. But it is still much better than the traditional passwords used by ordinary people.
Yet another common mistake is that many people have one, two or three favorite passwords that they use in all situations. Here trouble lies in wait for them. For example, when entering a password at some Web resource, you actually hand it over to the owner of the resource. In most cases, you don't know who that person is, how careful he is about storing passwords, or how password management is organized at all. The most obvious and most frequently used way (although it is not secure) is storing logins and passwords in the database in the clear (if a Web resource offers recovery of a forgotten password and simply prompts for your e-mail and sends the forgotten password to it, that is exactly this case). Your password is then available to at least the owner of the Web resource, his employees, and the employees of the company providing the hosting. Besides that, the owner of the Web resource can simply sell it (certainly along with the users' private data, including, in particular, your password), and you have no guarantee that your password does not end up in someone's dirty hands. When the right approach is used, what is stored is not the users' actual passwords but some derivative of them (a hash), which allows checking the validity of an entered password but does not allow recovering it.
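The two storage schemes just described, side by side, as an added example that is not from the original article: the "in the clear" table that a "send me my password" feature reads from, and the salted-hash table that can only verify a login. PBKDF2-HMAC-SHA256 from the Python standard library is an assumption here; any modern password-hashing function serves the same purpose.

```python
import hashlib
import hmac
import secrets

# Assumption for illustration: PBKDF2-HMAC-SHA256 with a per-user random salt
# and a high iteration count (scrypt, Argon2 or bcrypt would do equally well).
ITERATIONS = 600_000
SALT_BYTES = 16


def store_plaintext(db: dict, user: str, password: str) -> None:
    """The insecure scheme: whoever can read the table reads every password,
    and 'forgot my password' can simply mail the stored value back."""
    db[user] = password


def store_hashed(db: dict, user: str, password: str) -> None:
    """Store only a derivative of the password: a random salt plus a digest.
    Two users with the same password get different digests because of the salt."""
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    db[user] = (salt, digest)


def verify_hashed(db: dict, user: str, attempt: str) -> bool:
    """Check a login attempt without ever recovering the original password."""
    record = db.get(user)
    if record is None:
        # Burn the same cost for unknown users so response time does not leak
        # which user names exist.
        hashlib.pbkdf2_hmac("sha256", attempt.encode(), b"\0" * SALT_BYTES, ITERATIONS)
        return False
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", attempt.encode(), salt, ITERATIONS)
    # Constant-time comparison of the two digests.
    return hmac.compare_digest(candidate, digest)


def can_mail_password_back(db: dict, user: str) -> bool:
    """True only when the stored record is the password itself, i.e. the site
    could 'recover' it by e-mail; a hashed record makes that impossible."""
    return isinstance(db.get(user), str)
```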
The problem is extremely topical. Besides Web resources, using the same password for protecting documents is also undesirable. For example, you could use the same password for protecting Word documents, some of which are stored in the old format (Word 2003) and others in the new one. Since password protection in the old format is much weaker than in Word 2007, one can recover the password from an old document and then open a new document with it, even though the password, as applied to the new document, could be sufficiently reliable.
There is only one way out: use different passwords for different resources. Unfortunately, it is difficult to make up a new password for each Web resource. A truly reliable way out of this trap is a password manager; for example, Aurora Password Manager provides a convenient plugin that generates reliable passwords and then automatically enters the right password in the authentication form. You will have to remember just one master password that protects the password database.
You can also use a certain rule for forming passwords. For example, to set a password for a Web resource you could take the first and last letters of the domain name and add your favorite password to them. Strictly speaking, this method is not secure (especially if the rule is obvious enough), but it is still much better than repeating the same password everywhere.
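The phrase-based method described earlier ("All roads lead to Rome" becoming alroletoro, optionally with a separator and a case rule) and the per-site rule just given, implemented together as an added example that is not from the original article. The exact rules (two letters per word, uppercase every second piece, the site's registrable name with its TLD dropped) are assumptions chosen to reproduce the article's sample.

```python
import re


def from_phrase(phrase: str, letters_per_word: int = 2, separator: str = "",
                alternate_case: bool = False) -> str:
    """Build a password from the first `letters_per_word` letters of each word.
    "All roads lead to Rome" with two letters per word gives "alroletoro"."""
    words = re.findall(r"[A-Za-z]+", phrase)
    pieces = [w[:letters_per_word].lower() for w in words]
    if alternate_case:
        # One possible rule for interlacing case: every second piece uppercased.
        pieces = [p.upper() if i % 2 else p for i, p in enumerate(pieces)]
    return separator.join(pieces)


def for_site(base: str, hostname: str) -> str:
    """Per-site variant: the first and last letter of the site's name, followed
    by the base password, so no two sites receive the same string.
    Assumption: the name is the label before the TLD (example.com -> example)."""
    labels = hostname.lower().split(".")
    name = labels[-2] if len(labels) >= 2 else labels[0]
    return name[0] + name[-1] + base


if __name__ == "__main__":
    base = from_phrase("All roads lead to Rome")
    print(base)                                              # alroletoro
    print(from_phrase("All roads lead to Rome", separator="-", alternate_case=True))
    print(for_site(base, "www.example.com"))                 # eealroletoro
```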
In conclusion, here are a few links to helpful resources:
www.LastBit.com/pswcalc.asp - Password Calculator for estimating the time necessary to break a password by exhaustive search, depending on the parameters you specify
www.PasswordTools.com - Password Recovery Software for all popular applications.
www.Animabilis.com - convenient multi-user password manager.