Saturday, May 19, 2012

Think Your Password Is Secure, It's Probably Not

Growing information shows how weak passwords are for protecting you.


 
Many believe that creating a good password is all it takes to protect their accounts from unauthorized access. The problem is knowing what a good password is today. Passwords that were considered good several years ago are no longer considered safe and secure. Many do not know that, and have exposed themselves to someone guessing their password and gaining access. Hackers have many tools at their disposal and those tools are getting better all the time. In doing some research for this, I came to see that a password with a length of even 8 characters could be cracked in a matter of months or less by those seeking to gain access. The longer the password you create, the better the chances are that it will not be cracked. But length alone is not the complete answer to having a solid password that gives you confidence.

Many choose not to deal with any of this, but the time has come to look at it seriously before you become the next victim. I have previously written about the password length versus password complexity issues and it is not a versus situation but rather a combination of the two. And it gets even worse than that. The usual list of characters, letters (upper and lower), numbers and special characters, now becomes critical to your password strategy. A very revealing article about the 10,000 Top Passwords shows:


* 4.7% of users have the password password;
* 8.5% have the passwords password or 123456;
* 9.8% have the passwords password, 123456 or 12345678;
* 14% have a password from the top 10 passwords
* 40% have a password from the top 100 passwords
* 79% have a password from the top 500 passwords
* 91% have a password from the top 1000 passwords


You should take a look at the article, as it is an eye opener. People are not taking password protection seriously and they wonder why they get hacked. Making your password longer and drawing on the above list of characters is no longer enough. If you go to The Password Meter, it will rate how secure your password is. You lose points for things like letters only or numbers only, as that makes it much easier to guess or to crack via brute force methods. But this site points out some other items that you may not have thought about when choosing a password. You should not use consecutive letters or numbers, as that is something hackers check for. Entering sequential letters or numbers, such as "abc", is also something you should not do. Some password generating tools do not check for this, but they have gotten better in recent years.

But recent information we have seen points to even more things to be concerned about. While technology for hackers has improved, the same technology is helping to make better passwords which are generated as part of software. These tools point out just how long it might take to crack a password and point out other items such as repeating characters. While the values they show as to how long it will take a desktop PC to crack your password may be off a little, you get the point of the strength of a password given what we know today.

So, I went over to How Secure Is My Password and ran a series of tests using the password generator in RoboForm, which is my method of keeping track of passwords. I have too many to keep track of and it is critical that you do not duplicate a password on more than one site. So, here is a list of the generated passwords I tested with and the length of each one is 14 characters. Some folks recommend even longer passwords and in a growing number of situations, I am inclined to agree with a password which is greater than 16 characters. Here is the list:

 1) t93&%I7tYq#Yy2
 2) 4f^f9t!pDjGJmI
 3) W5m!E^tTF*W8Wj
 4) Qe&LK5o%qa8Yh0
 5) J&ZR#wOx1rY2m9
 6) BKYmhh3227IKS^

From the 6 listed above, I entered each one in the How Secure site and then started removing digits from the right hand side to see the impact. I have included those results here for your reference to see how strong longer passwords actually are. I have not included a column for 14 characters as it would take 32 billion years on a desktop computer to hack. But below that number things start to move around. I have dropped the 5 character column as all the values were 10 seconds or less, meaning you are screwed.

[Image: password strength test]
bil = billion, mil = million, ths = thousand, etc.
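
The checks and the truncation test described above can be reproduced offline. This is an added example, not code from this post or from either site mentioned: it flags the patterns the post warns about and estimates exhaustive-search time as alphabet size to the power of length, divided by a guess rate. `GUESSES_PER_SECOND` and all function names are assumptions, so the figures will not match the site's exactly.

```python
import string

# Assumption: offline guess rate; the rate the site uses is not given in the post.
GUESSES_PER_SECOND = 4e9
# The three passwords the post names from the top of the 10,000 list.
COMMON = {"password", "123456", "12345678"}
SEQUENCES = (string.ascii_lowercase, string.digits)
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)

def charset_size(pw):
    """Alphabet an attacker must search, judged by the character classes present."""
    return sum(len(cls) for cls in CLASSES if any(c in cls for c in pw))

def seconds_to_exhaust(pw, rate=GUESSES_PER_SECOND):
    """Worst-case time to try every string of this length over this alphabet."""
    return charset_size(pw) ** len(pw) / rate

def weaknesses(pw):
    """Flag the patterns the post warns about; an empty list means none found."""
    found = []
    if pw.lower() in COMMON:
        found.append("common password")
    if pw.isalpha():
        found.append("letters only")
    if pw.isdigit():
        found.append("numbers only")
    low = pw.lower()
    for i in range(len(low) - 2):
        run = low[i:i + 3]
        # "abc", "789" and their reverses ("cba", "987") count as sequential.
        if any(run in seq or run[::-1] in seq for seq in SEQUENCES):
            found.append("sequential run " + pw[i:i + 3])
            break
    if any(a == b for a, b in zip(pw, pw[1:])):
        found.append("repeated characters")
    return found

def truncation_table(pw, shortest=6):
    """Drop characters from the right, as in the post, re-estimating each prefix."""
    return [(n, charset_size(pw[:n]), seconds_to_exhaust(pw[:n]))
            for n in range(len(pw), shortest - 1, -1)]

if __name__ == "__main__":
    for pw in ("BKYmhh3227IKS^", "password", "123456"):
        print(pw, weaknesses(pw))
        for n, size, secs in truncation_table(pw):
            print(f"  {n:2d} chars, alphabet {size:2d}: {secs / 31_557_600:.3g} years")
```

Truncating can remove an entire character class as well as shorten the password: password 6 from the list loses its only special character at 13 characters, so its alphabet shrinks from 94 to 62.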

These results are for passwords created today and the hacker tools available today to crack them. Things move quickly and a year from now, that may not be the case. It is important that you look at your password strategy for today and make sure that it is keeping up with the times. In fact, you must be keeping ahead of the times before the hackers catch up.

RoboForm: Learn more...
