Pump Up Your P@$$w0rd$

Tuesday, April 03, 2012

Kevin Doel

Article by Tim Henneway, support manager for mSeven Software

Many web services or computer systems today require strong passwords. So why are strong passwords so important? Is it really worth all the trouble?

You might also wonder what makes a password strong. Is it just the length of the password, and why all the emphasis on mixed case and special characters? This article will discuss the why, what and how of strong passwords.

Cryptography is King

Cryptography is the hiding of information via the encryption and decryption of data. To keep your data safe, whether on a web site or on your device, it needs to be stored in encrypted form using a strong algorithm like Blowfish or AES. Encryption has become so strong that today’s hackers must use computers to attack security systems.

Brute Force Attack

Even though your data is strongly encrypted, it may still be vulnerable to a brute force attack if the hacker has access to your database.  A brute force attack is where a hacker uses software to try a series of common passwords or all possible passwords in an attempt to guess your password and gain access to your data. 

The best protection against this type of attack is a strong password because, as you will see, it will take too long for the hacker to figure out your password.  Using strong encryption and a strong password will provide a very high level of security for your data.

How Long is Strong?

A strong password is not just a long string; its strength is also determined by the number of different characters that each position of the password can take. For example, it takes less than a second for a fast computer to run through all the permutations of a 4-digit PIN (e.g., 2578) containing only digits.

By simply making each of the 4 characters any lowercase letter, uppercase letter, number or symbol (e.g., Bc1@), it now takes 25 seconds to generate all permutations -- a major improvement!

Time to generate all permutations of a 4-character password

Character Set             Time
Digits only (0…9)         1 second
All ASCII characters      25 seconds

Now let’s see what impact password length has on password strength. In 2010, a top password recovery service in the US reported that their state-of-the-art computing systems can try about 20 million passwords a second.

This means that only hackers with state-of-the-art resources should be able to reach this same rate; the average hacker is probably going to take about twice as long as the figures below.

Time to Crack*

Password Length      Time to crack
6 characters         11 hours
7 characters         6 weeks
8 characters         5 months
9 characters         10 years

*assumes each character can be any ASCII character.

As you can see, with a password as small as nine characters you can make it very hard for a hacker to crack your database.
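The arithmetic behind both tables, as an added example that is not from the original article: the keyspace is the character set size raised to the password length, and the worst-case crack time is that keyspace divided by the guess rate. It assumes the 95 printable ASCII characters and the 20 million guesses per second figure quoted above; the result is very sensitive to which character set is assumed, so compare your own assumptions against the table.

```python
import math

DIGITS = 10                       # 0-9
PRINTABLE_ASCII = 95              # space plus the 94 visible printable ASCII characters
GUESSES_PER_SECOND = 20_000_000   # the 2010 recovery-service rate quoted in the article


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return charset_size ** length


def entropy_bits(charset_size: int, length: int) -> float:
    """The same keyspace expressed in bits: log2(charset ** length)."""
    return length * math.log2(charset_size)


def seconds_to_exhaust(charset_size: int, length: int,
                       rate: int = GUESSES_PER_SECOND) -> float:
    """Worst case: every candidate is tried once at `rate` guesses per second."""
    return keyspace(charset_size, length) / rate


def human_time(seconds: float) -> str:
    """Render seconds in the largest unit that fits, e.g. '10.2 hours'."""
    units = [("years", 365 * 86400), ("days", 86400),
             ("hours", 3600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.3f} seconds"


def crack_table(lengths, charset_size: int = PRINTABLE_ASCII,
                rate: int = GUESSES_PER_SECOND) -> dict:
    """Map each length to its worst-case exhaust time, like the 'Time to Crack' table."""
    return {n: seconds_to_exhaust(charset_size, n, rate) for n in lengths}


if __name__ == "__main__":
    print("4-digit PIN:", human_time(seconds_to_exhaust(DIGITS, 4)))
    print("4 printable-ASCII chars:", human_time(seconds_to_exhaust(PRINTABLE_ASCII, 4)))
    for n, secs in crack_table(range(6, 10)).items():
        # the article's "average hacker" works at about half the rate, so twice the time
        print(f"{n} chars: top-end attacker {human_time(secs)};"
              f" average attacker {human_time(2 * secs)}")
```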

Choose Wisely

Many will hear that a 9-character password can be strong and then select any easy-to-remember 9-character word and use that as a password. This can be a big mistake! Hackers know people will do this, and they will create and share dictionaries of common passwords and will even mine your personal data for keywords they can use to reduce the 10 year crack time to mere hours.

For example, let’s say you use the word “mountain” as your password. Since the word is in the dictionary, a hacker using the dictionary as a set of passwords will crack your data rather quickly.

The trick is to create a password that is memorable and yet long enough while using a wide array of characters.

Pumping Up Your Password

Here are some ideas on how to create strong passwords. Pick an 8-character word that is easy to remember and make it strong.  For our example we will use the word “mountain.” You will note that this word is all lowercase characters, which is not very secure.  Let’s pump it up!

  • Change at least one letter to uppercase (you don't want to pick the first letter, as that would be more common and easy to guess). The revised password is now “mounTain.”
  • Add at least one number to it. Let’s replace the “o” with an “0”, making the revised password “m0unTain.”
  • Finally, include a symbol. Let’s replace the “a” with the symbol “@” making our new password “m0unT@in.”

We now have a much stronger password using a combination of uppercase, lowercase, numbers and symbols.  While an 8-character password is a good length, you will recall from the chart above that we need a 9-character minimum password. 

Let’s make it more secure by adding another character.  “m0unT@in” could become “m0unT@ins”, or even better “m0unT@in$”, where we have swapped the “s” for a “$”. Many people also put an “!” at the end of any password or a “+” at the beginning and end of all their passwords.

The general idea is to choose a word or phrase that you will be able to remember and a simple algorithm for converting it to a strong password. Even the best encryption systems in the world are not going to protect your data if you are using weak passwords and a hacker gains physical access to your mobile device.
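A defender-side check for the recipe above, added here and not part of the original article: it undoes the common substitutions (0 for o, @ for a, $ for s and a few similar ones, an assumption about which to cover), strips the decorations people add at the ends, and tests whether the base word is in a wordlist. As the “Choose Wisely” section notes, a hacker with a dictionary tries mutated words, so the naive charset-to-the-length figure overstates the strength of such a password. The wordlist is a small constructed sample.

```python
import math
import string

# Constructed sample; a real check loads one of the large shared wordlists the article mentions.
SAMPLE_WORDLIST = {"mountain", "password", "sunshine", "football", "letmein"}

# Reverse the substitutions from the recipe above (0->o, @->a, $->s) plus a few
# equally common ones; which substitutions to cover is an assumption of this example.
UNLEET = str.maketrans({"0": "o", "@": "a", "$": "s", "1": "i",
                        "3": "e", "4": "a", "5": "s", "7": "t"})

def charset_size(pw: str) -> int:
    """Size of the character set implied by the character classes actually present."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c == " " or c in string.punctuation for c in pw):
        size += 33  # 32 punctuation characters plus space
    return size

def naive_bits(pw: str) -> float:
    """Strength if every character had been chosen uniformly at random from that set."""
    return len(pw) * math.log2(charset_size(pw)) if pw else 0.0

def candidate_words(pw: str):
    """Undo substitutions, case and leading/trailing decorations to expose the base word."""
    word = pw.translate(UNLEET).lower().strip(string.punctuation + string.digits)
    yield word
    if word.endswith("s"):          # "m0unT@in$" -> "mountains" -> "mountain"
        yield word[:-1]

def dictionary_based(pw: str, wordlist=SAMPLE_WORDLIST) -> bool:
    """True when the password is just a decorated wordlist entry."""
    return any(w in wordlist for w in candidate_words(pw))

def assess(pw: str, wordlist=SAMPLE_WORDLIST) -> dict:
    """The naive figure overstates strength whenever dictionary_based is True."""
    return {"length": len(pw), "charset": charset_size(pw),
            "naive_bits": round(naive_bits(pw), 1),
            "dictionary_based": dictionary_based(pw, wordlist)}

if __name__ == "__main__":
    for pw in ["mountain", "m0unT@in$", "+m0unT@in!", "xK9$qLw2z"]:
        print(pw, assess(pw))
```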

To keep your data safe, it is important to understand what makes a strong password and create a password that is easy for you to remember and type into the login screen of your password manager.

Passwords that are about 9 characters in length and include lowercase letters, uppercase letters, numbers and symbols are considered the best defense to the hacker’s brute force attack.  

Wim Vandierendonck: According to me, the replacement of certain characters with "the well known" characters (like 'a' and '@') is dated and adds limited strength to a password. Wouldn't the use of a 'pass sentence', combined with random changes (like capitals, random chars or numbers, ...) result in a more powerful password? A good resource for me: http://www.microsoft.com/security/online-privacy/passwords-create.aspx

David Pfeiffer: Good thoughts and article, thanks for adding to the conversation!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.