October 5, 2011

You Need A Strong Password

[edit: sorry the formatting on this was all messed up somehow, so I've hopefully fixed it]

More and more of our financial information is stored on computers. Most of us access our bank statements, retirement accounts, mortgages, health insurance information and other financial data through websites. All of these accounts, and the financial information they contain, are only as secure as the password you use to access them. Combine this with the fact that identity theft is a growing and very real concern and you have a very good reason to use a stronger password.

How easily someone can crack your password

Computers are very good at cracking passwords. The hackproject website has tables showing how long it can take to crack passwords of various lengths.

Your password is probably not as good as you think it is. Let's say you have a fairly short password. You're clever, so you made up a pretend word, "skalsk". Nobody would ever guess that, right? Sorry to say, but it would take a fairly standard computer about 31 seconds to crack that password simply by trying every six-letter combination. If you threw some numbers into the password to make it longer and used "s8k9a2ls0k", it would be much stronger: the same typical computer would need about 12 years to try every ten-character combination of letters and digits.
So there you go. Time to crack:
Weak password "skalsk" = 31 seconds
Strong password "s8k9a2ls0k" = 12 years

Furthermore, those time estimates were published half a year ago and computers are faster now, so a newer computer will take even less time. By the time you read this article, computers are faster still.

In the time you've been reading this article so far, someone could have cracked a simple password.
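To see where figures like 31 seconds and 12 years come from, here is an added example (my own code, not part of the original post and not the hackproject tables) that counts the combinations a brute-force attacker has to try for a given length and alphabet and turns that into time at a given guess rate. The guess rate is back-calculated from the "skalsk in 31 seconds" figure rather than taken from any real benchmark, so treat it as an assumption; the passwords "skalsk", "s8k9a2ls0k" and "Gl@1834WMs" are the ones used in this post.

```python
import string

# The four character classes the post recommends mixing. An attacker who knows
# nothing about the password must search the smallest alphabet that covers it,
# which is the best case for the attacker and so a conservative estimate for you.
CLASSES = [string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation]
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def alphabet_size(password):
    """Size of the smallest class-based alphabet that contains every character."""
    size = sum(len(cls) for cls in CLASSES if any(c in cls for c in password))
    # Characters outside the four classes (space, non-ASCII) each widen the alphabet.
    size += len({c for c in password if not any(c in cls for cls in CLASSES)})
    return size


def keyspace(password):
    """Number of candidates a brute-force search of this length and alphabet must cover."""
    return alphabet_size(password) ** len(password)


def seconds_to_crack(password, guesses_per_second):
    """Worst case (every candidate tried); on average an attacker needs about half."""
    return keyspace(password) / guesses_per_second


def implied_guess_rate(password, seconds):
    """Guess rate that would exhaust the keyspace in the given time."""
    return keyspace(password) / seconds


def human(seconds):
    """Rough human-readable duration."""
    for unit, size in (("years", SECONDS_PER_YEAR), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


if __name__ == "__main__":
    # Assumption: back the guess rate out of the post's "skalsk in 31 seconds".
    rate = implied_guess_rate("skalsk", 31)
    print(f"implied rate: {rate:,.0f} guesses/second")
    for pw in ["skalsk", "s8k9a2ls0k", "Gl@1834WMs"]:
        print(f"{pw:12} alphabet {alphabet_size(pw):3}  keyspace {keyspace(pw):.3g}"
              f"  time {human(seconds_to_crack(pw, rate))}")
    # A computer twice as fast halves every figure.
    print("twice as fast:", human(seconds_to_crack("s8k9a2ls0k", 2 * rate)))
```

Worked through: 26^6 = 308,915,776 six-letter combinations in 31 seconds implies roughly ten million guesses per second, and at that rate the 36^10 combinations for "s8k9a2ls0k" take about 11.6 years, which matches the "about 12 years" above. Two caveats a practitioner would add: the estimate covers only exhaustive search against an offline copy of the password (or its hash), so a cracker that starts with dictionary words and common patterns finishes far sooner on a weak password, and a website that limits login attempts slows an online attacker to a tiny fraction of this rate.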

I don't wish to make you paranoid or scare you unnecessarily; I just want to make sure you understand that some passwords are really no protection at all, and that you use a decent, strong password. With 300 million people in the U.S. and over 6 billion in the world, it is not very likely that a random hacker will single out your accounts. Nobody knows your password is weak until they try to crack it, and attackers who get hold of a website's whole password database try to crack every account in it at once, so the weakest passwords fall first. Taking security precautions that actually work is just a sensible measure. You wouldn't leave your keys hanging in the lock of your front door, so why leave a virtual open door to electronic thieves with a weak, easily cracked password?

What constitutes a "weak" password?

For a while I worked as a temp at UPS. The password for one of their systems there was... "ups". That was not a good password. I think that was an internal network system, so it wouldn't have been exposed to hackers from the outside, and there wasn't anything really sensitive on that system that I know of. But it is a very good example of a truly awful password.

Obviously, using a password like your own company name, or "password", or your wife's name, or any other simple word or easily guessed thing is a bad idea. But beyond that, how do you know whether your password has weaknesses that would make it a "weak" password?

Examples of weak passwords from Wikipedia:

  • Default passwords (as supplied by the system vendor and meant to be changed at installation time): password, default, admin, guest, etc. Lists of default passwords are widely available on the internet.
  • Dictionary words: chameleon, RedSox, sandbags, bunnyhop!, IntenseCrabtree, etc., including words in non-English dictionaries.
  • Words with numbers appended: password1, deer2000, john1234, etc., can be easily tested automatically with little lost time.
  • Words with simple obfuscation: p@ssw0rd, l33th4x0r, g0ldf1sh, etc., can be tested automatically with little additional effort. For example a domain administrator password compromised in the DigiNotar attack was reportedly Pr0d@dm1n.[24]
  • Doubled words: crabcrab, stopstop, treetree, passpass, etc.
  • Common sequences from a keyboard row: qwerty, 12345, asdfgh, fred, etc.
  • Numeric sequences based on well known numbers such as 911 (9-1-1, 9/11), 314159... (pi), or 27182... (e), etc.
  • Identifiers: jsmith123, 1/1/1970, 555–1234, "your username", etc.
  • Anything personally related to an individual: license plate number, Social Security number, current or past telephone number, student ID, address, birthday, sports team, relative's or pet's names/nicknames/birthdays/initials, etc., can easily be tested automatically after a simple investigation of person's details.

What qualifies as a "strong" password?

To have a strong password, first make sure you don't do any of the things that make a password weak.

Length IS important. The longer the password, the harder it is to crack: each extra character multiplies the number of combinations an attacker has to try by the size of the alphabet, so length pays off faster than anything else. 8 characters is a good start, but 10 characters would be great. Microsoft suggests 14 characters (though I kinda think that's a little overboard).

The password on my work computer's hard drive is 24 characters long, not counting spaces.

You also want a combination of uppercase letters, lowercase letters, numbers and symbols; each class you add widens the alphabet an attacker has to search.

Test the Password

You can use a site like Password Meter or the Microsoft checker to help judge the strength of your password. I don't think these simple tools really check whether you're using common words or number sequences, so "password1234" may register as stronger on the meters than it is in reality. Make sure your password doesn't have any of the weak-password traits discussed above.
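Here is an added example (my own code, not the Password Meter or Microsoft tools and not from the original post) of the checks those meters tend to skip: it looks for the weak-password traits in the list above and reports which ones it finds. The word list, common-password list and keyboard rows are small constructed samples for illustration; a real checker would load a cracker-sized wordlist and a list of passwords from known breaches. The one trait it cannot check is the last one on the list, anything personally related to you, because that needs the attacker's research rather than a wordlist.

```python
import itertools
import string

# Constructed sample lists for this example. A real checker would load a large
# wordlist of the kind password crackers use plus a list of breached passwords.
COMMON = {"password", "default", "admin", "guest", "qwerty", "12345", "123456",
          "letmein", "welcome", "monkey", "ups"}
WORDS = COMMON | {"chameleon", "redsox", "sandbags", "bunnyhop", "deer", "john",
                  "goldfish", "crab", "stop", "tree", "pass", "dragon"}
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]
FAMOUS_NUMBERS = ["911", "314159", "27182"]
# Substitutions a cracker undoes automatically; '1', '!' and '|' are tried as both i and l.
LEET = {"@": "a", "4": "a", "0": "o", "3": "e", "$": "s", "5": "s", "7": "t",
        "1": "il", "!": "il", "|": "il"}


def deleet_variants(s):
    """All spellings of s with the LEET substitutions undone."""
    choices = [LEET.get(c, c) for c in s]
    if sum(len(ch) > 1 for ch in choices) > 10:   # cap the 2**k expansion
        choices = [ch[0] for ch in choices]
    return {"".join(t) for t in itertools.product(*choices)}


def character_classes(pw):
    """How many of upper, lower, digit, symbol the password uses."""
    return sum([any(c.islower() for c in pw), any(c.isupper() for c in pw),
                any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)])


def keyboard_sequence(lower):
    """A four-character run from a keyboard row (either direction), if present."""
    for row in KEYBOARD_ROWS + [r[::-1] for r in KEYBOARD_ROWS]:
        for i in range(len(row) - 3):
            if row[i:i + 4] in lower:
                return row[i:i + 4]
    return None


def weaknesses(pw):
    """Weak-password traits found in pw; an empty list means none of these checks fired."""
    findings = []
    if len(pw) < 8:
        findings.append(f"too short ({len(pw)} characters; use at least 8)")
    classes = character_classes(pw)
    if classes < 3:
        findings.append(f"only {classes} of 4 character classes (upper, lower, digit, symbol)")
    lower = pw.lower()
    if lower in COMMON:
        findings.append("common or vendor-default password")
    # Drop digits/symbols tacked onto the ends ("deer2000", "bunnyhop!") before
    # looking for the word underneath.
    core = lower.strip(string.digits + string.punctuation)
    for cand in deleet_variants(core):
        if cand in WORDS:
            findings.append(f"dictionary word '{cand}' once substitutions are undone "
                            "and appended digits/symbols are stripped")
            break
    half = len(core) // 2
    if len(core) >= 4 and len(core) % 2 == 0 and core[:half] == core[half:]:
        findings.append(f"doubled word '{core[:half]}'")
    seq = keyboard_sequence(lower)
    if seq:
        findings.append(f"keyboard or number sequence '{seq}'")
    for n in FAMOUS_NUMBERS:
        if n in pw:
            findings.append(f"well-known number {n}")
            break
    return findings


if __name__ == "__main__":
    for pw in ["ups", "skalsk", "s8k9a2ls0k", "password1234", "p@ssw0rd",
               "g0ldf1sh", "crabcrab", "Gl@1834WMs"]:
        print(f"{pw:14} {weaknesses(pw) or ['no weaknesses found by these checks']}")
```

Run against the post's own examples, "Gl@1834WMs" comes back with no findings, "s8k9a2ls0k" is flagged only for using two of the four character classes, "password1234" is flagged as a dictionary word with a number sequence appended, and "p@ssw0rd" and "g0ldf1sh" are caught once the substitutions are undone, which is exactly what a meter that only counts length and character classes misses.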

How do you Remember it?

One of the main reasons people avoid stronger passwords is that a random string of numbers, letters and special characters can be difficult to remember. It's so much easier to remember "ups" if you work at UPS.

Write it down. People sometimes say you shouldn't write down your password, the fear being that a thief will find it. Don't write the username and the account on the same piece of paper; just write down the password. If someone comes across a piece of paper with some gibberish characters on it, they won't know whose it is or what it's for. You can secure that piece of paper just as easily as you secure the $20 bill in your wallet or the credit card you carry around (just don't leave it stuck to the computer it unlocks).

Use things that mean something to you but aren't easily guessed. Instead of your own street number, use the street number of a friend or of the house you grew up in. Try a proper noun like the name of a friend. You should avoid meaningful dates such as your own birthday, but someone else's birthday could make a good number (bearing in mind that a relative's or pet's details are on the weak list above if the connection to you is easy to find out). An acronym used as a mnemonic is also a good tactic. For example, let's say your grandmother lives at 1834 West Main Street. You could use the mnemonic password "Gl@1834WMs" for "Grandma lives at 1834 W Main street".
