Everything I said about passwords is wrong…not! The new password paradigm part 1

My last post was a real teaser according to some. I have to admit that was my intention; however, I meant what I said. The conventional way of looking at passwords is completely wrong. And it is wrong for one very big and completely overlooked reason. Follow these next three posts and you’ll see exactly what I mean. What follows is three articles I wrote for my Security Corner blog. They have gained real traction on the ‘net. Feel free to post your comments!

Break out your pet’s name, your children’s names, your spouse’s name or any other easy-to-remember words or phrases that I–and every other security wonk–have been telling you never to use. Apparently, we’ve been giving you some information that isn’t as valid as we thought. In fact, depending on how you look at it, we may have been completely wrong with some of the things we insisted you do or don’t do. Don’t misunderstand, what we told you worked and the information would have resulted in greater security; it was just too darned complex. Because of that, many people just didn’t make the extra effort.

There has been a sea change in the password paradigm, thanks to Steve Gibson of GRC.com, who uses the needle-in-the-haystack analogy for passwords. It is an approach that results in even greater security while letting you create easily-remembered passwords. Gone are the days where you had to use cryptic and impossible-to-remember passwords like PrXyc.N(n4k77#L!eVdAfp9. Steve gives an elegant explanation, including an excerpt from the June 1st Security Now! podcast, on his Password Haystacks page. The site also has what he calls a “Search Space Calculator” that will give you some real insight into what the hackers are up against.

The new password paradigm is to invent your own personal padding policy. “What the heck is that,” you say? It’s extremely simple: 1. Invent a pattern of characters that you will easily remember; 2. Pad your memorable words, phrases, dates, etc. with that pattern. The easiest way is to put the pattern before and after your chosen phrase, but you can do it any way you like as long as it is memorable for you. The beauty of this system is that you can even use any of the Top 500 Worst Passwords of All Time as long as you pad them. You can use any dictionary word, name, date, phrase–whatever you wish–and you’ll be OK.
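To make the “Search Space Calculator” idea and the padding policy concrete, here is an added example (my own illustration, not code from GRC or from Steve Gibson) that reproduces the calculator’s arithmetic: it counts which character classes a password uses, sums every candidate of that length or shorter over the resulting alphabet, and converts that count into centuries of guessing at the three guess rates quoted in the comment below. The sample passwords and the `pad()` helper are constructed for the example. Note what the estimate does and does not model: it measures exhaustive brute-force search only, so a padded dictionary word and a random string of the same length and classes score identically.

```python
"""Search-space estimator in the style of the GRC haystack calculator.

Added example, not code from GRC or from the original post. It models only what
a brute-force "haystack" estimate models: how many candidates an attacker who
knows nothing but the character classes and the length would have to try.
"""
import string

# Character classes the calculator counts. The 33 "symbols" are the 32 ASCII
# punctuation characters plus the space character.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation + " "),
}

# Guess rates (guesses per second) for the three scenarios quoted in the comment.
SCENARIOS = {
    "online": 1_000,
    "offline_fast": 100_000_000_000,
    "massive_array": 100_000_000_000_000,
}

SECONDS_PER_CENTURY = 100 * 365.25 * 24 * 60 * 60


def alphabet_size(password: str) -> int:
    """Alphabet an attacker must assume: the sum of every class that appears."""
    chars = set(password)
    unknown = chars - set().union(*CLASSES.values())
    if unknown:
        raise ValueError(f"characters outside the modelled classes: {sorted(unknown)!r}")
    return sum(len(members) for members in CLASSES.values() if chars & members)


def search_space(password: str) -> int:
    """Candidates of length 1 up to len(password) over that alphabet."""
    n = alphabet_size(password)
    return sum(n ** length for length in range(1, len(password) + 1))


def centuries_to_exhaust(password: str, guesses_per_second: float) -> float:
    """Time to try the whole search space at a given rate, in centuries."""
    return search_space(password) / guesses_per_second / SECONDS_PER_CENTURY


def pad(word: str, pattern: str) -> str:
    """The padding policy from the post: a memorable pattern before and after."""
    return pattern + word + pattern


def report(password: str) -> dict:
    """Alphabet size, search space and centuries per scenario for one password."""
    result = {"alphabet": alphabet_size(password), "search_space": search_space(password)}
    for name, rate in SCENARIOS.items():
        result[name] = centuries_to_exhaust(password, rate)
    return result


if __name__ == "__main__":
    # Constructed samples: a weak word on its own, then padded with a pattern.
    for pw in ("dog", pad("dog", "..."), "Abcdefghijk1!!"):
        r = report(pw)
        print(f"{pw!r}: alphabet {r['alphabet']}, search space {r['search_space']:.3g}")
        for name in SCENARIOS:
            print(f"  {name:14s} {r[name]:.3g} centuries")
```

Running it shows the padding effect the post describes: `"dog"` has a search space of a few thousand candidates and falls instantly in every scenario, while `"...dog..."` widens the alphabet to 59 characters and the length to nine, pushing the same weak word to a search space roughly a billion times larger. The 14-character sample using all four classes lands in the same “thousand trillion centuries” region the commenter reports for the online scenario.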

I’ll expand on this concept in Part 2.

2 thoughts on “Everything I said about passwords is wrong…not! The new password paradigm part 1”

  1. I tried Steve Gibson’s program, and with only 14 characters, managed to receive these interesting results. BTW, his SpinRite program rules.

    Online Attack Scenario:
    (Assuming one thousand guesses per second) 1.57 thousand trillion centuries
    Offline Fast Attack Scenario:
    (Assuming one hundred billion guesses per second) 15.67 million centuries
    Massive Cracking Array Scenario:
    (Assuming one hundred trillion guesses per second) 15.67 thousand centuries

    Not bad, eh? Mindblower!
