ISU Bengal
College Media Network

Mum's the Password

Brooks Haroldson

Issue date: 9/19/07 Section: Life
letmein. qwerty. 123abc. monkey. Your first name. What do all of these words have in common? They all happen to be in the top ten most popular passwords, with "password," incidentally, coming in at number one. They are also all easily cracked. So, as we busy ourselves with all the little things we need to do at the start of a new semester, let's take a little time to consider the passwords we are going to be using to protect our data.
A strong password has several important traits that make it useful and secure. First, this password will use as many different types of characters as possible. This means that it will use both upper- and lowercase letters, numbers, and special characters like _, *, and &. Hackers usually try to crack passwords by using specially developed lists that include the most frequently used passwords, names, word-number combinations, and complete dictionaries in multiple languages, including Klingon. Using at least one of each type of character helps ensure, but does not guarantee, that a chosen password is not included in one of these lists. Once a dictionary attack fails, a hacker will probably resort to subtler methods of password theft, like phishing or dumpster diving, rather than attempt a resource-intensive brute-force attack.
To examine why this is so important, let's consider a little math for a moment. If you're already convinced, you can skip this paragraph. To guess someone's credit card PIN, a four-digit password that uses only numbers, an attacker must try 10^4 or 10,000 different numbers to guarantee success. Now, let's consider an arbitrary four-character password that includes not just numbers, but upper- and lowercase letters and special characters on the keyboard. A typical keyboard, like the one I am currently using, offers 97 different characters. Now our attacker must try 97^4, or 88,529,281 different combinations to ensure the success of a brute-force attack.
Second, a strong password is a long password. If, in our above mathematical overview, we use a five-character password instead of four, the number of available combinations increases dramatically. It increases even more when we use a six-character password. If ATMs used six-digit PINs instead of four-digit PINs, there would be 99 times as many possible PIN combinations available. Thus, the number of attempts an attacker needs to make grows quickly with each additional character. Currently, a password is not considered "strong" until it reaches a length of at least eight characters, and is not considered "very strong" until it reaches 14 characters.
Finally, a good password is memorable. This is often the most difficult rule to conform to, especially when following the first two rules. That is why most experts have started encouraging the use of pass phrases. 2Bo!2B_TitQ might look hard to remember, but when we know it means "To be, or not to be: that is the question," it comes to mind more easily. Any memorable phrase can easily become a strong password, from personal preferences (I_H8_Jar.Jar.B1nk$) to factoids (79=AU_Atomic_#) to sport statistics (BBh73!HR_2001; that would mean "Barry Bonds hit 73 home runs in 2001").
In any case, don't write it down or share it. The best password in the world is useless if it is published on the internet, and no one wants to have a semester ruined because they had a password stolen.
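The first two rules above (mix of character types, length) and the brute-force math can be checked mechanically. The following Python sketch is an added example, not part of the original article; the function names, the tiny `COMMON` list (taken from the passwords named in the opening paragraph), and the choice to require all four character types before rating a password "strong" are assumptions made for illustration.

```python
import math

# Weak passwords named in the article's opening (a constructed stand-in
# for a real cracking wordlist, which would be far larger).
COMMON = {"password", "letmein", "qwerty", "123abc", "monkey"}
KEYBOARD_CHARS = 97  # the article's count for a typical keyboard

def char_classes(pw):
    """Return which of the four character types appear in pw."""
    found = set()
    for ch in pw:
        if ch.islower():
            found.add("lower")
        elif ch.isupper():
            found.add("upper")
        elif ch.isdigit():
            found.add("digit")
        else:
            found.add("special")
    return found

def keyspace(alphabet_size, length):
    """Worst-case number of guesses for a brute-force attack."""
    return alphabet_size ** length

def rate(pw, first_name=""):
    """Rate pw as 'weak', 'strong' or 'very strong', with reasons."""
    reasons = []
    if pw.lower() in COMMON or (first_name and pw.lower() == first_name.lower()):
        reasons.append("appears on a common-password list")
    missing = {"lower", "upper", "digit", "special"} - char_classes(pw)
    if missing:
        reasons.append("missing character types: " + ", ".join(sorted(missing)))
    if len(pw) < 8:
        reasons.append("shorter than 8 characters")
    if reasons:
        verdict = "weak"
    else:
        verdict = "very strong" if len(pw) >= 14 else "strong"
    # Upper bound only: assumes every character was chosen at random
    # from the full keyboard, which a pass phrase is not.
    bits = math.log2(keyspace(KEYBOARD_CHARS, len(pw))) if pw else 0.0
    return {"verdict": verdict, "reasons": reasons, "bits": round(bits, 1)}

if __name__ == "__main__":
    for sample in ["monkey", "2Bo!2B_TitQ", "I_H8_Jar.Jar.B1nk$"]:
        print(sample, rate(sample))
    print(keyspace(10, 4), keyspace(97, 4))  # PIN vs. full keyboard
```

The "bits" figure is a ceiling on brute-force cost; a password that passes these checks can still fall to a dictionary attack if its phrase or pattern is on a larger wordlist.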