The secret to great passwords

In recognition of the importance of step 6 on page 12 of the January 2012 Awake!
Below is the text from the GRC page about strong passwords.
--------------------------------------------
... and how well hidden is YOUR needle?
--------------------------------------------------------------------------------------------------------------------
Every password you use can be thought of as a needle hiding in a haystack. After all searches of common passwords and
dictionaries have failed, an attacker must resort to a “brute force” search – ultimately trying every possible combination of
letters, numbers and then symbols until the combination you chose is discovered.
If every possible password is tried, sooner or later yours will be found.
The question is: Will that be too soon . . . or enough later?
This interactive brute force search space calculator allows you to experiment with password length and composition to
develop an accurate and quantified sense for the safety of using passwords that can only be found through exhaustive
search. Please see the discussion below for additional information.
To use GRC's Interactive Brute Force Password “Search Space” Calculator, click this link:
https://www.grc.com/haystack.htm
IMPORTANT!!!
What this calculator is NOT . . .
It is NOT a “Password Strength Meter.”
Since it could be easily confused for one, it is very important for you to understand what it is, and what it isn't:
The #1 most commonly used password is “123456”, and the 4th most common is “Password.” So any password
attacker and cracker would try those two passwords immediately. Yet the Search Space Calculator above shows
the time to search for those two passwords online (assuming a very fast online rate of 1,000 guesses per second)
as 18.52 minutes and 17.33 centuries respectively! If “123456” is the first password that's guessed, that wouldn't
take 18.52 minutes. And no password cracker would wait 17.33 centuries before checking to see whether
“Password” is the magic phrase.
Okay. So what IS the “Search Space Calculator”?
This calculator is designed to help users understand how many passwords can be created from different
combinations of character sets (lowercase only, mixed case, with or without digits and special characters, etc.)
and password lengths. The calculator then puts the resulting large numbers (with lots of digits or large powers
of ten) into a real world context of the time that would be required (assuming differing search speeds) to
exhaustively search every password up through that length, assuming the use of the chosen alphabet.
How can I apply this to my daily life?
Answering that question is the reason this page exists. The whole point of using padded passwords is to adopt a
much more you-friendly approach to password design. On June 1st, Leo Laporte and I recorded our weekly
Security Now! podcast as part of Leo's TWiT.tv (This Week in Tech) audio and video podcasting network. You
may download a shortened, 37-minute, excerpted version presenting the padded password and Haystack
calculator concepts:
• 37 minute, high-quality, 64kbps MP3 audio file, 17.9 MB
• 37 minute, lower-quality, 16kbps MP3 audio file, 4.47 MB
The main concept can be understood by answering this question:
Which of the following two passwords is stronger,
more secure, and more difficult to crack?
D0g.....................
PrXyc.N(n4k77#L!eVdAfp9
You probably know this is a trick question, but the answer is: Despite the fact that the first password is
HUGELY easier to use and more memorable, it is also the stronger of the two! In fact, since it is one character
longer and contains uppercase, lowercase, a number and special characters, that first password would take an
attacker approximately 95 times longer to find by searching than the second impossible-to-remember-or-type
password!
ENTROPY: If you are mathematically inclined, or if you have some security knowledge and training, you
may be familiar with the idea of the “entropy” or the randomness and unpredictability of data. If so, you'll have
noticed that the first, stronger password has much less entropy than the second (weaker) password. Virtually
everyone has always believed or been told that passwords derived their strength from having “high entropy”.
But as we see now, when the only available attack is guessing, that long-standing common wisdom . . . is . . .
not . . . correct!
But wouldn't something like “D0g” be in a dictionary, even with the 'o' being a zero?
Sure, it might be. But that doesn't matter, because the attacker is totally blind to the way your passwords look.
The old expression “Close only counts in horseshoes and hand grenades” applies here. The only thing an
attacker can know is whether a password guess was an exact match . . . or not. The attacker doesn't know how
long the password is, nor anything about what it might look like. So after exhausting all of the standard
password cracking lists*, databases* and dictionaries*, the attacker has no option other than to either give up and
move on to someone else, or start guessing every possible password.
* These are lists of all words in the dictionary and known, popularly used passwords, including the use of numbers and symbols as
letters (i.e. 0 for o, $ for s, @ for a, and so on). Since these lists can be run through cracking software rather quickly, it is
best not to use them without further padding (explained below).
And here's the key insight of this page, and “Password Padding”:
Once an exhaustive password search begins, the most important factor is password length!
The password doesn't need to have “complex length”, because “simple length” is just as unknown to the
attacker and must be searched for, just the same.
“Simple length”, which is easily created by padding an easily memorized password with equally easy
to remember (and enter) padding creates unbreakable passwords that are also easy to use.
And note that simple padding also defeats all dictionary lookups, since even the otherwise weak phrase
“Password”, once it is padded with additional characters of any sort, will not match a standard
password guess of just “Password.”
One Important Final Note
The example with “D0g.....................” should not be taken literally because if everyone began padding their
passwords with simple dots, attackers would soon start adding dots to their guesses to bypass the need for full
searching through unknown padding. Instead, YOU should invent your own personal padding policy. You
could put some padding in front, and/or interspersed through the phrase, and/or add some more to the end. You
could put some characters at the beginning, padding in the middle, and more characters at the end. And also
mix up the padding characters by using simple memorable character pictures like “<->” or “[*]” or “^-^” . . .
but do invent your own!
If you make the result long and memorable, you'll have super-strong passwords that are also easy to use!
Common Questions & Answers
Q: If only password length matters, why does the “Haystack Calculator” change when my test passwords are all
lowercase or have all kinds of characters?
A: The use of every type of character forces the attacker to search through the largest possible space. We must
always assume that an attacker is as smart as possible (and most are). So, knowing that 41.69% of all passwords
consist of only lowercase alphabetic characters, a smart attacker who is forced to resort to a brute force search
won't initially bother spending time guessing passwords that contain uppercase, digits and symbols. Only after
an all lowercase search out to some length has failed will an attacker decide that the unknown target password
must contain additional types of characters.
So, in essence, by deliberately using at least one of each type of character, we are forcing the attacker to search
the largest possible password space, because our password won't ever be found in any of the smaller spaces.
Q: So, from the answer above, that means that our passwords should always contain at least one of each type of
character?
A: Yes, that's exactly what it means. Take, for example, the very weak password “news.” If another lowercase
character was added to it (for example to form “newsy”), the total password search space is increased by 26
times. But if, instead, an exclamation point was added, (making it “news!”), the total search space is increased
by a whopping 1,530 times! That's how important it is to choose passwords having at least one of every type of
character. If anyone ever does try to crack your password, you will have eliminated all shorter searches.
Q: Is there an optimum character mixture?
A: Yes. Since most users will likely always be choosing all lowercase characters, you'll want to stay as far away
from that as possible. And, similarly, the fewest number of users will ever be using many special symbol
characters. So the wisest attacker will aim for the herd, searching through lowercase passwords first and
symbol-oriented passwords last. Since this is one race which you want to finish last (meaning never) using more
symbol characters is highly recommended.
But remember: Not only symbols, since you first want to have every type of character represented to force a
“full depth” search.
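The arithmetic behind the calculator and the Q&A above (alphabet size from the character classes actually used, every length up to the password's, divided by a guess rate) re-implemented as a small added example; this is not code from the GRC page. The 33-character symbol class (ASCII punctuation plus space) is an assumption chosen to match the page's 1,530× figure for “news!”.

```python
# Added example, not the GRC page's own code: search-space arithmetic for passwords.
import string

# Character classes the calculator distinguishes. The 33 symbols are an assumption
# (32 printable ASCII punctuation marks plus the space).
CLASSES = {
    "lower": set(string.ascii_lowercase),      # 26
    "upper": set(string.ascii_uppercase),      # 26
    "digit": set(string.digits),               # 10
    "symbol": set(string.punctuation + " "),   # 33
}


def alphabet_size(password: str) -> int:
    """Size of the union of every class that appears at least once in the password."""
    used = {name for name, chars in CLASSES.items() if any(c in chars for c in password)}
    return sum(len(CLASSES[name]) for name in used)


def search_space(password: str) -> int:
    """Candidates an exhaustive search must cover: all strings of length 1..len(password)
    over the alphabet the password uses. This counts nothing about dictionary lookups,
    so a large number here does NOT mean the password is hard to guess (see "123456")."""
    n = alphabet_size(password)
    return sum(n ** k for k in range(1, len(password) + 1))


def seconds_to_search(password: str, guesses_per_second: float) -> float:
    """Worst-case time to exhaust the search space at a given guess rate."""
    return search_space(password) / guesses_per_second


def strength_ratio(a: str, b: str) -> float:
    """How many times larger the search space of password a is than that of b."""
    return search_space(a) / search_space(b)


if __name__ == "__main__":
    padded = "D0g" + "." * 21                 # 24 chars, all four classes
    random_ = "PrXyc.N(n4k77#L!eVdAfp9"       # 23 chars, all four classes
    print(f"padded vs random:   {strength_ratio(padded, random_):.1f}x")
    print(f"'newsy' vs 'news':  {strength_ratio('newsy', 'news'):.1f}x")
    print(f"'news!' vs 'news':  {strength_ratio('news!', 'news'):.0f}x")
    print(f"'123456' online at 1,000/s: {seconds_to_search('123456', 1000) / 60:.2f} min")
```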
------------------------------------------------------------------------------------------------------------------------
To find out if your internet connection is secure, check out the Shields Up page at GRC.com:
https://www.grc.com/x/ne.dll?bh0bkyd2
It’s a bit deep, but worth it if you wish to be as secure as you can be.
------------------------------------------------------------------------------------------------------------------------
If you are super into password security, check out this GRC page:
https://www.grc.com/offthegrid.htm
There are ten links at the bottom to take you deeper into understanding the Latin Square Project.
------------------------------------------------------------------------------------------------------------------------
As to step 8 in the Jan. 2012 Awake! magazine, you may wish to not enter any addresses in the address bar of your
browser at all if you can keep from it. Instead, enter the address in the search engine of your choice, and then choose
the site from the search results. Since search engines automatically correct misspellings and other errors, there is much
less likelihood of winding up at the wrong site.
------------------------------------------------------------------------------------------------------------------------
Step 9 speaks of “encrypted connections”. This article may shed some light on it for you:
The main difference between http:// and https://
First, many people are unaware of the main difference between http:// and https://. It's all about keeping you secure.
HTTP stands for HyperText Transport Protocol, which is just a fancy way of saying it's a protocol (a language, in a
manner of speaking) for information to be passed back and forth between web servers and clients. The important thing
is the letter S which makes the difference between HTTP and HTTPS.
The S (big surprise) stands for "Secure". If you visit a website or webpage, and look at the address in the web browser, it
will likely begin with the following: http://.
This means that the website is talking to your browser using the regular 'unsecure' language. In other words, it is
possible for someone to "eavesdrop" on your computer's conversation with the website. If you fill out a form on the
website, someone might see the information you send to that site.
This is why you never ever enter your credit card number in an http website! But if the web address begins with https://,
that basically means your computer is talking to the website in a secure code that no one can eavesdrop on.
You understand why this is so important, right?
If a website ever asks you to enter your credit card information, you should automatically look to see if the web address
begins with https://. If it doesn't, there's no way you're going to enter sensitive information like a credit card number.
------------------------------------------------------------------------------------------------------------------------
Regarding step 11, search this in the search engine of your choice: safely use wifi
You will get many sites with good advice on the topic.