A cracking 2013 | Blog - Arena UK

The secret of safe & sane passwords

Back in uni, the password to my laptop used to be Noneofyourbusiness until finally, one of my friends wanted to use it for a presentation and asked me for the password. His annoyed “oh come on, just tell me what it is” and “do you want to come over and enter it yourself?” made me laugh so much I could barely say “one word, with a capital N!” Little did I know that, actually, I was on to something…


Nightmares

As one of my New Year’s Resolutions is to be less hackable, I’ve been looking into password security – which is asking for nightmares. Did you know about the annual DEF CON Hacker Convention and the Crack Me If You Can contest? Do you feel safe in a hotel room with a digital lock after finding out that it’s a piece of cake to crack? Do you know that on most computers, the free open source programme Ophcrack can crack most passwords within a few minutes?

It’s not just because password cracking software can try millions of combinations in less than a second with modern hardware.

Ars Technica explains that the biggest problem is that hackers have discovered a lot about the way we create passwords because of recent password leaks. To get an inkling of what sort of information can be deduced from the Yahoo and LinkedIn leaks, have a look at the infographics by Rapid7. With the patterns that emerge when analysing millions of passwords – such as where we place capitals, which letters in words we replace with which numbers, etc. – hacking software has reached a new level: the so-called rainbow table attacks.

What we all know and do

There’s no need to go into technical detail – we all know it’s best to use a string of at least 8 random letters, capitals, numbers and punctuation marks.

And that we should use a unique mixture for every account we have, so that hackers can’t gain access to our Facebook and Twitter accounts with our leaked RockYou.com passwords.

But how are we to remember all of these unique strings of random characters?

Most of us write them down, which exposes us to the most common password attackers: the people around us. Yes, the most likely person trying to break into your personal accounts isn’t some balaclavad kid from the other side of the world – it’s your partner, colleague, friend or even a family member. They’re more likely to employ social engineering strategies such as directly asking for your password and answering your security questions, or checking your diaries, wallets and the most recent files you opened in Excel and Word.

That’s why some people use password management software such as KeePass. The idea is that you can store all of your complicated passwords in one database, which is locked with one master password. You can store the file online or on a USB stick to make sure that you’ve got access to all of your passwords wherever you go.

The only problem is… what password do you use to lock the digital vault with all of your passwords? If it’s too easy, the spies around you might guess.

Or worse: a stranger might get hold of the file and use brute force or rainbow tables to try and crack it.

But if it’s too complicated, you’ll have to write it down.

Noneofyourbusiness

But guess what… there are heavy-duty passwords that are very user friendly. Security expert Steve Gibson explains this with the following example:

Which of the following two passwords is stronger, more secure, and more difficult to crack?

D0g.....................

PrXyc.N(n4k77#L!eVdAfp9

Since the first combination is one character longer and contains uppercase, lowercase, a number and a special character, it should take an attacker 95 times longer to crack than the slightly less memorable alternative. That’s why Gibson recommends password padding.

That doesn’t mean you should take Gibson literally and add 21 dots to all of your old passwords. Other examples of fierce passwords are “Better 3 hours too soon than 1 minute too late.”, “Orion’s belt consists of 3 stars: ***.” and “I can’t believe my 1st Hotmail password was 12345!”.

Yes indeed, most services allow you to use spaces as characters.
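To see where the “95 times longer” figure comes from, here is a small search-space calculator written for this post (it is not Gibson’s own tool or code). It counts the character classes a password uses, assumes an exhaustive search over that alphabet, and compares the two example passwords above; the guess rate is an assumed, illustrative number.

```python
import string

# Character classes an exhaustive search must cover. The 33 printable ASCII
# symbols include the space, since most services accept spaces as characters.
LOWER = set(string.ascii_lowercase)      # 26
UPPER = set(string.ascii_uppercase)      # 26
DIGITS = set(string.digits)              # 10
SYMBOLS = set(string.punctuation + " ")  # 32 + 1 = 33

def alphabet_size(password: str) -> int:
    """Alphabet an exhaustive search has to assume, based on which
    character classes appear anywhere in the password."""
    chars = set(password)
    return sum(len(cls) for cls in (LOWER, UPPER, DIGITS, SYMBOLS) if chars & cls)

def search_space(password: str) -> int:
    """Candidates an exhaustive search must try: alphabet ** length.
    This is an upper bound. A dictionary or pattern attack that guesses the
    structure covers far less, which is why padding should not be applied
    blindly to an old, weak password."""
    return alphabet_size(password) ** len(password)

def seconds_to_exhaust(password: str, guesses_per_second: int) -> float:
    """Worst-case time to try every candidate at the given guess rate."""
    return search_space(password) / guesses_per_second

# Gibson's two example passwords from the post: "D0g" padded with 21 dots
# versus a 23-character random string.
PADDED = "D0g" + "." * 21
RANDOM = "PrXyc.N(n4k77#L!eVdAfp9"

def padding_ratio() -> int:
    """How many times larger the padded password's search space is."""
    return search_space(PADDED) // search_space(RANDOM)

if __name__ == "__main__":
    RATE = 10**9  # assumed guess rate, for illustration only
    YEAR = 365 * 86400
    for pw in (PADDED, RANDOM, "Better 3 hours too soon than 1 minute too late."):
        print(f"{pw!r}: alphabet {alphabet_size(pw)}, length {len(pw)}, "
              f"{seconds_to_exhaust(pw, RATE) / YEAR:.3g} years at {RATE:,}/s")
    print("padded / random ratio:", padding_ratio())  # 95
```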

If you want passwords that are as powerful as they are usable, all you need is a bit of creativity.