Choosing a Password

Weak and exposed passwords are among the most common causes of computer attacks.

The best security software and firewall in existence won't do much to protect you if someone else gets their hands on your password.

Protecting your password is simple. There are just two goals: make it hard to guess, and never let it be seen.

Hard to Guess

Most passwords are stored in an encrypted (one-way hashed) form to prevent them from being stolen. When you log into a computer, the system encrypts the password you type and then compares the encrypted form of what you typed to what is stored on the computer. If they match, then you have successfully logged in.

Hackers can often easily obtain your encrypted password directly from a file on a computer or by eavesdropping on a network connection. This in itself does them no good. They need the unencrypted password in order to log into your account.

Passwords are encrypted using irreversible encryption, so it is impossible to directly decrypt the stored form. What hackers have to do instead is generate a series of guesses at your password, encrypt each guess the same way, and check whether any encrypted guess matches what they obtained.
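The store-then-compare process described above, as an added example that is not part of the original page: a system keeps only a one-way hash of the password and verifies a login by hashing the typed value the same way. The choice of PBKDF2-HMAC-SHA256 with a random salt and a high iteration count is an assumption made here (the page does not name an algorithm); it is used because a slow, salted hash makes every guess the attacker must encrypt cost real work.

```python
import hashlib
import hmac
import os

# Assumed tuning knob (not from the page): more iterations make each
# hash slower, for the legitimate login and for every attacker guess alike.
ITERATIONS = 100_000


def store_password(password: str, salt: bytes = None) -> dict:
    """Return the record a system keeps on disk: salt, iteration count and
    one-way hash. The password itself is never stored."""
    if salt is None:
        salt = os.urandom(16)          # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}


def verify_password(record: dict, attempt: str) -> bool:
    """Hash the typed password exactly as it was stored and compare the
    result with the stored hash; nothing is ever decrypted."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode(), salt,
                                 record["iterations"])
    # Constant-time comparison so the check does not leak how many
    # leading bytes of a guess happened to match.
    return hmac.compare_digest(digest.hex(), record["hash"])


if __name__ == "__main__":
    # Constructed sample: the page's own weak example "canoe837".
    record = store_password("canoe837")
    print("stored record:", record)
    print("correct password accepted:", verify_password(record, "canoe837"))
    print("wrong password rejected:", not verify_password(record, "canoe838"))
```

Because the salt is random, two users with the same password get different stored hashes, so a single precomputed table of encrypted guesses cannot be reused across accounts; the attacker's guess-encrypt-compare loop has to be run again for each stored record.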

A modern computer can test many thousands of guesses per second. Hence, the key to a strong password is choosing one that comes from a large space of possibilities.

Suppose a hacker's computer can encrypt and compare 10,000 guesses per second.

  • If your password is an English word, there are only about 170,000 possibilities, all of which can be tested in about 17 seconds.
  • How about adding three random digits, such as "canoe837"? This will increase the number of possibilities by 10*10*10 to 170,000,000, which will still only take about 4 hours 43 minutes to test.
  • A completely random password consisting of 5 lower-case letters will have 26^5 (11,881,376) possibilities. Our hacker's computer can test all of these in 1188 seconds, or 19 minutes.
  • If your password is a mix of upper and lower case, there would now be 52^5 (380,204,032) possible strings, and our hacker's computer will now take about 10 hours.
  • Add digits and punctuation, and we're now at 80^5 (3,276,800,000) possibilities, or 91 hours. Still not secure at all.
  • Increase the length to 8 characters, and we have 80^8 (1,677,721,600,000,000) possibilities, which would take 5,320 years.

We see that a long, random password with many different types of characters is best for security.

Passwords that are, or even contain, a real word, your name, pet's name, birth date, or any other personal information are the worst possible choice.

Older systems often limited password length to 8 characters. Modern systems allow much longer strings, which opens up the possibility of using a "pass phrase" instead of a "password". A pass phrase consists of multiple real words separated by random characters. Pass phrases tend to be easier to remember than random passwords, yet more secure.

A pass phrase consisting of three English words separated by 2 random characters has 170,000 * 80 * 170,000 * 80 * 170,000 = 31,443,200,000,000,000,000 possibilities, which will take our hacker 99,705,733.13 years to test.
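The arithmetic behind the list above and the pass phrase estimate, as an added example that is not part of the original page. It generalizes the page's calculations to any alphabet size, length, word count and guessing rate, so the same functions reproduce the page's 10,000-guesses-per-second figures and can be re-run with a faster assumed attacker. The dictionary size (170,000 words) and the alphabet sizes (26, 52, 80) are the page's own numbers; the label strings and the extra `bits` column are additions made here.

```python
import math

GUESSES_PER_SECOND = 10_000        # the page's assumed attacker rate
ENGLISH_WORDS = 170_000            # the page's estimate of the dictionary
SECONDS_PER_YEAR = 365 * 24 * 3600

LOWER = 26                         # a-z
MIXED_CASE = 52                    # a-z, A-Z
MIXED_DIGITS_PUNCT = 80            # letters, digits and punctuation (page's figure)


def search_space(alphabet_size: int, length: int) -> int:
    """Number of distinct strings of the given length over the alphabet."""
    return alphabet_size ** length


def passphrase_space(words: int, separators: int,
                     dictionary: int = ENGLISH_WORDS,
                     separator_alphabet: int = MIXED_DIGITS_PUNCT) -> int:
    """Word choices multiplied by separator choices, as on the page:
    three words and two separators give 170,000^3 * 80^2."""
    return dictionary ** words * separator_alphabet ** separators


def seconds_to_exhaust(possibilities: int,
                       rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every possibility at the given rate."""
    return possibilities / rate


def years_to_exhaust(possibilities: int,
                     rate: int = GUESSES_PER_SECOND) -> float:
    return seconds_to_exhaust(possibilities, rate) / SECONDS_PER_YEAR


def entropy_bits(possibilities: int) -> float:
    """Equivalent strength in bits: each extra bit doubles the attacker's work."""
    return math.log2(possibilities)


def human_time(seconds: float) -> str:
    """Coarse, rounded description of a duration for the printed table."""
    if seconds < 60:
        return f"{seconds:.0f} seconds"
    if seconds < 3600:
        return f"{seconds / 60:.0f} minutes"
    if seconds < 86400:
        return f"{seconds / 3600:.0f} hours"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / 86400:.0f} days"
    return f"{seconds / SECONDS_PER_YEAR:,.0f} years"


def page_cases() -> list:
    """The page's scenarios as (label, possibilities) pairs."""
    return [
        ("English word", ENGLISH_WORDS),
        ("word + 3 digits", ENGLISH_WORDS * 10 ** 3),
        ("5 lower-case letters", search_space(LOWER, 5)),
        ("5 mixed-case letters", search_space(MIXED_CASE, 5)),
        ("5 chars incl. digits/punct", search_space(MIXED_DIGITS_PUNCT, 5)),
        ("8 chars incl. digits/punct", search_space(MIXED_DIGITS_PUNCT, 8)),
        ("3 words + 2 random separators", passphrase_space(3, 2)),
    ]


def report(rate: int = GUESSES_PER_SECOND) -> list:
    """Return (label, possibilities, bits, seconds) rows for every case."""
    rows = []
    for label, space in page_cases():
        rows.append((label, space, entropy_bits(space),
                     seconds_to_exhaust(space, rate)))
    return rows


if __name__ == "__main__":
    for rate in (GUESSES_PER_SECOND, 1_000_000_000):
        print(f"\nattacker rate: {rate:,} guesses/second")
        for label, space, bits, secs in report(rate):
            print(f"  {label:32s} {space:>24,}  {bits:5.1f} bits  {human_time(secs)}")
```

Running it with the second, much faster rate shows why the page's conclusion still holds: changing the attacker's speed shifts every row by the same factor, while each added character or word multiplies the search space, so length and alphabet size remain the defender's lever.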

Protecting your Passwords

  • Never write it down or store it in a plain file. Commit it to memory immediately. If you want to store passwords for safe keeping, use KeePassX, a free program that stores your passwords in an encrypted file. Use a *very* strong password for your KeePassX login, since this grants access to all of your passwords. Make sure you back up the KeePassX database file regularly on a different computer, in a different location, so it will be secure in case of fire or theft.
  • Don't let the computer remember it for you using tools like Keychain or your browser's credentials manager. It's better if you have to type it in every time you log in. This will help you remember it for the long term.
  • Keep important passwords separate from unimportant ones. It's common and OK to use the same password for multiple unimportant purposes such as Facebook and Twitter, but the password for your bank account should be unique and never used for anything else. If someone obtains this password from anywhere, they'll have access to your money as well.