Geeks!


And the bartender goes... Yeah. Unfortunately, password security isn't a joke. Some of my friends and family are annoyed by the big deal people make about "secure" passwords, whether for a computer, an email account or anything else someone could potentially break into. So what's the big deal? If I don't tell anyone my password, I'm safe, right? Think again.

As a networking diploma student, part of my coursework is network security, and a good part of network security comes down to passwords. So I thought I'd come here and share it with the community, for anyone who might not know the dangers of having an insecure password.

So let's define a "secure" password for starters. In this post a "secure" password means one containing at least one capital letter, at least one lower-case letter and at least one number. Strictly speaking that is a password-policy rule rather than something the encryption or hashing algorithm demands: a hash such as the Blowfish-based bcrypt* will accept any string, and it is the system's policy, not the algorithm, that adds a minimum length before a password counts as "secure".

Now on to the fun stuff: password cracking. Part of our training in auditing is using programs to break potentially weak passwords on a network or computer. One of the most highly regarded is the completely free and open-source John the Ripper**, which is about as multi-platform as it gets, running on everything from BeOS to OS/2.

Recently some figures were published showing just how much password length matters. The tests were performed on a 2.0 GHz dual-core processor with 2 GB of DDR2 RAM (a pretty average computer at the time the tests were run). The "combinations" column is the full 62^n keyspace (26 capitals, 26 lower-case letters and 10 digits); the 4-character row works out to roughly 4.9 million guesses per second, and every later row follows from that rate. Bear in mind that the rate depends on the hash type and hardware, so a fast unsalted hash on modern hardware will be cracked far faster than this. Here are the results:


Length of password ("secure") -- Combinations (62^n) -- Worst-case crack time
4 characters -- 14.7 million -- 3 seconds
6 characters -- 56.8 billion -- 3 hours
7 characters -- 3.5 trillion -- 8 days
8 characters -- 218 trillion -- 1.4 years***
9 characters -- 13.5 quadrillion -- 85.9 years***
10 characters -- 839 quadrillion -- 53 centuries***

If your password is a standard English dictionary word or a name, John the Ripper is almost guaranteed to break it in a second or less on the same hardware: a wordlist attack tries those candidates before any brute force, so the keyspace arithmetic above never comes into play.
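To make the table and the dictionary-word point concrete, here is an added worked example (my own code, not from the original post or the John the Ripper project). It computes the 62^n keyspace and the worst-case search time for the post's "secure" character set at the guess rate implied by the 4-character row, checks the post's upper/lower/digit policy rule, and runs a toy cracker that tries a wordlist before brute-forcing. Assumptions, labelled in the code: the "stolen" hashes are unsalted SHA-256 (a stand-in for the fast hashes cracking tools target; bcrypt would be thousands of times slower per guess), the guess rate of 62^4 candidates in 3 seconds is derived from the table, and the wordlist and hashes are constructed for the example.

```python
"""Keyspace arithmetic and a tiny dictionary-then-brute-force cracker.

Added example, not code from the original post or from John the Ripper.
Assumptions: unsalted SHA-256 stands in for the weak hashes crackers target,
and the guess rate is the one implied by the post's 4-character row.
"""
import hashlib
import itertools
import string

UPPER, LOWER, DIGITS = string.ascii_uppercase, string.ascii_lowercase, string.digits
ALNUM = UPPER + LOWER + DIGITS            # 26 + 26 + 10 = 62 symbols
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Assumption: 62**4 candidates in 3 s, as in the post's table (~4.9 million/s).
GUESSES_PER_SECOND = 62 ** 4 / 3


def meets_policy(password: str) -> bool:
    """The post's 'secure' rule: at least one upper, one lower and one digit."""
    return (any(c in UPPER for c in password)
            and any(c in LOWER for c in password)
            and any(c in DIGITS for c in password))


def keyspace(length: int, alphabet: str = ALNUM) -> int:
    """Number of candidate strings of exactly `length` drawn from `alphabet`."""
    return len(alphabet) ** length


def exhaustive_search_years(length: int, rate: float = GUESSES_PER_SECOND,
                            alphabet: str = ALNUM) -> float:
    """Worst-case years to try every candidate of this length at `rate` guesses/s."""
    return keyspace(length, alphabet) / rate / SECONDS_PER_YEAR


def sha256_hex(candidate: str) -> str:
    """Assumed password hash: unsalted SHA-256, hex encoded."""
    return hashlib.sha256(candidate.encode()).hexdigest()


def crack(target_hex: str, wordlist, max_length: int, alphabet: str = ALNUM):
    """Try the wordlist first (why a dictionary word falls 'in a second'),
    then brute-force every string of length 1..max_length in order.
    Returns (password or None, number of guesses made)."""
    guesses = 0
    for word in wordlist:
        guesses += 1
        if sha256_hex(word) == target_hex:
            return word, guesses
    for length in range(1, max_length + 1):
        for chars in itertools.product(alphabet, repeat=length):
            guesses += 1
            candidate = "".join(chars)
            if sha256_hex(candidate) == target_hex:
                return candidate, guesses
    return None, guesses


# Constructed sample data: a tiny wordlist and two "stolen" hashes.
SAMPLE_WORDLIST = ["123456", "password", "letmein", "qwerty", "monkey"]
HASH_OF_DICTIONARY_WORD = sha256_hex("password")   # common word: falls to the wordlist
HASH_OF_SHORT_MIXED = sha256_hex("Zq9")            # meets the policy, but only 3 characters


if __name__ == "__main__":
    for n in (4, 6, 7, 8, 9, 10):
        print(f"{n:2d} chars: {keyspace(n):>22,d} combinations, "
              f"{exhaustive_search_years(n):>12.4f} years worst case")
    print(crack(HASH_OF_DICTIONARY_WORD, SAMPLE_WORDLIST, max_length=0))
    print(crack(HASH_OF_SHORT_MIXED, SAMPLE_WORDLIST, max_length=3))
```

Running it reproduces the table's 8-character row (about 1.4 years) and shows that the 9-character keyspace is 13.5 quadrillion. The dictionary word is recovered on the second guess regardless of how long the brute-force budget is, while the 3-character mixed-case password survives the wordlist only to fall to about a hundred thousand guesses of brute force.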

So why risk it?

Notes:

*Blowfish here refers to the Blowfish-based bcrypt password hash, used by a lot of Unix-based environments, including a number of Linux server distributions (e.g. SLES) and desktop distributions (e.g. SLED, openSUSE, Gentoo-based, etc.).

**I am not encouraging you to download this program and run it against other people's computers; I'm just presenting it as the example tool used in the industry today. Using it against any computer or network you do not own, or do not have explicit permission to test, is illegal.

***The test did not run for 1.4 years, let alone 53 centuries. Those times are the predicted maximum (worst-case) time reported by John the Ripper, assuming the computer is never turned off.

If I come up against any more security related items I think would be interesting to pass along, I'll add another blog post.

David

Tags: bad-jokes., passwords, security


Seif Sallam Comment by Seif Sallam on June 1, 2009 at 1:38pm
For level 1 accounts (not important) use one password that is easy to remember and fast to type.
For level 2 accounts (like Gmail, Facebook, ...) use "LastPass" to generate the password.

NOTES
If you're not on your own PC, beware of keyloggers. The best way to avoid them is to watch your typing: just use an on-screen keyboard, and make sure that no one is watching you.

Don't copy-paste your password from one place to another, as there are clipboard applications that store the whole history of copied text.
NeferSif Comment by NeferSif on May 28, 2009 at 8:44am
Good Info. My only complaint is that every site has different rules. Some won't let you use symbols. Some want an exact number. No more, no less. I have even been to one that requires 2 in cap, 2 in reg, 2 number and 2 characters. This can get very frustrating. I don't want to write them down. But I have a hard time remembering all of them.
Dmitri Comment by Dmitri on May 27, 2009 at 1:59pm
Sadly, there will always be a method of obtaining a person's password no matter what the length is. And that method is simply "what's your password?".
Garrett W. Comment by Garrett W. on May 27, 2009 at 1:48pm
@Glenn: millennia* ;)
yourfindit Comment by yourfindit on May 27, 2009 at 12:03pm
Hmm. Good info.
Glenn Comment by Glenn on May 27, 2009 at 11:32am
Oh wait...I just found out that a millennium is only 1000 years. Since 53 centuries would be over 5 millennium, I suppose I need to adjust. Say, sometime in the next 20 or 30 millennium?
Glenn Comment by Glenn on May 27, 2009 at 11:21am
I would say I'm pretty safe. My (Linux) administrative password is 15 characters...a combination of 2 "words" (one of which is not in any dictionary) and several numbers. What do you think...sometime in the next couple or three millennium? :-D
Jake Comment by Jake on May 27, 2009 at 10:53am
also I always turn my computer off at night to avoid hardware failure
Jake Comment by Jake on May 27, 2009 at 10:51am
I think I'm safe. My password contains 8 characters.
Mark Hilton Comment by Mark Hilton on May 27, 2009 at 10:43am
I'm screwed (changes passwords to more secure ones)

© 2009   Created by Chris Pirillo
