July 31, 2013
That’s how long it would take to crack one of the passwords I had been using for more than ten years, according to the crypto experts at Silent Circle.
Let’s be honest. A lot of people use the same password over and over again across multiple websites, like email, bank accounts, and social media.
Sometimes these passwords can be a bit elementary. The dog’s name. Daughter’s nickname plus her birth year. A favorite chocolate syrup.
These types of passwords won’t typically thwart government agencies that are keen to spy on their citizens. They can easily be cracked in a matter of minutes.
I’ve been using eight or ten different passwords for several years, some of them going back to my days as an intelligence officer. I had always thought they were secure: letters and numbers that I’ve been typing so long, they’re committed to muscle memory.
But a few months ago when I signed up for my Silent Circle account, I was surprised to see the results when I tested one of my passwords against their crypto analysis tool.
It turns out that the password wasn’t so secure after all. You can try it for yourself here:
(You don’t have to sign up; you can just type in a password and see for yourself…)
I was never a crypto specialist while in the intelligence business, so I studied the issue for the last few months to find out about the latest password cracking algorithms.
It turns out that most things we think about password security are completely wrong.
For example, you know how it seems like every website these days has a particular password format they require you to use?
They’ll require, say, at least one upper case character, one lower case, one number, one ‘special character’, and a minimum length of seven characters.
Most of these websites are incredibly annoying, and it can take three or four tries to come up with a password they will accept.
iTunes, Facebook… they all do this to cover their own butts in case your account gets hacked, so they can say that they advised you to use the industry ‘best practices’ for a secure password.
It turns out this isn’t very secure at all.
Most password cracking algorithms have adapted to these rules, particularly because a lot of people build their passwords from ‘dictionary’ words.
For example, instead of “sunshine”, one may use “5unshinE!”, substituting a 5 for the s, capitalizing the E, and adding an exclamation point.
The first password, “sunshine”, is considered to be highly vulnerable based on industry convention, but “5unshinE!” is considered to be much more secure.
It turns out that both passwords can be cracked by modern algorithms almost instantly. Neither is secure.
Since cracking algorithms succeed by picking up patterns in human behavior, the key to a secure password is randomness and disorder. In the security business, this is known as entropy.
It’s difficult for a human being to fake randomness and disorder. So one easy way to achieve this is to use a password generator tool that incorporates entropy.
Try, for example, going to https://entima.net/random/
On this website, you move your mouse around randomly, and the website’s software incorporates these random mouse movements into its password generation code.
The passwords that it generates are far more secure, taking centuries to crack instead of mere seconds.
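To make the two points above concrete (the “sunshine” versus “5unshinE!” comparison, and why a generator with real entropy does better), here is an added Python example of my own; it is not Silent Circle’s or entima.net’s code. The dictionary size, the number of mangling variants per word, and the guess rate are constructed assumptions for illustration.

```python
import math
import secrets
import string

# Constructed stand-ins for a cracker's setup (assumptions, not measured values).
WORDLIST = {"sunshine", "password", "letmein", "dragon"}  # tiny sample wordlist
DICT_SIZE = 10**6        # assumed size of a real cracking dictionary
RULE_VARIANTS = 2**6     # assumed leet/case/suffix variants tried per word
GUESSES_PER_SECOND = 1e9 # assumed guess rate of a cracking rig

# Substitutions that cracking "mangling rules" routinely undo.
LEET = {"5": "s", "$": "s", "0": "o", "1": "i", "3": "e", "4": "a", "@": "a", "7": "t"}


def naive_entropy_bits(pw: str) -> float:
    """Entropy under the 'mix character classes' view that site password rules assume."""
    pool = 0
    if any(c.islower() for c in pw): pool += 26
    if any(c.isupper() for c in pw): pool += 26
    if any(c.isdigit() for c in pw): pool += 10
    if any(c in string.punctuation for c in pw): pool += len(string.punctuation)
    return len(pw) * math.log2(pool) if pool else 0.0


def unmangle(pw: str) -> str:
    """Strip a trailing digit/punctuation suffix, undo leet swaps, and lower-case."""
    core = pw.rstrip(string.punctuation + string.digits)
    return "".join(LEET.get(c, c) for c in core).lower()


def pattern_entropy_bits(pw: str) -> float:
    """Entropy a cracker actually faces: a dictionary word costs one wordlist pick times the rules."""
    if unmangle(pw) in WORDLIST:
        return math.log2(DICT_SIZE * RULE_VARIANTS)
    return naive_entropy_bits(pw)


def crack_time_seconds(bits: float) -> float:
    """Seconds to exhaust a keyspace of the given entropy at the assumed guess rate."""
    return 2.0 ** bits / GUESSES_PER_SECOND


def generate_password(length: int = 16) -> str:
    """Random password from the OS entropy source (secrets), not from human habits."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for pw in ("sunshine", "5unshinE!", generate_password()):
        n, p = naive_entropy_bits(pw), pattern_entropy_bits(pw)
        print(f"{pw!r:22} naive={n:6.1f} bits  cracker={p:6.1f} bits  ~{crack_time_seconds(p):.3g} s")
```

Under these assumptions the site rules rate “5unshinE!” about 21 bits stronger than “sunshine”, while the pattern-aware estimate gives both the same roughly 26 bits (a fraction of a second), and a 16-character generated password lands above 100 bits.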
It may be a good idea to take a few minutes out of your life to check your own password vulnerability, and come up with an alternative that’s far more secure.
PS: SMC Members are reminded of our monthly teleconference at 3pm EST today; we will be taking live questions with some special guest hosts.