Computer Forums

03-30-2009, 04:29 PM   #1   SparkMonkeyHellion

Password Security Tips

I figured I'd share a couple of things that I have learned about security from my work in the IT field.

First and foremost, the most obvious passwords are going to be the names and birthdays of your family. Do not use them. Ever.

Never use any sort of personal information.

Here's a rule of thumb: if the information exists on A) Your Driver's License, B) Your Tax Form, C) Your Criminal Record, or D) Any mail you receive, DO NOT USE IT.

Most people use this stuff because it's easy to remember. However, it is just as easy to use a different mnemonic device. Choose a celebrity or historical figure. Use their whole name.

"AbrahamLincoln42" is an incredibly secure password and it's easy to remember (don't even think about it, that's not my password for anything). You have 3 different types of characters in this password (lower case, UPPER CASE, and ####)

Why is this important? Rainbow files and password crackers. The more types of characters you use, the harder it is to figure out what your password is. Think of it this way: if you use "alllowercase" as your password, there are only 26 characters to choose from. That is a 12 character password. So what's 26^12? I don't know. But that's how many possibilities there are for a 12 character password in all lower case.

If you use 0-9 as well, that means you now have 36^12 possibilities. Substantially more. This means that a Rainbow file (basically a file containing all possible passwords within certain parameters) would be exponentially larger.

Now, say you have Upper, lower, and ###. That is 62^12 possibilities for just a 12 digit password. That's a very high number. Most basic password crackers/Rainbow files will simply not have that kind of ability.

Now, the most secure passwords are considered to be 20 characters long today. That's incredible! However, consider how many possibilities that is:

Password with upper/lower/###
62^20 = 7.04423425547E+35 possibilities (a f*** ton!) compared to the original

vs

Password with just lower
26^12 = 9.5428956661682E+16 possibilities.

And really, length alone is one of the best ways to secure a password. In my experience, most crackers/rainbow files give up after about 8 to 12 characters. So even if your password is "12121212121212121212", that is more secure than using your name or the name of someone related to you. Despite the simplicity of the above password, most automatic programs/files will simply give up, because that password is just as statistically likely as "iamagoatmadeofcheese". Even still, whatever password you have a better time remembering is the best.

A little bit of inside info on how passwords are stored: They are called "Hashes". Basically, your password, whatever it is, is broken down into numbers. Those numbers are fed through a formula to end up with one big huge number (usually stored in hexadecimal I think) - how is this safe? Because that formula doesn't work backwards. Take an algebraic problem. Once you solve the problem (which is equivalent to the password) you get a single number. That single number gives no hints about what made it. And only that one algebraic problem creates that number. Most of the time.

With the advent of HTTPS technology (and other things) it's much harder for the bad guys to simply steal passwords, so they are left guessing (literally), so the best thing you can do is add length and complexity to your passwords.

There is a bit more information available here regarding "Information Entropy" and other password theory:
Password strength - Wikipedia, the free encyclopedia

Recapitulation:

1) Length is your biggest asset against brute force attacks. This is because most crackers/rainbow files (in my experience) give up after about 12 characters.

2) Complexity is your next biggest asset.

3) Use mnemonic devices, just don't use something that is directly related to yourself! If your password is not something obvious, then humans can't guess it. That means that automatic tools have to try to guess it, and they have limitations too.

Thanks for viewing!

For personal security I also recommend using KeePass and TrueCrypt:
KeePass Password Safe
TrueCrypt - Free Open-Source On-The-Fly Disk Encryption Software for Windows Vista/XP, Mac OS X and Linux
03-31-2009, 03:32 PM   #2   myr707

Re: Password Security Tips

Very informative. Thanks a lot.
03-31-2009, 04:09 PM   #3   Trotter

Re: Password Security Tips

Great advice. I have already started putting it to use.
03-31-2009, 04:17 PM   #4   SparkMonkeyHellion

Re: Password Security Tips

Quote:
That I'm the techie in my family, says more about their tech knowledge than mine
I say something similar when playing games like CoD - I was a late bloomer into videogames, so I don't have the "core" skills that many gamers do, thus I'm usually a full notch worse than my friends (or more)....

However I occasionally do really well (like 1st or 2nd on my team) and when that happens... we are losing. So I'm exclaiming "I am in FIRST! This is why we are LOSING!"

PS: Thanks guys, just doing my part. If you have any questions about anything let me know! I am by no means a security expert; just sharing what I've learned from people who know more than me!

PSS: Please REP ME!
03-31-2009, 06:10 PM   #5   CrazeD

Re: Password Security Tips

Good guide.

However your example password, "AbrahamLincoln42", isn't all that secure at all. You're forgetting dictionary attacks, in which the program just looks for common words or names, so using a password with names or any word at all isn't secure.

Instead, you're better off with a random combination of uppercase, lowercase, numbers and even symbols. It may be harder to remember, but that's the most secure password you can use.

Like 3-4 years ago I was in a gaming clan, and some hacker group had beef with us, and so they used to hack our Teamspeak often. We grew tired of it, so I changed all of the admins' passwords to a 60 character randomly generated alpha-numerical password, and we were never hacked again.

60^62 is a pretty big number.
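Added example (not part of any post in this thread): the keyspace arithmetic from post #1 next to a rough model of the dictionary search raised in post #5, showing how far apart the two estimates are for a name-plus-digits password. The sample wordlist, the assumed dictionary size and the case-variant count are constructed assumptions.

```python
import math
import re
import string

# Constructed sample wordlist; real word/name lists are far larger.
WORDLIST = {"abraham", "lincoln", "goat", "cheese", "password", "monkey"}
ASSUMED_DICT_SIZE = 1_000_000  # assumption: entries in an attacker's wordlist
CASE_VARIANTS = 3              # assumption: lower, Capitalized, UPPER per word

def charset_size(pw):
    """Alphabet size a brute-force search must cover (printable ASCII only)."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    return sum(len(cls) for cls in classes if any(c in cls for c in pw))

def brute_force_bits(pw):
    """log2 of charset^length, the keyspace figure used in post #1."""
    size = charset_size(pw)
    return len(pw) * math.log2(size) if size else 0.0

def split_words(letters):
    """Segment a lowercase string into wordlist entries; None if impossible."""
    if not letters:
        return []
    for i in range(len(letters), 0, -1):  # longest prefix first, with backtracking
        if letters[:i] in WORDLIST:
            rest = split_words(letters[i:])
            if rest is not None:
                return [letters[:i]] + rest
    return None

def dictionary_bits(pw):
    """log2 of guesses for a 'words + trailing digits' search (post #5)."""
    m = re.fullmatch(r"([A-Za-z]+)(\d*)", pw)
    words = split_words(m.group(1).lower()) if m else None
    if not words:
        return None  # password does not fit this pattern
    guesses = (ASSUMED_DICT_SIZE * CASE_VARIANTS) ** len(words) * 10 ** len(m.group(2))
    return math.log2(guesses)

def effective_bits(pw):
    """An attacker runs the cheaper search, so take the smaller estimate."""
    d = dictionary_bits(pw)
    return brute_force_bits(pw) if d is None else min(brute_force_bits(pw), d)

if __name__ == "__main__":
    for pw in ("alllowercase", "AbrahamLincoln42", "xK9qT2mVb7Lp4RzW"):
        print(f"{pw:18} brute={brute_force_bits(pw):5.1f} bits  "
              f"effective={effective_bits(pw):5.1f} bits")
```

Under these assumptions "AbrahamLincoln42" drops from about 95 bits of brute-force keyspace to about 50 bits once words are treated as single guesses, while a random 16-character string keeps the full figure.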
03-31-2009, 09:59 PM   #6   Mak213

Re: Password Security Tips

What about passwords that use upper case, lower case, numbers and symbols?

Don't forget about using some 1337 speak as well, mixed in with regular English.

S0mEth1nGl!kEth!5

will be real secure as not only will they have to bash letters and numbers but the symbols as well.

It will make it real hard to just use a brute force to get something like that and you also increase the amount of passwords you can create as well.

@ for a or A

$ for S or s

& for 8

So yeah, there is so much more that can be done than just mixing in an upper case letter every now and then or adding a couple of digits.
04-01-2009, 09:05 AM   #7   SparkMonkeyHellion

Re: Password Security Tips

Wow - I did totally forget dictionary attacks. Fiddlestix. That's embarrassing.

Still - I would like to point out that with the clan feud that took applied effort by humans which most people will not have to worry about. Most.

The best thing for handling passwords is the KeePass application I linked. It will generate random passwords for you and store them in an encrypted database. That way you only need to remember 1 password, and it's much safer since it's only stored on your local machine and not on the iNet.