Friday, August 24, 2012
This article from Ars Technica should be terrifying for those who haven't learned good password habits for their online accounts — in other words, it should be terrifying for damn near everyone reading this.
From Ars Technica:
The ancient art of password cracking has advanced further in the past five years than it did in the previous several decades combined. At the same time, the dangerous practice of password reuse has surged. The result: security provided by the average password in 2012 has never been weaker.
. . .
At any given time, [Rick Redman, a penetration tester for security consultants KoreLogic and organizer of the Crack Me If You Can password contest] is likely to be running thousands of cryptographically hashed passwords through a PC containing four of Nvidia's GeForce GTX 480 graphics cards. It's an "older machine," he conceded, but it still gives him the ability to cycle through as many as 6.2 billion combinations every second. He typically uses a dictionary file containing about 26 million words, combined with programming rules that greatly extend its effectiveness by adding numbers, punctuation, and other characters to each list entry. Depending on the job, he sometimes uses a 60 million-strong word list and something known as "rainbow tables," which are described later in this article.
Considering that the Gawker network of websites had 1.3 million users' accounts exposed in late 2010, it's safe to say that your passwords for your accounts might possibly be at risk for a dedicated account cracker. For Ars Technica's advice from the experts on how to keep your accounts safe, you can read through to the end of the article — or you can click through below the jump.
So what can the average person do to pick a passcode that won't be toppled in a matter of hours? Per Thorsheim, a security advisor who specializes in passwords for a large company headquartered in Norway, said the most important attribute of any passcode is that it be unique to each site.
"For most sites, you have no idea how they store your password," he explained. "If they get breached, you get breached. If your password at that site is unique, you have much less to worry about."
It's also important that a password not already be a part of the corpus of the hundreds of millions of codes already compiled in crackers' word lists, that it be randomly generated by a computer, and that it have a minimum of nine characters to make brute-force cracks infeasible. Since it's not uncommon for people to have dozens of accounts these days, the easiest way to put this advice into practice is to use a program such as 1Password or PasswordSafe. Both apps allow users to create long, randomly generated passwords and to store them securely in a cryptographically protected file that's unlocked with a single master password. Using a password manager to change passcodes regularly is also essential.
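As an added illustration (not from the Ars Technica article or this post), the Python below puts the quoted figures to work: it generates passwords from the operating system's randomness source, estimates how long exhausting every string of a given length takes at the quoted 6.2 billion guesses per second, and flags passwords that are just a word-list entry with digits or punctuation tacked on the end. The tiny word list and the 94-symbol printable-ASCII alphabet are assumptions for the example.

```python
import secrets
import string

# Figures quoted in the article: about 6.2 billion guesses per second on
# four GTX 480 cards, and a minimum of nine characters for random passwords.
GUESSES_PER_SECOND = 6.2e9
MIN_LENGTH = 9

# Constructed stand-in for a cracker's word list (a real one holds millions).
WORDLIST = {"password", "letmein", "neopets", "123456", "qwerty"}

# Printable ASCII letters, digits and punctuation: 94 symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 16) -> str:
    """Build a password from the OS CSPRNG (secrets), never from random.choice."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def brute_force_seconds(length: int, alphabet_size: int = len(ALPHABET),
                        rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case seconds to try every string of this length at the given rate."""
    return alphabet_size ** length / rate


def check_password(password: str) -> list:
    """Return the article's advice items that this password violates."""
    problems = []
    # Word-list entries with trailing digits/punctuation are exactly what the
    # "programming rules" in the article cover, so normalise before looking up.
    core = password.lower().rstrip(string.digits + string.punctuation)
    if core in WORDLIST or password.lower() in WORDLIST:
        problems.append("derived from a cracker word list")
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    return problems


if __name__ == "__main__":
    pw = generate_password()
    print(pw, check_password(pw))
    for n in (6, 9, 16):
        years = brute_force_seconds(n) / (365 * 24 * 3600)
        print(f"{n} random chars: {years:.3g} years to exhaust")
```

Nine random characters from this alphabet take on the order of years to exhaust at the quoted rate, while a word-list entry with "1!" appended falls to the rule set in seconds, which is why the article insists on both length and randomness.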
So there you have it. Randomly generate your passwords, change them regularly, and have a unique one for each account.
If you'll excuse me, I'm going to change every password to everything I've ever owned — starting with my old Neopets account.