This article from Ars Technica should be terrifying for those who haven’t learned good password habits for their online accounts — in other words, it should be terrifying for damn near everyone reading this.
From Ars Technica:
The ancient art of password cracking has advanced further in the past five years than it did in the previous several decades combined. At the same time, the dangerous practice of password reuse has surged. The result: security provided by the average password in 2012 has never been weaker.
. . .
At any given time, [Rick Redman, a penetration tester for security consultants KoreLogic and organizer of the Crack Me If You Can password contest] is likely to be running thousands of cryptographically hashed passwords through a PC containing four of Nvidia’s GeForce GTX 480 graphics cards. It’s an “older machine,” he conceded, but it still gives him the ability to cycle through as many as 6.2 billion combinations every second. He typically uses a dictionary file containing about 26 million words, combined with programming rules that greatly extend its effectiveness by adding numbers, punctuation, and other characters to each list entry. Depending on the job, he sometimes uses a 60 million-strong word list and something known as “rainbow tables,” which are described later in this article.
Considering that the Gawker network of websites had 1.3 million users’ accounts exposed in late 2010, it’s safe to say that your own passwords may well be at risk from a dedicated cracker. For Ars Technica’s advice from the experts on how to keep your accounts safe, you can read through to the end of the article, or you can click through below the jump.
So what can the average person do to pick a passcode that won’t be toppled in a matter of hours? Per Thorsheim, a security advisor who specializes in passwords for a large company headquartered in Norway, said the most important attribute of any passcode is that it be unique to each site.
“For most sites, you have no idea how they store your password,” he explained. “If they get breached, you get breached. If your password at that site is unique, you have much less to worry about.”
It’s also important that a password not already be a part of the corpus of the hundreds of millions of codes already compiled in crackers’ word lists, that it be randomly generated by a computer, and that it have a minimum of nine characters to make brute-force cracks infeasible. Since it’s not uncommon for people to have dozens of accounts these days, the easiest way to put this advice into practice is to use a program such as 1Password or PasswordSafe. Both apps allow users to create long, randomly generated passwords and to store them securely in a cryptographically protected file that’s unlocked with a single master password. Using a password manager to change passcodes regularly is also essential.
So there you have it. Randomly generate your passwords, change them regularly, and have a unique one for each account.
If you’ll excuse me, I’m going to change every password to everything I’ve ever owned — starting with my old Neopets account.
[Why Passwords Have Never Been Weaker — And Crackers Have Never Been Stronger]
This article appears in Aug 23-29, 2012.
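To make the quoted numbers concrete, here is an added example that is not from the Ars Technica article or from this post. It reproduces, at toy scale, the attack Redman describes (a word list plus mangling rules run against a leaked list of unsalted, fast hashes; MD5 is assumed here as the leaked format, the article does not name one), generates the kind of random password a manager would produce, and works out how long exhausting an 8- versus 9-character keyspace takes at the article's 6.2 billion guesses per second. The user names, plaintexts and five-word list are constructed fixtures, not breach data.

```python
import hashlib
import secrets
import string

# Constructed fixture: what a breached site's user table might leak if it
# stored unsalted MD5 (an assumption for the demo). The plaintexts exist
# only so we can build the hashes; "dave" gets a generated password below.
SAMPLE_PLAINTEXTS = {
    "alice": "password",
    "bob": "Summer2012!",
    "carol": "monkey123",
}

# Stand-in for the 26-million-word list; the technique is identical.
WORDLIST = ["password", "summer", "monkey", "letmein", "dragon"]

# 94 printable ASCII characters: letters, digits, punctuation.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def mangle(word):
    """Yield rule-based variants of one dictionary word: case changes,
    appended digits, appended years, and a trailing punctuation mark.
    Real rule sets are far larger; this is the same idea in miniature."""
    for base in {word, word.capitalize(), word.upper()}:
        yield base
        for n in range(0, 1000):
            yield f"{base}{n}"
        for year in range(1990, 2020):
            yield f"{base}{year}"
        for p in "!@#$":
            yield f"{base}{p}"
            for year in range(1990, 2020):
                yield f"{base}{year}{p}"


def crack(leaked_hashes, wordlist):
    """Offline dictionary-plus-rules attack on unsalted MD5. One hash per
    candidate is compared against every user at once, which is exactly why
    unsalted storage is cheap to attack. Returns (recovered, candidates_tried)."""
    targets = {}
    for user, digest in leaked_hashes.items():
        targets.setdefault(digest, []).append(user)
    recovered = {}
    tried = 0
    for word in wordlist:
        for cand in mangle(word):
            tried += 1
            digest = hashlib.md5(cand.encode()).hexdigest()
            if digest in targets:
                for user in targets.pop(digest):
                    recovered[user] = cand
            if not targets:
                return recovered, tried
    return recovered, tried


def generate_password(length=16):
    """CSPRNG-backed random password, what a password manager does for you."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def brute_force_years(length, alphabet_size=len(ALPHABET), rate=6.2e9):
    """Worst-case years to exhaust every string of this length at the
    article's 6.2 billion guesses/second against a fast unsalted hash."""
    return alphabet_size ** length / rate / (3600 * 24 * 365)


def demo():
    """Hash the fixture as a careless site would, then crack it."""
    plaintexts = dict(SAMPLE_PLAINTEXTS)
    plaintexts["dave"] = generate_password(16)
    leaked = {u: hashlib.md5(p.encode()).hexdigest() for u, p in plaintexts.items()}
    recovered, tried = crack(leaked, WORDLIST)
    return recovered, tried


if __name__ == "__main__":
    recovered, tried = demo()
    print(f"{tried} candidates tried, recovered: {recovered}")
    for n in (8, 9, 16):
        print(f"{n} chars: {brute_force_years(n):.3g} years to exhaust")
```

The three human-chosen passwords fall to a five-word list in well under twenty thousand guesses, while the random 16-character one survives. The keyspace arithmetic shows why the article draws the line at nine characters: at 6.2 billion guesses per second, all 94^8 eight-character strings take about eleven days, all 94^9 nine-character strings about three years, and sixteen characters are out of reach. Those figures assume a fast hash with no per-user salt; a slow, salted hash pushes them up by orders of magnitude.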

I had just been thinking that it was time to change all the passwords on my list to make them all random. But then I have to keep a paper copy of the list sitting around because I can’t remember them all.
One easy way to make a long password is to add together all the short random-character ones you already have memorized; then you only have to remember what sequence you used them in.
Brute-force hacking can eventually break any password; part of one’s protection is how the site being hacked handles repeated login failures.
Much of what was discussed was doing all the background work to crack the hash and hash functions rather than someone sitting there figuring out one person’s password and repeatedly trying to log in. All they need is the hash string; they can work backwards to figure out the password. The shorter your password, the easier it is to crack the hash. Passwords should be a minimum of 9 characters. Don’t start with a capital, don’t end with all numbers.
You’re right, the better passwords are a combination of words or strings. XKCD’s password generator was mentioned a couple different times. As was a password manager application where you only have to remember the one password into the program and it stores all of your other passwords. Most people on-line have about 25 different accounts and on average about 6.5 passwords. Password sharing makes it much easier for crackers to access all your accounts while only getting one login/password.
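The comments above separate two attacks: guessing online against a login form, which the site can throttle, and cracking offline once the hash list has leaked, which only the storage format can slow down. Thorsheim's point that "you have no idea how they store your password" is the storage side, and the following added example (not code from the article, this post or any commenter) shows what good storage looks like and why it changes the cracker's arithmetic: a per-user random salt and an iterated hash (PBKDF2-HMAC-SHA256 is assumed here as a widely available choice) versus a bare fast hash. The two sample users, their shared password and the 26-million-word and 1.3-million-user figures plugged into the cost model come from the quoted article; the iteration count is an assumption.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 100_000  # assumed work factor; each guess costs the attacker this much


def hash_password(password, salt=None):
    """Return the per-user record (salt, digest). A fresh 16-byte random salt
    makes identical passwords hash differently for different users and
    defeats precomputed (rainbow) tables; the iteration count makes each
    guess slow."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password, record):
    """Recompute with the stored salt and compare in constant time."""
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def unsalted_fast_hash(password):
    """The weak scheme for contrast: one fast unsalted hash per password."""
    return hashlib.md5(password.encode()).hexdigest()


def attacker_hash_operations(num_users, wordlist_size, salted, iterations=1):
    """Hash computations an offline cracker needs to try every word-list
    entry against every user. Unsalted: one hash per candidate covers all
    users at once and can be precomputed ahead of the breach. Salted: one
    per candidate per user, nothing precomputable; iterated: times the
    work factor."""
    if not salted:
        return wordlist_size
    return wordlist_size * num_users * iterations


def demo():
    """Two users who reused the same password, stored both ways."""
    users = {"alice": "Summer2012!", "bob": "Summer2012!"}  # constructed fixture
    weak = {u: unsalted_fast_hash(p) for u, p in users.items()}
    strong = {u: hash_password(p) for u, p in users.items()}
    return {
        # Identical hashes leak the reuse and crack both users with one guess.
        "unsalted_identical": weak["alice"] == weak["bob"],
        # Different salts: the leaked table no longer reveals the reuse.
        "salted_identical": strong["alice"][1] == strong["bob"][1],
        "verify_ok": verify_password("Summer2012!", strong["alice"]),
        "verify_wrong_case": verify_password("summer2012!", strong["alice"]),
        # Article's figures: 26M-word list against Gawker-sized 1.3M users.
        "ops_unsalted": attacker_hash_operations(1_300_000, 26_000_000, False),
        "ops_salted_iterated": attacker_hash_operations(
            1_300_000, 26_000_000, True, ITERATIONS),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value:,}" if isinstance(value, int) else f"{key}: {value}")
```

Against the unsalted table the whole 26-million-word list costs 26 million hashes, a few milliseconds at the article's 6.2 billion per second, and that work serves every user at once. With a per-user salt and 100,000 iterations the same sweep is 26,000,000 x 1,300,000 x 100,000 operations, and none of it can be done before the breach. That is the difference a user cannot see from outside, which is why a unique password per site is the only defence that does not depend on the site having chosen well.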