Friday, August 20, 2010

How to create a 'super password' - CNN.com

The KeePass Password Safe icon.Image via WikipediaParanoia can be a harsh mistress.

The problem is not memory, the problem is attitude. People are too god dam casual about these passwords until it is too late. Lose your password to your Google account and all of your Gmail, Picasa, Calendar, Address Book, Blogger, etc. are at risk. Some of those Google-secured connections are directly connected to money. For example, your AdWords account is accessed through a Google login.

The more places you use these accounts, the more paranoid you need to be because it WILL happen to you too.

And please, it is not just a matter of making the password long! Please STOP using real English words as passwords! There is something called a dictionary attack that allows a miscreant to quickly figure out a password. If you use a word that can be found in a common language, be assured that it WILL find yours.

The article has good advice. Go for 11 or more characters, a phrase would be even better. And be wary of any website that won't allow you to type in at least 12-16 characters, it is a red flag for other security problems.

If you have trouble remembering passwords, then try to use a keyring application. Macs have one built into the operating system, and you can also use something like KeePass that runs on almost every major operating system and even on smart phones. With an application like this, you just need to remember one strong password, then you can use longer and much harder to remember passwords for your online activities.

Thanks to KeePass I have certain accounts protected with passwords that are random strings of 32 characters. If you had 10,000 computers that could run in parallel, each trying 500,000 passwords per second, it would take up to 2.8420938392451628e+22 years to crack a 20-character password! The calculator that I found online couldn't even calculate it for 32 characters :-)

This of course assumes that no new technology arrives that allows computers to bridge that computational gap. Using 99,999,999 passwords per second, and 999,999 computers available to run in parallel, we are still talking up to 1421048354881405700 years to crack a 20-character password.

Another thing that was not discussed in the article? Biometrics. A combination of biometrics and two-factor authentication (like with the RSA dongles or soft keys) would be horribly hard to defeat, assuming that the physical aspects of the biometric reader can't be attacked. It doesn't matter how good is the software part of the biometrics package if you can fake a fingerprint like in the movies!