The real deal when it comes to passwords
There are quite a number of articles on passwords these days. People are providing all kinds of advice on length, complexity and special characters. They also mention how easy it is for passwords to be guessed or cracked. In this post, I want to provide some additional information that seems to be missing from some of these articles.
1. Your password means nothing if you have a password stealing Trojan on your computer. This seems rather obvious, but the number one way to protect your password is to make sure your computer is free of malware. For most, this means using anti-malware software, making sure software is always up-to-date (PSI) and not letting themselves be tricked into installing malware that isn’t detectable by anti-malware software.
2. Ensure passwords are 12 or more characters long and contain at least two uppercase characters, two lowercase characters and four numbers. Seriously? Yes, seriously. No one is going to simply guess a password with four digits in it unless you use four numbers together (e.g. a year) that can be tied back to you or your family. A “pass phrase” containing two or more words is much better than a single word. You can replace certain letters with numbers or intersperse the numbers between or after the words. Special characters are an awesome addition to any password if you can remember them, and the best place to put them is between pass phrase words or at the end. This is an example of a good password that is pretty easy to remember:
3. Don’t use your online passwords on someone else’s computer. I know this is pretty hard to follow, but I follow it without exception. Who knows what type of key logging software or hardware might be on the computer? Play it safe and only use your own equipment.
4. The truth about “brute force” password attacks. A brute force password attack involves using a known user name and trying passwords using every possible combination of letters, numbers and special characters. Do you have any idea how long it’s going to take for a hacker to try to do that online against a 12-16 character password? Forever. Many financial websites lock out accounts after 3-5 incorrect password attempts, making it impossible for someone to successfully execute a brute force attack.
5. Cracking passwords is not the same as a brute force attack. Many articles talk about “cracking” passwords, but don’t mention that the hacker has to have your encrypted password. A hacker obtains encrypted passwords primarily by capturing network packets on a network to which your computer is connected (e.g. a poorly secured wireless network) or by stealing the password from a compromised system or database. Once a hacker has the encrypted password, he does a brute force attack on the encrypted password without having to log into a system, so lockout no longer applies. If a password is eight characters or fewer, the password is cracked very quickly. Once the password is cracked, he can successfully log in on the first attempt.
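To put numbers behind items 4 and 5, here is a small estimator added to this post (it is not the author's code). The lockout policy (5 attempts, then a 15-minute lock) and the offline guess rate (10 billion per second) are assumptions chosen for illustration, as are the character-class sizes.

```python
import string

# Alphabet sizes used to size the search space (constructed for this example).
CLASS_SIZES = {
    "lower": len(string.ascii_lowercase),  # 26
    "upper": len(string.ascii_uppercase),  # 26
    "digit": len(string.digits),           # 10
    "special": len(string.punctuation),    # 32
}

def keyspace(length, classes):
    """Candidate passwords of exactly `length` built from the union of `classes`."""
    alphabet = sum(CLASS_SIZES[c] for c in classes)
    return alphabet ** length

def online_rate(attempts_before_lockout, lockout_seconds):
    """Guesses per second against a live login that locks the account after
    N failures for T seconds (item 4): N guesses, then a forced wait."""
    return attempts_before_lockout / lockout_seconds

def expected_seconds(length, classes, guesses_per_second):
    """Average time to hit the password: half the space at the given rate."""
    return keyspace(length, classes) / 2 / guesses_per_second

def fmt(seconds):
    """Render a duration in the largest sensible unit."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.1f} seconds"

if __name__ == "__main__":
    # Assumed: 5 attempts then a 15-minute lockout online (item 4); an offline
    # cracking rig trying 10 billion guesses per second against a stolen
    # encrypted password, where no lockout applies (item 5).
    online = online_rate(5, 15 * 60)
    offline = 10_000_000_000
    scenarios = [
        (8, ("lower",)),
        (8, ("lower", "upper", "digit", "special")),
        (12, ("lower", "upper", "digit")),
        (16, ("lower", "upper", "digit", "special")),
    ]
    for length, classes in scenarios:
        print(f"{length:2d} chars {'+'.join(classes):28s}"
              f" online: {fmt(expected_seconds(length, classes, online)):>22s}"
              f" offline: {fmt(expected_seconds(length, classes, offline)):>22s}")
```

The table it prints shows why lockout makes online guessing hopeless even for short passwords, while an 8-character password falls offline in seconds to days and only length pushes the offline estimate into the "forever" range.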
Keeping your password safe from compromise is pretty straightforward. Just follow some simple rules and the only problem you’ll have with passwords is forgetting them once in a while. If that’s your only problem, consider yourself lucky.

Mr. Reiner,
One of the most complete articles on passwords I’ve read in some time. Great advice.
Thank you for this.
Bill
Thanks for your comment. I appreciate the feedback.
Liked the phrase concept – Thanks
Mr. Reiner,
I echo Bill’s comment. Your explanation of the issues and efficacy of the password techniques is well done.
Best,
Paul
Thanks Paul.
Mr. Reiner,
Great info about passwords. I just re-did all my online passwords following your advice. I especially liked your suggestion to make passwords 12 characters long and to use a phrase.
Thanks for the info!
Sweet! That’s great!