Georgia Institute of Technology scientists used clusters of graphics cards to crack eight-character passwords in less than two hours. But when the researchers applied that same processing power to 12-character passwords, they found it would take 17,134 years to make them snap.
It's hard to say what will happen in the future, but for now, 12-character passwords should be the standard, said Richard Boyd, a senior research scientist who also worked on the project. The researchers recommend 12-character passwords -- as opposed to those with 11 or, say, 13 characters -- because that number strikes a balance between "convenience and security."
They assumed a sophisticated hacker might be able to try 1 trillion password combinations per second. In that scenario, it takes 180 years to crack an 11-character password, but there's a big jump when you add just one more character -- 17,134 years.
Security experts are already recommending that people use full sentences as passwords. Here's one suggested password-sentence from Carnegie Mellon University:
"No, the capital of Wisconsin isn't Cheeseopolis!"
Or maybe something that's easier to remember, like this:
"I have two kids: Jack and Jill."
Some tips:
- If a website will let you create a password with non-letter characters -- like "@y;}v%W$\5\" -- then you should do so. There are only 26 letters in the English alphabet, but there are 95 letters and symbols on a standard keyboard. More characters means more permutations, and it soon becomes more difficult for a computer to generate the correct password just by guessing.
- On a Microsoft website devoted to password security, the tech giant tells the password-creating public not to use real words or logical combinations of letters. That keeps you safer from a "dictionary attack," which uses a database of words and common character sequences to try to guess the code.
- A website called Password Safe will store a list of passwords for you, but Boyd and Davis said it may still be possible for a hacker to obtain that list.
- Some sites -- Facebook for example -- are marketing their log-ins and user names as a way to access sites all over the Web. That's potentially dangerous because if hackers figure out a single password, they can access multiple banks of information, the researchers said.
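The figures quoted above follow from the size of the search space: 95 keyboard symbols, 1 trillion guesses per second. The sketch below is an added example, not code from the researchers or the article; the function names and the 365-day year are assumptions. It reproduces the 180-year and 17,134-year numbers and shows how much longer a letters-only password must be to match them.

```python
# Added example: worst-case exhaustive-search time for a uniformly random
# password. Names and the 365-day year are assumptions, not from the article.
SECONDS_PER_YEAR = 365 * 24 * 3600   # assumed 365-day year
GUESSES_PER_SECOND = 10**12          # rate the researchers assumed


def keyspace(alphabet_size, length):
    """Number of distinct passwords of exactly `length` symbols."""
    return alphabet_size ** length


def seconds_to_exhaust(alphabet_size, length, rate=GUESSES_PER_SECOND):
    """Seconds needed to try every candidate once (worst case)."""
    return keyspace(alphabet_size, length) / rate


def years_to_exhaust(alphabet_size, length, rate=GUESSES_PER_SECOND):
    """Whole years needed to try every candidate, using exact integers."""
    return keyspace(alphabet_size, length) // (rate * SECONDS_PER_YEAR)


def min_length(alphabet_size, target_years, rate=GUESSES_PER_SECOND):
    """Shortest length whose worst-case search time reaches target_years."""
    length = 1
    while years_to_exhaust(alphabet_size, length, rate) < target_years:
        length += 1
    return length


if __name__ == "__main__":
    # 95 printable keyboard symbols versus 26 lowercase letters.
    for size in (26, 95):
        for length in (8, 11, 12):
            hours = seconds_to_exhaust(size, length) / 3600
            years = years_to_exhaust(size, length)
            print(f"alphabet={size:2d} length={length:2d} "
                  f"hours={hours:.3g} years={years:,}")
    # Letters-only length needed to match 12 characters drawn from 95 symbols.
    print("letters-only length for 17,134 years:", min_length(26, 17134))
```

These are upper bounds for randomly chosen characters. A password built from real words or common sequences falls to a dictionary attack far sooner than its length suggests.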