Tuesday, February 12, 2013

Password creation – Tips and Myths

Not everyone uses a complex password. We humans tend to use simple (read: very simple) words such as “password” for most non-critical logins; this gets deep into our system of using passwords and becomes a habit (which is pretty hard to break). It causes plenty of unwanted issues when a third-party system (which we obviously trust) leaks the passwords or their hashes (of any type; the hash strength is not the problem). Some advocates state that hashing should be used with a salt, but that does not really improve security if the database is compromised and the salt values are known to the attacker.

Most common password-cracking (aka brute-forcing) tools have an option to specify the salt to check against. A salt really does not add any security if the user uses “password” as the password. The list of top passwords is tried first, cracking the obvious accounts within seconds, and a larger dictionary is employed for the rest. With the advent of CUDA / OpenCL the time to brute-force has dropped by leaps and bounds. I have written a password cracker in CUDA which can crack some hashes, like NTLM, at a whopping hashes per second. Though it is only for private use, I am sure more such tools like HashCat / oclHashCat, which are freely available, can be employed by anyone who has decent hardware, or the hardware can be rented from the cloud.

What really secures the password? Okay. Do not say the answer is the Google Ring! I will not use it! Instead, the following might be of some help. Though I may not be an expert (disclaimer!!!), I have been following what I am about to preach.

Not every password with special characters is safe if it is shorter than 14 characters. Come on, a 14-character keyspace is not strong enough even if it employs special characters. Believe me, there are only a few special characters which most people actually use! :D Armed with a little background in frequency analysis, an attacker's keyspace shrinks drastically, lowering the security of the so-called complex password.

A simple method is to use longer, totally unrelated (but meaningful to you) sentences; they make very good passwords, and they exceed the usual length limit you will find in a normal complex password. Multiply that by the number of sites for which you have to use a unique password, and only a tool like LastPass can offer some help! Even a phrase like “Attendingevening.school” can be a good password: it is not forgotten, can be typed easily and offers pretty decent security. Also, typing such passwords on a mobile device is very easy, believe me!

Also, always check your password’s strength using an online tool like PasswordMeter!

Placing a random dot between the words makes a lot of sense and improves security. You really don’t have to worry about the bla bla bla password policies; such a passphrase will still conform to most commonly used policies (unless you are in a super special sterile environment!). I hope it makes a difference!
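To put numbers on the keyspace argument above (the 14-character limit, the few special characters people really use, the word-plus-dot passphrase), here is an added Python example; it is mine, not code from the original post. It shows how much the keyspace shrinks when only a handful of symbols are in play, how many bits a passphrase built from dictionary words and separators actually carries, and why a naive per-character meter overstates the strength of “Attendingevening.school”. Alphabet sizes, the dictionary size and the guess rate are assumed values for illustration, not figures from the post.

```python
import math

# Alphabet sizes are assumptions for illustration, not figures from the post.
CLASS_SIZE = {
    "lower": 26, "upper": 26, "digit": 10,
    "special": 33,        # every printable ASCII symbol
    "special_common": 5,  # assumed: the handful of symbols most people actually pick
}

def random_password_bits(length, classes):
    """Bits of a password whose characters are drawn uniformly from the union of `classes`."""
    alphabet = sum(CLASS_SIZE[c] for c in classes)
    return length * math.log2(alphabet)

def passphrase_bits(words, dictionary_size, separator_choices=1):
    """Bits of `words` uniformly random dictionary words joined by separators, each
    separator chosen from `separator_choices` options (1 = always the same dot)."""
    return words * math.log2(dictionary_size) + (words - 1) * math.log2(separator_choices)

def naive_meter_bits(password):
    """What a simple per-character strength meter assumes: every character is an
    independent uniform pick from every character class present in the string.
    A word-based phrase gets far more credit here than it deserves."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("special")
    return random_password_bits(len(password), classes)

def words_needed(target_bits, dictionary_size):
    """Smallest number of dictionary words whose phrase reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(dictionary_size))

def years_to_exhaust(bits, guesses_per_second):
    """Wall-clock years to try every candidate in a keyspace of `bits` at a given guess rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)

if __name__ == "__main__":
    full = random_password_bits(14, ["lower", "upper", "digit", "special"])
    common = random_password_bits(14, ["lower", "upper", "digit", "special_common"])
    print(f"14 chars, all symbols: {full:.1f} bits; only common symbols: {common:.1f} bits")
    print(f"naive meter on 'Attendingevening.school': {naive_meter_bits('Attendingevening.school'):.1f} bits")
    print(f"3 words from a 20000-word list + random dot placement: {passphrase_bits(3, 20000, 2):.1f} bits")
    print(f"words needed to match the 14-char full keyspace: {words_needed(full, 20000)}")
```

The gap between the meter's figure and the passphrase figure is the point: strength comes from how many words and separators you choose, not from the character count a meter sees.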

Be sure to check out the password infographic from ZoneAlarm! A pretty interesting read too on what not to use!