Friday, February 20, 2009

Regarding secure passwords

Today I read an article by Virginia DeBolt on Times Goes By about passwords: "The TGB ELDER GEEK: Passwords"

Overall it has some good information for the average person, and though I could nit-pick about some details I am going to limit myself because I can be pretty paranoid about security after working in the industry and seeing what happens at banks, credit companies, telephony companies, etc. Most people probably don't need to worry as much as I do ;) In any case I wanted to point out a few things that came up in the article and the comments.

The first thing is password length. Be sure your passwords are at least 8 characters, not 7 as the article suggests. The difference between 7 and 8 is significant. Given a character set of roughly 52 alpha characters (upper/lower) + 10 digits + ~12 symbols, or 74 characters total:

7 char password gives 74^7 = 12,151,280,273,024 or about 1.2e13

8 char password gives 74^8 = 899,194,740,203,776 or about 9e14

What that means is that every extra character multiplies the search space by 74, so it will take a good deal longer (74 times longer in the worst case) for someone to brute force the 8 char password.
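To make the 7-versus-8 comparison concrete, here is an added example (not code from the original post) that computes the search space for a given alphabet size and length and turns it into a worst-case exhaustion time. The alphabet sizes and the guess rate of one billion guesses per second are constructed assumptions for illustration, not figures from the post; the 74-character set matches the post's arithmetic.

```python
# Added example: brute-force search space and worst-case exhaustion time.
# Alphabet sizes and the guess rate below are constructed assumptions.

ALPHABET_SIZES = {
    "digits only": 10,
    "lowercase letters": 26,
    "mixed-case letters": 52,
    "letters + digits": 62,
    "letters + digits + symbols": 74,   # the set used in the post
}

# Assumed attacker speed for the table; real rates depend on the hash and hardware.
ASSUMED_GUESSES_PER_SECOND = 1e9


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def seconds_to_exhaust(alphabet_size: int, length: int,
                       guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Worst-case seconds to try every password at the given guess rate."""
    return keyspace(alphabet_size, length) / guesses_per_second


def human_duration(seconds: float) -> str:
    """Render a duration in the largest convenient unit, one decimal place."""
    units = [("years", 365 * 24 * 3600), ("days", 24 * 3600),
             ("hours", 3600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:,.1f} seconds"


def growth_factor(alphabet_size: int, shorter: int, longer: int) -> int:
    """How many times larger the keyspace gets going from `shorter` to `longer` chars."""
    return keyspace(alphabet_size, longer) // keyspace(alphabet_size, shorter)


if __name__ == "__main__":
    print(f"Worst-case time at {ASSUMED_GUESSES_PER_SECOND:.0e} guesses/s (assumed rate)")
    for name, size in ALPHABET_SIZES.items():
        for length in (7, 8, 12, 16):
            print(f"{name:28s} {length:2d} chars: {keyspace(size, length):>30,d}  "
                  f"{human_duration(seconds_to_exhaust(size, length))}")
    print("74-char alphabet, 7 -> 8 chars grows the keyspace by",
          growth_factor(74, 7, 8), "x")
```

Running the script prints one line per alphabet and length; the point to notice is that adding a single character to a 74-symbol alphabet multiplies the work by 74, while lengthening a password is far cheaper for the user than memorising more symbols.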

If the site is important (e.g. banking) and supports more than 8 characters then use the extra characters. Many banks support up to 16 nowadays.

The article suggests using software for storing the passwords, but you have to be careful about the software used. One of the comments suggested using Excel. Excel and other general-purpose programs do not have the necessary security for storing important passwords like those for online banking. You can easily find password cracking tools for Excel and similar programs that can gain access fairly quickly on today's computers. There are also many computer viruses out there that will look for files that are password protected and send them back to the virus writers, so if your computer were to get one they would then have easy access to all the other protected data.

If you really want to store important passwords on the computer, be sure to use technology meant for keeping those things secure. One free choice is GnuPG. You can find other choices out there (check out that Tucows article). You will want to choose a large key size (at least 4096 bit these days) and a good long pass phrase. A small key or a short pass phrase could be brute forced with today's fast computers.

A good pass phrase can be easy to remember while still being secure. For example, pick a sentence such as "I like blue cats who wear large hats". You can then change a few letters to make it "I lik3 blue c@ts who wear LARGE hats!" or, even better, adjust it a bit more like so: "I lik3 5 blue c@t$ wh0 wear 10 LARGE hats!" Obviously a bit harder to remember, but still something that after a time could be remembered. And you could write that pass phrase down and put it in a safe or something. Don't put it in your wallet ;)

Since most services you use do not allow spaces in passwords, I suggest using a phrase and then shortening it to just the first letter of each word and changing some characters. You could use the last letter or whatever as well. Example: "I spend lots of money on cheese!" could be "IsL0$o
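The shortening trick above, written out as an added example that is not code from the original post: keep one letter per word (first or last), carry over the phrase's closing punctuation, swap a few letters for look-alike digits and symbols, and then check that the result meets the post's own bar of at least 8 characters from several character classes. The substitution table is a constructed choice for illustration; the post's own example uses different swaps.

```python
# Added example: derive a space-free password from a memorable phrase.
# The substitution table is a constructed choice, not taken from the post.
import string

SUBSTITUTIONS = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"}


def derive_password(phrase: str, pick: str = "first",
                    substitutions: dict = SUBSTITUTIONS) -> str:
    """Take the first (or last) letter of each word, keep any trailing
    punctuation from the phrase, then apply character substitutions."""
    words = phrase.split()
    if not words:
        return ""
    chosen = []
    for word in words:
        core = word.strip(string.punctuation)   # ignore "cheese!" -> "cheese"
        if not core:
            continue
        chosen.append(core[0] if pick == "first" else core[-1])
    last = words[-1]
    trailing = last[len(last.rstrip(string.punctuation)):]   # e.g. "!"
    raw = "".join(chosen) + trailing
    # Substitute exact characters only, so capitals such as "I" are left alone.
    return "".join(substitutions.get(c, c) for c in raw)


def character_classes(password: str) -> set:
    """Which of upper/lower/digit/symbol appear in the password."""
    classes = set()
    for c in password:
        if c.isupper():
            classes.add("upper")
        elif c.islower():
            classes.add("lower")
        elif c.isdigit():
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


def meets_minimum(password: str, min_length: int = 8, min_classes: int = 3) -> bool:
    """The post's rule of thumb: at least 8 characters and a mix of character classes."""
    return len(password) >= min_length and len(character_classes(password)) >= min_classes


if __name__ == "__main__":
    phrase = "I spend lots of money on cheese!"   # constructed sample phrase
    for pick in ("first", "last"):
        pw = derive_password(phrase, pick=pick)
        print(f"{pick:5s} letters -> {pw!r:14} classes={sorted(character_classes(pw))} "
              f"ok={meets_minimum(pw)}")
```

A phrase of seven words yields only eight characters here, right at the minimum; choosing a longer sentence is the easiest way to get a longer password without making it harder to remember.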