Password Insecurity...

Security is one of my focus areas, and it is one area that often falls short. More often than not that is due to poor policy and not poor programming. That's right, I said it. Yes, I do work for a software company… Yes, I often blame hardware manufacturers' drivers for the blue screen of death and not Microsoft. Yes, I do admit that people get infected with viruses due to poor browser coding and poor coding of plugins.

BUT poor security practice makes you a lot more insecure than most coding problems. For example, if I can call your helpdesk, say I am you, and your helpdesk will help me get connected to your network, then you have a huge security problem. You need a policy in place that lets the helpdesk verify that callers are who they say they are before anything is reset or enabled. The larger the organization, the more susceptible it is to this kind of social engineering attack.

What I believe is one of the biggest issues in security practice today is the password. It would be great if we could get to another authentication solution that uses something other than passwords, like smart cards. That way someone can't log in as me unless they have both the smart card and my PIN. This is what we use at Microsoft, in addition to Direct Access. Another bad security practice is telling people how you secure your network; that just helps them know where to start looking for holes in the armor. :)

Passwords are insecure largely because users have to remember them, so they choose easy passwords or reuse them. I have written about this before:

Even if you use a unique, secure password for each site or login, you should pay close attention to the length of the password. The table below gives the time a brute-force attack against a locally held password hash needs to try every possible password of a given length; the figures work out to roughly one million guesses per second. I know this is a bit simplistic, but the idea is the important part. Look at how quickly the time to crack a password changes with the length. With only lowercase letters you need at least 10 characters for it to be even remotely secure. And if the attacker uses GPUs and multiple machines, that may shift this table by a few characters.

Password Length   All Characters              Only Lowercase
3 characters      0.86 seconds                0.02 seconds
4 characters      1.36 minutes                0.46 seconds
5 characters      2.15 hours                  11.9 seconds
6 characters      8.51 days                   5.15 minutes
7 characters      2.21 years                  2.23 hours
8 characters      2.10 centuries              2.42 days
9 characters      20 millennia                2.07 months
10 characters     1,899 millennia             4.48 years
11 characters     180,365 millennia           1.16 centuries
12 characters     17,184,705 millennia        3.03 millennia
13 characters     1,627,797,068 millennia     78.7 millennia
14 characters     154,640,721,434 millennia   2,046 millennia

 

Until we can replace the password with a better, more secure system, my recommendation is to use a password manager. Then for each of your many logins use a unique password consisting of both upper- and lowercase characters as well as other characters (!@#$%^&). Lastly, use a long password, over 12 characters; since you're using a password manager, make it as long as the system will let you. Oh, and those security questions for resetting your password: don't use real answers! Use fake answers and keep them in your password manager's notes section. And keep a backup of your password manager's database.
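
As an added example (not from the original post or any particular password manager), here is how to generate the kind of password recommended above in Python, using the `secrets` module (the OS CSPRNG) rather than `random`, which is not suitable for secrets. The character classes are the ones the post names; digits are included as an assumption, since nearly every site accepts them. It also produces random strings to use as fake answers to security questions, and reports the entropy and worst-case search time of a given length so you can see what "as long as the system will let you" buys.

```python
import math
import secrets
import string

LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SYMBOLS = "!@#$%^&"          # the symbol set listed in the post
ALPHABET = LOWER + UPPER + DIGITS + SYMBOLS   # 69 characters
REQUIRED_CLASSES = (LOWER, UPPER, DIGITS, SYMBOLS)


def has_all_classes(password: str, required=REQUIRED_CLASSES) -> bool:
    """True if at least one character from every required class is present."""
    return all(any(c in cls for c in password) for cls in required)


def generate_password(length: int, alphabet: str = ALPHABET, required=REQUIRED_CLASSES) -> str:
    """Uniformly random password from `alphabet`, drawn with the OS CSPRNG.

    Candidates missing a required class are rejected and redrawn, so the
    site's "must contain a symbol" rules are satisfied without biasing
    individual positions.
    """
    if length < len(required):
        raise ValueError("length too short to include every required character class")
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if has_all_classes(candidate, required):
            return candidate


def fake_security_answer(length: int = 16) -> str:
    """Random lowercase+digit string to give as a 'mother's maiden name' etc.
    Store it in the password manager's notes; never use the real answer."""
    return generate_password(length, LOWER + DIGITS, required=())


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet_size).
    Rejection for missing classes removes a negligible fraction at these lengths."""
    return length * math.log2(alphabet_size)


def worst_case_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Time to exhaust a keyspace of 2**bits at the given guess rate."""
    return 2 ** bits / guesses_per_second


if __name__ == "__main__":
    for length in (12, 20, 32):
        pw = generate_password(length)
        bits = entropy_bits(length, len(ALPHABET))
        # 1e10 guesses/s is an assumed figure for a GPU rig, not a measurement.
        years = worst_case_crack_seconds(bits, 1e10) / (365 * 86400)
        print(f"{length:>2} chars  {pw}  {bits:6.1f} bits  ~{years:,.0f} years at 1e10/s")
    print("fake security answer:", fake_security_answer())
```

The entropy line is what matters when comparing lengths: 12 characters from this 69-character alphabet is about 73 bits, 20 characters is about 122 bits, and every extra character adds a fixed 6.1 bits regardless of how fast the attacker's hardware gets.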

 

My password manager runs on Windows, Mac, Windows Phone, iOS, and Android. So in addition to my backup of the database I have the program running on a Windows Phone, a Windows 7 laptop, a Windows 8 laptop, an iPod Touch, a Galaxy Tab 8.9, a Mac Air, and an iPad gen 1. They all stay in sync via a Dropbox account.