I'm sure you've all heard it, and are even tired of hearing it: your password needs to be at least 8 characters and must have at least one number, mixed case, and a symbol.
This isn't a bad practice, but it isn't a good one either. If you're like me, you get annoyed hearing it, and in fact want simpler passwords for convenience (it's a pain to hit the shift key and the number row in such a short sequence, repeatedly, every day, isn't it?)
Well, you can have your cake and eat it too. Some say passwords shouldn't be easy to memorize, but they're wrong. There is a better way. First, let me point you to this:
xkcd: Password Strength
Now I'm going to elaborate on why.
I've heard the argument that all an attacker has to do is throw dictionary words at it. Well, some estimates put the English language at 1 million words. (Source: Number of Words in the English Language: 1,013,913 | The Global Language Monitor) But let's say you reduced that down to the 10,000 most common words, and you used four of them chosen at random. That is 10,000^4, or 10^16: 10 quadrillion combinations. Let's put that into perspective:
I did a test on my machine using my GPU (Radeon 7850 OC) to crack AES-128 keys. It was able to go through roughly 5,000 iterations per second. Let's suppose the NSA had some super-advanced computer that could do 10,000 times what mine can (a compute cluster of that capability doesn't exist to my knowledge, but let's suppose it does anyway), so say 50 million passwords per second.
10^16 divided by 50 million is 200 million seconds. Divide that by 60, by 60 again, then by 24, then by 365. That comes to a little over 6 years to exhaust every combination (on average the attacker hits the right one about halfway through, so call it 3 years) with a compute cluster that at this point is only theoretical. By the time 6 years have passed, the information they wanted to glean from you could very well be useless, and meanwhile that compute cluster could have gone towards something more important.
Now that number is generous to the attacker in one respect: it assumes you picked exactly four words from the top 10,000. What if you used a less common word? Or deliberate bad grammar or a misspelling? Or a fifth word? Each of those multiplies the keyspace, and the 6 years quickly becomes thousands or even billions of years. If the latest theory about the Higgs boson is correct, the universe would end before the US Department of Homeland Security, with its vast resources, would be able to crack your password. Two caveats, though. The words have to be chosen at random (dice, or a cryptographic random number generator), not assembled into a phrase you find meaningful, because attackers also try quotes, lyrics and other memorable phrases, and cracking tools apply spelling-mangling rules automatically, so a misspelling buys less than you might hope. And the guess rate depends entirely on how the site stores your password: against a fast unsalted hash a single modern GPU tries billions of candidates per second, far more than the hypothetical cluster above, so four common words fall in days rather than years, while a deliberately slow password hash keeps the rate down near the figure used here.
Then of course, there's always plain brute force: iterating through every combination of characters in sequence. Well, assuming you used at least 15 letters or so, that takes a lot longer than the word search: 15 lowercase letters alone give 26^15, roughly 1.7 × 10^21 combinations, against the 10^16 of four common words. When I was testing this password-cracking tool, I looked at the readme, and one of the first things it said was that if the password has more than 7 or 8 unknown characters, you may as well forget about it unless you've got some serious money and time on your hands. Set it to 20 characters (my everyday-use passwords are longer than that) and there's basically no chance.
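To make the keyspace arithmetic above concrete, here is an added Python example (not code from the original post) that computes the keyspace, entropy and exhaustive-search time for both the four-word passphrase and the character brute-force cases, and generates a passphrase the right way, with the OS random source. The word list is a constructed stand-in for "the 10,000 most common words", and the 10^10 guesses-per-second figure is an assumed order-of-magnitude rate for one GPU against a fast unsalted hash, not a measured one.

```python
import math
import secrets
from typing import Dict, Sequence

SECONDS_PER_YEAR = 365 * 24 * 3600  # 31,536,000

# Constructed stand-in for "the 10,000 most common words". In practice load a
# curated list (a Diceware list, for instance) from disk; only its size matters
# for the arithmetic below, and only the randomness of the draw matters for the phrase.
SAMPLE_WORDS: Sequence[str] = (
    "correct", "horse", "battery", "staple", "river", "window",
    "garden", "planet", "silver", "candle", "marble", "lantern",
)


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of equally likely candidates the attacker must consider.

    For a word passphrase the 'alphabet' is the word list and 'length' the word
    count (10,000^4 in the post). For a character password the alphabet is the
    character set (26 lowercase letters, 95 printable ASCII, ...).
    """
    if alphabet_size < 2 or length < 1:
        raise ValueError("need an alphabet of at least 2 symbols and length >= 1")
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """log2 of the keyspace; 10,000^4 is about 53 bits."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst case for the attacker: every candidate tried. On average the right
    one turns up about halfway, so halve this for the expected time."""
    return space / guesses_per_second


def years_to_exhaust(space: int, guesses_per_second: float) -> float:
    return seconds_to_exhaust(space, guesses_per_second) / SECONDS_PER_YEAR


def generate_passphrase(words: Sequence[str], count: int, sep: str = " ") -> str:
    """Draw `count` words uniformly at random using the OS CSPRNG.

    The keyspace arithmetic only holds if every word is equally likely. A phrase
    you made up, a quote, or words picked with random.choice() (a seeded Mersenne
    Twister) does not earn the full entropy_bits() credit.
    """
    if len(set(words)) != len(words):
        raise ValueError("word list has duplicates; entropy estimate would be inflated")
    if count < 1:
        raise ValueError("count must be >= 1")
    return sep.join(secrets.choice(words) for _ in range(count))


# Guess rates used for comparison. 5e7/s is the post's hypothetical cluster.
# 1e10/s is an ASSUMED order-of-magnitude figure for one modern GPU against a
# fast unsalted hash such as NTLM or MD5; a deliberately slow password hash
# (bcrypt, scrypt, Argon2) pushes the rate down by several orders of magnitude.
POST_CLUSTER_RATE = 5e7
FAST_HASH_GPU_RATE = 1e10


def scenarios() -> Dict[str, float]:
    """Years to exhaust each search, for the cases discussed in the post."""
    return {
        "4 words of 10,000 @ post cluster":     years_to_exhaust(keyspace(10_000, 4), POST_CLUSTER_RATE),
        "4 words of 10,000 @ fast-hash GPU":    years_to_exhaust(keyspace(10_000, 4), FAST_HASH_GPU_RATE),
        "5 words of 10,000 @ fast-hash GPU":    years_to_exhaust(keyspace(10_000, 5), FAST_HASH_GPU_RATE),
        "8 lowercase letters @ fast-hash GPU":  years_to_exhaust(keyspace(26, 8), FAST_HASH_GPU_RATE),
        "8 printable ASCII @ fast-hash GPU":    years_to_exhaust(keyspace(95, 8), FAST_HASH_GPU_RATE),
        "15 lowercase letters @ fast-hash GPU": years_to_exhaust(keyspace(26, 15), FAST_HASH_GPU_RATE),
        "20 lowercase letters @ fast-hash GPU": years_to_exhaust(keyspace(26, 20), FAST_HASH_GPU_RATE),
    }


if __name__ == "__main__":
    for label, years in scenarios().items():
        print(f"{label:40s} {years:>14.3g} years")
    print("example passphrase:", generate_passphrase(SAMPLE_WORDS, 4))
```

Running it reproduces the post's 6-year figure for four words at 50 million guesses per second, and shows the same four words lasting under two weeks at the assumed fast-hash GPU rate, while 15 or 20 random lowercase letters remain out of reach at either rate.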
Just keep this in mind, and then at least your password won't be the weakest link:
xkcd: Security