Chilling yet fantastic advice from security expert Bruce Schneier on passwords (with hat tip to Bert):
“Offline password guessers have gotten both fast and smart. AccessData sells Password Recovery Toolkit, or PRTK. Depending on the software it’s attacking, PRTK can test up to hundreds of thousands of passwords per second, and it tests more common passwords sooner than obscure ones.”
Well, there goes my assumption that my simple eight-character password will suffice. And don’t think that using a crypto program like my beloved PGP is going to help:
“The results are all over the map. Microsoft Office, for example, has a simple password-to-key conversion, so PRTK can test 350,000 Microsoft Word passwords per second on a 3-GHz Pentium 4, which is a reasonably current benchmark computer. WinZip used to be even worse — well over a million guesses per second for version 7.0 — but with version 9.0, the cryptosystem’s ramp-up function has been substantially increased: PRTK can only test 900 passwords per second. PGP also makes things deliberately hard for programs like PRTK, also only allowing about 900 guesses per second.”
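To see what the "ramp-up function" buys a defender, here is an added example (not from Schneier's article or this post) that uses the article's two quoted rates to work out how long an exhaustive search of an eight-character lowercase password takes, and then measures locally how much an iterated KDF slows a checker relative to a single hash. A lone SHA-256 stands in for the "simple password-to-key conversion" and PBKDF2 with 20,000 iterations for the stretched case; both choices, the iteration count and the test password are assumptions for illustration.

```python
import hashlib
import os
import time

# Guess rates quoted in the article (guesses per second on a 3-GHz Pentium 4).
RATES = {"MS Word (simple conversion)": 350_000, "WinZip 9.0 / PGP (stretched)": 900}


def seconds_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to try every password of the given length from the alphabet."""
    return alphabet_size ** length / guesses_per_second


def describe(seconds: float) -> str:
    """Render a duration in the largest convenient unit, one decimal place."""
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} seconds"


def fast_kdf(password: bytes, salt: bytes) -> bytes:
    """One hash per guess: stands in for a simple password-to-key conversion (assumption)."""
    return hashlib.sha256(salt + password).digest()


def stretched_kdf(password: bytes, salt: bytes, iterations: int = 20_000) -> bytes:
    """Iterated KDF: stands in for the deliberate ramp-up in WinZip 9 / PGP (assumption)."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations)


def measure_rate(derive, password: bytes, salt: bytes, trials: int) -> float:
    """Rough guesses per second a local checker achieves with the given derivation."""
    start = time.perf_counter()
    for _ in range(trials):
        derive(password, salt)
    return trials / (time.perf_counter() - start)


def slowdown_factor(trials: int = 200) -> float:
    """How many times slower per guess the stretched KDF is than the single hash."""
    salt = os.urandom(16)
    password = b"hunter2"  # constructed sample, not a real credential
    fast = measure_rate(fast_kdf, password, salt, trials * 100)
    slow = measure_rate(stretched_kdf, password, salt, trials)
    return fast / slow


if __name__ == "__main__":
    for name, rate in RATES.items():
        print(f"{name}: 8 lowercase letters exhausted in {describe(seconds_to_exhaust(26, 8, rate))}")
    print(f"PBKDF2(20,000) is {slowdown_factor():.0f}x slower per guess than a single SHA-256")
```

Only the alphabet and length determine the keyspace; the KDF only changes how fast each guess can be checked, which is why the same eight characters go from days to years between the two rows.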
The whole article is brilliant reading. Go read it. Now.
Equally illuminating are some of the comments, and the replies by Bruce, to wit:
“Of course longer is better. If you have a 32-character password, no software cracker is going to find it.”
“A useful class of memorable passwords that are difficult to cast as a PRTK-style stereotype is equations.
For the physically or mathematically-minded, they can be very easy to remember. They also make it easy to involve symbols (memorably). And since the notation for terms can have a very broad variation, they are probably not easy to search efficiently. And, there are a lot of them, many of which are quite obscure.
An example from classical mechanics: Hamiltonian evolution with Poisson Bracket notation might yield a password like
dy/dt={H,y}
Considering the possible variations (ydot instead of dy/dt, Heisenberg evolution with commutators, replace y by a Greek letter like Psi, subtract the RHS from both sides, many more) it seems like a losing game to try to create a stereotype search for these. And in this case, obscurity does aid security.”
“Interestingly, it sounds to me like a combination of two (reasonably long) dictionary words with a small non-alpha infix would survive this attacker fairly well.”
“Seems like a shift in the root is all you need to be less predictable. The progression I often have experienced in terms of user password maturity:
1) simple root (password)
2) simple root with appendages (password123)
3) root with character-shift and appendages (p@ssW0rd123!)
4) phrase with character-shift and appendages (e.g. I wish I had a dollar for every star = iW1h@$4e*)
5) random digits generated by a program and stored securely with a level 4 password”
“I found this slide-deck on a method to create passwords interesting:
http://druid.caughq.org/presentations/Mnemonic-Password-Formulas.pdf
I wonder how well something like PRTK would be in recovering the formula used to generate the password if it had multiple passwords to compare.”
“@Simon: “how does Password Safe help?”
It helps in two ways: First, it allows you to choose different passwords for different services. Not many among us can remember 40 distinct passwords; we either have to write them down or re-use the same passwords over and over again, which becomes a nightmare with the different password choice and lifetime policies out there.
Second, it allows you to generate random passwords. Myself, I use different, random 12 character passwords for each service. In cases where I don’t care about identity, I even use a randomly generated user name.
“When away from my computer I’d not know the passwords.”
There’s not many services that I want to use when I’m away from my computer, so it’s not much of an issue for me.
Password Safe and its clones can also be installed on a USB stick, along with the password database. Although I would somewhat hesitate to trust a public computer.”
@Squyd
That just sounds like a LOT of work. Why bother? Use a password manager with a password generator built in. Done. There are plenty out there, both traditional, and online:
http://passpack.wordpress.com/2007/01/29/online-vs-offline-password-managers/
Me, I use Password Master myself (from the excellent team at Dreameesoft) so I can use it on my pda, but they are all much of a much-ness.
I’m now going through all of my different passworded accounts and randomising them with Password Master rather than relying on my old 8-character password which is the same one I use on multiple sites (very dangerous and stupid, I know, but I’m lazy!)
Currently listening to: Brian Eno – On Land – Dunwich Beach, Autumn, 1960