Wednesday, July 31, 2013

Think Your Password is Secure From the NSA? Try This.

By Simon Black

Seven minutes.

That's how long it would take to crack one of the passwords I had been using for more than ten years, according to the crypto experts at Silent Circle.
Let's be honest. A lot of people use the same password over and over again across multiple websites, like email, bank accounts, and social media.

Sometimes these passwords can be a bit elementary. The dog's name. 

Daughter's nickname plus her birth year. A favorite chocolate syrup.

These types of passwords won't typically thwart government agencies that are keen to spy on their citizens. They can easily be cracked in a matter of minutes.

I've been using eight or ten different passwords for several years, some of them going back to my days as an intelligence officer. I had always thought they were secure-- letters and numbers that I've been typing so long, they're committed to muscle memory.

But a few months ago when I signed up for my Silent Circle account, I was surprised to see the results when I tested one of my passwords against their crypto analysis tool.

It turns out that the password wasn't so secure after all. You can try it for yourself here:


(You don't have to sign up, you can just type in a password and see for yourself...)

I was never a crypto specialist while in the intelligence business, so I studied the issue for the last few months to find out about the latest password cracking algorithms.

It turns out that most things we think about password security are completely wrong.

For example, you know how it seems like every website these days has a particular password format they REQUIRE you to use?

For example, they'll require at LEAST one upper case character, one lower case, one number, one 'special character', and that the password must be at least seven characters.

Most of these web sites are incredibly annoying, and it can take three or four tries to come up with the right password.

iTunes, Facebook... they all do this to cover their own butts in case your account gets hacked, so they can say that they advised you to use the industry 'best practices' for a secure password.

It turns out this isn't very secure at all.

Most password cracking algorithms have adapted, particularly as a lot of people use 'dictionary' words in their passwords.

For example, instead of "sunshine", one may use "5unshinE!", substituting a 5 for the s, capitalizing the E, and adding an exclamation point.

The first password, "sunshine", is considered to be highly vulnerable based on industry convention, but "5unshinE!" is considered to be much more secure.
It turns out that both passwords can be cracked by modern algorithms almost instantly. Neither is secure.

Since cracking algorithms succeed by picking up patterns in human behavior, the key to a secure password is randomness and disorder. In the security business, this is known as entropy.

It's difficult for a human being to fake randomness and disorder. So one easy way to achieve this is to use a password generator tool that incorporates entropy.

Try, for example, going to https://entima.net/random/

On this website, you move your mouse around randomly, and the website's software incorporates these random mouse movements into its password generation code.

The passwords that it generates are far more secure, taking centuries to crack instead of mere seconds.

It may be a good idea to take a few minutes out of your life to check your own password vulnerability, and come up with an alternative that's far more secure.

Simon Black writes and is Senor Editor  at SovereignMan.com. Follow Sovereign Man on FacebookTwitterGoogle+

UPDATE:

I just found a password that will be easy for me to remember but will take 94 years to crack. -RW

6 comments:

  1. The password that I've used since the early days of AOL says it will take 46 years to crack... not bad.

    ReplyDelete
  2. Shhhhh. Silent Circle is an NSA operation. You just gave them your password so they don't HAVE to crack it...

    ReplyDelete
  3. The password I created for a website that required "one of each" tested out "centuries".

    ReplyDelete
  4. There are several password-management programs that will not only generate knarly passwords, but will auto-fill those passwords on web login forms. You can then pick a simpler password to access those passwords. That simpler password can be cracked, of course, but at least it's not out on the cloud.

    ReplyDelete
  5. I previously used a method called Diceware to generate passwords; however, I thought that a simple word table was too weak. I created a program to generate Dice word tables from
    the Linux spell checker dictionary aspell. I call these tables "Dice Road Dictionaries" since they are intended for use when a secure random number generator is not available (e.g. at work on a windows box).

    Pre-built dictionaries and the dictionary generator program are available at my web site http://www.generaltelegraph.com. For the super paranoid, you will need a Linux box to generate your own dictionaries.

    I would be very leery of using an online password generator for obvious reasons. Dice are far more trustworthy.

    Chief Operator

    ReplyDelete
  6. A software deployment tool usually completes the task of installing the software in two steps. First step is creating a deployment package and the second is remotely installing the package on the system. Creating the package is a completely easy and automated process if you have the original installation in your system.

    4k video downloader crack

    ReplyDelete