<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
		>
<channel>
	<title>Comments on: How to create a very strong password</title>
	<atom:link href="http://www.gfi.com/blog/create-strong-password/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.gfi.com/blog/create-strong-password/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=create-strong-password</link>
	<description>Brought to you by GFI Software</description>
	<lastBuildDate>Fri, 13 Sep 2013 13:27:20 +0000</lastBuildDate>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	
	<item>
		<title>By: Lemuel</title>
		<link>http://www.gfi.com/blog/create-strong-password/comment-page-1/#comment-17573</link>
		<dc:creator>Lemuel</dc:creator>
		<pubDate>Wed, 05 Jan 2011 04:58:21 +0000</pubDate>
		<guid isPermaLink="false">http://www.gfi.com/blog/?p=2890#comment-17573</guid>
		<description><![CDATA[Science-fiction blog i09.com recently posted a security concern regarding its mother company Gawkermedia.com. Apparently, non-Latin based characters were being registered as interchangeable with each other. Because of this, non-English based passwords could actually be accessed by simply typing any order of non-English based characters. Although Gawkermedia is looking into the security concern now, it has urged all its registered users with non-English based passwords to change them immediately.

So much for using completely random characters.]]></description>
		<content:encoded><![CDATA[<p>Science-fiction blog i09.com recently posted a security concern regarding its mother company Gawkermedia.com. Apparently, non-Latin based characters were being registered as interchangeable with each other. Because of this, non-English based passwords could actually be accessed by simply typing any order of non-English based characters. Although Gawkermedia is looking into the security concern now, it has urged all its registered users with non-English based passwords to change them immediately.</p>
<p>So much for using completely random characters.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: jaime</title>
		<link>http://www.gfi.com/blog/create-strong-password/comment-page-1/#comment-17536</link>
		<dc:creator>jaime</dc:creator>
		<pubDate>Tue, 04 Jan 2011 21:00:14 +0000</pubDate>
		<guid isPermaLink="false">http://www.gfi.com/blog/?p=2890#comment-17536</guid>
		<description><![CDATA[I know of certain individuals who have completely reduced the memory of their own passwords to actual muscle memory. Offhand, they can only readily recall the very first character of their password, and trace the rest through a strange remembrance of movements and actions. They’ve admitted that without a keyboard in front of them, they wouldn’t be able to easily spell out their own password, which is as secure a password as you can get, I can believe.]]></description>
		<content:encoded><![CDATA[<p>I know of certain individuals who have completely reduced the memory of their own passwords to actual muscle memory. Offhand, they can only readily recall the very first character of their password, and trace the rest through a strange remembrance of movements and actions. They’ve admitted that without a keyboard in front of them, they wouldn’t be able to easily spell out their own password, which is as secure a password as you can get, I can believe.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: bryan reeves</title>
		<link>http://www.gfi.com/blog/create-strong-password/comment-page-1/#comment-17535</link>
		<dc:creator>bryan reeves</dc:creator>
		<pubDate>Tue, 04 Jan 2011 20:51:58 +0000</pubDate>
		<guid isPermaLink="false">http://www.gfi.com/blog/?p=2890#comment-17535</guid>
		<description><![CDATA[@jonathan

I don’t think having your passwords named after personal items is a very safe (or smart) practice of security. I think it’s already been mentioned that individuals who know you personally will be able to guess your passwords straight off the bat, but strong decryption algorithms are designed to be able to “auto-complete” trillions of possible words and key phrases that could turn out to be your password. The more random your password, the better.]]></description>
		<content:encoded><![CDATA[<p>@jonathan</p>
<p>I don’t think having your passwords named after personal items is a very safe (or smart) practice of security. I think it’s already been mentioned that individuals who know you personally will be able to guess your passwords straight off the bat, but strong decryption algorithms are designed to be able to “auto-complete” trillions of possible words and key phrases that could turn out to be your password. The more random your password, the better.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Emmanuel Carabott</title>
		<link>http://www.gfi.com/blog/create-strong-password/comment-page-1/#comment-16315</link>
		<dc:creator>Emmanuel Carabott</dc:creator>
		<pubDate>Fri, 17 Dec 2010 10:13:24 +0000</pubDate>
		<guid isPermaLink="false">http://www.gfi.com/blog/?p=2890#comment-16315</guid>
		<description><![CDATA[@Jonathan - The biggest problem with using names is not that the password is not that complex but that it&#039;s easily guessable by anyone who knows you. Risk changes depending on the attacker obviously. I imagine you use names cause you find them easy to remember and there is no need to throw that away; feel free to use names, just change them a bit to make them both stronger and impossible to guess. This can be done by substituting a particular letter with a symbol and adding a couple of numbers. For example, assuming you&#039;re using a fruit&#039;s name as password, say: Apple, this could in turn be changed to 12App&#124;e24 and all you need to remember is that l is substituted with &#124; (you can do that always) and if say 24 is your favorite number you put it at the end and 1/2 of it at the beginning. That would still be easy to remember but it&#039;s a lot stronger than before.

@Richard - So far in terms of computing power the situation on the graphic card front didn&#039;t change. The ATI HD5970 is still the card with the highest rated floating point operations per second. The fastest I7, the 980, is rated at 107 Gflops.]]></description>
		<content:encoded><![CDATA[<p>@Jonathan &#8211; The biggest problem with using names is not that the password is not that complex but that it&#8217;s easily guessable by anyone who knows you. Risk changes depending on the attacker obviously. I imagine you use names cause you find them easy to remember and there is no need to throw that away; feel free to use names, just change them a bit to make them both stronger and impossible to guess. This can be done by substituting a particular letter with a symbol and adding a couple of numbers. For example, assuming you&#8217;re using a fruit&#8217;s name as password, say: Apple, this could in turn be changed to 12App|e24 and all you need to remember is that l is substituted with | (you can do that always) and if say 24 is your favorite number you put it at the end and 1/2 of it at the beginning. That would still be easy to remember but it&#8217;s a lot stronger than before.</p>
<p>@Richard &#8211; So far in terms of computing power the situation on the graphic card front didn&#8217;t change. The ATI HD5970 is still the card with the highest rated floating point operations per second. The fastest I7, the 980, is rated at 107 Gflops.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: richard</title>
		<link>http://www.gfi.com/blog/create-strong-password/comment-page-1/#comment-16164</link>
		<dc:creator>richard</dc:creator>
		<pubDate>Wed, 15 Dec 2010 16:56:29 +0000</pubDate>
		<guid isPermaLink="false">http://www.gfi.com/blog/?p=2890#comment-16164</guid>
		<description><![CDATA[And to think that the kind of hardware that was used to run these kinds of tests is pretty dated. Though they are by no means obsolete; code breakers, hackers and internet vandals definitely pack a lot more punch than the mid range gear outlined in this article. It&#039;s curious to see what kind of results we&#039;d be seeing using i7/GTX type specs; stuff that&#039;s more than affordable in today&#039;s market.]]></description>
		<content:encoded><![CDATA[<p>And to think that the kind of hardware that was used to run these kinds of tests is pretty dated. Though they are by no means obsolete; code breakers, hackers and internet vandals definitely pack a lot more punch than the mid range gear outlined in this article. It&#8217;s curious to see what kind of results we&#8217;d be seeing using i7/GTX type specs; stuff that&#8217;s more than affordable in today&#8217;s market.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Jonathan Chester</title>
		<link>http://www.gfi.com/blog/create-strong-password/comment-page-1/#comment-15724</link>
		<dc:creator>Jonathan Chester</dc:creator>
		<pubDate>Sun, 12 Dec 2010 17:40:54 +0000</pubDate>
		<guid isPermaLink="false">http://www.gfi.com/blog/?p=2890#comment-15724</guid>
		<description><![CDATA[Incredibly interesting stuff! I could have guessed that the average four core computers could crack a fair share of passwords, but to be able to churn out over a hundred million passwords per SECOND? I think I&#039;ve to start rethinking my passwords. So much for slacking off and naming everything after my pets, my family and my ex-girlfriends. If ever I get hacked, I probably deserve it. *knocks on wood*]]></description>
		<content:encoded><![CDATA[<p>Incredibly interesting stuff! I could have guessed that the average four core computers could crack a fair share of passwords, but to be able to churn out over a hundred million passwords per SECOND? I think I&#8217;ve to start rethinking my passwords. So much for slacking off and naming everything after my pets, my family and my ex-girlfriends. If ever I get hacked, I probably deserve it. *knocks on wood*</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: daniel luther</title>
		<link>http://www.gfi.com/blog/create-strong-password/comment-page-1/#comment-15714</link>
		<dc:creator>daniel luther</dc:creator>
		<pubDate>Sun, 12 Dec 2010 17:05:06 +0000</pubDate>
		<guid isPermaLink="false">http://www.gfi.com/blog/?p=2890#comment-15714</guid>
		<description><![CDATA[A lot of websites and software applications that require passwords now run algorithms to determine just how strong your password is (usually ranking it from weak to very strong). However, some are far more reliable than others. Some applications simply count the number of characters in the password. Others go as far as checking that back to the number of discernible dictionary words plus non-alphabet text. The more random, of course, the better.]]></description>
		<content:encoded><![CDATA[<p>A lot of websites and software applications that require passwords now run algorithms to determine just how strong your password is (usually ranking it from weak to very strong). However, some are far more reliable than others. Some applications simply count the number of characters in the password. Others go as far as checking that back to the number of discernible dictionary words plus non-alphabet text. The more random, of course, the better.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Texas Data Vault</title>
		<link>http://www.gfi.com/blog/create-strong-password/comment-page-1/#comment-13852</link>
		<dc:creator>Texas Data Vault</dc:creator>
		<pubDate>Wed, 17 Nov 2010 17:07:44 +0000</pubDate>
		<guid isPermaLink="false">http://www.gfi.com/blog/?p=2890#comment-13852</guid>
		<description><![CDATA[Emmanuel, great post. It really shows the importance of taking the time to figure out a strong password for yourself.  I had a client just yesterday who had her Joomla website hacked. When I asked her for her user and pw so that I could login and check it out she gave me admin, password. I thought, &quot;Wow, no wonder you were hacked&quot;. I am going to send this to her and will also be posting it on my site as this was very well done. Thanks.]]></description>
		<content:encoded><![CDATA[<p>Emmanuel, great post. It really shows the importance of taking the time to figure out a strong password for yourself.  I had a client just yesterday who had her Joomla website hacked. When I asked her for her user and pw so that I could login and check it out she gave me admin, password. I thought, &#8220;Wow, no wonder you were hacked&#8221;. I am going to send this to her and will also be posting it on my site as this was very well done. Thanks.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Emmanuel Carabott</title>
		<link>http://www.gfi.com/blog/create-strong-password/comment-page-1/#comment-11764</link>
		<dc:creator>Emmanuel Carabott</dc:creator>
		<pubDate>Mon, 25 Oct 2010 16:18:28 +0000</pubDate>
		<guid isPermaLink="false">http://www.gfi.com/blog/?p=2890#comment-11764</guid>
		<description><![CDATA[@Shane:
The article does state what password combination you need to use to get a 2 year cracking time, but perhaps it&#039;s not very clear. Basically using mixed case and numbers you need 10 characters for a GPU setup based on the article specs to go through all the combinations in 2 years. If you also add symbols to the mix 9 characters will suffice. Bear in mind that all numbers are approximations of how long a system would need to get to try all the combinations. In real life it depends on how many guesses the cracking programs will take before reaching the correct combination.

@Michael G:
The most frightening part of using GPU is that it can easily scale. How much money you put in it is what determines how long it will take to crack a password. Double the amount of GPUs and you halve the time needed to go through all the combinations; thus the times above are only a baseline indication of how long it will take.

I have to agree with Richard, remote login attempts will propel the time needed to try a password by a lot! Basically all the advantages of using GPUs will be lost as the time required to establish the connection and try the password will be a lot more than the time required to try and guess the password or even generate the password combination. The only danger GPUs pose to passwords in this context is if someone has access to the hash itself so protecting that is paramount!]]></description>
		<content:encoded><![CDATA[<p>@Shane:<br />
The article does state what password combination you need to use to get a 2 year cracking time, but perhaps it&#8217;s not very clear. Basically using mixed case and numbers you need 10 characters for a GPU setup based on the article specs to go through all the combinations in 2 years. If you also add symbols to the mix 9 characters will suffice. Bear in mind that all numbers are approximations of how long a system would need to get to try all the combinations. In real life it depends on how many guesses the cracking programs will take before reaching the correct combination.</p>
<p>@Michael G:<br />
The most frightening part of using GPU is that it can easily scale. How much money you put in it is what determines how long it will take to crack a password. Double the amount of GPUs and you halve the time needed to go through all the combinations; thus the times above are only a baseline indication of how long it will take.</p>
<p>I have to agree with Richard, remote login attempts will propel the time needed to try a password by a lot! Basically all the advantages of using GPUs will be lost as the time required to establish the connection and try the password will be a lot more than the time required to try and guess the password or even generate the password combination. The only danger GPUs pose to passwords in this context is if someone has access to the hash itself so protecting that is paramount!</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Sue Walsh</title>
		<link>http://www.gfi.com/blog/create-strong-password/comment-page-1/#comment-10430</link>
		<dc:creator>Sue Walsh</dc:creator>
		<pubDate>Mon, 27 Sep 2010 04:14:52 +0000</pubDate>
		<guid isPermaLink="false">http://www.gfi.com/blog/?p=2890#comment-10430</guid>
		<description><![CDATA[Great post! I have always used a mix of mixed case letters and numbers for my passwords but I never thought of using symbols before. That&#039;s an excellent idea. 

Richard, it&#039;s funny you should mention disabling after so many bad login attempts. I was just thinking about how uneasy I feel about the fact one of the two banks I use lets you make unlimited login attempts. They don&#039;t lock the account after a certain amount of failed logins. My other bank on the other hand locks you out after the second failed attempt. Think one could learn something from the other?]]></description>
		<content:encoded><![CDATA[<p>Great post! I have always used a mix of mixed case letters and numbers for my passwords but I never thought of using symbols before. That&#8217;s an excellent idea. </p>
<p>Richard, it&#8217;s funny you should mention disabling after so many bad login attempts. I was just thinking about how uneasy I feel about the fact one of the two banks I use lets you make unlimited login attempts. They don&#8217;t lock the account after a certain amount of failed logins. My other bank on the other hand locks you out after the second failed attempt. Think one could learn something from the other?</p>
]]></content:encoded>
	</item>
</channel>
</rss>
