One easy way to prevent your password from being hacked

by Ruth Sylte · 3 comments

During the past week, I've had a couple of professional colleagues who have been victims of password hacking -- and have had a real mess to clean up.

A few years ago, I became aware of an excellent blog post about hacking passwords by John P. of One Man's Blog, "How I'd hack your weak passwords." In that posting, John gives excellent advice about creating passwords that are difficult to hack. One of his best pieces of advice is:

Pay particular attention to the difference between using only lowercase characters and using all possible characters (uppercase, lowercase, and special characters – like @#$%^&*). Adding just one capital letter and one asterisk would change the processing time for an 8 character password from 2.4 days to 2.1 centuries.

And here is his chart to prove it.

[Chart: password hacking times]

So simply by going to 10 characters and mixing upper and lowercase, you can make hackers work for almost two millennia to break your password! So, if your passwords don't meet this requirement, go read John's original post and get the fear of God/Password hacking into your system. If you heed his words, you will save yourself a lot of misery. Trust me.
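The arithmetic behind the figures quoted above, as an added example (not code from John's post or from this blog): worst-case brute-force time is the alphabet size raised to the password length, divided by the guess rate. The rate of one million guesses per second and the four search tiers are assumptions; that rate reproduces the 2.4 days and 2.1 centuries in the quote, and the sample passwords are constructed.

```python
import string

# Assumption (not stated on the page): one million guesses per second.
GUESSES_PER_SECOND = 1_000_000

# Assumed search tiers, smallest alphabet first; each one contains the previous.
# An attacker does not know which characters you used, so the cost is set by
# the smallest tier that covers every character in the password.
TIERS = [
    ("lowercase only", string.ascii_lowercase),
    ("lowercase + digits", string.ascii_lowercase + string.digits),
    ("upper + lower + digits", string.ascii_letters + string.digits),
    ("all printable ASCII",
     string.ascii_letters + string.digits + string.punctuation + " "),
]

YEAR = 365.25 * 86400
UNITS = [("millennia", 1000 * YEAR), ("centuries", 100 * YEAR), ("years", YEAR),
         ("days", 86400), ("hours", 3600), ("minutes", 60), ("seconds", 1)]


def smallest_tier(password):
    """Return (tier name, alphabet size) of the first tier covering the password."""
    for name, alphabet in TIERS:
        if all(ch in alphabet for ch in password):
            return name, len(alphabet)
    raise ValueError("password contains characters outside printable ASCII")


def worst_case_seconds(password, rate=GUESSES_PER_SECOND):
    """Seconds to try every password of this length over the covering alphabet."""
    _, size = smallest_tier(password)
    return size ** len(password) / rate


def humanize(seconds):
    """Express a duration in the largest unit that gives a value of at least 1."""
    for unit, length in UNITS:
        if seconds >= length:
            return f"{seconds / length:.1f} {unit}"
    return "under a second"


if __name__ == "__main__":
    for sample in ("password", "passw0rd", "Passwor*"):  # constructed samples
        tier, size = smallest_tier(sample)
        print(f"{sample!r}: {tier} ({size} chars), "
              f"{humanize(worst_case_seconds(sample))}")
```

This models blind exhaustive search only; a name or dictionary word falls far sooner, as the hints below point out.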

Some of his other excellent hints include:

  1. Randomly substitute numbers for letters that look similar. The letter ‘o’ becomes the number ‘0’, or even better an ‘@’ or ‘*’. (i.e. – m0d3ltf0rd… like modelTford)
  2. Randomly throw in capital letters (i.e. – Mod3lTF0rd)
  3. Think of something you were attached to when you were younger, but DON’T CHOOSE A PERSON’S NAME! Every name plus every word in the dictionary will fail under a simple brute force attack.
  4. Maybe a place you loved, or a specific car, an attraction from a vacation, or a favorite restaurant?
  5. You really need to have different username / password combinations for everything. Remember, the technique is to break into anything you access just to figure out your standard password, then compromise everything else. This doesn’t work if you don’t use the same password everywhere.
  6. Since it can be difficult to remember a ton of passwords, I recommend using Roboform for Windows users. It will store all of your passwords in an encrypted format and allow you to use just one master password to access all of them. It will also automatically fill in forms on Web pages, and you can even get versions that allow you to take your password list with you on your PDA, phone or a USB key. If you’d like to download it without having to navigate their web site here is the direct download link. Mac users can use 1Password. It is essentially the same thing as Roboform, except for Mac, and they even have an iPhone application so you can take them with you too.

John recommends 1Password. However, I have used the SplashID program for years -- which works on WinOS, MacOS and a variety of smartphone/PDA platforms -- and have been very pleased with it.

Some day you'll thank me for sharing this...

3 comments

John July 27, 2010 at 6:24

I will never want my account hacked… thanks for sharing with us! Was really helpful :)


Renee Capicchioni Vannata September 29, 2011 at 6:35

Thank you for sharing this!

One of the hints that the cybersecurity gurus give @ UNH, is to use the first letter of each word in a sentence. For example, Now is the time for all good men to come to the aid of their country would become Nitt4agm2c2taotc. Or you could do something really easy to remember like “My two cat’s names are Oliver and Misty” would be M2cnaO&M.


rmsylte October 6, 2011 at 7:42

That’s a great suggestion! Thanks for sharing it.

