Thursday, 1 April 2010

Length matters

I don't want to bore non-techies with this one, but I do want you to think about your passwords for just a few minutes.

The first thing is this: even if your password isn't something obvious like "password" or "obo", then hackers don't have to guess them. There is free, readily available software out there to do brute-force password hacking. So they can fire it up, go out for a cup of coffee, do the groceries, have a good night out and come back to find your password ready and waiting for them.

The second thing is this: the longer your password is, the longer it takes to crack.

The third thing is this: the more types of characters you use, the longer it takes to crack.

Let me give you a for instance: if I choose the password "obo", a brute-force cracker will take an average of 0.02 seconds to crack. So, "immediately". If I choose a slightly longer password, like "obnoxio", that will take two and a quarter hours. Much better, but still not really secure. However, if I simply change the password to include numbers and special characters, e.g. "Obnox1o$", it will take 210 years to crack.

And "Obnox1o$ Cl0wn" could take 154,640,721,434,000 years to crack using brute force.

So, put a bit of effort in, mix it up a little and make it just a little bit longer. Because it's worth it.

More info here.

14 comments:

oleuanna said...

And that was a public information film for the newly arrived people to this planet???

Roger Thornhill said...

First define "this".

Oleuanna said...

who?

martin said...

then you forget were you wrote it down

TheBigYin said...

If you need to write down a password like Obnox1o$ Cl0wn then I think some sort of dementia has set in.

There has been password crackers like Brute Force around for years. Still good advice for the un-initiated.

Chuckles said...

Right, so now we all know your universal password Obo?

How is it in any sense more secure than Password01$ or similar from the 'Hide in plain sight, Purloined Letter School'?
Or should we bear in mind that there exists a least random number(17), and take it from there...?

J Demetriou said...

That's actually quite a cool, informative piece. Cheers.

nbc said...

Obo

I would add that one should have a different password for each site/service that you use on the internet. Having one password for all is just asking for trouble, and using a good password manager can help you maintain control of your passwords.

BTS said...

You ought to have given the missus a stronger password - I cracked her rather too easily..

TheBigYin said...

Bloody hell BTS, trust Obo to have a password protected chastity belt on his Mrs.! I have a less complicated method to keep men (and women, if there are any offended lesbians out there) from having a go at mine...a recent photo, never had to use it though.

Anonymous said...

OK, this totally fucking rankles me. Every bastard site on the net these days makes me use a password. The cunts obviously think they are making me safer but their not. Because of the volume of passwords required I could never remember one for each. So I have one secure password for important stuff, and QWERTY for absolutely everything else. Figure that out once and you can hack almost everything I do, apart from important stuff like bank online and share trading online.

TheBigYin said...

I hear what you say Anon. I have only three passwords that I use all the time and they vary from strength to strength depending on how much I value the site I want to access. My blog, as well as online banking etc have the strongest made up of a long string of letters and numerals that I can easily commit to mind. After I've written them down and can remember them off by heart I destroy the hard copy. The other two I use for sites I couldn't give a shite whither someone hacks them or not.

BTS said...

Obo's only took a few minutes..

Although I'm obviously not referring to his password..

Shug Niggurath said...

Much more insecure is the method I use at work on various folks in outlying offices...

"Hi, it's the IT department here. We're updating the mail server software and I need to move your account over. Can I have your password please?"

9 times out of 10 ... 'Yeah, sure it's fuckme'.