Sukhbir Singh

One Day, I Am Gonna Grow Wings, A Chemical Reaction. Hysterical And Useless . . .

Everything About Passwords


Your passwords are the keys you use to access personal information, whether stored on your computer or in your online accounts. Breaking a password is not easy and there is no direct way to do it; certain indirect methods do exist, however, and if your password is weak (read on to find out what that means) it can be recovered in a couple of minutes on an ordinary computer. Here are a few tips on choosing a strong password. As we proceed, I will explain clearly the difference between a strong password and a weak one, or rather, how to classify them.

How to choose a strong password?

A strong password is a random string of characters. It should meet the following criteria.

1. Length – The rule of thumb is that each character you add to your password increases the protection it provides many times over. An ideal password is 8 or more characters; 14 characters or more is recommended.

You can also use a ‘pass phrase’. Since many systems accept a space in passwords (a space is treated like any other character, such as *, and counts as part of the password), you can create a phrase made of many words. For example:

Mypasswordcanneverbecompromised.

Such a password is easy to remember and very hard to recover.

2. Combine letters, numbers and symbols – The greater the variety of characters you use, the more secure the password is. Instead of ladyluck, use something like l@dYlucK123. Use the entire keyboard; your password will be much stronger if you use all the symbols.

– A strong and easy-to-remember password in 4 steps –

1. Passphrase – Think of a sentence you can remember. If the password system accepts the space bar as a character, your password can be made very strong and very easy to remember.

2. Add complexity – Mix uppercase and lowercase letters and numbers. Letter swapping and misspellings are recommended. For example, if your password is ‘My name is James Bond’, it can also be written as ‘My nAMe iz J@me$ B0|\|D’, which is a much better password than the former.

3. Add special characters – As in the previous example, substituting @ for a and $ for S increases the strength of a password.

4. Change your password regularly if it is simple. Doing so is good practice.
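As an added illustration (not code from the original post), this Python script counts how many candidate strings an exhaustive search must cover for the passwords quoted in this post, showing what the length and character-class advice above buys you. The one-million-guesses-per-second rate is an assumption for the time column, not a figure from the post.

```python
import string

# Character classes the post says to mix. Each class a password draws from
# widens the alphabet an exhaustive (brute force) search has to cover.
CLASSES = {
    "lowercase": set(string.ascii_lowercase),
    "uppercase": set(string.ascii_uppercase),
    "digits": set(string.digits),
    "symbols": set(string.punctuation + " "),   # space counts, as the post notes
}


def alphabet_size(password):
    """Alphabet size a cracker must assume once it knows which classes are used."""
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))


def candidates(password):
    """Strings an exhaustive search tries, at worst, before reaching this
    password: every string of length 1..len(password) over that alphabet."""
    n = alphabet_size(password)
    return sum(n ** k for k in range(1, len(password) + 1))


def worst_case_seconds(password, guesses_per_second=1_000_000):
    """Time for the whole search at a given guess rate (rate is an assumption)."""
    return candidates(password) / guesses_per_second


def compare(passwords, guesses_per_second=1_000_000):
    """Rows of (password, alphabet size, candidates, seconds) for a quick table."""
    return [(p, alphabet_size(p), candidates(p),
             worst_case_seconds(p, guesses_per_second)) for p in passwords]


if __name__ == "__main__":
    # The four passwords discussed in the post, weakest to strongest.
    for pw, n, cands, secs in compare(["ladyluck", "l@dYlucK123",
                                       "920394290asdas23@#@#",
                                       "Mypasswordcanneverbecompromised."]):
        print(f"{pw!r:36} alphabet={n:3} candidates={cands:.3e} "
              f"worst case={secs / 86400:.3g} days")
```

Adding one character multiplies the count by the alphabet size, which is why the post's length advice matters more than any single symbol.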

Weak Passwords (Password strategies to avoid)

1. Avoid repeated or sequential characters – such as 123456, asdfg or other adjacent keys on your keyboard.

2. Don’t use dictionary words (ever) – Using sophisticated tools (explained later), passwords based on dictionary words can be guessed or broken in almost no time. This includes dictionary words spelled backwards, misspelled, or with character substitutions.

3. Don’t use one password everywhere – If you have multiple accounts, sharing a common password between them is not recommended. It is critical to use different passwords for different systems.

4. Don’t give out your passwords over e-mail or in response to an e-mail request – Any e-mail that asks for your password, or asks you to visit a website to verify your password, is almost certainly a fraud. This method is called ‘phishing’ (pronounced ‘fishing’). Read more here.

5. Do not type passwords on computers that you do not control – Computers such as those in Internet cafes, computer labs or airport lounges are unsafe for any personal use other than anonymous Internet browsing. Do not use the computers at such places to check e-mail, bank balances, business mail or any other account that requires a username and password. Chances are that keyloggers are installed and your password will be recorded.

6. Do not use other information that can be easily guessed. This includes pet names, license plate numbers, telephone numbers, identification numbers, birthdates etc. If you have multiple passwords, you can store them in a ‘password safe’. Some safes worth checking out are:

(KeePass is highly recommended)

KeePass – keepass.sourceforge.net {Open source password safe}
Password Safe – passwordsafe.sourceforge.net {Same}
Norton Password Manager – Symantec {Paid}

===

How can passwords be broken?

Many password recovery tools are available. They use a technique called a brute force attack. To understand this, let me give you an example.

I had a debate with a friend: I challenged him that I could get the password to his Microsoft Word (.doc) file. [To add a password to a Word file, go to Tools > Options > Security.] He said it was impossible, since Word clearly states that a password, once lost, can never be recovered.

Using a dictionary brute force, I got his password in 15 minutes on my Pentium 4 machine. Simple. Why was I able to recover his password when Word clearly says that it can never be recovered?

His password was ‘ladyluck’. The brute force attack on the Word file checked every possible password, starting from a simple ‘a’, until it reached the word ‘ladyluck’. So the password was compromised.

But had his password been something like ‘920394290asdas23@#@#’, it would have taken years to get the password. That is why the emphasis on length and complexity: brute force attack time is directly proportional to the length.
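As an added example, not part of the original post, here is a checker that undoes the case changes, letter swaps and appended digits recommended earlier in the same way a dictionary-based recovery tool does, so that a password such as l@dYlucK123 or kculydal is still recognised as the dictionary word ladyluck. The word list is constructed here and stands in for a real dictionary file; the substitution table is an assumption covering only the swaps the post mentions.

```python
import string

# Constructed stand-in for a dictionary file a recovery tool would load.
WORDLIST = {"ladyluck", "password", "james", "bond", "name", "secret"}

# Reverse of the swaps the post suggests (@ for a, $ for s, 0 for o, ...).
# A cracking tool applies the same table in reverse before a dictionary lookup.
UNLEET = str.maketrans({"@": "a", "$": "s", "0": "o", "3": "e", "4": "a", "!": "i"})

# Digits and symbols that are typically just tacked on at either end.
PADDING = string.digits + string.punctuation


def variants(password):
    """Normal forms a dictionary attack would derive from this password:
    lowercased, with end padding stripped, with leet swaps undone, and
    each of those reversed (the post warns about backwards spellings)."""
    lowered = password.lower()
    stripped = lowered.strip(PADDING)
    forms = set()
    for form in (lowered, stripped):
        for f in (form, form.translate(UNLEET)):
            forms.add(f)
            forms.add(f[::-1])
    forms.discard("")
    return forms


def dictionary_hits(password, wordlist=WORDLIST):
    """Dictionary words the password reduces to; empty means none found."""
    forms = variants(password)
    return sorted(word for word in wordlist if word in forms)


def is_dictionary_based(password, wordlist=WORDLIST):
    return bool(dictionary_hits(password, wordlist))


if __name__ == "__main__":
    for pw in ["ladyluck", "l@dYlucK123", "kculydal", "J@me$",
               "920394290asdas23@#@#", "Mypasswordcanneverbecompromised."]:
        print(f"{pw!r:36} dictionary words: {dictionary_hits(pw) or 'none'}")
```

A strength check that only counts character classes would rate l@dYlucK123 highly; this normalisation is the extra step that catches it.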

A network of computers (a farm, as it is called) can be used for brute forcing. Such an attack can typically recover, in a few minutes, a password that would take decades to break on your computer. However, you are out of this!

Stay secure!


Written by Sukhbir

September 16, 2006 at 12:32 am

10 Responses


  1. Salaams! Thanks for dropping by at my blog hehe :) Glad u liked the name as well. hmm, passwords? Don’t think anybody can guess mine lol so it’s pretty secure!

    Shehzadi

    November 3, 2006 at 9:20 pm

  2. ahem princess ;-)

    kumar chetan

    November 8, 2006 at 7:03 pm

  3. Look how many months it has been since you updated the blog, and then you will say I don’t like your blog. Add something new to the blog. Also, man, I am a simple guy, don’t make a fuss over me for no reason, don’t call me great.

    kumar chetan

    December 18, 2006 at 10:44 am

  4. Can I ask an opinion from you, Sukhbir? If I use the name McLAUGHLAN for a password, it is a Scottish surname, could it be secure? What follows is an interpretation of the surname spellings: MacGlaughlan MacLauchleine McGlauchlan McLaouhlan
    Lachie MacGlaughlin MacLauchlen McGlauchlin McLauchlain
    Lachlainn MacGlothin MacLauchlin McGlauchlon McLauchlan
    Lachlainson MacGlothlon MacLauchline McGlaughlin M’Clauchlan
    Lachlan MacGlotten MacLauchlon McGlothin McLauchland
    Lachlann MacGlottin MacLaucklan McGlothlon McLauchlane
    Lachlanson MacGloughlan MacLaughlan McGlotten McLauchleam
    Laflan MacGloughlin MacLaughland McGlottin McLauchleine
    Laflen MacGlouthlin MacLaughlane McGloughlan McLauchlen
    Laflin Machlachlin MacLaughlen McGloughlin McLauchlin
    Lauchlan MacHlachlin MacLaughlin McGlouthlin McLauchline
    Lauchlin MacKclauchlane MacLaughlon McHlachlin McLauchlon
    Laughan MacKlawachlane MacLaughlun Mchlachlin McLaucklan
    Laughin MacLachan MacLaughton McKclauchlane McLaughlan
    Laughlan MacLachen MacLauthlan McKlawachlane McLaughland
    Laughland MacLachian MacLauthlin McLachan McLaughlane
    Laughlen MacLachin MacLawhlan McLachen McLaughlen
    Laughlin MacLachine MacLawlan McLachian McLaughlin
    Laughlon MacLachlain MacLlauchland McLachin McLaughlon
    Laughon MacLachlainn MacLochan McLachine McLaughlun
    Laughton MacLachlan MacLochlainn McLachlain McLaughton
    Lauhghlan MacLachland MacLochlan McLachlainn McLauthin
    Locklan MacLachlane MacLochlin McLachlan McLauthlan
    Lockland MacLachlann MacLochlon McLachlan McLawhlan
    Loughlan MacLachlen MacLocklan McLachland McLawlan
    Loughlin MacLachlin MacLouchlan McLachlane McLlauchland
    MacClachlan MacLachline MacLoughlan M’Clachlane McLochan
    MacClachlane MacLachlon MacLoughlin McLachlann McLochlainn
    MacClachlen MacLachlun MacLouthan McLachlen McLochlan
    MacClaflin MacLackken MacLuchlayne M’Clachlene McLochlin
    MacClauchlan MacLacklan Maglaughlin McLachlin McLochlon
    MacClauchlane MacLacklane Makclachlane McLachline McLocklan
    MacClauchlin MacLacklen Makclauchlane McLachlon McLouchlan
    MacClaughlan MacLacklin Makclotan McLachlun McLoughlan
    MacClaughlin MacLackline Makclowden McLackken McLoughlin
    MacClouchlan MacLacklon Maklawchlan McLacklan McLouthan
    MacClouchlin MacLaclan McClachlan McLacklane McLuchlayne
    MacCloughlan MacLaflen McClachlane McLacklen M’Kclachlane
    MacCloughlin MacLaflin McClachlen McLacklin M’Klachlane
    MacGlachan MacLaghlan McClauchlane McLackline M’Lauchan
    MacGlachen MacLaghlane McClaughlin McLacklon M’Lauchland
    MacGlachland MacLaouhlan McClouchlin McLaclan M’Laughland
    MacGlachlin MacLauchlain McGlachan McLaflen M’Lawchtlane
    MacGlauchin MacLauchlan McGlachen McLaflin O’Laughlen
    MacGlauchlan MacLauchland McGlachland McLaghlan O’Laughlin
    MacGlauchlin MacLauchlane McGlachlin McLaghlane O’Loughlin
    MacGlauchlon MacLauchleam McGlauchin M’Claichlan Vclauchlayne.

    These are real representations of the legal spellings of the surname. An e-mail would be very much appreciated. Godspeed be with you Sukhbir, happy new year. PS: I am trying to crack a wireless protected network in range of my home, I know this is the answer to the password but typing in all the spellings of the name made me fall asleep lol.

    Gogs (Scotland.UK)

    January 10, 2007 at 8:12 pm

  5. Sorry Sukhbir, I wanted to know if brute force could break such a password very easily.

    Gogs (Scotland.UK)

    January 10, 2007 at 8:15 pm

  6. @Gogs:

    Of course you can brute force it, but for that you need software. Typing it would take a hell of a lot of time.

    Try Brutus. {www.hoobie.net/brutus/}

    A brute force attack will try all possibilities (whether upper case or lower case) … Typing it yourself ain’t feasible!

    Any more help, leave a comment and I will answer.

    :D

    Sukhbir

    January 10, 2007 at 11:27 pm

  7. yar i thought e-mails were secure n you are saying that its not safe why yar?? i think my password is pretty secure n i hav changed it recently :p
    But, yar i wanna noe 1 thing. I m member of myspace its sly to hi5 n stuff n i read a bulletin n went to a site that was there in that bulletin. next day when i signed in i saw 3 bulletins posted by my name when i dint even use myspace that day. wat shd i do now??

    Simrat

    January 20, 2007 at 1:44 pm

  8. I work in the banking industry and security is key here. I am on a taskforce to protect people’s privacy rules and regulations. I researched many, many books and sites and found out that anything that is stored somewhere can be broken; it’s just a matter of time and the right tools. I have come across many programmers who can hack a database and convert the encrypted passwords to real text and numbers. I think most big companies nowadays spend most of their resources on IT, but especially on protecting the privacy of their clients. There are millions of breaks every year and people are always trying. Be careful with what you put out there! Good luck.

    Prem P.

    February 22, 2007 at 2:20 pm

  9. Hi Sukhbir, enjoyed reading your blog. Good work, keep it up !

    Cheers
    Venkatesh.

    Venkatesh

    April 25, 2007 at 4:44 pm

  10. I enjoyed your post about password security. That’s one of my favorite topics in my blog (in fact, I wrote something today about how programmers store passwords). It’s really frustrating for me when I have a really strong password and someone does something stupid with it like email my password to me, store it in plain text, or have me verify my social security number as authentication.

    I hate when I’m trying to type a password in and I can’t use # or ! or other special characters or I can’t use a password longer than 12 characters. Oh well, thanks for the blog post. It’ll get people to use secure passwords, but it’s up to the programmers out there to handle them better.

    dpatrickcaldwell

    February 27, 2009 at 8:40 am
