The Problem with Passwords



There's a reason some sites ask for, or require, a password that contains both letters and numbers. In the chart, the first column describes the kind of password and the other columns show how long an attacker would need to guess it. Don't make it easy for someone to figure yours out.

(Image credit: The Book of Joe)

Thanks for the reminder. Never ceases to amaze me how many people use the same 5 letter password for all their accounts and never change it...
A system that requires a 10-second wait between attempts changes those numbers considerably. One that adds a 30-minute delay after 3 failures is even better. My bank accounts lock after 3 failures and require that the password be reset by the bank. Using three simple words, five or six letters each, even if lowercase only, pushes the length of time to years because of the added length.
Given that the most successful data thieves use social manipulation, I'm not sure how big a deal this really is. Doesn't matter how secure your password *would* be if you told it to someone, or if a person somehow convinced an operator to email the reset info to their email instead of yours.
These numbers look like they are for a brute force attack that goes through each possible combination. One thing that can change this is if the hacker first tries a list of the top 1000 passwords and then just tries the dictionary. Most people stick to lowercase and they like to use something simple they can remember. There are common passwords and then there are people who just use normal words. Mixing the case and putting some special characters or numbers will reduce the chance of this technique working.

The idea of using a delay between attempts is a good one. I wish more places used it. It would turn that first number of 10 minutes into millennia of work.

Another idea I have heard of is creating a list of landmine passwords. These passwords, if anyone tried to use one to get in would lock the account. A user would not ever be allowed to enter one of these as their password. If someone tries to use a brute force attack they would be sure to hit one of these landmines. You create millions of them. Odds are the users will only encounter a few of them. A brute force would hit them all over the place. These need to be changed on a regular basis so a hacker cannot compile a list of them.
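The throttling described in the comments above (a 10-second wait between attempts, and a 30-minute lockout after 3 failures), worked through as an added example; this code is not from the original post or from any commenter. It assumes an in-memory guard keyed by username, compares the password directly for the demo where a real system would verify a salted hash, and drives a brute-force guesser against it with a simulated clock so the number of guesses an attacker gets per day can be counted rather than estimated.

```python
import hmac
import itertools
import string


class LoginGuard:
    """Server-side throttle: a minimum gap between attempts on one account,
    plus a long lockout once `lockout_failures` consecutive guesses fail.
    Hypothetical class written for this example."""

    def __init__(self, real_password, min_gap_s=10, lockout_failures=3,
                 lockout_s=30 * 60):
        self._pw = real_password.encode()   # demo only: real code stores a hash
        self.min_gap_s = min_gap_s
        self.lockout_failures = lockout_failures
        self.lockout_s = lockout_s
        self._fails = {}          # user -> consecutive failures
        self._next_allowed = {}   # user -> earliest time of the next attempt

    def next_allowed(self, user):
        return self._next_allowed.get(user, 0.0)

    def attempt(self, user, guess, now):
        """Return 'throttled', 'ok', 'wrong' or 'locked'. `now` is the caller's
        clock in seconds so the policy can be simulated without sleeping."""
        if now < self.next_allowed(user):
            return "throttled"
        if hmac.compare_digest(guess.encode(), self._pw):
            self._fails[user] = 0
            self._next_allowed[user] = now + self.min_gap_s
            return "ok"
        self._fails[user] = self._fails.get(user, 0) + 1
        if self._fails[user] >= self.lockout_failures:
            self._fails[user] = 0
            self._next_allowed[user] = now + self.lockout_s
            return "locked"
        self._next_allowed[user] = now + self.min_gap_s
        return "wrong"


def lowercase_candidates(length, limit=None):
    """Lowercase strings of the given length in lexicographic order (the naive
    brute-force order the chart assumes), optionally capped at `limit`."""
    stream = ("".join(c) for c in
              itertools.product(string.ascii_lowercase, repeat=length))
    return itertools.islice(stream, limit) if limit else stream


def guesses_in_window(guard, user, candidates, window_s):
    """Drive a patient guesser that always waits exactly until the account
    accepts another attempt. Returns (guesses_made, cracked)."""
    now = 0.0
    made = 0
    for guess in candidates:
        now = max(now, guard.next_allowed(user))
        if now >= window_s:
            break
        made += 1
        if guard.attempt(user, guess, now) == "ok":
            return made, True
    return made, False


if __name__ == "__main__":
    day = 24 * 3600
    # The unthrottled run is capped at 100,000 candidates so the demo finishes;
    # without a throttle the real limit is only the server's capacity.
    policies = [
        ("no throttling", LoginGuard("zzzzzz", min_gap_s=0, lockout_failures=10**9)),
        ("10 s between attempts", LoginGuard("zzzzzz", lockout_failures=10**9)),
        ("10 s gap + 30 min lockout after 3", LoginGuard("zzzzzz")),
    ]
    for label, guard in policies:
        made, _ = guesses_in_window(guard, "alice", lowercase_candidates(6, 100_000), day)
        print(f"{label:35s} {made:>8,} guesses in one day")
```

Running it shows the ratio at stake: a guesser that can try candidates as fast as the server answers is limited only by bandwidth, a 10-second gap caps it at 8,640 guesses per account per day, and the three-failure lockout brings that down to 144, which turns the 26^6 lowercase space from the chart into centuries per account. The caveat is that the limit is per account: an attacker with a list of usernames spreads a few common guesses across all of them instead, and an aggressive lockout also lets anyone lock legitimate users out on purpose.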
Protecting against brute force attacks is great but it's much more likely nowadays that your password will be leaked from a website you login to. It seems every 2 weeks a major website gets hacked and requests all its users change their passwords. Once you know somebody's password and email you can extrapolate most everything else you need.

Besides using strong passwords use different passwords for all sites you use. And make sure your home network and email passwords are completely unique from ANYTHING else.
Every time I get told to use a stronger password, I wonder who appointed them to be the password police? I know the risks of using "weak" passwords. Warn me and then let me be as foolish as I wish.
This is a great chart, but horribly flawed. For starters, this is most likely assuming that this is a person at a keyboard. Most hackers use bots, not a physical presence. Bots try hundreds of passwords in seconds. Second, as another person pointed out, this is assuming a brute force method. That means that they might just get lucky and get it in a few tries, or years; it entirely depends. The final thing is that there are ways to peer into the murky depths of your CPU's memory and retrieve the password. (I even believe WIRED has an article on that.) In other words, cute image, great way to increase awareness, but not accurate by any means.
But who would ever want to hack into my college account? Who would ever care??? Is a hacker going to swap one of my classes? Doubt it; the website is so badly configured it would take them longer to change my schedule than it would to just hack my password.

My college requires 8-letter passwords with lowercase, uppercase, numbers, and symbols,

and they make you change it every semester.

Forgetting your own password is a bigger problem than hackers.
@Edward - Because when the user's account is compromised, they go crying to the webmaster who has to go through the work of fixing the problem.
Sorry to be picky, but the table is meaningless. What do the numbers represent? Because the time to crack will certainly depend on whether my string of six lowercase letters is a word rather than, say, 'xxsdty'.

Also, just adding uppercase letters and characters will make no difference at all if you change 'password' to 'P4$$word', for example. Cracking programs are not that stupid.

My personal advice? Pick three unconnected words and separate them with a weird character: for example 'ocelot-mango%envelope'. Easy to remember, pretty difficult to crack.

Of course a string of ten random characters is much, much harder to crack - but impossible to remember, so almost useless as a password.
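As an added example (not the commenter's code or any particular cracking tool), here is a toy rule-based candidate generator of the kind the comment above refers to: dictionary words are run through casing, suffix and leet-substitution rules, and the position at which a target turns up tells you how much the mangling really bought. The wordlist and the rule set are constructed for the example; real tools ship thousands of rules and run them over lists of leaked passwords.

```python
import itertools
import math

# Constructed wordlist for the example; real attacks use millions of leaked passwords.
WORDLIST = ["password", "letmein", "qwerty", "monkey", "dragon", "welcome"]

# Letters that crackers routinely try as "leet" substitutions (constructed subset).
LEET = {"a": "4@", "e": "3", "i": "1!", "o": "0", "s": "$5", "t": "7"}


def leet_variants(word):
    """Every combination of zero or more leet substitutions applied to `word`."""
    options = [[c] + list(LEET.get(c.lower(), "")) for c in word]
    return ["".join(p) for p in itertools.product(*options)]


def mangle(word):
    """Candidates derived from one dictionary word, cheapest rules first:
    casing, then numeric suffixes, then leet substitutions with suffixes.
    Duplicates are dropped so each candidate costs the attacker one guess."""
    out, seen = [], set()

    def add(cand):
        if cand not in seen:
            seen.add(cand)
            out.append(cand)

    bases = [word, word.capitalize(), word.upper()]
    for b in bases:
        add(b)
    for b in bases:
        for n in range(100):
            add(f"{b}{n}")
    for b in bases:
        for v in leet_variants(b):
            add(v)
            for n in range(10):
                add(f"{v}{n}")
    return out


def guess_position(target, wordlist=WORDLIST):
    """1-based position at which this rule-based attack reaches `target`,
    or None if the rules never produce it."""
    pos = 0
    for word in wordlist:
        for cand in mangle(word):
            pos += 1
            if cand == target:
                return pos
    return None


def mangling_bits(word):
    """Extra search work, in bits, that the rules add on top of the bare word."""
    return math.log2(len(mangle(word)))


if __name__ == "__main__":
    for target in ("password", "P4$$word", "Letmein1", "ocelot-mango%envelope"):
        print(f"{target:24s} found at guess {guess_position(target)}")
    print(f"mangling 'password' adds about {mangling_bits('password'):.1f} bits")
    print(f"a random 8-char printable password has {math.log2(95 ** 8):.1f} bits")
```

`mangle("password")` yields about 2,000 candidates, so 'P4$$word' costs an attacker roughly 11 extra bits over the bare word, nowhere near the 52 or so bits of a truly random 8-character printable password. The three-word phrase is never produced because its words are not in the list and the rules do not join words, which is the argument for picking unrelated words; the counter-caveat is that wordlists and rule sets used in practice are far larger than this one, so the positions printed here are a floor, not a ceiling, on what a generic attack covers.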
The best password is one that you don't even know yourself. I have tried it and it works pretty well. The idea is, use a simple yet long word and try to make sure it has the letter 'a' at least once, if not many times. Put your hands on the keyboard as if to type. Move your hands over to the left one letter. Type the simple password. If it has a couple 'a's in it, you will be turning on and off caps lock while typing a word that is not in the dictionary. Always good to add a number at the end. Another way is to move your hands up and do the same thing (except keys don't match up as well when you move them up, but then you get letters and numbers).
What a load of outdated crapola.

Nowadays anything less than mixed 10-12 character passwords is brute forceable in days, not decades.

GPU Clusters that rent by the hour are available online for pennies.

Bigger clusters are certainly affordable by any serious hacker/crime syndicate.

And of course Quantum computing will make all password cracking available in almost realtime.

It's always amusing (but not so neat) to read tech/security articles by non-tech magazines.
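The arithmetic behind a chart like the one in this post, as an added example that is not part of the original post or any comment. The guess rates are assumptions chosen for illustration (an online login throttled to one try per 10 seconds, an unthrottled web login, and an offline attack on a fast unsalted hash with rented GPUs), not figures from the page, and the 7,776-word dictionary is the size of a Diceware list; the example also covers the three-random-words passphrases recommended earlier in the thread.

```python
import math

# Alphabet sizes for the password classes such charts list.
CHARSETS = {
    "lowercase letters": 26,
    "lowercase + digits": 36,
    "mixed-case letters": 52,
    "mixed case + digits": 62,
    "all printable ASCII": 95,
}

# Guess rates are ASSUMED orders of magnitude for illustration, not measurements.
RATES = {
    "online, 10 s wait between attempts": 0.1,
    "online, unthrottled web login": 1e3,
    "offline, fast unsalted hash on rented GPUs": 1e11,
}

SECONDS_PER_YEAR = 365.25 * 86400


def search_space(alphabet_size, length):
    """Number of distinct passwords of exactly `length` over the alphabet."""
    return alphabet_size ** length


def passphrase_space(dictionary_size, words, separator_choices=1):
    """Three-random-words style phrases: `words` picks from a dictionary, with a
    separator chosen from `separator_choices` symbols between each pair."""
    return dictionary_size ** words * separator_choices ** (words - 1)


def bits(space):
    return math.log2(space)


def expected_seconds(space, guesses_per_second):
    """Mean time to hit a uniformly random password: half the space on average."""
    return space / 2 / guesses_per_second


def humanize(seconds):
    for name, size in (("years", SECONDS_PER_YEAR), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:,.1f} seconds"


def crack_table(length, rates=RATES, charsets=CHARSETS):
    """Rows of (charset, bits, {rate label: humanized time}) for one length."""
    rows = []
    for cs_name, n in charsets.items():
        space = search_space(n, length)
        times = {label: humanize(expected_seconds(space, r)) for label, r in rates.items()}
        rows.append((cs_name, round(bits(space), 1), times))
    return rows


if __name__ == "__main__":
    for length in (6, 8, 12):
        print(f"--- length {length} ---")
        for cs_name, b, times in crack_table(length):
            print(f"{cs_name:22s} {b:5.1f} bits")
            for label, t in times.items():
                print(f"    {label:45s} {t}")
    pp = passphrase_space(7776, 3, 32)   # Diceware-sized list, 32 separator symbols
    offline = RATES["offline, fast unsalted hash on rented GPUs"]
    print(f"\nthree words + separators: {bits(pp):.1f} bits, "
          f"{humanize(expected_seconds(pp, offline))} offline")
```

The expected time is half the space divided by the rate, so the table makes the two points raised in the thread concrete: throttling (or, for stored passwords, a deliberately slow salted hash such as bcrypt or Argon2) changes the answer by many orders of magnitude at the same length, while an offline attack on a fast hash turns any 8-character password into seconds to hours. All of these numbers assume a uniformly random password; a dictionary word or a password reused from a breach falls far sooner regardless of its length.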
The best option seems to be to use a program like KeePass Password Safe http://sourceforge.net/projects/keepass/ to create complex, unique passwords for all your on-line sites.
If one site gets hacked, that password is useless for any other site. Just need to remember the one password (hopefully complex) for the program.
I've always been annoyed by sites that insist on having numbers in the password. It seems to me that by insisting that at least one character be a number, you're just about giving away one character of your password.
Except that if your 8-letter lowercase password is "password" or your 7-letter lowercase one is "letmein," it'll probably take them about 2 seconds to crack. I assume hacking programs run those types first.