Blog / Hasta la vista, baby

The second is through password crackers.  They look for account portals over the Internet.  This could be a VPN (Virtual Private Network) on a firewall, a Terminal Server login, a server login, a website login – anything that is exposed to the Internet that has a login page.  They run two types of login attempts.

1. Common Passwords. There are useful tools on the Internet that list the most common passwords; 123456 is at the top of the list, but 12345, password1, qwerty, and several other combinations are still very widely used.  They try a list of common passwords against a login page in very quick succession.  They can run a list in fractions of a second.
2. Brute Force.  They try every possible combination of letters (upper and lower case). numbers, and special characters – anything on the keyboard.  This list of keyboard characters is called the standard ASCII list. Of course, we’ve seen this in all sorts of mystery and action spy thriller movies – where the numbers roll by the screen as the safe combination is cracked. It makes for good cinema. Brute-force cracking a password takes time, but computers are very good at doing this type of repetitive task with blinding speed.  There are spreadsheets that calculate the average time it takes to crack a password using brute force.

We’re going to assume your super-secret password is not 123456 – or one of the common passwords. So, someone is going to have to use brute force. Which leads me to the point: the longer the password, the longer it takes to crack using brute force.  here are some simple examples from a spreadsheet calculator:

• 6 Lower Case Letters: Less than 1 minute
• 6 Lower Case Letters, 1 Upper Case Letter, 1 Number: 2.5 hours
• 6 Lower Case Letters, 1 Upper Case Letter, 1 Number, 1 Special Character: 75 hours
• 8 Lower Case Letters, 2 Upper Case Letters, 2 Numbers, 2 Special Characters: 48,000 Years

I think you can see the pattern.  It’s also not that important to have special characters and numbers.  There are only 10 digits, so they add less complexity than just adding another alpha character. Upper and lower case each add 26 characters to try, so mixing case is good.  Special characters add 32 more. But trying to remember a 14-character mixed case password with numbers and special characters is tough, especially if it’s changed every 3 months – and you have more than a handful of them.  So, here’s the trick:

Use a simple phrase that’s easy to remember.  Let’s try:

• Hastalavista,baby: 4.6 billion years

It’s estimated our sun will die in about 5 billion years; 4.6 billion years should be good enough. Of course, some systems will force you to add a number or a special character, but those are easily  appended to your phrase: Hastalavista,baby1! if you like. If you need multiple pass-phrases, try another favourite – Doyoufeelluckypunk?, and so on.

Song lyrics, movie lines, poetry, a sentence from a favourite book – just about anything can be a un-crackable pass-phrase. You should choose something 15 characters or longer.  Usetheforceluke is a bit short. Just about all systems that require a password can accommodate 25 characters with ease; some as many as 1,000.

Of course, expect the next evolution of password crackers to use common song lyrics and movie phrases, but I think you’ll be safe for awhile. Now there is NO EXCUSE to have lousy passwords.

Hasta la Vista baby!