Blog / Hasta la vista, baby
What do nursery rhymes, memorable movies phrases, and great song lines have in common? They make great passwords. And there is not a single number or special character in them. In fact, the requirement to use special characters and numbers to make an un-crackable password may be a myth. They in fact, make the password easier to crack.
We were taught this by our IT Security Supervisor, Karl Buckley last week.
Wow – right now the Security Gurus are firing up their Email to send me a blast. But let’s try to think this through.
There are two ways a password gets compromised (well, three if you count the stupidity of people who hand out their account credentials like candy). We’re assume you don’t share your password with anyone.
The first is the keystroke sniffer. This is a little BOT (virus program) that gets installed on your computer and monitors all of your keystrokes – and relays them on to an Internet server that analyzes the content and looks for user name – password combinations. These virus BOTs are installed by opening an infected attachment.
- Common Passwords. There are useful tools on the Internet that list the most common passwords; 123456 is at the top of the list, but 12345, password1, qwerty, and several other combinations are still very widely used. They try a list of common passwords against a login page in very quick succession. They can run a list in fractions of a second.
- Brute Force. They try every possible combination of letters (upper and lower case). numbers, and special characters – anything on the keyboard. This list of keyboard characters is called the standard ASCII list. Of course, we’ve seen this in all sorts of mystery and action spy thriller movies – where the numbers roll by the screen as the safe combination is cracked. It makes for good cinema. Brute-force cracking a password takes time, but computers are very good at doing this type of repetitive task with blinding speed. There are spreadsheets that calculate the average time it takes to crack a password using brute force.
We’re going to assume your super-secret password is not 123456 – or one of the common passwords. So, someone is going to have to use brute force. Which leads me to the point: the longer the password, the longer it takes to crack using brute force. here are some simple examples from a spreadsheet calculator:
- 6 Lower Case Letters: Less than 1 minute
- 6 Lower Case Letters, 1 Upper Case Letter, 1 Number: 2.5 hours
- 6 Lower Case Letters, 1 Upper Case Letter, 1 Number, 1 Special Character: 75 hours
- 8 Lower Case Letters, 2 Upper Case Letters, 2 Numbers, 2 Special Characters: 48,000 Years
I think you can see the pattern. It’s also not that important to have special characters and numbers. There are only 10 digits, so they add less complexity than just adding another alpha character. Upper and lower case each add 26 characters to try, so mixing case is good. Special characters add 32 more. But trying to remember a 14-character mixed case password with numbers and special characters is tough, especially if it’s changed every 3 months – and you have more than a handful of them. So, here’s the trick:
Use a simple phrase that’s easy to remember. Let’s try:
- Hastalavista,baby: 4.6 billion years
It’s estimated our sun will die in about 5 billion years; 4.6 billion years should be good enough. Of course, some systems will force you to add a number or a special character, but those are easily appended to your phrase: Hastalavista,baby1! if you like. If you need multiple pass-phrases, try another favourite – Doyoufeelluckypunk?, and so on.
Song lyrics, movie lines, poetry, a sentence from a favourite book – just about anything can be a un-crackable pass-phrase. You should choose something 15 characters or longer. Usetheforceluke is a bit short. Just about all systems that require a password can accommodate 25 characters with ease; some as many as 1,000.
Of course, expect the next evolution of password crackers to use common song lyrics and movie phrases, but I think you’ll be safe for awhile. Now there is NO EXCUSE to have lousy passwords.
Hasta la Vista baby!