Post by drcard on Mar 23, 2020 8:36:11 GMT -5
Password Strength
Overview:
A password is a digital lock much like a lock on a box or door. The amount of protection a lock provides comes from the strength of the lock; likewise, the amount of protection a password provides comes from the strength of the password. What follows is information of what makes a password strong and more difficult to hack.
Prelude:
In order to determine what makes a password strong, one must understand how passwords are hacked. Password hacking can be divided into two major approaches…1) Brute Force and 2) Research. Below is information on each of these two major approaches and how to create passwords that are more difficult to hack.
It is important to understand that there is no password that is hack proof. However, password hackers must weigh resource investment versus the gain from hacking. A hacker is not going to spend his resources, time, and exposure to hack your login password to your Facebook account, so a weak password that is easy to remember is OK for that site. Conversely, the password to your bank account may entice a hacker to spend his resources and time. Clearly the password for your bank account should be very strong. A password that requires more investment in time and resources to hack than what can be gained by hacking the password is the best protection one can receive from a password.
Brute Force
A Brute Force password hack is a program trying every possible combination of characters until the password is found. This type of hack has been a back and forth battle between new password designs and new hacking abilities. If you count all the letters both upper and lower case, numbers, and characters on a typical keyboard you get 96 different characters. The possible number of unique combinations of 96 different characters depends on the number of characters in the password. It is calculated as 96^X where X is the number of characters in the password. A 4-character password would yield 96^4 (which is 96x96x96x96 = 84,934,656 possible combinations); but an 8-character password would be 96^8 or 612,709,757,329,767,363,772,416 possible combinations. The more characters in the password, the more possible combinations exist; thus, harder for a Brute Force hack to try every combination. It is easy to see that the brute force method alone would have problems with passwords over 8 characters by number of possible combinations.
An offshoot of the Brute Force method is using Rainbow Tables. Rainbow Tables make use of how encrypted passwords are stored and recognized. As the password is entered it is encrypted to hide the characters. An alpha-numeric code is created based upon the characters being encrypted. This created code is the hash code for that password and it is the hash code that is used to validate the password for that account. Rainbow Tables are enormous lists of hash codes for the most common passwords ever used. These tables cut down the number of combinations to try and make it easier to hack the password. Many web sites have already switched to different encryption for passwords and don’t use the hash code method. Due to Rainbow Tables, important sites like social security and banks are utilizing texting codes to allow access to make sure the user logged on is the owner of the account. Rainbow Tables depend upon passwords being common text and dates, but unrelated letters and characters will yield hash codes not in the tables.
Research
All users face the same dilemma when creating a password…meeting the criteria given to us at the web site and creating a password we will remember. This is where we use info that we know we won’t forget such as birth dates, pet’s name, or even home address. With social media and other sources, hackers can easily find your date of birth, place of birth, pet’s name, etc. If you used any of these in any combination a hacker could hack that password in less than 30 minutes. The way to defeat the research password hack is not to use true info in your password. This could make remembering the password harder, so start using permanent fudge factors such as always add one month to any real date or avoid these types of passwords.
What is a Strong Password
A Strong Password will:
Be 12 or more characters in length
Contain letters, numbers, and characters
Contain no personal or pet information
Random letters, numbers, & characters that do not form legible text
So how are you to remember a password that meets the above criteria? I use the acronym trick to create and remember complex passwords. I create a statement that is true and easy to remember such as:
“I like tuna fish on toast and could eat 3 times a day, but that is too much fish!”
Take the first letter of each word, turn times a day to /d, and change too to 2 to yield the following password:
Iltfotace3/dbti2mf!
As I say the statement I enter the letters, numbers, and characters.
Write the statement down rather than the password and only you will know how to use the statement.
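As an added example (not part of drcard's post), the acronym rule and the 96^X combination count above carried out in Python. The treatment of punctuation (commas dropped, only the statement's final mark kept) and the guess rate used for the time estimate are assumptions, not figures from the post.

```python
import string

# The post's figure for distinct characters on a typical keyboard.
ALPHABET_SIZE = 96

# Phrase substitutions the post describes, applied before taking first letters.
SUBSTITUTIONS = {"times a day": "/d", "too": "2"}

# Punctuation stripped from the ends of each word (assumption: commas and
# quotes are dropped; only the statement's final mark survives).
EDGE_PUNCT = "\"'“”,.;:!?()"


def acronym_password(statement: str) -> str:
    """Derive the post's acronym-style password from a memorable statement."""
    text = statement
    for phrase, token in SUBSTITUTIONS.items():
        text = " ".join(token if w == phrase else w for w in [text])  # no-op guard
        text = text.replace(phrase, token)
    out = []
    for word in text.split():
        core = word.strip(EDGE_PUNCT)
        if not core:
            continue
        # A substituted token (e.g. "/d") is kept whole; any other word
        # contributes only its first character.
        out.append(core if core in SUBSTITUTIONS.values() else core[0])
    pw = "".join(out)
    if statement and statement[-1] in "!?.":
        pw += statement[-1]
    return pw


def keyspace(length: int, alphabet_size: int = ALPHABET_SIZE) -> int:
    """Number of candidate passwords of exactly `length` characters (96^X)."""
    return alphabet_size ** length


def years_to_exhaust(length: int, guesses_per_second: float) -> float:
    """Worst-case time for a brute-force search to try every combination."""
    return keyspace(length) / guesses_per_second / (365 * 24 * 3600)


def meets_criteria(password: str) -> dict:
    """Check the post's mechanical criteria (personal-info check is manual)."""
    return {
        "length_12_plus": len(password) >= 12,
        "has_letters": any(c in string.ascii_letters for c in password),
        "has_digits": any(c in string.digits for c in password),
        "has_symbols": any(c in string.punctuation for c in password),
    }
```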
You will never know that your strong password stopped a hacker, but you will know when a hacker has hacked your weak password and stolen from you.