As online business owners, we find our list of passwords growing because a great number of the services we access require authentication. We are tempted to use the same password over and over, or to use easy-to-remember words: a very unwise practice.
A while ago, I needed to access a Word document that I compiled a couple of years ago. Being a bit on the security conscious side, I had applied a password to it and guess what?....
I had forgotten the password I'd used.
So I set about running some software that would extract the password for me. I settled back with my cup of Moccona Indulgence, quietly contemplating the complexities of toenail clipping and ferret farming while I waited for the password to be revealed along with the cheery "ding!" that would signal success.
I waited and waited, solved the toenail and ferret issues and became sleepy. I went to bed reassured by the prospect that the password would be available by the morning. And it was; only because I remembered the password in a dream (it was relayed to me by a pink ferret with really long toenails). Over 750 000 000 password combinations had been flung at the file and it was still going.
Password recovery statistics
There are many articles available on "how to choose a good password", so I won't reinvent the wheel; instead, here are a few statistics on how long it would take someone to crack a password under certain conditions, to illustrate the importance of long passwords.
The times stated here relate to "brute force" attacks. A brute force attack is carried out by a program that tries every possible combination of letters and/or numbers and/or other characters against a file. Another popular form of cracking/hacking is a dictionary attack, which uses a (very large) file of commonly used words, names, film titles etc. together with some word substitutions (forwards, backwards, numbers for words, words for numbers). This is why it is never wise to use your name as a password: a cracker can very quickly recover such passwords using dictionaries.
There are many types of brute force programs out there. The scariest thing is visiting some of these "security" sites and seeing how many times the utilities, which are often free and require no screening to download, have been downloaded. I won't name any programs, for obvious reasons. The speed at which these programs work depends on a number of factors, including:
a) The speed of the computer/computers using the program
b) The type of file being cracked (zip, document etc.)
c) The location of the file (WWW or "hands on" access to the computer)
d) The design of the program
Some brute force programs only run at around 50 000 passwords per second; others claim up to 4 000 000 passwords per second on Microsoft Office files using a standard PC. For this example I will assume a program running at 1 million passwords per second against an Office document to which the cracker has "hands on" access. The times quoted are maximums (every combination tried before the right one is found) and apply to non-dictionary passwords.
As the figures above show, the longer your password the more secure it is, as long as you adhere to the standard password choice guidelines. But even a standard 8 character lower or upper case password can be cracked a lot quicker if it is a dictionary word, the name of a celebrity, a simple misspelling of a common word, etc.
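To make the figures concrete, here is an added example (not code from the original article) that works through the brute-force arithmetic at the article's assumed rate of 1 million guesses per second, and pairs it with a simple check for the dictionary-derived passwords the article warns about. The character-set sizes, the word list and the substitution table are assumptions constructed for the example; real attack dictionaries are far larger.

```python
# Added example, not part of the original article. Worst-case brute-force
# timing at the article's assumed 1 million guesses/second, plus a check
# that undoes the dictionary-attack transformations the article describes.

SECONDS_PER_YEAR = 365 * 24 * 3600
RATE = 1_000_000  # guesses per second, as assumed in the article

# Assumed character-set sizes for a standard US keyboard.
CHARSETS = {
    "lowercase letters": 26,
    "mixed-case letters": 52,
    "letters and digits": 62,
    "all printable ASCII": 95,
}


def keyspace(charset_size: int, length: int) -> int:
    """Distinct passwords of exactly `length` symbols drawn from `charset_size`."""
    return charset_size ** length


def max_crack_seconds(charset_size: int, length: int, rate: int = RATE) -> float:
    """Worst case: every candidate is tried before the right one turns up."""
    return keyspace(charset_size, length) / rate


def human_duration(seconds: float) -> str:
    """Express a duration in the largest unit that fits, for readability."""
    for name, size in (("years", SECONDS_PER_YEAR), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:,.1f} seconds"


def crack_time_table(lengths=range(4, 13), rate: int = RATE) -> list:
    """Rows of (length, charset name, keyspace, worst-case time) per combination."""
    return [
        (length, name, keyspace(size, length),
         human_duration(max_crack_seconds(size, length, rate)))
        for length in lengths
        for name, size in CHARSETS.items()
    ]


# Constructed word list standing in for the very large dictionaries attackers use.
WORDLIST = {"password", "letmein", "welcome", "adelaide", "ferret"}

# Common symbol-for-letter substitutions that a dictionary attack undoes.
SUBSTITUTIONS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                               "5": "s", "7": "t", "@": "a", "$": "s"})


def looks_dictionary_based(password: str, wordlist=WORDLIST) -> bool:
    """True if the password is a list word once case, trailing digits,
    symbol substitutions or reversal are undone."""
    base = password.lower().rstrip("0123456789").translate(SUBSTITUTIONS)
    return base in wordlist or base[::-1] in wordlist


if __name__ == "__main__":
    for length, name, size, when in crack_time_table(lengths=(6, 8, 10, 12)):
        print(f"{length:2d} chars, {name:20s}: {size:>26,d} candidates, up to {when}")
    for pw in ("P@ssw0rd", "dr0wssap", "Welcome1", "Xq7#pL9v"):
        print(f"{pw:10s} dictionary-derived? {looks_dictionary_based(pw)}")
```

Running the script shows why length matters more than anything else: each extra character multiplies the keyspace by the alphabet size, so an 8 character lowercase password falls in a couple of days at this rate while 8 characters from the full printable set takes centuries. The dictionary check shows the other side of the article's point: `P@ssw0rd` and `dr0wssap` look complex but normalise straight back to a list word, so the brute-force figures do not apply to them at all.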
Some other popular methods hackers and crackers use to get at your passwords:
a) Watching and counting your keystrokes as you type in your password - knowing the length can save them a lot of time
b) Installing a keylogger on your machine. This is a program that records every keystroke to a file that can be retrieved later.
c) Installing trojans on your system that exploit security holes to open up communication channels. Many trojans also contain keyloggers. Under the right conditions trojans can be installed remotely, and they are often "dropped" onto systems as part of a virus attack.
Of course, it's a lot easier for the hacker if he or she has direct physical access to your system. I mention this mainly for the teachers and IT trainers out there who may have people in their classes eager to "strut their stuff".
I once observed a training room where the students had installed a password hacking program onto an NT server. The application ran in the background and the trainer in charge of the server was none the wiser. Since the server was on 24 hours a day, all the students had to do was wait - many pseudo-administrators have a habit of using short, common passwords.
If you are a small business owner who employs others, it's not only critical that you have policies in place regarding password length; it's probably also wise to ascertain the level of interest your employees have in computer and Internet technologies. An employee who shows a great deal of interest in computer security may be your greatest asset - or your biggest liability.
At the end of the day, no password is long enough and no security system is bulletproof. If someone really wants to access your files or information about you, there are a number of ways to do so. Taking proper precautions will eliminate the opportunist hackers and nosy employees, who aren't really hackers at all, just bored people who are, let's just say, "socially challenged".
copyright (c) 1999-2011 Taming the Beast Adelaide - South Australia