
Password length - securing your online business.

As online business owners, our list of passwords grows as more and more of the services we use require authentication. We are tempted to reuse the same password over and over, or to choose easy-to-remember words. Both are very unwise practices.

A while ago, I needed to access a Word document I had compiled a couple of years earlier. Being a little on the security-conscious side, I had applied a password to it, and guess what?

I had forgotten the password I'd used.

So I set about running some software that would recover the password for me. I settled back with my cup of Moccona Indulgence, quietly contemplating the complexities of toenail clipping and ferret farming while I waited for the password to be revealed, along with the cheery "ding!" that would signal success.

I waited and waited, solved the toenail and ferret issues and became sleepy. I went to bed reassured by the prospect that the password would be available by the morning. And it was, but only because I remembered the password in a dream (it was relayed to me by a pink ferret with really long toenails). Over 750,000,000 password combinations had been flung at the file and the program was still going.


Password recovery statistics

There are many articles available on "how to choose a good password", so I won't reinvent the wheel. Instead I will simply provide a few statistics on how long it would take someone to crack a password under certain conditions, to illustrate the importance of long passwords.

The times stated here relate to brute force attacks. A brute force attack is carried out by a program that tries every possible combination of letters, numbers and/or other characters against a file until one works. Another popular form of cracking is the dictionary attack, which uses a (very large) list of commonly used words, names, film titles and so on, plus simple transformations of each entry (reversed, capitalised, digits appended, letters swapped for look-alike numbers and vice versa). This is why it is never wise to use your name, or any word that could appear in such a list, as a password: a dictionary attack never has to search the full keyspace, so a cracker can recover such passwords in minutes rather than years.

There are many brute force programs out there. The scariest thing is visiting some of these "security" sites and seeing how many times the utilities, which are often free and require no screening to access, have been downloaded. I won't name any programs for obvious reasons. The speed at which these programs work depends on a number of factors, including:

a) The speed of the computer/computers using the program

b) The type of file being cracked (zip, document etc.)

c) The location of the file (reached over the Internet, or "hands on" access to the computer holding it)

d) The design of the program

Some brute force programs only manage around 50,000 passwords per second; others claim up to 4,000,000 passwords per second against Microsoft Office files on a standard PC. For the table below I have assumed a program running at 1 million passwords per second against an Office document to which the cracker has "hands on" access. Times quoted are the maximum (every combination is tried before the right one is found; on average the password falls in about half that time), are for a single machine (splitting the keyspace across several machines divides the time accordingly), and assume the password is not a dictionary word.

Password                                                       Maximum time at 1,000,000 guesses/second
4 characters, lower or upper case letters                      a few seconds
4 characters, lower and upper case letters                     a few seconds
4 characters, lower and upper case letters and numbers         a few seconds

5 characters, lower or upper case letters (e.g. passb)         under 60 seconds
5 characters, lower and upper case letters (e.g. passB)        approx 6 minutes
5 characters, lower and upper case and numbers (e.g. Pasb1)    approx 15 minutes

8 characters, lower or upper case letters                      approx 58 hours
8 characters, lower and upper case letters                     approx 21 months
8 characters, lower and upper case letters and numbers         approx 7 years

10 characters, lower or upper case letters                     approx 5 years
10 characters, lower and upper case letters                    approx 4,648 years
10 characters, lower and upper case letters and numbers        approx 26,984 years

As you can see from the above, the longer your password the more secure it is, as long as you also adhere to the standard password choice guidelines: each extra character multiplies the work by the size of the character set, and mixing cases and adding digits enlarges that set. But even a standard 8 character lower or upper case password can be cracked a lot quicker than 58 hours if it is a dictionary word, the name of a celebrity or a simple misspelling of a common word, because the cracker then only has to try the entries in a word list rather than every possible combination.


Some other popular ways for hackers and crackers to get a foothold on your passwords:

a) Counting your keystrokes as you type in your password. Knowing the length alone lets them drop every shorter and longer candidate from the search, which can save them a lot of time.

b) Installing a keylogger on your machine. This is a program that records every keystroke to a file that can be retrieved later. Against a keylogger, password length is no defence at all.

c) Installing trojans on your system that exploit security holes to open up communication channels. Many trojans also contain keyloggers. Under the right conditions trojans can be installed remotely, and they are often "dropped" onto systems as part of a virus attack.

Of course, it is a lot easier for the hacker if he or she has direct physical access to your system. I mention this mainly for the teachers and I.T. trainers out there who may have people in their classes eager to "strut their stuff".

I once observed a training room where the students had installed a password cracking program on an NT server. The application ran in the background and the trainer in charge of the server was none the wiser. Since the server was on 24 hours a day, all the students had to do was wait; many pseudo-administrators have a habit of using short, common passwords.

If you are a small business owner who employs others, it is critical not only that you have policies in place on password length, but also that you gauge the level of interest your employees have in computer and Internet technologies. An employee who shows a great deal of interest in computer security may be your greatest asset, or your biggest liability.

At the end of the day, no password is long enough and no security system is bulletproof. If someone really wants to access your files or information about you, there are a number of ways to do so. Taking proper precautions will, however, eliminate the opportunist hackers and nosy employees, who aren't really hackers at all, just bored people who are, let's just say, "socially challenged".

Further Learning Resources

Preventing credit card fraud - for merchants.

Michael Bloch
Taming the Beast
http://www.tamingthebeast.net 
Tutorials, web content, tools and software.
Web Marketing, Internet Development & Ecommerce Resources
____________________________

Copyright information: This article is free for reproduction but must be reproduced in its entirety and this copyright statement must be included. Visit http://www.tamingthebeast.net for free Internet marketing and web development articles, tutorials and tools, and subscribe for free to our ecommerce/web design ezine.

copyright (c) 1999-2011  Taming the Beast  Adelaide - South Australia 
