Welcome to 12 character passwords

Bateluer

Lifer
Jun 23, 2001
http://www.cnn.com/2010/TECH/innovation/08/20/super.passwords/index.html

Interesting read, and should come as no surprise to IT people. It's no secret that processing power increases pretty quickly, and a relatively cheap computer can easily brute force passwords of shorter lengths.

Specifically, I wanted to comment on Facebook. Many sites are using FB login credentials to authenticate now. Given Facebook's sub-par privacy and the cavalier, nonchalant attitudes that many of its users have towards uploading all their personal data and information to FB, this is going to explode in a big way. I can't imagine that the majority of people on FB are using 8 character passwords, let alone 12 character alphanumeric ones. Shoot, last I checked, FB's password reset tool was broken, one of the many reasons why I deleted my account.

I'd like to see a repeat of the 1999 Deep Crack experiment using off the shelf hardware from 2010, see how long it takes to crack the same DES key. I'm going to guess a lot less than the 24 hours it took before.

(CNN) -- Say goodbye to those wimpy, eight-letter passwords.

The 12-character era of online security is upon us, according to a report published this week by the Georgia Institute of Technology.

The researchers used clusters of graphics cards to crack eight-character passwords in less than two hours.

But when the researchers applied that same processing power to 12-character passwords, they found it would take 17,134 years to make them snap.

"The length of your password in some cases can dictate the vulnerability," said Joshua Davis, a research scientist at the Georgia Tech Research Institute.

It's hard to say what will happen in the future, but for now, 12-character passwords should be the standard, said Richard Boyd, a senior research scientist who also worked on the project.

The researchers recommend 12-character passwords -- as opposed to those with 11 or, say, 13 characters -- because that number strikes a balance between "convenience and security."

They assumed a sophisticated hacker might be able to try 1 trillion password combinations per second. In that scenario, it takes 180 years to crack an 11-character password, but there's a big jump when you add just one more character -- 17,134 years.

Passwords have gotten longer over time, and security experts are already recommending that people use full sentences as passwords.

Here's one suggested password-sentence from Carnegie Mellon University:

"No, the capital of Wisconsin isn't Cheeseopolis!"

Or maybe something that's easier to remember, like this:

"I have two kids: Jack and Jill."

Even though advances in cheap computing power are making long, complicated passwords a necessity, not all websites will accommodate them, Boyd said.

It's best to use the longest and most complex password a site will allow, he said. For example, if a website will let you create a password with non-letter characters -- like "@y;}v%W$\5\" -- then you should do so.

There are only 26 letters in the English alphabet, but there are 95 letters and symbols on a standard keyboard. More characters means more permutations, and it soon becomes more difficult for a computer to generate the correct password just by guessing.

Some websites allow for super-long passwords. The longest one Boyd has seen is at Fidelity.com, a financial site that lets users create 32-character passwords.

On a Microsoft website devoted to password security, the tech giant tells the password-creating public not to use real words or logical combinations of letters. That keeps you safer from a "dictionary attack," which uses a database of words and common character sequences to try to guess the code.

The Georgia Tech researchers carried out a "brute force" attack when they determined that passwords should be at least 12 characters long.

To do so, they deployed computer graphics cards, which are cheap and can be programmed to do basic computations very quickly.

The processors in those cards run simultaneously, trying to guess all of the possible password combinations. The more characters in a password, the more guesses are required.

But if your password has to be really long in order to keep up with this computational power -- and if you're supposed to have a new password for each website you frequent -- then how are you supposed to remember everything?

That's a real problem, the Georgia Tech researchers said.

There are a few solutions, however.

A website called Password Safe will store a list of passwords for you, but Boyd and Davis said it may still be possible for a hacker to obtain that list.

Other companies sell tokens that people carry around with them. These keychain-sized devices generate random numbers several times a minute, and users must enter those numbers and a shorter password to log in.

Some sites -- Facebook for example -- are marketing their log-ins and user names as a way to access sites all over the Web.

That's good for the user but is potentially dangerous because if hackers figure out a single password, they can access multiple banks of information, the researchers said.

The reason passwords have to keep getting longer is that computers and graphics cards are getting faster, the Georgia Tech researchers said.

"These things are really inexpensive -- just a few hundred dollars -- and they have a performance that's comparable to supercomputers of only just a few years ago," Boyd said of fast-processing graphics cards.

Maybe our brains will have to get bigger and faster, too. We'll need some way to remember these tome-like character strings.
 

PokerGuy

Lifer
Jul 2, 2005
Tokens are really the way of the future, but nobody wants to carry around a bunch of tokens. They need to find a way to share some sort of token authentication.
 

Schadenfroh

Elite Member
Mar 8, 2003
The password requirements were insane when I worked for the DoD, glad they are. It was just annoying to memorize them when they changed.
 

jackace

Golden Member
Oct 6, 2004
Tokens are really the way of the future, but nobody wants to carry around a bunch of tokens. They need to find a way to share some sort of token authentication.

Yeah, tokens and/or some form of biometrics is where I see it heading too. Look at World of Warcraft and their authenticators. I bet we will see more of that in the future. Maybe even some kind of digital wallet with everyone packing around a thumb drive containing all their information. The information would be fully encrypted and require a thumb print, retinal scan, etc. to access any files on the drive.
 
Feb 24, 2001
Conference I went to a few months ago said 15 is the current standard, with 16 recommended.

I'm all for tokens as well.
 

CycloWizard

Lifer
Sep 10, 2001
I'm not a computer security expert by any means, so someone can help me out here: why can't a brute force attack easily be stifled by simply locking out an account for some amount of time after x incorrect guesses?
 

Bateluer

Lifer
Jun 23, 2001
And I'm willing to bet 3/4 of Facebook users use a 6 digit or less dictionary word as their password.

I'm not a computer security expert by any means, but can't a brute force attack easily be stifled by simply locking out an account for some amount of time after x incorrect guesses?

Not if you acquire the /etc/shadow file, or whatever the Windows equivalent is, that has the hash values; then you can brute force them at your leisure.
 

dfuze

Lifer
Feb 15, 2006
12 character PW? You can bet a lot more people will be writing down their PW and sticky noting it to the base of the monitor though.
 

WackyDan

Diamond Member
Jan 26, 2004
Considering many sites don't even support that many characters... we have a way to go to get there.

I agree, a FOB + PWD is probably going to be the only way to ensure simplicity. Problem is the industry needs to settle on a standard which will be like pulling teeth.

Authenticate to the local FOB and then site.
 

child of wonder

Diamond Member
Aug 31, 2006
My cousin and I had an argument this weekend about leaving root SSH access open. He said that as long as he uses an 8 character password with upper case, lower case, numbers, and special characters it would take millions of years to brute force through it.
 

StageLeft

No Lifer
Sep 29, 2000
I doubt most corporate people who are losing data are having their accounts cracked anyway.
 

spidey07

No Lifer
Aug 4, 2000
What I want to know is what does this article mean by "hack the passwords"? This seems like nothing more than brute force computational power to "guess" a string of characters after trying billions of permutations. Any site or system with any care of security will then kick into a 2 factor authentication needed state, tokens being another form of 2 factor auth as mentioned (something you know and something you possess).

If the site or system lets somebody try billions of combinations of a password then that is the site's own fault.
 

Avalon

Diamond Member
Jul 16, 2001
I use a 14 character password for my important stuff, a 9 character password for semi important things, and 5 character password for stuff I couldn't give two shits about :p
 

child of wonder

Diamond Member
Aug 31, 2006
What I want to know is what does this article mean by "hack the passwords"? This seems like nothing more than brute force computational power to "guess" a string of characters after trying billions of permutations. Any site or system with any care of security will then kick into a 2 factor authentication needed state, tokens being another form of 2 factor auth as mentioned (something you know and something you possess).

If the site or system lets somebody try billions of combinations of a password then that is the site's own fault.

Agreed.

Not allowing default user accounts access (root, administrator) is also important.
 

Kntx

Platinum Member
Dec 11, 2000
I'm not a computer security expert by any means, so someone can help me out here: why can't a brute force attack easily be stifled by simply locking out an account for some amount of time after x incorrect guesses?

The idea is that the hacker has the user file on hand. Maybe they hacked the system and downloaded it, pulled it off a found/stolen laptop, etc.
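The arithmetic behind the article's figures (95 keyboard characters, 1 trillion guesses per second, 180 years for 11 characters and 17,134 years for 12) and the offline-versus-lockout point made in the replies above, as an added example that is not from the CNN piece or any poster here. The 5-attempts-per-15-minutes lockout policy is a constructed assumption for illustration.

```python
# Added example: reproduce the Georgia Tech brute-force estimates and contrast
# them with the guess rate a server-side lockout would allow through a login form.

SECONDS_PER_YEAR = 365 * 24 * 60 * 60   # 365-day year; this reproduces the article's figures
PRINTABLE_ASCII = 95                    # letters, digits and symbols on a standard keyboard
GPU_RATE = 10**12                       # the article's "1 trillion combinations per second"


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols from a `charset_size` alphabet."""
    return charset_size ** length


def seconds_to_exhaust(charset_size: int, length: int, guesses_per_second: int) -> int:
    """Whole seconds to try every password at a fixed rate (on average half this suffices)."""
    return keyspace(charset_size, length) // guesses_per_second


def years_to_exhaust(charset_size: int, length: int, guesses_per_second: int) -> int:
    """Same search expressed in whole years, as the article reports it."""
    return seconds_to_exhaust(charset_size, length, guesses_per_second) // SECONDS_PER_YEAR


def lockout_limited_years(charset_size: int, length: int,
                          attempts_per_window: int, window_seconds: int) -> int:
    """Years for the same exhaustive search when the only route is the login form and the
    server permits `attempts_per_window` guesses per `window_seconds` before locking out.
    This cap disappears once the attacker holds the hash file (/etc/shadow or equivalent)."""
    total_seconds = keyspace(charset_size, length) * window_seconds // attempts_per_window
    return total_seconds // SECONDS_PER_YEAR


if __name__ == "__main__":
    for n in (8, 11, 12):
        secs = seconds_to_exhaust(PRINTABLE_ASCII, n, GPU_RATE)
        print(f"{n:2d} chars, offline at 1e12/s: {secs / 3600:,.1f} hours "
              f"= {secs // SECONDS_PER_YEAR:,} years")
    # Constructed lockout policy: 5 attempts, then a 15-minute lock (900 seconds).
    print("8 chars through a lockout-protected login form:",
          f"{lockout_limited_years(PRINTABLE_ASCII, 8, 5, 900):,} years")
```

The 8-character row comes out under two hours and the 12-character row at 17,134 years, matching the article; the last line shows why a lockout answers the online case only.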
 
Dec 26, 2007
I use a 14 character password for my important stuff, a 9 character password for semi important things, and 5 character password for stuff I couldn't give two shits about :p

I'm similar.

I have 3 main passwords that all vary by complexity. My very secure password (computer, bank, etc) is 15 characters, the password that's middle of the road (meets 95% of password complexity requirements) is 9 characters, and my "I don't give a fuck" password (for AIM and crap I don't care if I lose) is also 9 characters but is the simplest to type in and least complex (although it is still more secure than a lot of peoples).

Although, back in HS on my tablet I had with me in school I had an encrypted HD requiring a password to boot and a 34 character complex password. Try typing that in with an onscreen keyboard at the start of every class :p
 

Kirby

Lifer
Apr 10, 2006
The password requirements were insane when I worked for the DoD, glad they are. It was just annoying to memorize them when they changed.

Yup. The guy that sat next to me used to cuss up a storm when he had to change passwords.

One requirement was 10 or 12 chars, including at least 2 symbols, 2 caps, and 2 numbers. I think there was something about too many consecutive characters from your last password too.
 

JSt0rm

Lifer
Sep 5, 2000
Pretty soon we will have programs that create our passwords and we don't even enter them by hand anymore.
 

Vette73

Lifer
Jul 5, 2000
Yup. The guy that sat next to me used to cuss up a storm when he had to change passwords.

One requirement was 10 or 12 chars, including at least 2 symbols, 2 caps, and 2 numbers. I think there was something about too many consecutive characters from your last password too.


Yea, at DoS it has to have upper, lower, and a number. Even then that is just my desktop and e-mail. For other systems it's upper, lower, number, and a symbol.

I've yet to meet a single person that has been at any Fed Agency that is a GS12+/3years+ that does not write down their passwords. Some resets are quick so many don't write those down; but a couple I know can take up to a week, so I write those down.
 

JS80

Lifer
Oct 24, 2005
In other news hacking/unauthorized access skyrockets due to people writing down their passwords on stickies and leaving them on the desk.
 

glenn1

Lifer
Sep 6, 2000
Yup. The guy that sat next to me used to cuss up a storm when he had to change passwords.

One requirement was 10 or 12 chars, including at least 2 symbols, 2 caps, and 2 numbers. I think there was something about too many consecutive characters from your last password too.

Because corporate password programs in their current form are idiotic. If your security plan to keep safe your multi-million dollar systems requires the active cooperation of folks earning small fractions of that (who don't really give a shit either) to cooperate in your password schemes then you're doing it wrong. Expecting them not to take predictable shortcuts (like the post-it on their monitor with their password) is even more stupid on corporate security's part. Hell, I bet most of the senior managers allocating $$$ for all this network security are probably the worst about writing down their passwords (or for making their administrative assistants responsible for them on their behalf).

I think of passwords like a physical lock, something to keep out the honest but not something to stop a determined thief. Make it a PITA for me to log in, I'm not going to bother engaging the security tools you give me. To continue with the physical lock analogy, if opening my car door in the morning required 12 steps in some random order that I had to change every few weeks I'd say fvckit and leave the thing unlocked.