4/19/2023 0 Comments 1000 passwords plus![]() ![]() ![]() Note: The examples below are based on 100 password request per second. Now that we have covered the basics, let's look at some real examples, and see just how usable we can make a password, while still being "secure forever". That ought to be good enough, right? Making usable and secure passwords I want a password that takes 1,000 years to crack- let's call this " secure forever". Let's step that up too and go for the full high-end security level. That he accidently finds the right password after only 15 years instead of 100. There is still the chance that the hacker gets lucky. It has good ring to it and it makes us feel safe. Let's look at "100 year - secure for life". Who cares about their password being hacked after they have died? Still it is nice to know that you use a password that is "secure for life"īut let's take a full swing at this. A lifetime: 100 years - this is really the limit for most people. ![]() 10 years - Now we are talking purely theoretical.For the rest of us, well - you do not have that kind of enemies, nor is your company data that interesting. If you are NASA or CIA then it is unacceptable. 1 year - now we are moving from practical risk to theoretical risk.1 month - this is something that only a dedicated attacker would do.The probability that a person will have a program running just to hack your account for an entire day is very little. a password that can be hacked in 1 minute is far too risky.This is of course a highly insecure password, but how much time is enough for a password to be secure? 3 letters using the lowercase alphabet = 26 3 Note: "sun" has 17,576 possible character combinations. This means it takes the following time to hack a simple password like " sun": The actual number varies, but most web applications would not be capable of handling more than 100 sign-in requests per second. The measure of security must then be " how many password requests can the automated program make - e.g. He isn't going to sit around manually trying 500,000 different words to see if one of them is your password. A hacker will usually create an automated script or a program that does the work for him. You cannot protect against "asking" and "guessing", but you can protect yourself from the other forms of attacks. Dictionary attacks: Same concept as common word attacks - the only difference is that the hacker now uses the full dictionary of words (there are about 500,000 words in the English language)."sum, summer, summit, sump, sun (MATCH)". Instead of trying different combination of letters, the hacker tries different words e.g. Common word attacks: A simple form of brute-force attacks, where the hacker attempt to sign-in using a list of common words.The only thing that stops a brute force attack is higher complexity and longer passwords (which is why IT people want you to use just that). If you password is "sun", he will attempt to sign-in using "aaa, aab, aac, aad. A hacker simply attempts to sign-in using different passwords one at the time. Brute force attack: Very simple to do.This problem can only be solved by choosing a password with no relation to you as a person. Passwords like: your last name, your wife's name, the name of your cat, the date of birth, your favorite flower etc. It turns out that most people choose a password that is easy to remember, and the easiest ones are those that are related to you as a person. Guessing: This is the second most common method to access a person's account.Having a complex password policy isn't going to change this. People often tell their passwords to colleagues, friends and family. Asking: Amazingly the most common way to gain access to someone's password is simply to ask for it (often in relation with something else).The work involved in hacking passwords is very simple. Update - April 21, 2011: This article was "featured" on Security Now, here is my reply! How to hack a password Update: Read the FAQ (updated January 2011) So let's dive into the world of passwords, and look at what makes a password secure in practical terms. In fact, usable passwords are often far better than complex ones. This is bad advice, because you can actually make usable, easy to remember and highly secure passwords. Security companies and IT people constantly tells us that we should use complex and difficult passwords. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |