Saturday, September 3, 2011

Making Passwords Stronger

Ever since reading the XKCD comic about Password Strength, the question of whether my own passwords are good enough has troubled me. I've always tried to be conscious of security issues, though never fanatically; I felt my secure password (I have three or four passwords of increasing complexity) was secure enough to deter a chance cracker who is not too keen on spending much time on me personally. Of course, if an experienced cracker were after me, I have no delusion that an extra letter or ten is going to deter her.

One major issue I had with my password scheme is that there were not enough gradations. I have one password for various websites where I would not care much if my account was compromised. Another, though perhaps even less secure than the first, is used for accounts that I care about, but not overly, such as Facebook. The third, and the most secure one, is used for -- and here's where the problem lies -- my online banking, administrative accounts on my computers, and websites that require eight-character passwords with digits, uppercase letters, and such. It's this last category that makes me uneasy, more so since reading the How Big is Your Haystack? article by Steve Gibson of Security Now! fame. According to the "Brute Force Password 'Search Space' Calculator" on the page, my secure password would take over four million years to crack in an online attack, but only a day and a half in an offline attack, or as little as "2.29 minutes" if a "massive cracking array" is used. Granted, that's still not bad, but computers are getting more and more powerful with each passing year, so I would imagine the "massive cracking array" will soon fit in an iPhone. As you no doubt see, the main problem is that my secure online password is the same as my secure offline password, so someone who, for example, steals my laptop and cracks my root password could access not only my Gmail accounts (Google requires eight-character passwords) but also my online banking.

Therefore, I spent some time with the "Brute Force Password 'Search Space' Calculator" as well as the Password Meter and came up with a more secure password that I can now use for my important stuff. Instead of coming up with a different password altogether, I used a strategy similar to the one outlined by Vic of Tech Garten about making your password stronger. My secure password thus went from a 68% score on the Password Meter to 98% without my having to memorize a wholly different password.

The reason I went with this approach rather than, as the XKCD comic suggests, coming up with four nonsensical English words is the ease of remembering. True, if I were creating my first secure password, remembering four English words might be easier, but over a dozen years of using my existing password has cemented it in my brain like no English words can. Moreover, having to type some 25 characters every time I need to log in somewhere suffers from a similar problem to using a randomly generated password: there is a strong incentive to have one's browser "save" the password just to avoid having to type it every time. As things stand, I feel fairly good about my 11-character password that could take up to 1.83 years to crack even using a "massive cracking array."
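The crack times quoted above (2.29 minutes and a day and a half for the old password, 1.83 years for the new one) and the XKCD four-word alternative can be checked with a few lines of arithmetic. The script below is an added example and is not code from the original post or from Gibson's page. It assumes the three guess rates the Haystack calculator states (1,000 per second online, 100 billion per second offline, 100 trillion per second for a massive cracking array) and the calculator's habit of counting every string up to the given length. Under those assumptions the post's figures are reproduced, to within rounding, if the old password was nine characters of upper, lower and digits and the new one eleven characters drawing on all four classes; that reading of the post is an inference, and the passwords in the script are constructed stand-ins with those character classes, not the author's.

```python
"""Haystack-style search-space arithmetic versus a word-list attack on an
XKCD-style passphrase.  Added example, not code from the original post."""

# Guess rates per second for the three scenarios on Gibson's Haystack page
# (assumed to be the rates the calculator states).
RATES = {
    "online": 1_000,
    "offline": 100_000_000_000,
    "massive array": 100_000_000_000_000,
}

SECONDS_PER_MINUTE = 60
SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY


def alphabet_size(password: str) -> int:
    """Alphabet a brute-force attacker must cover, judged from the character
    classes present: 26 lower, 26 upper, 10 digits, 33 printable symbols."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33
    return size


def search_space(alphabet: int, length: int) -> int:
    """Every string of length 1..length: an attacker who does not know the
    length has to try the shorter ones first."""
    return sum(alphabet ** k for k in range(1, length + 1))


def brute_force_seconds(password: str) -> dict:
    """Worst-case seconds to exhaust the search space in each scenario."""
    space = search_space(alphabet_size(password), len(password))
    return {name: space / rate for name, rate in RATES.items()}


def passphrase_seconds(num_words: int, dictionary_size: int = 2048) -> dict:
    """Same rates, but the attacker tries word combinations from a known
    list, so the space is dictionary_size ** num_words (2048 ** 4 is the
    44 bits the XKCD comic assumes)."""
    space = dictionary_size ** num_words
    return {name: space / rate for name, rate in RATES.items()}


def describe(seconds: float) -> str:
    """Human-readable duration in the units the calculator tends to use."""
    if seconds < SECONDS_PER_MINUTE:
        return f"{seconds:.2f} seconds"
    if seconds < SECONDS_PER_MINUTE * 60:
        return f"{seconds / SECONDS_PER_MINUTE:.2f} minutes"
    if seconds < SECONDS_PER_DAY * 30:
        return f"{seconds / SECONDS_PER_DAY:.2f} days"
    return f"{seconds / SECONDS_PER_YEAR:.2f} years"


if __name__ == "__main__":
    # Constructed stand-ins: nine alphanumerics, then eleven characters
    # using all four classes.  Neither is a real password from the post.
    for label, pw in [("9 alnum", "Abcdef123"), ("11 mixed", "Abcdefg123!")]:
        times = {k: describe(v) for k, v in brute_force_seconds(pw).items()}
        print(label, "alphabet", alphabet_size(pw), times)
    print("4 words", {k: describe(v) for k, v in passphrase_seconds(4).items()})
```

Running it prints roughly 2.29 minutes and 1.59 days for the nine-character case and 1.82 years for the eleven-character case. The passphrase line is the caveat worth keeping in mind: the same four words that the character-by-character model rates as a 25-letter monster fall in a fraction of a second to a massive array that guesses whole words from a 2048-word list, because the search space is what the attacker must actually cover, not what the string looks like. The same applies to any character password built from a dictionary word plus a few substitutions.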
