Monday, December 10, 2012

Password Security and Keeping your Data Safe

If you are using a password that is 8 characters in length (or shorter) you just lost the game. And I'm not talking about well-known passwords, such as "password", "monkey", "qwerty", or "12345678". This machine here is part of a cluster of 25 GPUs (Graphic Processing Units) and can crack any 8 character password of any complexity in less than 6 hours:

GPU Cluster

As reported on the Ars Technica blog today, researchers have built a Linux-based GPU cluster that can brute-force the NTLM hashing algorithm at the heart of Windows login authentication, trying an astounding 95^8 combinations in just 5.5 hours. At a speed of 350 billion guesses per second, it can crack any password of 8 characters or less in length without resorting to dictionary-based attacks.

Combining such power with existing dictionary based cracking algorithms can possibly crack even longer passwords in a similar time.

The machine was unveiled by Jeremi Gosney at the Passwords^12 conference in Oslo, Norway, last week. The same machine can make 63 billion guesses per second against password hashes computed using SHA1 - a very widely used hashing algorithm.

How secure is your password?

The reality is that most people still use incredibly weak passwords. The 25 Most Popular Passwords of 2012 are well-documented, as are the 10,000 Top Passwords of 2011. If your password is on either of those lists, you should stop what you are doing right now and go change it. Seriously. All of these well-known passwords, as well as any word that appears in a dictionary, are highly susceptible to hacking.

Up until a little while ago the common recommendation was to add a few numerical digits and maybe a special character or two to the mix, and that would usually result in a pretty safe password. Most sites also require users to pick a password of 8 characters in length (or more) and people usually stick with 8. But that is simply no longer sufficient, as any password 8 characters in length can now be hacked within 6 hours with a brute-force attack.

However, the solution is fairly simple: just by doubling the password length from 8 to at least 16, the duration required to crack the password by the new GPU cluster or similar machines increases from 6 hours to 138 billion years. Even assuming reasonable advances in processor power over the next couple of years, that should make the password pretty safe for the foreseeable future.

If you want to see how (in)secure your old password was, you can use this service. But please make sure you change your password afterwards!

In addition to these thoughts about password length and complexity, it is also important to realize that sooner or later most online websites end up being hacked and all their passwords being stolen (see, for example, the LinkedIn Password Hack in June 2012). Therefore, it is vitally important to minimize the damage and not reuse your passwords on multiple sites.

Ultimately, however, a password alone cannot ever be 100% secure. In addition to hacking in its various forms, any password is also susceptible to phishing attempts, trojans, key-loggers, and other approaches that compromise its security. The only proven approach to really keep a system secure is based on a technology called 2-factor authentication where you need to provide at least two pieces of information to access a system: for example, something that you know (password) and something that you have (secure token).

A lot of these topics have also been discussed in various newspaper articles and blog posts recently and I have provided links to the most useful articles at the bottom of this blog post.

Recommendations

Here is my own personal list of measures that help me keep my passwords and data more secure - these are based on my own approach that I've developed over time, so feel free to adopt any of those for your needs as you see fit:

  1. If an online service offers 2-factor authentication, I always take advantage of that - especially for sensitive information, such as online banking, investments, etc. but I also use it for DropBox, my Google account, or even for Facebook.
  2. All passwords need to be 16-20 characters in length at a minimum and include at least 6 numeric or special characters. This makes them relatively uncrackable, provided that one doesn't include any common words from the dictionary. I try to stay away from common recommendations and password-generation patterns, such as taking the first character of each word in your favorite song lyrics or similar approaches. If a pattern has been described somewhere, you can rest assured that hackers know about that pattern and can tweak their algorithm to crack it.
  3. I use different passwords for all sites - not a single password shared amongst multiple sites.
  4. For all online services I use computer-generated random passwords with a length of 16-20 characters or longer - depending on what the website allows - and these passwords use at least six numeric or special characters. For example, such a password might look like this: [mLzJKf1j7cP3n|B!8@WJw
  5. I use a password-management application to generate and keep track of all these random passwords. There are many popular such applications on the market and after some research and testing I found 1Password to be the right solution for me, since it is available for Windows, Mac, iOS, and Android.
  6. My master password for the password-management software is somewhere between 25-35 characters in length and uses more than eight numeric and special characters. Nothing in this password is susceptible to a dictionary-based attack, so it should withstand all current cracking capabilities.
  7. I store all my sensitive information and financial data in an encrypted file and keep it safe by storing that file on a USB drive. I use TrueCrypt (http://www.truecrypt.org/) as the encryption software of choice, because it is again available on multiple platforms. The password for my encrypted data is again highly complex and fulfills all of the requirements outlined above.
  8. To guard against catastrophic failure of the password-management software, a printout of all passwords is stored in my safe.
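To make the arithmetic behind the 95^8 figure above and the random passwords of recommendation 4 concrete, here is an added Python example (not code from the original post) that computes the worst-case time to exhaust a keyspace at the post's 350 billion guesses per second and generates a random password that satisfies the list's length and special-character rule. The 365.25-day year, the 94-symbol generation charset (printable ASCII minus space) and the use of Python's `secrets` module are my assumptions.

```python
import secrets
import string

# Assumption: the 95^8 figure in the post counts all 95 printable ASCII symbols.
PRINTABLE_ASCII = 95
# Assumption: generated passwords use the 94 typeable symbols (no space).
GENERATION_CHARSET = string.ascii_letters + string.digits + string.punctuation
DIGITS_AND_SPECIALS = string.digits + string.punctuation

GUESSES_PER_SECOND = 350e9          # NTLM rate quoted in the post
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(charset_size, length):
    """Number of distinct passwords of exactly `length` symbols."""
    return charset_size ** length


def seconds_to_exhaust(charset_size, length, rate=GUESSES_PER_SECOND):
    """Worst case: every candidate of this length is tried at `rate` guesses/s."""
    return keyspace(charset_size, length) / rate


def crack_time_years(charset_size, length, rate=GUESSES_PER_SECOND):
    return seconds_to_exhaust(charset_size, length, rate) / SECONDS_PER_YEAR


def meets_policy(password, min_len=16, min_special=6):
    """The post's rule: at least 16 characters, at least 6 digits or specials."""
    specials = sum(c in DIGITS_AND_SPECIALS for c in password)
    return len(password) >= min_len and specials >= min_special


def generate_password(length=20, min_special=6):
    """Draw from the OS CSPRNG and retry until the policy is satisfied."""
    while True:
        candidate = "".join(secrets.choice(GENERATION_CHARSET) for _ in range(length))
        if meets_policy(candidate, length, min_special):
            return candidate


if __name__ == "__main__":
    for n in (8, 12, 16):
        hours = seconds_to_exhaust(PRINTABLE_ASCII, n) / 3600
        years = crack_time_years(PRINTABLE_ASCII, n)
        print(f"{n} chars from {PRINTABLE_ASCII} symbols: {hours:,.1f} hours ({years:.3g} years)")
    print("policy-compliant password:", generate_password())
```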

With this approach I feel that I have done a pretty good job of making a hacker's life rather difficult. Is it 100% secure? Probably not, and I constantly tweak my system as new information surfaces and we learn about new improvements in processing speed or cryptography advances.

What is your strategy? Let me know your thoughts here on the blog or via Twitter or Facebook comments…

Further reading:

Tools I use:
