Most companies require them and many home users do not, but for those who do, just how good is your password?

I often advise people on passwords and how to make them more secure, and if you have seen Spaceballs you will know about one of the simplest, easiest-to-crack passwords going around,

but here are a few more that are common and should not be used:

  • password
  • 1234
  • 12345
  • 123456
  • 1234567
  • 12345678
  • qwerty
  • abc123
  • letmein
  • monkey
  • myspace1
  • password1
  • blink182
  • (your first name)
  • god
  • sex
  • money
  • love
  • 696969
  • admin

But sometimes it is not even necessary to crack the password: I have seen people give out their password to work colleagues and friends.

In one case someone obtained a co-worker's password and then used that account to look up adult material at work. The only reason he was caught was that he used the account while the co-worker was on a different shift; once security and the IT department looked into it and tracked the usage, they caught him in the act. He was instantly sacked, but things could have been different had he only used the account while its owner was working.

It used to be the case that a good 6-character password would be sufficient, on the assumption that an attacker could try 100 passwords per second (see the table below, thanks to baekdal).

[Table: password cracking times by length, from baekdal; the image is not preserved here]

But now there is a new threat.

Graphics cards

As graphics processing units (GPUs) have become so powerful and fast in order to handle the rendering for today's games, this has also led to them being used for other things.

According to the Georgia Institute of Technology, passwords with fewer than 12 characters can be broken by brute force. To put the power of these graphics cards into perspective:

The top graphics processors today offer about two teraflops of parallel processing power. Put this into comparison: the world's fastest supercomputer in the year 2000, a cluster of linked machines costing $110 million, operated at slightly more than 7 teraflops.

A teraflop is "a trillion calculations per second", and like every other computer technology, GPUs are only going to get faster, meaning they will crack your passwords faster. A brute-force attack means trying every combination of numbers, letters and symbols until the right one is found.
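To make the brute-force arithmetic concrete, here is an added Python example (not from the original post or from baekdal's table) that computes the size of the keyspace for a given alphabet and length and the worst-case time to exhaust it. The 100 guesses/s figure is the one the post quotes for the old table; the one-billion-guesses-per-second GPU rate is an assumed order-of-magnitude figure, not a number from the page or from the Georgia Tech statement.

```python
# Character-class sizes used to estimate the keyspace (printable-ASCII assumption;
# the "£" from the advice below would add one more symbol).
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 33

# Guess rates. 100/s is the figure the post quotes for the old table; the GPU
# figure is a constructed order-of-magnitude assumption, not taken from the page.
RATES = {
    "100 guesses/s (old assumption)": 100,
    "1 billion guesses/s (assumed GPU rig)": 1_000_000_000,
}


def keyspace(alphabet_size, length):
    """Number of distinct passwords of exactly `length` characters drawn from an alphabet."""
    return alphabet_size ** length


def seconds_to_exhaust(space, rate):
    """Worst-case time (seconds) to try every candidate at `rate` guesses per second.
    An attacker finds the password after about half of this on average."""
    return space / rate


def human_time(seconds):
    """Render a duration in the largest convenient unit."""
    units = [("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:,.2f} seconds"


def report(length, alphabet_size, label):
    """Print the keyspace for one length/alphabet and the exhaust time at each rate."""
    space = keyspace(alphabet_size, length)
    print(f"{label}, length {length}: {space:.3e} candidates")
    for rate_name, rate in RATES.items():
        print(f"  {rate_name}: {human_time(seconds_to_exhaust(space, rate))}")


if __name__ == "__main__":
    for length in (6, 8, 12):
        report(length, LOWER, "lowercase only")
        report(length, LOWER + UPPER + DIGITS + SYMBOLS, "all four classes")
```

Run it and compare the lowercase-only rows with the all-four-classes rows: adding character classes helps, but each extra character of length multiplies the keyspace by the whole alphabet size, which is why length dominates. The figures are for exhaustive search only; anything on the common-password list above falls long before the keyspace is exhausted, regardless of rate.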

 

Christian Brindley, Regional Technical Manager EMEA at VeriSign Authentication, said,

Lots of people think that they have a solid password – over 12 characters long, including a combination of letters, numbers and cases to increase their strength.

However, in today’s world passwords are simply not enough to protect sensitive information on their own. In fact, VeriSign research of UK online adults showed that 39% of us disagree that ‘user name plus password’ is a strong enough security measure.

If that was not bad enough, Elcomsoft sells software meant to audit your wireless security by attacking it, and if you have not already guessed, it uses your graphics card's GPU to do so. No doubt some criminals will find a way of adapting this to try to break into someone else's network.

My Advice

For home users I would suggest an 8-character password and for businesses at least 12 characters. They should include uppercase letters, lowercase letters, numbers and special characters like £, $ or &.
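The advice above can be turned into a checker. The following is an added Python example, not code from the original post: it applies the two length recommendations (8 for home, 12 for business), requires all four character classes, rejects anything on the common-password list from the top of the post, and optionally rejects a password containing the user's first name. The profile names and the failure messages are my own choices.

```python
# Common passwords from the post's list (case-insensitive lookup). In practice this
# set would be extended from a real breach wordlist; here it is just the page's list.
COMMON_PASSWORDS = {
    "password", "1234", "12345", "123456", "1234567", "12345678", "qwerty",
    "abc123", "letmein", "monkey", "myspace1", "password1", "blink182",
    "god", "sex", "money", "love", "696969", "admin",
}

# The post's two length recommendations.
MIN_LENGTH = {"home": 8, "business": 12}


def check_password(candidate, profile="home", first_name=None):
    """Return a list of policy failures; an empty list means the candidate passes."""
    if profile not in MIN_LENGTH:
        raise ValueError(f"unknown profile {profile!r}")
    failures = []
    if len(candidate) < MIN_LENGTH[profile]:
        failures.append(f"shorter than {MIN_LENGTH[profile]} characters")
    lowered = candidate.lower()
    if lowered in COMMON_PASSWORDS:
        failures.append("appears in the common-password list")
    if first_name and first_name.lower() in lowered:
        failures.append("contains the user's first name")
    # The four character classes the post asks for. Anything that is neither a letter
    # nor a digit counts as a special character, so £, $ and & all qualify.
    if not any(c.islower() for c in candidate):
        failures.append("no lowercase letter")
    if not any(c.isupper() for c in candidate):
        failures.append("no uppercase letter")
    if not any(c.isdigit() for c in candidate):
        failures.append("no digit")
    if not any(not c.isalnum() for c in candidate):
        failures.append("no special character (e.g. £, $, &)")
    return failures


if __name__ == "__main__":
    for pw in ("password", "Password1", "Xq7£mVw2!pLz"):
        result = check_password(pw, "business")
        print(f"{pw!r}: {'OK' if not result else ', '.join(result)}")
```

The check reports every failure rather than stopping at the first, so the user sees in one go why a candidate was rejected; the common-list lookup is done on the lowercased value because capitalising a dictionary word does not make it less common.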

 

It is better to have a strong password that takes a bit longer to type at login than to have it cracked and sensitive details lost.

If you would like any more information then please contact us and we will happily give you some advice.



7 Responses to “Passwords”

  • Geoff Hirst:

    This is quite correct; however, surely good security states that only a limited number of retries are allowed on a password before the account is locked and requires a supervisor to unlock it.

    What might be a really neat option would be a requirement to choose a specific font and maybe even colours for characters too. That would give these GPUs something to think about.

  • That would be good, but I know XP does not lock itself unless it is part of a domain; I am not sure about Vista or Windows 7.
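The retry limit Geoff describes, as an added Python example that is not part of the original post or its comments: failed attempts are counted per account, the account locks after a fixed number, a correct password is refused while locked, and unlocking is a separate supervisor operation. The limit of five, the plaintext credential store and the names are constructed for the example.

```python
from dataclasses import dataclass

MAX_FAILED_ATTEMPTS = 5   # constructed policy value; pick one to suit the environment


@dataclass
class Account:
    username: str
    failed_attempts: int = 0
    locked: bool = False


class LoginGate:
    """Counts failed logins per account and locks the account after a fixed number.
    Unlocking is deliberately a separate, privileged call (the supervisor step)."""

    def __init__(self, credentials):
        # credentials: {username: password}. Plaintext only to keep the example
        # self-contained; a real system verifies against a salted password hash.
        self._credentials = credentials
        self._accounts = {name: Account(name) for name in credentials}

    def attempt(self, username, password):
        """Return 'ok', 'bad-password' or 'locked'."""
        account = self._accounts.get(username)
        if account is None:
            # Reported exactly like a wrong password so the response does not
            # reveal which usernames exist.
            return "bad-password"
        if account.locked:
            return "locked"                 # refuse even a correct password once locked
        if self._credentials[username] == password:
            account.failed_attempts = 0     # a good login clears the counter
            return "ok"
        account.failed_attempts += 1
        if account.failed_attempts >= MAX_FAILED_ATTEMPTS:
            account.locked = True
        return "bad-password"

    def supervisor_unlock(self, username):
        """Privileged reset of the lock and the counter; never callable by the login path."""
        account = self._accounts[username]
        account.locked = False
        account.failed_attempts = 0

    def is_locked(self, username):
        return self._accounts[username].locked

    def failed_attempts(self, username):
        return self._accounts[username].failed_attempts


if __name__ == "__main__":
    gate = LoginGate({"alice": "correct horse"})   # constructed sample account
    for _ in range(MAX_FAILED_ATTEMPTS):
        print(gate.attempt("alice", "wrong guess"))
    print("locked:", gate.is_locked("alice"))
    print(gate.attempt("alice", "correct horse"))  # refused while locked
    gate.supervisor_unlock("alice")
    print(gate.attempt("alice", "correct horse"))  # ok
```

One caveat worth keeping in mind when rolling this out: a lockout that needs a supervisor to clear it means anyone who knows a username can lock its owner out, so the limit and the unlock process need to be chosen with that nuisance in mind, and the failed-attempt log is worth watching as a detection signal in its own right.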

  • Kevin Lloyd:

    Interesting about the graphics card attack. I take it all computers are vulnerable to this kind of attack (no matter what OS is being run)?

    I know Windows is never the best for security but as the card is hardware is it limited to the OS?

    The problem I always find is getting people to keep secure passwords once they're set for them. 75% of the time you will always get a request for something like 'mYw@0RdpA5' to be changed to 'myname4'.

    I’ll be passing this useful info onto clients in future to get the point across!

  • Nvidia opened up their graphics processor so others could write programs for it in CUDA, which is like the C programming language. As this programming language is specific to the graphics card, it can be designed to hack a Mac or Linux if desired, but I think Microsoft will be the biggest hit due to its popularity in the home and office.

    I do know what you mean by people changing their passwords, and there is nothing you can do except offer advice.

  • cliff:

    As far as a home user being hacked or attacked by someone with the knowledge or software, the chance is slim to none. Everyone should take the proper steps to protect their data. This info about the graphics card is new to me, thanks for the info. We have to continue to spread the word when we hear about the new ways hackers are attacking. Let's hope the manufacturers of these cards do the right thing and come up with a security fix.

  • Rory Alsop:

    What could be more worrying is that even without the graphics card approach (which is purely a speed increase) there are ways of getting passwords cracked much faster.

    For many years I have conducted password strength audits for large financial organisations, and if I have access to a typical network (e.g. as a contractor) I can use rainbow tables to crack all passwords up to 11 characters within a matter of seconds. 8-character passwords are broken instantly. (Google rainbow tables if you haven't yet seen them.)

    So I encourage people to use stronger passwords (concatenating 3 words and a couple of numbers to a length of over 13 is not considered brute-forceable in any practical timeframe, i.e. many years), and to mention Kevin's point above, they can still be easy to remember, meet complexity requirements, and don't need to be changed as often, which all helps.

    I would totally agree that the key here is educating the users, but the problem is that they do whatever it takes to make their day easier, so if there is a process which becomes onerous to them they will get around it. Go for simple to remember password rules, re-educate on a regular basis, use practical security guidelines that help protect the business.

    This is the core of what I have been doing for the last 15 years – practical security that works in a business environment with people, processes and technology.

    Regards

    rory

  • Sharron Clemons:

    Nvidia opened up their graphics processor so others could write programs for it in CUDA, which is like the C programming language. As this programming language is specific to the graphics card, it can be designed to hack a Mac or Linux if desired, but I think Microsoft will be the biggest hit due to its popularity in the home and office. I do know what you mean by people changing their passwords, and there is nothing you can do except offer advice.
