About Passwords and Security
Over the last few days I did some research of my own into passwords and web application security as a whole, and I found some interesting points I would like to share.
The trigger was my research into authentication mechanisms and prevention measures against malpractice (e.g. SQL injection) to implement in the SP-REST project. Inevitably I stumbled upon issues of user-level security, because a system is only as strong as the most vulnerable link in the chain of participating parts, both human and machine.
Some of the perceptions about security I held before this research proved right, others wrong.
1st axiom: There is no unbreakable system. (Well, that may not be completely true, but in practice, beyond a certain level of security the system becomes unusable; imagine, as an over-simplistic example, asking your users to use a 50-digit password.)
2nd axiom: Your system can be considered secure enough if the perceived value of the data that would be compromised, or the significance (financial, political, etc.) of the damage, is lower than the calculated cost (tools, processing power, special software, time of specialized experts allocated, etc.) of the breaching process. So your personal blog with photos of your cat in cute poses can be considered secure if breaking it needs $2000 of software on state-of-the-art machinery and three man-months of an expert hacker.
Fact: The intelligence and sophistication of black-hat hacking systems (humans, software and hardware combined) increase over time, following closely behind (and sometimes getting ahead of) those of the defensive mechanisms. Besides, it is an open secret that the two colliding worlds (the “attackers” and the “defenders”) are often communicating vessels, and there are complex (and often enormous) interests involved.
Rule 1: Simple substitution of letters in easily remembered words with corresponding special characters (o with 0 (zero), a with @, etc.), which was considered by many (including myself) a password security panacea, is not good enough. Modern dictionary attacks take this practice into consideration, making the compromise a relatively easy task.
Rule 2: Size still matters! This principle is based on the common-sense observation that every character added increases exponentially the number of possible combinations an attacking system must try before “guessing” the right one.
A very good read about these issues (the article itself and the links it provides) is:
How long would it take to crack your password?
Conclusion:
A good password consists of these ingredients:
- Good size (by all means over 8 characters), balanced against usability and ease of remembering.
- Use of the maximum possible character set (uppercase and lowercase letters, numbers and special characters, even other-language letters such as Greek or Cyrillic if the system supports them).
- Not likely to match common word dictionaries, so full words (even misspelled ones!) should be avoided (some propose using acronyms of easy-to-remember phrases).
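As an added illustration of the rules above (this is my own example, not code from the original post or from any tool it mentions), here is a small Python checker: it undoes the common letter-to-symbol substitutions from Rule 1 before looking the result up in a word list, and computes the keyspace and worst-case exhaustive-search time that Rule 2 and the character-set advice rest on. The five-word list, the substitution map, the allowance for non-Latin letters and the rate of 10^10 guesses per second are constructed assumptions, not measurements.

```python
import string

# Constructed stand-in for a real wordlist (assumption, a few entries only).
COMMON_WORDS = {"password", "letmein", "welcome", "dragon", "qwerty"}

# Reverse map for the letter-to-symbol substitutions Rule 1 talks about (assumption).
LEET_MAP = {"0": "o", "@": "a", "4": "a", "3": "e", "1": "i",
            "!": "i", "$": "s", "5": "s", "7": "t"}


def un_leet(password: str) -> str:
    """Undo simple substitutions so that 'P@ssw0rd' compares as 'password'."""
    return "".join(LEET_MAP.get(ch, ch) for ch in password.lower())


def charset_size(password: str) -> int:
    """Size of the alphabet an attacker must cover for this password."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)   # 32 ASCII symbols
    if any(ord(c) > 127 for c in password):
        size += 100   # rough allowance for Greek/Cyrillic letters (assumption)
    return size


def brute_force_seconds(password: str, guesses_per_second: float = 1e10) -> float:
    """Worst case: exhaust keyspace = charset ** length at the assumed guess rate.
    Each extra character multiplies the keyspace by the charset size (Rule 2)."""
    return charset_size(password) ** len(password) / guesses_per_second


def assess(password: str) -> dict:
    """Classify a password against the three ingredients listed in the post."""
    dictionary_hit = un_leet(password) in COMMON_WORDS
    return {
        "length_ok": len(password) > 8,
        "charset_size": charset_size(password),
        "dictionary_hit": dictionary_hit,
        # A word-list hit is found almost instantly, whatever the keyspace says.
        "brute_force_seconds": 0.0 if dictionary_hit else brute_force_seconds(password),
    }


if __name__ == "__main__":
    for pw in ("P@ssw0rd", "abcdefgh", "abcdefghi", "Tb,ImRtbD!2024"):
        print(pw, assess(pw))
```

The point to notice is that `P@ssw0rd` uses all four character classes yet falls to the word list, while a plain lowercase string that is one character longer gets 26 times more expensive to exhaust.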
If you want to test your password there is a handy online tool, Passfault Analyzer (see image below), which performs a variety of tests and comes up with an estimate of the time needed to finally “break” it.
The verdict for one of the passwords I use: