- The Washington Times - Friday, January 19, 2007

Today, I’m writing about online passwords and why yours probably aren’t secure.

People today tend to have lots of passwords for everything from newspaper access to bank accounts.

Many of these passwords don’t much matter. The financial ones do. How secure are they? On average, not very.

Bruce Schneier (whose site schneier.com offers a free and worthwhile security newsletter) recently analyzed 34,000 passwords used by people, mostly children, on MySpace.com. Note that children are often better than adults at choosing passwords. His findings: Most people use passwords that are too short and easily guessed.

“While 65 percent of passwords contain eight characters or less, 17 percent are made up of six characters or less. The average password is eight characters long,” he writes.

That’s not good. Worse, certain passwords were common and, therefore, easy to guess. The most used were: password1, abc123, myspace1, password, blink182, qwerty1, 123abc, baseball1, football1, 123456, soccer, monkey1, liverpool1, princess1, jordan23, slipknot1, superman1, iloveyou1 and monkey.

How does password cracking work? Passwords are stored on computers in encrypted form. If the hacker can get these encrypted data, highly sophisticated password-cracking programs exist that intelligently guess, and guess, and guess, until they get the right answer.

Says Mr. Schneier, “Current commercial products can test tens even hundreds of millions of passwords per second.”

A good example is Password Recovery Toolkit, from AccessData.com. Now, if you are mathematically inclined, you might note that a 15-character password, on a keyboard of 85 characters, offers a huge number of passwords to be guessed. Wouldn’t even a modern computer find this daunting?

But cracking programs don’t try all possible combinations. They guess intelligently, starting with the most common passwords. And they are even slicker than that.

Those in the business of security know that people commonly make up passwords by using a “root” and an “appendage.” For example, the root might be “cowboys” and the appendage a number, thus “cowboys1963.” Computer users typically think that “cowboys1963” will be hard to guess. No, it’s child’s play. “Cowboys” is the Dallas Cowboys football team, and guessers know that sports teams are frequently used in passwords. The date is a plausible birthday, also used frequently. Ninety percent of the time, the appendage comes after the word, not before.

Computers are so fast now that the program can try every major sports team in America with all dates from 1900 on.

Says Mr. Schneier, “So the first attack [Password Recovery Toolkit] performs is to test a dictionary of about 1,000 common passwords, things like ‘letmein,’ ‘password1,’ ‘123456’ and so on. Then it tests them each with about 100 common suffix appendages: ‘1,’ ‘4u,’ ‘69,’ ‘abc,’ ‘!’ and so on. Believe it or not, it recovers about 24 percent of all passwords with these 100,000 combinations.” How very secure. But it gets worse.

A pronounceable password, even if it’s a nonsense word plus numbers, is less secure than you think. The guessers know that people almost always use pronounceable combinations. The software will try “purfgurl” before, say, “qZ7/[email protected]”.

The point is that a secure password should be long, upper and lower case, contain numbers and symbols, and be at least partly unpronounceable.
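As an added example (not part of the column, and not code from AccessData or Mr. Schneier), here is a small password-policy check that models the attack order described above: common roots tried bare, then each root with common appendages, with a keyspace estimate for anything outside that list. The word lists, the 100-million-guesses-per-second rate and the 60-bit acceptance threshold are constructed assumptions.

```python
import math
import string

# Constructed sample lists built from the passwords and appendages the column
# names; real cracking products use ~1,000 roots and ~100 suffixes.
COMMON_ROOTS = ["password", "abc123", "myspace", "blink182", "qwerty", "123abc",
                "baseball", "football", "123456", "soccer", "monkey", "liverpool",
                "princess", "jordan", "slipknot", "superman", "iloveyou", "letmein",
                "cowboys"]
COMMON_SUFFIXES = ["1", "4u", "69", "abc", "!", "23"] + [str(y) for y in range(1900, 2008)]


def guess_rank(password):
    """1-based position at which the modelled attack tries `password`:
    every root bare first, then root+suffix in list order.  None means
    the password is outside the dictionary+appendage space and the
    attacker must fall back to far slower methods."""
    pw = password.lower()
    n, m = len(COMMON_ROOTS), len(COMMON_SUFFIXES)
    for i, root in enumerate(COMMON_ROOTS):
        if pw == root:
            return i + 1
    for i, root in enumerate(COMMON_ROOTS):
        suffix = pw[len(root):] if pw.startswith(root) else None
        if suffix in COMMON_SUFFIXES:
            return n + i * m + COMMON_SUFFIXES.index(suffix) + 1
    return None


def brute_force_bits(password):
    """Size (in bits) of an exhaustive search over the character classes the
    password actually uses; the column's 85-key keyboard gives 85**15 for a
    15-character password, i.e. about 96 bits."""
    classes = [string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation]
    space = sum(len(c) for c in classes if any(ch in c for ch in password))
    return len(password) * math.log2(space) if space else 0.0


def evaluate(password, guesses_per_second=100_000_000):
    """Policy verdict plus the worst-case time a cracker running at the
    assumed rate would need to reach the password.  The 60-bit acceptance
    threshold is an assumption, not a figure from the column."""
    rank = guess_rank(password)
    if rank is not None:
        return {"verdict": "reject", "reason": "root+appendage", "rank": rank,
                "seconds": rank / guesses_per_second}
    bits = brute_force_bits(password)
    return {"verdict": "accept" if bits >= 60 else "reject", "reason": "brute-force",
            "bits": round(bits, 1), "seconds": 2 ** bits / guesses_per_second}
```

Running `evaluate("cowboys1963")` shows the column's point directly: the password falls at guess number 2,141, a fraction of a millisecond at the assumed rate.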

Most people won’t bother.

Before we all panic, note that to engage in automated guessing, the hacker has to have your password in its encrypted form. If he tries to log on to your mutual fund account, the software probably will allow only three wrong guesses before freezing the account.
