Submitted by Simon Black via Sovereign Man blog,
Seven minutes.
That's how long it would take to crack one of the passwords I had been using for more than ten years, according to the crypto experts at Silent Circle.
Let's be honest. A lot of people use the same password over and over again across multiple websites, like email, bank accounts, and social media.
Sometimes these passwords can be a bit elementary. The dog's name. Daughter's nickname plus her birth year. A favorite chocolate syrup.
These types of passwords won't typically thwart government agencies that are keen to spy on their citizens, or anyone else who gets hold of a site's password database. They can be cracked in a matter of minutes.
I've been using eight or ten different passwords for several years, some of them going back to my days as an intelligence officer. I had always thought they were secure: letters and numbers that I've been typing so long, they're committed to muscle memory.
But a few months ago when I signed up for my Silent Circle account, I was surprised to see the results when I tested one of my passwords against their crypto analysis tool.
It turns out that the password wasn't so secure after all. You can try it for yourself here:
https://accounts.silentcircle.com/join/
(You don't have to sign up, you can just type in a password and see for yourself...)
I was never a crypto specialist while in the intelligence business, so I studied the issue for the last few months to find out about the latest password cracking algorithms.
It turns out that much of what we think we know about password security is wrong.
For example, you know how it seems like every website these days has a particular password format they require you to use?
They'll require at least one upper case character, one lower case, one number, one "special character", and that the password must be at least seven characters.
Most of these web sites are incredibly annoying, and it can take three or four tries to come up with the right password.
iTunes, Facebook... they all do this to cover their own butts in case your account gets hacked, so they can say that they advised you to use the industry "best practices" for a secure password.
It turns out this isn't very secure at all.
Password cracking tools have adapted. Because so many people build passwords from "dictionary" words, the tools start from word lists and apply "mangling rules" that reproduce the tweaks people make: swapping letters for look-alike digits, capitalizing a letter, and tacking a symbol or a year onto the end.
For example, instead of "sunshine", one may use "5unshinE!", substituting a 5 for the s, capitalizing the E, and adding an exclamation point.
The first password, "sunshine", is considered to be highly vulnerable based on industry convention, but "5unshinE!" is considered to be much more secure.
It turns out that both passwords can be cracked almost instantly once an attacker has a copy of the password hashes, because the second is just the first with three predictable rules applied. Neither is secure.
Since cracking tools succeed by picking up patterns in human behavior, the key to a secure password is randomness and disorder. In the security business, this is known as entropy: the number of equally likely possibilities an attacker has to wade through.
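As an added example (not from the original post, and not Silent Circle's tool), here is a toy version of the mangling rules crackers apply to a wordlist. The wordlist, the leet table and the suffix list are constructed for illustration; real rule sets such as hashcat's are far larger but work the same way. It shows that "5unshinE!" falls out after a few dozen guesses, and that the bits a naive "charset to the power of length" meter credits to it are far above the work the attacker actually does.

```python
# Added example, not from the original post: a toy version of the
# "mangling rules" password crackers apply to a wordlist. It shows that
# "5unshinE!" is reached after a few dozen guesses, and that what a naive
# strength meter credits (charset ^ length) is far above the real work.
# The wordlist, leet table and suffix list are constructed for illustration;
# real rule sets (e.g. hashcat's) are much larger but work the same way.
import itertools
import math

WORDLIST = ["sunshine", "password", "princess", "football", "chocolate"]

# Common letter-to-digit substitutions people make (and crackers undo).
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5", "t": "7"}

# Things people append to satisfy "must contain a digit/symbol" rules.
SUFFIXES = ["", "!", "1", "123", "!1", "2023"]


def leet_variants(word):
    """Yield the word with every subset of its leetable letters substituted."""
    positions = [i for i, c in enumerate(word) if c in LEET]
    for r in range(len(positions) + 1):
        for subset in itertools.combinations(positions, r):
            chars = list(word)
            for i in subset:
                chars[i] = LEET[chars[i]]
            yield "".join(chars)


def case_variants(word):
    """Yield the handful of capitalisation patterns people actually use."""
    yield word
    yield word.capitalize()
    yield word.upper()
    yield word[:-1] + word[-1].upper()  # capitalise only the last letter


def candidates(wordlist):
    """Every distinct candidate the rule set produces, in attack order."""
    seen = set()
    for word in wordlist:
        for leet in leet_variants(word):
            for cased in case_variants(leet):
                for suffix in SUFFIXES:
                    cand = cased + suffix
                    if cand not in seen:
                        seen.add(cand)
                        yield cand


def guesses_until(target, wordlist=WORDLIST):
    """Guesses needed to hit `target`, or None if the rules never produce it."""
    for n, cand in enumerate(candidates(wordlist), start=1):
        if cand == target:
            return n
    return None


def nominal_bits(password):
    """What a naive meter credits: length * log2(size of the charset used)."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33  # printable non-alphanumeric ASCII, space included
    return len(password) * math.log2(size)


def effective_bits(wordlist=WORDLIST):
    """log2 of the whole candidate space: the most work this attack ever does."""
    return math.log2(sum(1 for _ in candidates(wordlist)))


if __name__ == "__main__":
    for pw in ("sunshine", "5unshinE!"):
        print(f"{pw:12} nominal {nominal_bits(pw):5.1f} bits, "
              f"found after {guesses_until(pw)} guesses")
    print(f"entire rule space: {effective_bits():.1f} bits")
```

Run as a script it reports "5unshinE!" at roughly 59 nominal bits but found after a few dozen guesses, while the entire five-word rule space is under 12 bits. A genuinely random string such as `zx9!Qm2@` is never produced by the rules at all, which is the whole point of the entropy argument above.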
It's difficult for a human being to fake randomness and disorder. So one easy way to achieve this is to use a password generator tool that draws on a genuinely random source rather than on your own habits.
Try, for example, going to https://entima.net/random/
On this website, you move your mouse around randomly, and the websiteâs software incorporates these random mouse movements into its password generation code.
The passwords it generates are far more secure: a long, truly random password is estimated to take centuries to crack instead of seconds. Keep in mind that such estimates assume a particular guessing speed, and the real speed depends on how the site stores its passwords, so err on the side of length.
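As an added example, not the site's code nor the author's: a generator that draws from the operating system's random source (Python's `secrets` module, the kind of source any such tool should ultimately rely on) and a crack-time estimate for a given entropy and guessing speed. The guess rates and the eight-word list are assumptions chosen to illustrate the gap between a fast hash and a slow one, not measurements.

```python
# Added example, not from the original post: generating passwords from the
# operating system's CSPRNG (Python's `secrets`) and estimating how long
# exhaustive guessing would take. Guess rates are illustrative assumptions,
# not measurements; the real figure depends on the hash the site used and
# on the attacker's hardware.
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 chars

# Constructed mini word list; a real Diceware list has 7776 words.
WORDS = ["acorn", "bishop", "cobalt", "dune", "ember", "fjord", "gravel", "hatch"]

# Assumed offline guess rates, in guesses per second, for one attacker rig.
GUESS_RATES = {
    "fast unsalted hash (MD5/NTLM class)": 1e11,
    "slow password hash (bcrypt class)": 1e4,
}
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def generate_password(length=16, alphabet=ALPHABET):
    """Uniform random characters from the OS CSPRNG; never the `random` module."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(count=6, words=WORDS):
    """Diceware-style passphrase: `count` words drawn uniformly from `words`."""
    return " ".join(secrets.choice(words) for _ in range(count))


def entropy_bits(choices, length):
    """Entropy of `length` independent uniform draws from `choices` options."""
    return length * math.log2(choices)


def expected_crack_years(bits, guesses_per_second):
    """Expected time to hit the password: half the keyspace at the given rate."""
    return (2.0 ** bits / 2) / guesses_per_second / SECONDS_PER_YEAR


def crack_time_table(bits):
    """Map each assumed guess rate to expected years for a `bits`-bit password."""
    return {name: expected_crack_years(bits, rate) for name, rate in GUESS_RATES.items()}


if __name__ == "__main__":
    pw = generate_password()
    print("password  :", pw, f"({entropy_bits(len(ALPHABET), len(pw)):.0f} bits)")
    print("passphrase:", generate_passphrase(),
          f"({entropy_bits(7776, 6):.0f} bits with a full 7776-word list)")
    for label, bits in (("8 lowercase letters", entropy_bits(26, 8)),
                        ("9 chars, mixed, truly random", entropy_bits(len(ALPHABET), 9)),
                        ("16 chars, truly random", entropy_bits(len(ALPHABET), 16))):
        print(label)
        for name, years in crack_time_table(bits).items():
            print(f"   {name:38} {years:12.3g} years")
```

Two things the table makes visible: an eight-letter lowercase password falls in about a second against a fast hash no matter what, and the 59 bits a nine-character mixed password is credited with only hold when every character was chosen at random, not when it is "sunshine" with three rules applied.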
It may be a good idea to take a few minutes out of your life to check your own password vulnerability, and come up with an alternative that's far more secure, ideally a different one for every account.