Info Tech

Article

Hasta la vista, baby! An easy way to create great passwords that are tough to crack

Posted by Dave White 10-10-2017 11:42 am

News Millenium Micro

What do nursery rhymes, memorable movie lines and great song lyrics have in common? They make great passwords, and there is not a single number or special character in them. The old requirement to build complex passwords out of special characters and numbers is being rethought.

The idea of complex passwords goes back to Bill Burr, then a manager at the National Institute of Standards and Technology (NIST) and a well-respected security expert, who wrote the eight-page password guidance (an appendix to NIST Special Publication 800-63) in 2003. It recommended complex passwords, and it also recommended changing them frequently, at least every 90 days.

Those recommendations have now been reversed. In June NIST published revised guidance (Special Publication 800-63B, part of the new Digital Identity Guidelines) that drops both rules: verifiers should no longer impose composition requirements such as mandatory numbers and symbols, and should not force periodic password changes unless there is evidence the password has been compromised. Complex passwords are out. Long pass phrases are in.


Two common ways passwords are compromised are keystroke sniffers and password crackers. Sniffers (keyloggers) are malware that record what is typed and look for typical credential patterns; no password policy helps against them. Crackers look for login portals exposed to the Internet: a VPN (Virtual Private Network) endpoint on a firewall, a Terminal Server login, a server login, a website login, anything with a login page. They attempt to log in using common passwords, like 123456, or by brute force, trying every combination of letters, numbers and special characters. Crackers also work offline against password hashes stolen from a breached site, where nothing limits how fast they can guess; the time estimates below assume that worst case.

With brute force cracking, it makes common sense that longer passwords are more difficult to crack. But how much more difficult? Here are some simple examples (the absolute times depend on how fast the attacker can guess, so read them as relative, not exact):

  • 6 Lower Case Letters: Less than 1 minute
  • 6 Lower Case Letters, 1 Upper Case Letter, 1 Number: 2.5 hours
  • 8 Lower Case Letters, 2 Upper Case Letters, 2 Numbers, 2 Special Characters: 48,000 Years

The pattern is obvious. Each step adds a few characters as well as a few character classes, but the number of combinations grows exponentially with length and only polynomially with the size of the character set, so length matters far more than complexity. The current recommendation is to use a simple phrase that's easy to remember. Hastalavista,baby would take 4.6 billion years to crack by brute force. One caveat: that figure assumes the attacker treats it as 17 random characters. Cracking tools also carry wordlists of famous quotes, lyrics and titles and try them with common variations, so a line everyone knows can fall in a handful of guesses. Pick a phrase that is memorable to you but not famous; a system that rejects a new password found on a list of commonly used ones is doing you a favour.
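To make the arithmetic behind those figures concrete, and to show what happens when the phrase is a famous line that cracking wordlists already contain, here is an estimator added for this article; it is example code, not code from the original post or from NIST. It assumes an offline guess rate of 10 billion per second (a few GPUs against a fast hash) and a constructed six-line wordlist standing in for the quote and lyric lists real cracking tools ship with; the mangling rules are an illustrative subset of what those tools apply.

```python
import string

# Character classes as the article's examples use them. The "special" class is
# assumed here to be ASCII punctuation plus space (33 symbols).
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "special": string.punctuation + " ",
}

# Assumed offline guess rate. 1e10/s is what a few GPUs manage against a fast,
# unsalted hash; guessing against a live login page is many orders of magnitude slower.
GUESSES_PER_SECOND = 1e10

# Constructed stand-in for the quote and lyric wordlists that cracking tools ship with.
FAMOUS_LINES = [
    "may the force be with you",
    "hasta la vista, baby",
    "i'll be back",
    "use the force, luke",
    "houston, we have a problem",
    "to be or not to be",
]


def alphabet_size(password: str) -> int:
    """Alphabet a brute-force attacker has to search, assuming they know which
    character classes the password draws from (the convention behind the
    article's figures)."""
    size = sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))
    if size == 0:
        raise ValueError("password contains no character from a known class")
    return size


def brute_force_guesses(password: str) -> int:
    """Worst case: every string of this length over the alphabet."""
    return alphabet_size(password) ** len(password)


def human_time(seconds: float) -> str:
    """Render a duration the way password-strength sites do."""
    for name, size in (("years", 365.25 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3f} seconds"


def mangle(line: str) -> list[str]:
    """Variants a wordlist attack tries for one base line: spaces removed,
    first letter capitalised, commas dropped, and the suffixes people add to
    satisfy composition rules. An illustrative subset of real rule sets."""
    base = line.replace(" ", "")
    forms = [base, base.capitalize(),
             base.replace(",", ""), base.capitalize().replace(",", "")]
    suffixed = [form + suffix for form in forms for suffix in ("1", "!", "1!", "123")]
    return list(dict.fromkeys(forms + suffixed))  # drop duplicates, keep order


def wordlist_guesses(password: str, wordlist=FAMOUS_LINES):
    """Guesses a phrase-aware attacker needs before hitting the password, or
    None if it is not derived from any line in the list."""
    tried = 0
    for line in wordlist:
        for candidate in mangle(line):
            tried += 1
            if candidate == password:
                return tried
    return None


def report(password: str) -> dict:
    """Both estimates side by side for one password."""
    return {
        "length": len(password),
        "alphabet": alphabet_size(password),
        "brute_force": human_time(brute_force_guesses(password) / GUESSES_PER_SECOND),
        "wordlist_guesses": wordlist_guesses(password),
    }


if __name__ == "__main__":
    for pw in ("abcdef", "Abcdef12", "Hastalavista,baby", "Hastalavista,baby1!",
               "Usetheforceluke", "the old red barn leaks in april"):
        print(f"{pw:32} {report(pw)}")
```

Run it and the two columns tell the story: Hastalavista,baby costs a pure brute-force attacker an astronomical number of years, but a phrase-aware attacker finds it on the twelfth guess, and appending 1! (the usual workaround for systems that insist on a digit) only moves it to the twenty-first. A phrase nobody else would think of, such as the constructed "the old red barn leaks in april", is not in the list at all and still has a 31-character brute-force keyspace.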

Some systems still force a number or a special character. These are easily appended to a phrase, Hastalavista,baby1! for example, although a predictable suffix like that adds little real strength.

Song lyrics, movie lines, poetry, a sentence from a favourite book: just about anything can be a great pass phrase. Pass phrases should be at least 15 characters, and longer is better; Usetheforceluke is exactly 15, so it only just qualifies. Most modern systems can accommodate 25-character passwords and some as long as 1,000, and the new NIST guidance asks verifiers to accept at least 64. The days of complex and difficult passwords are coming to an end. Hasta la vista, baby!
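The two policies side by side, as an added example written for this article rather than code from the original post or from NIST: legacy_policy is the 2003-era composition rule, and passphrase_policy follows the SP 800-63B memorized-secret rules (length bounds and a blocklist check, no composition requirements, no expiry) with the article's 15-character minimum in place of NIST's 8. The blocklist is a constructed handful of entries standing in for a real list of breached and commonly used passwords, and the normalisation applied before lookup is this example's own choice.

```python
import re
import unicodedata

# Constructed stand-in for a blocklist of commonly used, expected and breached
# passwords. SP 800-63B has verifiers reject anything found on such a list;
# real lists hold hundreds of millions of entries.
BLOCKLIST_RAW = [
    "123456", "password", "qwerty", "p@ssw0rd", "letmein",
    "hasta la vista, baby", "may the force be with you",
]

MIN_LENGTH = 15   # the article's recommendation; SP 800-63B's floor is 8
MAX_LENGTH = 64   # SP 800-63B asks verifiers to allow at least 64; more is fine


def normalize(secret: str) -> str:
    """Fold case, apply Unicode NFKC and drop everything but ASCII letters and
    digits, so that 'Hastalavista,baby' and 'hasta la vista, baby' compare
    equal. This normalisation is the example's own choice."""
    folded = unicodedata.normalize("NFKC", secret).lower()
    return re.sub(r"[^a-z0-9]", "", folded)


BLOCKLIST = {normalize(entry) for entry in BLOCKLIST_RAW}


def on_blocklist(secret: str) -> bool:
    """True if the secret, or the secret minus a trailing run of digits
    (the '1' in Hastalavista,baby1!), matches a blocklisted entry."""
    norm = normalize(secret)
    candidates = {norm}
    stripped = norm.rstrip("0123456789")
    if stripped:
        candidates.add(stripped)
    return bool(candidates & BLOCKLIST)


CLASS_RULES = (
    ("an upper-case letter", r"[A-Z]"),
    ("a lower-case letter", r"[a-z]"),
    ("a digit", r"[0-9]"),
    ("a special character", r"[^A-Za-z0-9]"),
)


def legacy_policy(secret: str) -> list[str]:
    """2003-era rule: at least 8 characters drawn from all four classes.
    Returns the list of failures (empty means accepted)."""
    problems = []
    if len(secret) < 8:
        problems.append("shorter than 8 characters")
    for label, pattern in CLASS_RULES:
        if not re.search(pattern, secret):
            problems.append(f"missing {label}")
    return problems


def passphrase_policy(secret: str) -> list[str]:
    """SP 800-63B style: length bounds and a blocklist check, no composition
    rules and no expiry. Returns the list of failures (empty means accepted)."""
    problems = []
    if len(secret) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(secret) > MAX_LENGTH:  # reject outright; never silently truncate
        problems.append(f"longer than {MAX_LENGTH} characters")
    if on_blocklist(secret):
        problems.append("matches a commonly used or well-known phrase")
    return problems


if __name__ == "__main__":
    for secret in ("P@ssw0rd", "Hastalavista,baby", "Hastalavista,baby1!",
                   "the old red barn leaks in april"):
        print(f"{secret!r}")
        print("  legacy    :", legacy_policy(secret) or "accepted")
        print("  passphrase:", passphrase_policy(secret) or "accepted")
```

Note what happens to the article's own example: Hastalavista,baby sails past the length rule but is rejected because it is a famous line, while P@ssw0rd satisfies every composition rule of the old policy and fails the new one on both length and the blocklist. A personal, unremarkable phrase such as the constructed "the old red barn leaks in april" fails the old policy (no upper-case letter, no digit) and passes the new one.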

Dave White, Trinus Technologies
