Monday, July 30, 2007

Password Picking

Now, as you might imagine, Kijamaa has a pretty strong password: at least eight characters, including at least one each of upper-case letters, lower-case letters, symbols and numerical digits. While it's based on a word in a human language, the word's not on this list. But I haven't been walking around with great guidelines for making good passwords, and have inadvertently made a few crappy ones.

Once again, Bruce Schneier rides to the rescue. The linked article evaluates a common password attack:
So the first attack [AccessData's Password Recovery Toolkit] performs is to test a dictionary of about 1,000 common passwords, things like "letmein," "password," "123456" and so on. Then it tests them each with about 100 common suffix appendages: "1," "4u," "69," "abc," "!" and so on. Believe it or not, it recovers about 24 percent of all passwords with these 100,000 combinations.
And gives you solid password advice (below), but:
[N]one of this might actually matter. AccessData sells another program ... that ... scans a hard drive for every printable character string ... [a]nd PRTK breaks more than 50 percent of passwords from this dictionary alone.

What's happening is that the Windows operating system's memory management leaves data all over the place in the normal course of operations. You'll type your password into a program, and it gets stored in memory somewhere. Windows swaps the page out to disk, and it becomes the tail end of some file. It gets moved to some far out portion of your hard drive, and there it'll sit forever. Linux and Mac OS aren't any better in this regard.

There's a digest -- which originally pointed me at the article, and in fact to Mr. Schneier's blog -- posted on Yahoo! It essentially suggests taking a word, misspelling it, and inserting a 2- or 3-character string into the middle somewhere. So,
consensus
kuncensis
kun$8`censis
might be a great password. And we've found a regime in which habitual misspellers have a natural advantage.
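As an added example (not code from the post or from Schneier's article), here is a small Python checker that first rejects any candidate that would fall to the dictionary-plus-suffix pass quoted above, and then applies the character-class policy from the opening paragraph. The word and suffix lists are constructed stand-ins for PRTK's real ~1,000-word and ~100-suffix lists, which are not on the page, and the case-insensitive comparison is an assumption (capitalised variants are treated as just as weak).

```python
import string

# Constructed stand-ins for PRTK's common-password and suffix lists.
# The empty suffix covers the bare dictionary word itself.
COMMON_BASES = ["letmein", "password", "123456", "qwerty", "consensus"]
COMMON_SUFFIXES = ["", "1", "4u", "69", "abc", "!", "123"]


def meets_policy(pw: str) -> bool:
    """Policy from the post: 8+ chars, with upper, lower, digit and symbol."""
    return (len(pw) >= 8
            and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))


def attack_dictionary(bases=COMMON_BASES, suffixes=COMMON_SUFFIXES) -> set:
    """Every base + suffix combination the first pass would try
    (1,000 x 100 = 100,000 with the real lists), stored lower-cased."""
    return {(b + s).lower() for b in bases for s in suffixes}


def falls_to_first_pass(pw: str, combos=None) -> bool:
    """True if pw would be recovered by the base+suffix pass.
    Assumption: compare case-insensitively, so 'Letmein!' counts as weak."""
    combos = combos if combos is not None else attack_dictionary()
    return pw.lower() in combos


def assess(pw: str) -> str:
    """Order matters: a word+suffix guess falls regardless of its policy score."""
    if falls_to_first_pass(pw):
        return "weak: common word plus common suffix"
    if not meets_policy(pw):
        return "weak: fails length/character-class policy"
    return "ok"


if __name__ == "__main__":
    for candidate in ["letmein1", "Password!", "kuncensis", "kun$8`censis", "Kun$8`censis"]:
        print(f"{candidate!r}: {assess(candidate)}")
```

Note that the post's own kun$8`censis survives the dictionary pass but has no upper-case letter, so it fails the policy stated at the top; Kun$8`censis satisfies both.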

Oh! Remember how in Windows NT an 8-character password, or anything less than a 14-character password, would be less secure than a 7-character password, because Windows would snap the first seven characters off and hash them separately? That's no longer true, I found out while reading about this. That link advises password changes every three to four months, which I don't understand. I think you should only change your password after being forced by some circumstance to share it. I suppose the thought is that a password-cracking algorithm running for months will have already passed the subsequent password you choose, but that seems a little insane. If you can explain that, please share.
