
Thursday, June 2, 2011

The Usability of Passwords (by @baekdal) #tips

This is a great article! :) I have followed computer and Internet security for the last 13 years, and this info is worth reading every word... and then putting these principles into practice, for sure! I have put the crux of the article here to get you interested...


Don


The Usability of Passwords.

Written by Thomas Baekdal | Saturday, August 11, 2007 | Section: tips

Security companies and IT people constantly tell us that we should use complex and difficult passwords. This is bad advice, because you can make passwords that are usable, easy to remember and highly secure. In fact, usable passwords are often far better than complex ones.

So let's dive into the world of passwords, and look at what makes a password secure in practical terms.

Update: Read the FAQ (updated January 2011)

Update - April 21, 2011: This article was "featured" on Security Now, here is my reply!

How to hack a password

Breaking a password is simple work. There are 5 proven ways to do it:

  1. Asking: Amazingly, the most common way to get someone's password is simply to ask for it (often in connection with something else). People tell their passwords to colleagues, friends and family. A complex password policy isn't going to change this.
  2. Guessing: This is the second most common way into a person's account. Most people choose a password that is easy to remember, and the easiest ones are those related to you as a person: your last name, your wife's name, the name of your cat, your date of birth, your favorite flower and so on are all common. This problem can only be solved by choosing a password with no relation to you as a person.
  3. Brute force attack: Very simple to do. The attacker simply tries to sign in with one password after another. If your password is "sun", he tries "aaa, aab, aac, aad ... sul, sum, sun (MATCH)". The only thing that stops a brute force attack is a longer and more complex password (which is why IT people want you to use exactly that).
  4. Common word attack: A simple form of brute force attack in which the attacker tries to sign in with a list of common words. Instead of trying combinations of letters, he tries whole words, e.g. "sum, summer, summit, sump, sun (MATCH)".
  5. Dictionary attack: The same idea as the common word attack, except that the attacker now uses the full dictionary (there are about 500,000 words in the English language).

When is a password secure?

Skipping on down...

Does that mean that the IT departments and security companies are right? Nope, it just means that a 6-character password isn't going to work. No one can remember a password like "J4fS<2", which evidently means it will end up written on a post-it note.

To make usable passwords we need to look at them differently. What you need, first of all, are words you can remember: something simple, and something you can type fast.

Like these:

Using more than one simple word as your password increases your security substantially (from 3 minutes to 2 months). But by simply using 3 words instead of two, you suddenly have an extremely secure password.

It takes:

  • 1,163,859 years using a brute-force method
  • 2,537 years using a common word attack
  • 39,637,240 years using a dictionary attack

It is 10 times more secure to use "this is fun" as your password, than "J4fS<2".

If you want to be insanely secure; simply choose uncommon words as your password - like:

A usable and secure password is then not a complex one. It is one that you can remember - a simple password using 3+ words.
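A small model of the three automated strategies listed above, added here as an example; it is not code from Baekdal's article. It sizes the brute force alphabet to the character classes the password actually uses, and treats a word list attack as list size to the power of the number of words. The 20,000-entry common word list, the constructed COMMON_WORD_SAMPLE set, the 100 guesses per second rate and the worst case full search are assumptions of the example, so its figures differ a little from the article's:

```python
"""Time-to-exhaust estimates for the attack strategies listed in the article.

Added example, not code from Baekdal's article. Assumptions (all labelled):
an online attacker who sends guesses_per_sec attempts to the login form,
a "common word" list of COMMON_WORDS entries, a full dictionary of
DICTIONARY_WORDS entries, and a worst case in which every candidate is
tried. COMMON_WORD_SAMPLE is a constructed stand-in for the real list.
"""
import string
from typing import Dict, Optional, Tuple

SECONDS_PER_YEAR = 365.25 * 24 * 3600
COMMON_WORDS = 20_000         # assumed size of an attacker's common-word list
DICTIONARY_WORDS = 500_000    # the article's figure for the English dictionary

# Constructed sample of "common" words; a real list has ~COMMON_WORDS entries.
COMMON_WORD_SAMPLE = frozenset({"this", "is", "fun", "alpine", "sun", "summer", "password"})

# Character classes, with the alphabet size each one adds to a brute-force
# search once the attacker has to include it.
CHAR_CLASSES = (
    (frozenset(string.ascii_lowercase), 26),
    (frozenset(string.ascii_uppercase), 26),
    (frozenset(string.digits), 10),
    (frozenset(string.punctuation + " "), 33),
)


def brute_force_space(password: str) -> int:
    """Keyspace of a brute-force search sized to the classes actually used."""
    alphabet = sum(size for chars, size in CHAR_CLASSES
                   if any(c in chars for c in password))
    return alphabet ** len(password)


def word_attack_space(password: str, list_size: int,
                      known_words: Optional[frozenset] = None) -> Optional[int]:
    """Keyspace of a word-list attack: list_size ** number_of_words.

    Returns None when the attack cannot succeed: a token that is not a plain
    alphabetic word is in no word list, and with a concrete known_words set
    every token must appear in it. Without known_words, every alphabetic
    token is assumed to be somewhere in a list of list_size entries.
    """
    words = password.split()
    if not words or not all(w.isalpha() for w in words):
        return None
    if known_words is not None and not all(w in known_words for w in words):
        return None
    return list_size ** len(words)


def years_to_exhaust(keyspace: int, guesses_per_sec: float) -> float:
    """Worst-case time to try every candidate at the given online rate."""
    return keyspace / guesses_per_sec / SECONDS_PER_YEAR


def attack_times(password: str, guesses_per_sec: float = 100.0) -> Dict[str, Optional[float]]:
    """Years per strategy; None means that strategy cannot find the password."""
    spaces = {
        "brute_force": brute_force_space(password),
        "common_words": word_attack_space(password, COMMON_WORDS, COMMON_WORD_SAMPLE),
        "dictionary": word_attack_space(password, DICTIONARY_WORDS),
    }
    return {name: None if space is None else years_to_exhaust(space, guesses_per_sec)
            for name, space in spaces.items()}


def fastest_attack(password: str, guesses_per_sec: float = 100.0) -> Tuple[str, float]:
    """(strategy, years) for the attack that breaks the password soonest."""
    usable = {k: v for k, v in attack_times(password, guesses_per_sec).items()
              if v is not None}
    name = min(usable, key=usable.get)
    return name, usable[name]


if __name__ == "__main__":
    for pw in ("J4fS<2", "this is fun", "alpine fun", "fluffy is puffy"):
        strategy, years = fastest_attack(pw)
        print(f"{pw!r:20} weakest against {strategy:13} ~{years:,.2f} years")
```

An attacker uses the cheapest strategy that can succeed, so fastest_attack reports the common word attack for "this is fun" (all three words are on the sample list) but has to fall back to the dictionary attack for "fluffy is puffy", which is the effect the article describes for uncommon words; "J4fS<2" is in no word list at all, so only brute force applies to it.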

It is not just about passwords

One thing is to choose a secure and usable password. Another is to stop the attacker from guessing the password in the first place. This is a very simple thing to do.

All you need to do is keep automatic hacking scripts from working effectively. What you need to do is this:

  1. Add a time delay between sign-in attempts. Instead of allowing people to sign in again and again and again, add a 5-second delay between each attempt.

    It is short enough not to be noticeable (it takes longer than 5 seconds to realize that you have typed a wrong password and to type in a new one), and it means the attacker can only make one sign-in request every 5 seconds (instead of 100 per second).

  2. Add a penalty period of something like 1 hour once a person has typed a wrong password more than - say - 10 times. Again, this seriously disrupts the hacking script.

An attacker can break the password "alpine fun" in only 2 months if he can hit your server 100 times per second. But with the penalty period and the 5-second delay, the same password can suddenly withstand an attack for 1,889 years.
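The two measures, implemented as a per-account throttle, added here as an example rather than code from the article. The policy numbers are the article's (5-second interval, 10 failures, 1-hour penalty); the injectable clock, the in-memory state dictionary, and the 20,000-word list behind the two-word keyspace in the demo are assumptions of the example, so its year counts are not the article's:

```python
"""Per-account login throttling, as the article recommends: a fixed delay
between attempts and a lockout after too many failures.

Added example, not the article's code. The clock is injected so the
policy can be exercised offline; a real deployment keeps the per-account
state in a store shared by every application server (a dict here, which
is an assumption made for the demonstration).
"""
import time
from dataclasses import dataclass
from typing import Callable, Dict

SECONDS_PER_YEAR = 365.25 * 24 * 3600


@dataclass
class ThrottlePolicy:
    min_interval: float = 5.0   # seconds that must pass between attempts
    max_failures: int = 10      # wrong passwords before the penalty applies
    penalty: float = 3600.0     # seconds the account is locked afterwards


@dataclass
class _AccountState:
    last_attempt: float = float("-inf")
    failures: int = 0
    locked_until: float = float("-inf")


class FakeClock:
    """Deterministic stand-in for time.monotonic, used by the demo and tests."""
    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


class LoginThrottle:
    def __init__(self, policy: ThrottlePolicy,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.policy = policy
        self.clock = clock
        self._state: Dict[str, _AccountState] = {}

    def check(self, username: str) -> str:
        """Call before verifying the password. Returns "ok", "too_fast" or "locked".

        A rejected attempt does not move the timer, so hammering the form
        cannot keep a legitimate user permanently inside the 5-second window.
        """
        st = self._state.setdefault(username, _AccountState())
        now = self.clock()
        if now < st.locked_until:
            return "locked"
        if now - st.last_attempt < self.policy.min_interval:
            return "too_fast"
        st.last_attempt = now
        return "ok"

    def record(self, username: str, success: bool) -> None:
        """Call after password verification of an attempt that passed check()."""
        st = self._state.setdefault(username, _AccountState())
        if success:
            st.failures = 0
            return
        st.failures += 1
        if st.failures >= self.policy.max_failures:
            st.locked_until = self.clock() + self.policy.penalty
            st.failures = 0


def max_guesses_per_sec(policy: ThrottlePolicy, raw_rate: float) -> float:
    """Upper bound on online guesses per second against one account.

    raw_rate is what the attacker could send with no throttling at all.
    With a penalty, each cycle is max_failures attempts spaced by the
    interval, followed by the lockout; without one, attempts simply
    continue at the interval.
    """
    per_attempt = max(policy.min_interval, 1.0 / raw_rate)
    if policy.penalty <= 0 or policy.max_failures <= 0:
        return 1.0 / per_attempt
    cycle = (policy.max_failures - 1) * per_attempt + policy.penalty
    return policy.max_failures / cycle


def years_to_exhaust(keyspace: float, policy: ThrottlePolicy,
                     raw_rate: float = 100.0) -> float:
    """Worst-case years to try every candidate under the policy."""
    return keyspace / max_guesses_per_sec(policy, raw_rate) / SECONDS_PER_YEAR


if __name__ == "__main__":
    two_common_words = 20_000 ** 2   # assumption: two words from a 20,000-word list
    for label, policy in (
        ("no throttling", ThrottlePolicy(min_interval=0, max_failures=0, penalty=0)),
        ("5 s delay only", ThrottlePolicy(penalty=0)),
        ("delay + 1 h lockout", ThrottlePolicy()),
    ):
        print(f"{label:22} {years_to_exhaust(two_common_words, policy):>12,.2f} years")
```

max_guesses_per_sec gives the bound that turns the article's argument into numbers: 100 guesses per second with no throttling, 0.2 with the delay alone, and roughly 10 per hour once the lockout is added. Two caveats a practitioner would add. A per-account lockout can be turned against the user: anyone who can submit ten wrong passwords locks the real owner out for an hour, which is why check() does not reset the timer on rejected attempts and why the penalty is usually applied per source address as well as per account. And all of this only slows online guessing against the login form; if the password hashes leak, they are cracked offline at rates no server-side delay can influence, and then only the keyspace (and a slow hash) helps.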

Remember this the next time you are making web applications or discussing password policies. Passwords can be made both highly secure and user-friendly.


Read More...
http://www.baekdal.com/tips/password-security-usability

