Thursday, May 30, 2013

Password Security


Most people know the importance of creating a unique password for each website the user logs into.  Following that "rule" is important.  Many people also understand that the password should be complex.  The article in ARS Technica this week demonstrates that a hacker who gets access to hashed passcodes can decipher the passwords, even the hardest ones, in a short time.

Many sources prescribe that a "good password" contains several ingredients:
  •    The password should be no shorter than 8 numbers or letters long.
  •    The password should have UPPER CASE, lower case, numbers and special characters.
  •    The password should NOT contain a word from the dictionary (any language)
  •    The password should be comprised of a passcode.

This article suggests that a good password cracker can defeat even a very complicated password hash, sometimes, in a matter of a few hours.  According to the article, password expert Jeremi Gosney (Stricture Consulting Group) used a single computer with a AMD Radeon 7970 graphics card to successfully crack 90 percent of the 14,734 password hashes provided to him in a matter of 20 hours.  The least successful expert cracked 62 percent of the hashes -- in one hour. 



What are users to do?  Creating a good password simply isn't enough.  It is the only thing a user has power over, however.  A website owner has a great responsibility to securely store account information.  This includes on the server as well as on backup tapes, on paper, etc.  I mentioned that users have no control over how securely this information is stored.  It's important to recognize that users have limits to what can be controlled.  Given the lack of complete control I have a few suggestions:
  1. NEVER store credit card information on a merchant website.  Many merchant sites allow the user to save credit card information.  Just say "no".
  2. Maintain the practice of using a complex password.
  3. NEVER re-use a password on two merchant websites.
  4. If the merchant website requires you to save your credit card data on their website use a re-loadable credit card.
  5. Use a Password Manager to create a password for you.  Store the password securely.
It's a cruel world out there.  Protect yourself!


No comments:

Post a Comment