It certainly makes for a good headline, doesn’t it?
Even though that’s not what Business Week used as the lead for their article about password security last month, it might as well have been.
The article lists a range of password combinations by length (from 6 to 9 characters) and complexity (with or without mixed case, with or without special characters) and then gives the approximate time it would take a dedicated hacker to crack each one.
The first combination, 6 all-lowercase characters with no numbers, change of case or special characters, can supposedly be guessed in as little as 10 minutes. That claim is designed to scare you as well it should.
The last combination, 9 mixed-case characters with numbers and special characters will take a mind-blowing 44,530 years to crack.
Okay then, case closed, right? Everyone just needs to use this combination for their password – or even the slightly less secure 8-character version, which will still take 463 years to break – and the hackers will be out of business and we’ll all sleep peacefully knowing our precious Facebook status updates can’t be hijacked by some jerk.
While I would love it if things were that simple, I was skeptical after reading the article and decided to reach out to a security expert for a quick sanity check.
Marc Fossi, Executive Editor of the Internet Security Threat Report at Symantec, spoke to me by phone and helped shed some light on the whole password security issue.
The bottom line for Fossi? “There’s no single silver bullet for security.”
“Security is a process,” he says, and by that he means that if you’re taking comfort in the fact that you have one of those 44,530-year passwords, you should be thinking bigger-picture.
The fact is, most successful password hacks aren’t hacks at all. They’re the result of malware infecting your computer through a variety of means – perhaps you opened an infected email attachment, loaded a file from a USB key that had previously been altered, or grabbed a BitTorrent file that had been seeded as a honey-pot. The list, sadly, is long and varied. However it happens, it’s this virus sitting silently inside your PC that is the real thief and threat. It can track every keystroke you make on your keyboard and hand-deliver it to the waiting hacker, who simply has to read through the resulting text to find exactly what s/he’s looking for.
And thanks to our own lazy habit of password re-use, which Fossi flags as a serious problem, that one password may be the only one the hacker needs to gain access to your financial institution(s), email or corporate intranet.
Suddenly that crazy 9 character string of nonsense doesn’t seem so safe does it?
In case you haven’t already guessed – and there really should be no surprise here – Fossi suggests using a security product such as Symantec’s Norton 360. There are other options as well, ranging from the free AVG and Avast! to monthly paid options from your ISP.
But even the combination of strong passwords and a comprehensive security suite can’t provide 100% protection, especially in our wireless world of Wi-Fi. Unlike many password-protected websites, which often limit the number of incorrect login attempts and thus keep the brute-force method somewhat at bay, most home Wi-Fi routers have no such protection, leaving them open to a hacker in a car with a powerful laptop. Fossi notes that even the outrageously long times cited in the Business Week article could be cut in half or much more with today’s modern quad-core processors. Worse yet, if the hacker has access to a network of cloud-based computers, the total number of CPUs that could be brought to bear on cracking your password could number in the hundreds. The article simply doesn’t say what machinery was used to come up with those numbers.
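To see why the machinery matters, here is a small added calculator (not from the article or from Symantec) that backs out the guess rate implied by the article’s “6 lowercase letters in 10 minutes” figure and then shows how the 9-character full-keyspace time shrinks as more CPUs are thrown at it. The character-set sizes, and the 95-character printable-ASCII set in particular, are assumptions, since the article does not state which sets it used, so the figures will not match its 44,530 years exactly.

```python
# Added example: brute-force time estimates as a function of character set,
# length, guess rate and number of workers (none of this is the article's own code).
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Assumed character-set sizes; the article does not say which sets it used.
CHARSETS = {
    "lower": 26,
    "lower+digits": 36,
    "mixed": 52,
    "mixed+digits": 62,
    "mixed+digits+special": 95,   # printable ASCII minus space (assumption)
}


def keyspace(charset_size: int, length: int) -> int:
    """Number of candidates an exhaustive search must try."""
    return charset_size ** length


def implied_guess_rate(charset_size: int, length: int, quoted_seconds: float) -> float:
    """Guesses per second that a quoted full-keyspace crack time implies."""
    return keyspace(charset_size, length) / quoted_seconds


def crack_time_seconds(charset_size: int, length: int,
                       guesses_per_second: float, workers: int = 1) -> float:
    """Worst-case time to exhaust the keyspace; time scales 1/workers."""
    return keyspace(charset_size, length) / (guesses_per_second * workers)


def years_for_workers(charset_size: int, length: int, rate: float, workers: int) -> float:
    """Convenience wrapper returning the worst-case time in years."""
    return crack_time_seconds(charset_size, length, rate, workers) / SECONDS_PER_YEAR


def main() -> None:
    # Back out the rate behind "6 lowercase letters in 10 minutes".
    rate = implied_guess_rate(CHARSETS["lower"], 6, 10 * 60)
    print(f"implied rate: {rate:,.0f} guesses/s (single machine)")
    for workers in (1, 4, 400):          # one core, a quad-core, a small botnet
        yrs = years_for_workers(CHARSETS["mixed+digits+special"], 9, rate, workers)
        print(f"9-char full-set password, {workers:>3} worker(s): {yrs:,.0f} years")


if __name__ == "__main__":
    main()
```

The point is that a quoted crack time is only meaningful relative to an assumed guess rate; double the hardware and the number halves, which is exactly Fossi’s caveat.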
So while there may not be a “silver bullet”, there are still some best practices when it comes to keeping your data from prying eyes:
– Definitely use a “strong” password of at least 8 mixed-case letters with numbers and special characters. It may not provide complete protection but it is far better than a simpler password.
– Having trouble remembering that combination? Use what Fossi calls a “pass-phrase” instead of a password: Take the first letters from the words in an eight-word phrase that is easy for you to remember, for instance “Honey Can You Please Take Out The Trash” and convert it into: HcYpT0T# (note the “O” from “Out” is now a zero and “Trash” has become the # sign).
– Use anti-virus software, keep it up to date, and make sure you scan ALL files and attachments.
– If you have Wi-Fi at home, make sure to use WPA2 as the security protocol – it is FAR more secure than the older WEP and WPA protocols.
– Change your passwords regularly. Even if a hacker manages to get one of your passwords, it may be days, weeks or months before they get around to trying it – they deal in volume, after all – and by that time you will have moved on and they’ll be locked out.
Readers, do you have any suggestions to add to this list?