Archive for the ‘Passwords’ Category

NIST’s new password security rules beg a question …..

August 16, 2017

How long does it take to hack a 16-character password?

=======

Last week, NIST (the National Institute of Standards and Technology) issued new guidelines for password security.

After a review, NIST concluded that its former rules — passwords to include upper and lower case letters, numbers, special characters — made logins more complicated but didn’t materially improve online security.

Now, NIST is recommending using long, easy-to-remember phrases instead of relatively short strings of mixed letters, numbers and characters.

The rationale: the longer the string, the harder it is to crack.

For example, some researchers concluded that it would take only 3 days to crack a password like “Tr0ub4dor&3”, but over 550 years to crack the password “CorrectHorseBatteryStaple”.
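The arithmetic behind that comparison is worth seeing, because the answer depends entirely on two things: how many guesses the attacker needs (which is a property of how the password was chosen, not just its length) and how many guesses per second the attacker gets. The following is an added example in Python, not code from the original post or from NIST. It reproduces the “3 days / 550 years” figures, which match the widely circulated xkcd comparison and its assumed rate of 1,000 guesses per second, and then reruns the same passwords at an assumed offline rate of 10 billion guesses per second. The 28-bit estimate for “Tr0ub4dor&3”, the 2048-word dictionary, both guess rates and the 16-character model are assumptions, not figures from the post.

```python
import math

SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY

# Guess rates are assumptions. 1,000/s is the rate that reproduces the
# "3 days / 550 years" comparison (an attacker limited to online guessing,
# or a deliberately slow hash); 1e10/s is a plausible offline rate against
# a fast, unsalted hash on GPU hardware.
ONLINE_RATE = 1_000
OFFLINE_RATE = 10_000_000_000


def random_string_bits(length, alphabet_size):
    """Entropy of a password chosen uniformly at random: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def passphrase_bits(word_count, dictionary_size):
    """Entropy of a passphrase whose words are drawn uniformly from a fixed list."""
    return word_count * math.log2(dictionary_size)


def worst_case_seconds(bits, guesses_per_second):
    """Time to exhaust a keyspace of 2**bits guesses at the given rate
    (full keyspace, which is the convention behind the figures quoted above)."""
    return 2.0 ** bits / guesses_per_second


def crack_time(bits, guesses_per_second):
    """Worst-case time as a (value, unit) pair in the most readable unit."""
    s = worst_case_seconds(bits, guesses_per_second)
    if s < 60:
        return (s, "seconds")
    if s < SECONDS_PER_DAY:
        return (s / 3600, "hours")
    if s < SECONDS_PER_YEAR:
        return (s / SECONDS_PER_DAY, "days")
    return (s / SECONDS_PER_YEAR, "years")


# Password models. The bit count for "Tr0ub4dor&3" is NOT derived from its
# raw length: it is a dictionary word with predictable substitutions, so an
# attacker who models that pattern needs only about 2**28 guesses (the
# assumption that yields "3 days"). Counting it as 11 random printable
# characters would wildly overstate its strength. The passphrase is modelled
# as 4 words from an assumed 2048-word list; the last row is a genuinely
# random 16-character password from the 95 printable ASCII characters.
MODELS = {
    "Tr0ub4dor&3 (word + substitutions, pattern attack)": 28,
    "Tr0ub4dor&3 (naive: 11 random printable chars)": random_string_bits(11, 95),
    "CorrectHorseBatteryStaple (4 words of 2048)": passphrase_bits(4, 2048),
    "16 random printable chars": random_string_bits(16, 95),
}


def crack_time_table(rates=(ONLINE_RATE, OFFLINE_RATE)):
    """Return {model: {rate: (value, unit)}} for every model and guess rate."""
    return {name: {rate: crack_time(bits, rate) for rate in rates}
            for name, bits in MODELS.items()}


if __name__ == "__main__":
    for name, by_rate in crack_time_table().items():
        print(name)
        for rate, (value, unit) in by_rate.items():
            print(f"  at {rate:>14,} guesses/s: {value:,.1f} {unit}")
```

The table makes the practitioner's caveat concrete: at 1,000 guesses per second the passphrase really does take centuries, but at an offline rate against a fast hash the same 44 bits fall in well under an hour. Length only buys time when the hash is slow (bcrypt, scrypt, Argon2) or the attacker is rate-limited; a leaked fast hash is the scenario the rest of this post is about.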


Oh really?

The story reminded me of a prior HomaFiles post that reported on a hacking test.

Hackers were given 1 hour to crack more than 16,000 cryptographically hashed passwords.

Here are the (frightening) results …


(more…)

Gotcha: How long does it take to hack a 16-character password?

August 4, 2016

First, how many of us have a 16-character password?

If the over-under is 1, I’m betting the under.


Still, let’s pretend that your passwords are 16 characters long – a mix of capital and lower case letters, numbers and special characters.

Here’s how long it takes to crack it …

(more…)

Road rage is so yesterday … today, it’s password rage.

August 3, 2016

Here’s a shocker for you.

According to a survey conducted by Centrify, a leader in identity management, 1/3 of online users admit to suffering from ‘password rage’ … with many of them driven to crying, screaming and swearing.


=======

Here are some of the survey’s more interesting findings:

(more…)

Hacked: Are periodic password changes worth the trouble?

March 15, 2016

Cyber-security folks always advise us to use different passwords for all accounts and to regularly change them.

Intuitively, that makes sense.

And, many organizations now force employees, as a matter of policy, to change their passwords every couple of months.


But a recent study cited by the FTC’s chief technologist suggests that the security benefits of forced password changes may be more apparent than real … and may do more harm than good.


==========

According to the Washington Post

“The longstanding IT security practice is based on the idea that flushing out old passwords will cut off access for bad guys who may have figured them out.”

But according to the Federal Trade Commission’s chief technologist, Lorrie Cranor, the strategy has some major holes.

“Unless there is reason to believe a password has been compromised or shared, requiring regular password changes may actually do more harm than good in some cases.”

Why?

“Because forcing people to keep changing their passwords can result in workers coming up with, well, bad passwords.”

=======

Some evidence …

A study at the University of North Carolina looked at a data set of thousands of old passwords belonging to former students, faculty and staff at the university, who had been required to change their password every three months.

They found that users often followed patterns that linked old passwords to new passwords — such as swapping the order of meaningful numbers and letters, replacing a letter with a common number or symbol substitute (think changing an E into a 3), or adding or removing special characters like exclamation marks.

Using a tool they designed to predict those types of changes, the researchers could predict how users would change their passwords for 41 percent of the accounts in less than three seconds using a relatively low-powered computer.

The researchers also determined the new passwords for 17 percent of the accounts in fewer than five guesses — few enough to try against a live login without tripping a lockout.
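To make the point concrete, here is an added example in Python of the transform-guessing idea, written for this page; it is not the UNC researchers’ tool, which the post does not reproduce. Given a user’s old password, it generates candidate new passwords from the pattern classes described above (bump a number, add or remove a trailing special character, substitute or un-substitute a letter, swap the word and number blocks, flip the leading capital) and counts how many guesses each constructed old/new pair takes. The substitution table, the order in which the transform classes are tried, the five-guess “online” limit and the sample pairs are all assumptions.

```python
import re

# Letter substitutions of the kind the study describes (an E becoming a 3).
# The table and the ordering of transform classes below are assumptions for
# illustration, not the researchers' model.
LEET = {"a": "4@", "e": "3", "i": "1!", "o": "0", "s": "5$", "t": "7"}
UNLEET = {sub: letter for letter, subs in LEET.items() for sub in subs}
SPECIALS = "!@#$"


def candidates(old):
    """Return guesses for the next password, derived from `old`, in the order tried."""
    cands = []

    def add(c):
        if c and c != old and c not in cands:
            cands.append(c)

    # 1. Bump a number (2015 -> 2016, #1 -> #2), keeping anything after it.
    m = re.search(r"(\d+)(\D*)$", old)
    if m:
        digits, tail = m.group(1), m.group(2)
        add(old[:m.start()] + str(int(digits) + 1).zfill(len(digits)) + tail)
    # 2. Remove, or add, a trailing special character.
    stripped = old.rstrip(SPECIALS)
    add(stripped)
    for s in SPECIALS:
        add(stripped + s)
    # 3. Substitute one letter (E -> 3), or undo one existing substitution.
    for i, ch in enumerate(old):
        for sub in LEET.get(ch.lower(), ""):
            add(old[:i] + sub + old[i + 1:])
        if ch in UNLEET:
            add(old[:i] + UNLEET[ch] + old[i + 1:])
    # 4. Swap the order of the word block and the number block.
    for pattern in (r"([A-Za-z]+)(\d+)([^A-Za-z\d]*)", r"(\d+)([A-Za-z]+)([^A-Za-z\d]*)"):
        m = re.fullmatch(pattern, old)
        if m:
            add(m.group(2) + m.group(1) + m.group(3))
    # 5. Flip the case of the first character.
    add(old[:1].swapcase() + old[1:])
    return cands


def guesses_needed(old, new):
    """1-based position of `new` in the candidate list, or None if never generated."""
    cands = candidates(old)
    return cands.index(new) + 1 if new in cands else None


def summarize(pairs, online_limit=5):
    """Count accounts whose new password is reached within `online_limit` guesses
    (what an attacker can afford against a live login) and within the whole
    candidate list (what an offline attacker with a leaked hash can afford)."""
    results = [guesses_needed(old, new) for old, new in pairs]
    return {
        "accounts": len(pairs),
        "within_online_limit": sum(1 for g in results if g is not None and g <= online_limit),
        "within_candidates": sum(1 for g in results if g is not None),
    }


# Constructed (old, new) password pairs for illustration; not data from the study.
SAMPLE_PAIRS = [
    ("tarheels#1", "tarheels#2"),
    ("Summer2015!", "Summer2016!"),
    ("qwerty!", "qwerty"),
    ("Password1", "P@ssword1"),
    ("GoHeels2014", "2014GoHeels"),
    ("hunter2", "Hunter2"),
    ("Wolfpack!", "Bluedevil9"),   # genuinely new password: the transforms never reach it
]

if __name__ == "__main__":
    for old, new in SAMPLE_PAIRS:
        print(f"{old!r:16} -> {new!r:16} guesses: {guesses_needed(old, new)}")
    print(summarize(SAMPLE_PAIRS))
```

Only the last pair, an unrelated password, defeats the transforms. That is the lesson of the study in one line: a mandatory rotation policy is only as strong as the weakest, most predictable edit a user is allowed to make.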

======

My take:

The problem isn’t periodic password changes … it’s benign neglect or passive aggressive behavior by folks who are annoyed by policies that attempt to save them from themselves.

Passwords should be strong … and they should be changed periodically … and, they should be varied across accounts. Period.

Fool-proof?

Heck no … but improves the odds.

And, whenever possible, use a 2-step process (e.g. challenge questions) for your most sensitive accounts.

Trust me, it’s less hassle than getting hacked.

======

#HomaFiles

Follow on Twitter @KenHoma >> Latest Posts

=======

How long does it take to hack a 16-character password?

January 15, 2015

You gotta start scratching your head a bit when the Dept. of Defense gets its Twitter account hacked and issues an internal directive to change social networking passwords.

Not obvious to me why the DOD even has a Twitter account, and laughably frightening that they didn’t already have a policy for frequent password changes.

The fiasco reminded me of a competition to see how long it would take uber-hackers to crack 15,000 15-character passwords.

Let’s pretend that your passwords are 16 characters long – a mix of capital and lower case letters, numbers and special characters.

Here’s how long it takes to crack them …

(more…)

Gotcha: How long does it take to hack a 16-character password?

June 3, 2013

First, how many of us have a 16-character password?

If the over-under is 1, I’m betting the under.

Still, let’s pretend that your passwords are 16 characters long – a mix of capital and lower case letters, numbers and special characters.

Here’s how long it takes to crack it …

(more…)