Protecting your password

Today I was going to continue writing about the ColdFusion logs and how wonderful they can be, but instead I wanted to touch on something that is near and dear to all IT security people: passwords.  Most people outside of IT hate passwords (heck, some of us in IT hate passwords).  They use the same lame password for everything because it’s a pain to remember 50 user name and password combinations for all of the random things we sign up for or log in to daily.  I don’t want to have to remember all different ones either.  And why the heck does it have to be something I’ll never remember like ‘e46*jk9%’?  Well, I will tell you why.

For every honest IT security person out there, there are many, many more who would love to get their hands on personal information, either for fun or for profit.  You can do a search on Google for ‘brute force password cracker’ and at this moment find 758,000 results.  That’s a lot of programs just to relieve users of their passwords.  So what do these programs do?  The simplest of them usually start with common words; this is called a dictionary attack.  They take a list of common words (and things like pet names, sports teams and ‘password123’) and check each one against the password.  Next in line is the brute force attack, which just tries every combination of letters (and numbers and symbols) until it guesses the password.

Here’s where mathematics comes into play.  The number of possible passwords is the size of the character set raised to the power of the password length.  For example, there are 10 single-digit numerals.  If you have 2 characters in your password, both being numbers, that is 10^2 or 100 possible combinations.  Another example: the full English alphabet (case insensitive) is 26 characters.  If your password is 6 characters long, all lowercase letters, that is 26^6, almost 309 million combinations.  Now, what does this mean to a cracker?  Your crappy password is child’s play.  If the attacker has a copy of your password hash and can test guesses offline (rather than through a login page that locks you out after a few tries), it would take less than an hour to brute force that 6-letter password, and they could still be paying 100% attention to fragging the heck out of some area in Halo 3.  Every extra character multiplies the work, and every extra character type (digits, uppercase, symbols like %) enlarges the base, so the stronger your password is, the less likely those ADHD-riddled script kiddies will bother trying.  Of course, if they’re really intent, they will wait it out, but your chances are still better with a longer password mixing letters, numbers and other random characters.
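To make the arithmetic above concrete, here is an added example (my own code, not from the original post) that computes the keyspace for a character set and length, estimates worst-case crack time at an assumed guess rate, and then runs a toy dictionary-then-brute-force cracker against SHA-256 hashes of short, constructed passwords.  The wordlist, the 100,000 guesses-per-second rate and the target passwords are all made up for illustration; the cracker is deliberately limited to short lowercase strings so it finishes in a fraction of a second.

```python
"""Keyspace arithmetic plus a toy dictionary / brute-force password cracker.

Added example, not code from the original post.  The wordlist, guess rate
and target passwords below are constructed for illustration only.
"""
import hashlib
import itertools
import string

# Constructed wordlist: the kind of guesses a dictionary attack tries first.
WORDLIST = ["password", "letmein", "123456", "qwerty", "goldfish", "halo3"]

# Assumed offline guess rate (hashes per second) for the time estimate.
ASSUMED_GUESSES_PER_SEC = 100_000


def keyspace(charset_size: int, length: int) -> int:
    """Number of candidate passwords of exactly `length` characters drawn
    from an alphabet of `charset_size` symbols: charset_size ** length."""
    return charset_size ** length


def seconds_to_exhaust(charset_size: int, length: int,
                       guesses_per_sec: float = ASSUMED_GUESSES_PER_SEC) -> float:
    """Worst-case seconds to try every candidate of exactly this length."""
    return keyspace(charset_size, length) / guesses_per_sec


def sha256_hex(candidate: str) -> str:
    """Unsalted SHA-256 of the candidate, as a hex string."""
    return hashlib.sha256(candidate.encode("utf-8")).hexdigest()


def crack(target_hash: str, wordlist, alphabet: str, max_length: int):
    """Dictionary attack first, then brute force every string over `alphabet`
    of length 1..max_length.  Returns (password, method, guesses) on success
    or (None, None, guesses) if nothing matched."""
    guesses = 0
    # Stage 1: dictionary attack - cheap, catches "what you named your goldfish".
    for word in wordlist:
        guesses += 1
        if sha256_hex(word) == target_hash:
            return word, "dictionary", guesses
    # Stage 2: brute force, shortest strings first.
    for n in range(1, max_length + 1):
        for combo in itertools.product(alphabet, repeat=n):
            guesses += 1
            candidate = "".join(combo)
            if sha256_hex(candidate) == target_hash:
                return candidate, "brute-force", guesses
    return None, None, guesses


if __name__ == "__main__":
    # The two examples from the text, then what adding character types does.
    print("2 digits:              ", keyspace(10, 2))
    print("6 lowercase letters:   ", keyspace(26, 6),
          f"(~{seconds_to_exhaust(26, 6) / 60:.0f} min at {ASSUMED_GUESSES_PER_SEC}/s)")
    mixed = len(string.ascii_letters + string.digits + string.punctuation)
    print(f"6 chars from {mixed} symbols:", keyspace(mixed, 6),
          f"(~{seconds_to_exhaust(mixed, 6) / 86400:.0f} days at {ASSUMED_GUESSES_PER_SEC}/s)")

    # Constructed targets: one in the wordlist, one that only brute force finds.
    for secret in ("goldfish", "pax"):
        result = crack(sha256_hex(secret), WORDLIST, string.ascii_lowercase, 4)
        print(f"{secret!r} recovered as {result[0]!r} via {result[1]} after {result[2]} guesses")
```

Note that the brute-force stage walks lengths 1, 2, 3, 4 in order, so a short password falls early regardless of which letters it uses, and that the time estimate assumes an unsalted, fast hash tested offline; a slow, salted password hash or an online login with lockout cuts the guess rate by orders of magnitude.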

So, to sum up, strong passwords are important.  They don’t have to be crazy unless you’re into ‘keeping it from the man’, and in that case you should just go back to your basement and your tinfoil hat, but they should be better than what you named your first goldfish.  My recommendation is at least 6 characters mixing letters, numbers and symbols.  Sure, that may still be broken in a couple of days, because nothing in the world is 100% safe, but your chances are much better, and every character you add on top of that multiplies the attacker’s work again.