For a pretty strong password, think 10. If your password contains 10 characters, you should be able to sleep well at night — perhaps for 19.24 years.
That’s how long it would take hackers to try every combination of 10 characters, assuming that the password is encrypted and that the hackers have enough computing power to mount a 100-billion-guesses-a-second effort to break the encryption.
But if your user names and passwords are sitting unencrypted on a server, you may not be able to sleep at all if you start contemplating the potential havoc ahead.
The hacker group LulzSec, for example, recently said it had gained access to Sony’s servers, where it could get at names, home addresses and passwords for more than one million Sony customers: everything was stored in plain text form. It posted information for more than 37,000 user accounts.
Sony Pictures issued a statement saying that “we deeply regret and apologize for any inconvenience caused to consumers by this cybercrime.”
Hackers would love to get their hands on a complete collection of all of your passwords, like those held at LastPass, a cloud-based password management service. At the instruction of its customers, LastPass stores user names and passwords on its server as each Web site is visited, then fills in everything automatically on subsequent visits.
LastPass reported last month that it had noticed some odd behavior in its network traffic logs and might have suffered an online break-in.
I’ve been a customer of LastPass since last year and felt a twinge of concern upon hearing the news. But my nerves were calmed by the enthusiasm of independent security experts who view LastPass’s security model to be exceptionally well designed. LastPass does not store actual passwords, only the encrypted forms. It does not hold the key to decrypting them — only its users hold that. It doesn’t even store the user’s master LastPass password, the one used to gain access to all the others: this, too, is encrypted before it is sent to the cloud and arrives at LastPass.
Steve Gibson, a security expert and chief executive of the Gibson Research Corporation, a publisher of utility programs for PCs, says he uses LastPass because its service adheres to his dictum that data “should be encrypted before it goes up to the cloud and then decrypted when it returns.”
LastPass, based in Vienna, Va., is a relatively new service, having started in 2008. Joe Siegrist, its chief executive, says that from its inception the company built systems to withstand every kind of imaginable threat, including the possibility “that its own employees cannot be trusted.”
LastPass does have a possible vulnerability that Mr. Siegrist makes no effort to shy away from: it depends on the user’s selecting a strong master password, one not found in a dictionary in any language.
If LastPass, or any company that stored passwords in encrypted form, were to suffer a data breach, the risk would be that the thieves could apply a brute-force attack at their leisure, offline, methodically trying every possible combination of characters until a match was found. With a physical safe and a combination lock, the thieves would need nearly infinite patience and a nearly infinite life expectancy to work their way through the possibilities.
Computers, however, work at a different speed.
Mr. Gibson posted a Web page that allows visitors to see how long it would take for a computer to try every possible combination of letters, numbers and special symbols to crack an encrypted password.
Here’s a little quiz: Which is the stronger password? “PrXyc.N54” or “D0g!!!!!!!”?
The first one, with nine characters, is a beaut. Mr. Gibson’s page says that it would take a hacker 2.43 months to go through every nine-character combination offline, at the rate of a hundred billion guesses a second. The second one, however, is 10 characters. That one extra character makes it much, much stronger: it would take 19.24 years at the hundred-billion-guesses-a-second rate. (Security researchers have established the feasibility of achieving these speeds with fairly inexpensive hardware.)
Don’t worry about the apparent resemblance of “D0g,” with a zero in the middle, to the word in the dictionary. That doesn’t matter, “because the attacker is totally blind to the way your passwords look,” Mr. Gibson writes on his Web site.
“The old expression ‘Close only counts in horseshoes and hand grenades’ applies here,” he says. “The only thing that an attacker can know is whether a password guess was an exact match or not.”
Mr. Gibson says that as long as the password is not on a list of commonly used passwords and is not found in a dictionary, the most important password factor is length.
A SKEPTICAL voice comes from Paul C. Van Oorschot, a professor of computer science at Carleton University in Ottawa. “I believe any system will fail,” he contends. Consequently, he says, “I don’t use a password manager; I write my passwords down on paper, slightly obfuscated.” Even this, however, does not give him enough comfort for some things: he does not have an online banking account because of his concern about hacking risk.
An alternative response to that risk is to use strong passwords, gibberish characters adding up to at least 10 characters. Of course, it is absolutely imperative that Web sites store your password in encrypted form. Always, always, always.
If Sony had built more secure systems, it would not find itself being mocked in the public square. A new Web site has popped up: HasSonyBeenHackedThisWeek.com.