Thursday, December 22, 2011

Strength in length

kw: computers, hacking, passwords

The time will come when, if you want to have a secure password, it will have to be something like

Now i$ the t1m3 4 all g00d men 2 c0m3 2D aid of th31r Cntry

or, if spaces remain disallowed,

Nowi$thet1m34allg00dmen2c0m32Daidofth31rCntry

Now that larger numbers of cyber criminals have turned from stealing data to stealing money from online banking systems, protecting online accounts is even more necessary. The most frequent attacks recently have been aimed at an institution's customer records. If your bank is any good, it does not store your password with your account, but a "hash", an encrypted version of the password. When you log in, your password is encrypted to a hash and compared with the hash on file. If a criminal obtains those online records, the password is difficult to extract from the hash... difficult, but not impossible.

Suppose that, like many, your password is only six characters, all lower case, perhaps with a numeric digit or two included; a password like my1dog. Someone wishing to crack your record will start with letters only, then letters plus one digit, and so forth. A six-letter lower-case password will be one of 26^6 possible strings, from aaaaaa to zzzzzz, a total of about 309 million possibilities. Let one letter be a digit, and the total becomes 428 million. Those sound like a lot. But the criminals in this billion-dollar industry aren't afraid to spend money on hardware, and a recent exploit by the system Deep Crack was able to test nearly 100 billion possibilities per second. Your password would be extracted within 0.004 seconds!

Of course, most banking sites have required at least eight characters for some time, and it is "suggested" that lower case, upper case and digits all be mixed in. The possibilities then get more numerous, because 26+26+10 = 62, and 62^8 = 218 trillion. That's more like it! Let's see, 218 trillion divided by 100 billion = 2,180 seconds, or about 36 minutes. If someone wants those passwords badly enough, and has the equipment, the hard part is getting the banking records in the first place. That done, passwords can be extracted at the rate of forty per day of CPU time. That is still not very comforting. Eight is not enough.

In length is strength. For the current time, it is better to use nine or ten characters, and keep things mixed up. Each added character multiplies cracking time by 62: nine characters means 37 hours and ten characters means 97 days. That is more like it. However, each decade that passes, ultimate computer speeds increase by a factor of 1,000. In about 2020, cracking a 10-character alphanumeric password will be achievable in about 2½ hours.

If you want a password to last a while, the time is now to go to at least 12-character passwords, which are nearly 4,000 times as hard to crack as 10-character ones. If your banking site allows certain punctuation marks also (such as $ # % @ * ), that just makes things even harder for the criminal.
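The arithmetic in the preceding paragraphs, as an added example that is not code from the original post: a small Python estimator using the post's own model (keyspace = alphabet size to the power of the length, searched at 100 billion guesses per second, with attacker speed growing 1,000-fold per decade). The way it counts an alphabet from the character classes a password uses, including the five punctuation marks the post lists, is my assumption, not the post's.

```python
import string

# Added example, not from the original post: brute-force estimates using the
# post's model (keyspace = alphabet ** length, tested at 100 billion/s, and
# attacker speed growing 1,000x per decade). Class sizes are my assumption.
LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
PUNCT = "$#%@*"                      # the punctuation marks the post lists
GUESSES_PER_SEC = 100e9              # the post's "nearly 100 billion per second"

def alphabet_size(password: str) -> int:
    """Sum of the sizes of the character classes the password draws from."""
    allowed = LOWER + UPPER + DIGITS + PUNCT
    if any(c not in allowed for c in password):
        raise ValueError("character outside the lower/upper/digit/punct classes")
    return sum(len(cls) for cls in (LOWER, UPPER, DIGITS, PUNCT)
               if any(c in cls for c in password))

def keyspace(alpha: int, length: int) -> int:
    """Number of candidate strings an exhaustive search must cover."""
    return alpha ** length

def crack_seconds(alpha: int, length: int, rate: float = GUESSES_PER_SEC) -> float:
    """Worst-case seconds to exhaust the keyspace at `rate` guesses per second."""
    return keyspace(alpha, length) / rate

def projected_seconds(seconds_now: float, decades: float) -> float:
    """The same search `decades` later, with hardware 1,000x faster per decade."""
    return seconds_now / 1000 ** decades

def human(seconds: float) -> str:
    """Render a duration in the largest convenient unit."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.3g} seconds"

if __name__ == "__main__":
    # Constructed inputs: the passwords quoted in the post.
    for pw in ("my1dog", "5Zep38xN", "hz$oy1mgt00y"):
        a, n = alphabet_size(pw), len(pw)
        now = crack_seconds(a, n)
        print(f"{pw:14} alphabet {a:2}  {n} chars  keyspace {keyspace(a, n):.3g}  "
              f"today: {human(now):>14}  one decade on: {human(projected_seconds(now, 1))}")
```

Running it reproduces the post's figures (about 36 minutes for 62^8, 37 hours for nine characters, 97 days for ten, a little over 1,000 years for twelve) and shows the ten-character case dropping to roughly 2.3 hours a decade later.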

Now, how are you ever going to remember such passwords? I find it hard to remember 5Zep38xN, which was suggested to me by an institution not long ago. Of course, I didn't use that, but created a longer one, based on an algorithm. I have a different algorithm now, so I can discuss the older one in relative safety. It worked like this:
  • Choose a 12-letter word such as homozygosity.
  • Break it into two or three parts (I usually used 2, but let's use 3 here): homo zygo sity.
  • Mix the three in sequence, taking one letter from each part in turn: hzsoyimgtooy.
  • Replace certain letters with numbers or punctuation: hz$oy1mgt00y (notice I didn't change one of the o's to a zero).
Now you have the problem of remembering it! hz$oy1mgt00y is not memory friendly. You simply have to keep a list. I keep my list in two parts: Part 1 contains such passwords and their generating words, and Part 2 has the account identity and just the generator word. I carry Part 2 and keep Part 1 hidden away. For further security, I have user names, wherever possible, that are as obscure as the passwords. I keep the decoding information on Part 1 and "reminders" on Part 2. With practice, if I can't remember the password from the hints on Part 2, I can regenerate it on the fly.

Passwords such as the one created here (Don't use it! Use a different starter word) will require a cracking computer to go through nearly 4×10^21 combinations, which will require more than 1,000 years. In another ten years, it'll still take a year or more, so somebody will really have to want it bad to attempt it. And by then, who knows, maybe the web site will look at me through my web cam, listen to my voice, and "recognize" me. I'll address the problem of duress later...
