'Open Sesame!' - Is Your Password So Easy To Guess?
Mar 4, 2013 9:58am
The following is a guest blog by Michael Waksman, CEO of Jetico.

When I was a child, I loved hearing folk stories. One of my favorites was the legendary tale of Ali Baba and the Forty Thieves from 1001 Arabian Nights. Wasn’t it amazing how just a couple of little words could be the secret to opening up a world of treasures! Ali Baba was lucky to discover the secret password, ‘Open Sesame!’, by overhearing the Master Thief as he commanded the mouth of the cave to open. But what if Ali Baba had to figure out the secret password by himself? Just how long might it have taken to test all the countless possibilities? Would he ever have succeeded? Or maybe the legend of Ali Baba would never have been told.
How hard could it really be to guess a password?
Well, let’s pretend to be Ali Baba, but not so lucky to overhear the secret password – and of course living in a time before computers. How challenging would it be to guess the password, ‘Open Sesame’?
Let’s assume we know the password isn't very long, maybe 10 letters or so. We would have to try every possible combination of letters. We know in this case that the password was spoken and not typed, so it must contain only letters, with no numbers or symbols.
If it takes about one second to say aloud each 10-letter phrase, then the time to guess all possible 10-letter phrases amounts to about 3 million years! And there most definitely would not have been a story about Ali Baba.
Fast forward to now. With all our technological advances, it's now relatively easy for computers to guess passwords. Commercial tools exist that claim to test up to 2.8 billion passwords per second using just a standard desktop computer. If Ali Baba were fortunate to have such a powerful device at his fingertips, he could crack the thieves’ password in just one day!
So – as the NCSA advises – how can you make a password long and strong?
Thankfully, modern technology now allows for more complex passwords. With upper and lower case, numbers and special characters, our passwords today can be composed from about 100 different symbols – and many more by using Alt-codes or different languages. A ‘brute force’ attack to guess a 10-symbol password would now take about 3000 years.
Yet password-guessing programs can use a dictionary attack, testing only the likely candidates instead of every combination – reducing this amount of time considerably.
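To carry the article's keyspace reasoning through in code, here is an added example (not part of the original post) that estimates the worst-case exhaustive guessing time for a password from the size of its alphabet and its length, and contrasts it with a dictionary attack that only tries passphrases built from a wordlist. The guess rate of 2.8 billion per second is taken from the article; the character-class sizes and the 10,000-word list are assumptions.

```python
"""Estimate worst-case guessing time for a password (added example)."""
import string

SECONDS_PER_YEAR = 365 * 24 * 60 * 60

# Character classes an attacker would have to cover (sizes 26, 26, 10, 33).
CHAR_CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation + " "),
}


def alphabet_size(password: str) -> int:
    """Alphabet a brute-force attacker must assume, from the classes used."""
    used = {name for name, chars in CHAR_CLASSES.items()
            if any(c in chars for c in password)}
    size = sum(len(CHAR_CLASSES[name]) for name in used)
    # Characters outside the four classes (accented letters, Alt-codes) each
    # add one symbol; a real attacker would have to widen the alphabet further.
    extras = {c for c in password
              if not any(c in chars for chars in CHAR_CLASSES.values())}
    return size + len(extras)


def brute_force_seconds(alphabet: int, length: int, rate: float) -> float:
    """Time to exhaust every combination of `length` symbols from `alphabet`."""
    return alphabet ** length / rate


def dictionary_seconds(wordlist_size: int, words: int, rate: float) -> float:
    """Time to exhaust passphrases of `words` entries drawn from a wordlist:
    the attacker tests likely candidates only, not every letter combination."""
    return wordlist_size ** words / rate


def estimate(password: str, rate: float = 2.8e9) -> dict:
    """Worst-case brute-force time for `password` at `rate` guesses/second."""
    alphabet = alphabet_size(password)
    seconds = brute_force_seconds(alphabet, len(password), rate)
    return {"alphabet": alphabet, "length": len(password),
            "seconds": seconds, "years": seconds / SECONDS_PER_YEAR}


if __name__ == "__main__":
    # Ali Baba saying one 10-letter phrase per second, versus a desktop cracker.
    print(f"{brute_force_seconds(26, 10, 1) / SECONDS_PER_YEAR:,.0f} years by voice")
    print(f"{brute_force_seconds(26, 10, 2.8e9) / 3600:.1f} hours on a desktop")
    print(estimate("Open Sesame!"))
    # 'opensesame' is two dictionary words: a 10,000-word list is exhausted fast.
    print(f"{dictionary_seconds(10_000, 2, 2.8e9):.3f} s as a two-word passphrase")
```

The exhaustive figures are an upper bound; the dictionary line shows why a password made of common words falls far below that bound.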
We need our information to be safe online. So we must have a reliable way to create good passwords that are unlikely to be found in any dictionary.
Here are some ideas:
Always keep an open mind. Invent your own algorithms. In line with the guidance promoted by the NCSA, make your password unique to your life and not something that is easily guessed. Just one method is never enough. The best is to use a combination of methods, like so…
Let's return to the story of Ali Baba, but this time he wants to be more security conscious. After finding 'Open Sesame', he then decides to change this secret password so nobody else can access the treasure.
Final thought – Watch out for keyloggers!
In the story of Ali Baba, the password was spoken out loud, so he was able to overhear it. When our passwords are typed on a keyboard, a different kind of 'hearing' is possible: your keystrokes can be recorded as you type by so-called 'keyloggers'.
To protect yourself from keyloggers, encryption software is available with an ‘anti-keylogger’ built in. This is the only way to ensure that your password – and therefore your personal information – stays safe and private.

Michael Waksman is the CEO of Jetico, a company that provides military-standard data protection software for all highly sensitive information and mission-critical data throughout the lifecycle. For over 10 years, Jetico's BCWipe has been trusted by the U.S. Department of Defense to securely erase sensitive data.