I came across an article that has been making the rounds this past month that you can read here. It’s the story of one editor’s (Nate Anderson of Ars Technica) foray into password cracking, and it can be very eye-opening about the world of password security. In it, he goes over how he dipped his toes into the seedy world of brute-force cracking, using a computer to guess someone’s password a million times a second, and was able to accomplish a lot in a single day. You may find it enlightening how passwords are encrypted and stored. Hopefully it will get you asking important questions you may not have thought about before – how your security is handled; whether passwords are stored securely; whether you are using the same password everywhere.
One thing that struck me was the RockYou dictionary. I already knew about dictionaries (or wordlists). These are lists of words that are used when attempting to crack a password. What I wasn’t aware of was the RockYou list. This is a list of passwords stolen from a gaming company, RockYou, back in 2009 that were stored in plain text (not encrypted); over 32 million users were affected. A list of over 14 million unique passwords that people use to protect their accounts was exposed and is now used in cracking as a list of common passwords. That gave me pause. Nate even found a password he uses often in this list.
Correct Horse Battery Staple
One item that comes up a lot in these password security discussions, and is mentioned in the article, is a webcomic by XKCD. It boils the particulars of password security down into an easily palatable format – short but insanely complex passwords do not ensure security; they can, in fact, jeopardize it. Dan Wheeler of Dropbox also wrote an excellent blog post on the topic, using this comic as his inspiration. He put the question to the test – complexity vs. length – and produced a very worthwhile password checker (please don’t use ‘real’ passwords in the demo unless you intend to run the open-source version on your own server, available on GitHub). I hope you play around with it a bit.
What you can take away from all of this is that length will win out, eventually. You do need to use some level of complexity, though, to ensure that you’re making a password unique enough to thwart a computer that has been taught a lot of your tricks. Also, using the same login and password for multiple sites is an invitation to disaster, especially if it involves any financial information. Once a username/password combo is cracked, you can expect someone to test and see if it works on another site.
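To make the length-versus-complexity point concrete, here is an added example (my own, not code from Nate’s article or from Dan Wheeler’s checker) that estimates how many guesses three kinds of password survive under the cheapest attack model that fits each one, at the million-guesses-per-second rate quoted in the article. The leaked-password sample, the word dictionary and its assumed size of 2048 entries are constructed stand-ins, not the real RockYou list.

```python
import re

# Constructed sample data: stand-ins for the RockYou list and for the
# attacker's word dictionary, neither of which is included here.
LEAKED_SAMPLE = {"123456", "password", "iloveyou", "princess", "rockyou"}
COMMON_WORDS = {"correct", "horse", "battery", "staple", "monkey"}
DICTIONARY_SIZE = 2048           # assumed size of the attacker's wordlist
GUESSES_PER_SECOND = 1_000_000   # guessing rate quoted in the article
LEET = str.maketrans("0431@$", "oaeias")  # common symbol-for-letter swaps

def charset_size(pw):
    """Sum of the character classes the password actually draws from."""
    size = sum(n for f, n in ((str.islower, 26), (str.isupper, 26),
                              (str.isdigit, 10)) if any(f(c) for c in pw))
    return size + (33 if any(not c.isalnum() for c in pw) else 0)

def brute_force_guesses(pw):
    """Exhaustive search over every length up to len(pw)."""
    n = charset_size(pw)
    return sum(n ** k for k in range(1, len(pw) + 1))

def substituted_word_guesses(pw):
    """A 'complex' password that is really one dictionary word with l33t
    swaps, a capital letter and a short digit/symbol suffix (the comic's
    'Tr0ub4dor&3' pattern). Returns None if the pattern does not apply."""
    core, suffix = re.match(r"^(.*?)([^A-Za-z]*)$", pw).groups()
    base = core.translate(LEET).lower()
    if not core or base not in COMMON_WORDS:
        return None
    swaps = sum(a != b for a, b in zip(core.lower(), base))
    # word choice * which letters were swapped * capitalised or not * suffix
    return DICTIONARY_SIZE * 2 ** swaps * 2 * 43 ** len(suffix)

def passphrase_guesses(pw):
    """Several dictionary words separated by spaces: the attacker only has
    to try every combination of words, not every character."""
    words = pw.split()
    if len(words) < 2 or any(w not in COMMON_WORDS for w in words):
        return None
    return DICTIONARY_SIZE ** len(words)

def estimate(pw):
    """(model, guesses) for the cheapest attack model that fits `pw`."""
    if pw in LEAKED_SAMPLE:
        return "leaked", 1        # on the list: found on the first try
    candidates = {"brute force": brute_force_guesses(pw)}
    for name, fn in (("substituted word", substituted_word_guesses),
                     ("passphrase", passphrase_guesses)):
        if (g := fn(pw)) is not None:
            candidates[name] = g
    return min(candidates.items(), key=lambda kv: kv[1])

def days_to_crack(guesses):
    return guesses / GUESSES_PER_SECOND / 86400
```

Run `estimate()` on a leaked password, on something like `M0nkey!7`, and on `correct horse battery staple`: the first falls instantly, the “complex” one lasts seconds because it is one word dressed up, and the four plain words hold out for months even against an attacker who knows exactly which dictionary they came from.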