Websites, SEO and web management, London UK.

Password strength

Are there criminals hiding in the cloud? BBC Click, Sunday, 8 May 2011.
http://news.bbc.co.uk/1/hi/programmes/click_online/9477968.stm

“Rogue cloud service providers based in countries with lax cybercrime laws can provide confidential hosting and data storage services,” Brendan O’Connor, the Australian minister for Home Affairs said.

Does it mean that clouds in obedient countries are not confidential..?

Amazon says it continually works to make sure the services aren’t used for illegal activity.

The technique allows 400,000 different passwords per second to be tested against the encryption. They are already experimenting with speeds that could allow one million passwords a second to be tried.

Passwords!

Calculate password combinations

Let’s assume that we use a password that contains some upper-case letters, some lower-case letters and some so-called special characters. And numbers, of course. Maybe a funny limerick in a very Central European Uralic language that has (up to) 64 cases (as opposed to just 2 in English) to fight a dictionary attack. How many characters long does a password have to be to resist a hundred years of brute-force hammering?

Uppercase 26 + lowercase 26 + specials 10 + numbers 10 = ca. 72 different characters, so the number of combinations is 72 raised to the power of the password length. Assume a million combinations tried per second. An 8-character password takes 23 years to crack. Adding one more character adds 1626 years. Or not: probability allows the extra character to be guessed at the first attempt. That means a 9-character password is as strong as an 8-character password, and an 8-character password is as strong as a 7-character password.

places   alphabet size   combinations                guesses per second   years
9        72              51,998,697,814,229,000      1,000,000            1,649
11       26              3,670,344,486,987,780       1,000,000            116
3        400,000         64,000,000,000,000,000      1,000,000            2,029

A lowercase-only password of 11 characters theoretically takes 116 years to crack. tototorrara is 11 characters.

12 characters should be enough.

Brute force cracking

In what order do they try the candidates? Who knows. Bruce Schneier has written a nice essay, "Secure Passwords Keep You Safer".

Maybe they first try a dictionary for an easy catch. A 2-word password with a dictionary of 400,000 words = 2 days. The words in the password can be written together or separated by a space. A space between the words doubles the time: 4 days then. Adding a 3rd word raises the theoretical cracking time to 2000 years. What if the third word happens to come out with the first guess? Then the three-word password turns out to be only as strong as a 2-worder. A 4-word password seems to be sufficient. How many places are in 4 words (spaces included)?

In case they plan to go through all lower-case characters first, we need 11 + 1 = 12 places to stay on the safe side (116 years).

What if they employ 100 machines? Then we need 12 + 1 = 13 places for an all-lower-case password, or 10 places for a mixed-character password.
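The arithmetic behind the table in "Calculate password combinations" and the dictionary and 100-machine estimates above, as an added example (not code from the original page). It goes one step beyond the text by also reporting the average-case time, which is half the worst case when the secret is chosen uniformly at random; the function names and the 365-day year are assumptions made here.

```python
SECONDS_PER_YEAR = 365 * 24 * 3600  # assumption: 365-day year, which reproduces the page's figures
PAGE_RATE = 1_000_000               # guesses per second per machine, the rate the page assumes


def keyspace(alphabet, places):
    """Candidates of exactly `places` symbols drawn from `alphabet` symbols
    (characters, or whole words for a dictionary attack)."""
    return alphabet ** places


def years_to_exhaust(alphabet, places, rate=PAGE_RATE, machines=1):
    """Worst case: years needed to try every candidate."""
    return keyspace(alphabet, places) / (rate * machines) / SECONDS_PER_YEAR


def expected_years(alphabet, places, rate=PAGE_RATE, machines=1):
    """Average case: a uniformly random secret is hit after about half the keyspace."""
    return years_to_exhaust(alphabet, places, rate, machines) / 2


def min_places(alphabet, target_years, rate=PAGE_RATE, machines=1):
    """Smallest length whose worst-case search time reaches target_years."""
    budget = target_years * SECONDS_PER_YEAR * rate * machines  # guesses the attacker can afford
    places = 1
    while keyspace(alphabet, places) < budget:
        places += 1
    return places


if __name__ == "__main__":
    # The rows of the page's table, plus the 8- and 12-character mixed cases from the text.
    for label, alphabet, places in [("mixed", 72, 8), ("mixed", 72, 9), ("lowercase", 26, 11),
                                    ("words", 400_000, 3), ("mixed", 72, 12)]:
        print(f"{label:9} {places:2} places: worst {years_to_exhaust(alphabet, places):,.0f} y, "
              f"average {expected_years(alphabet, places):,.0f} y")
    for machines in (1, 100):
        print(f"{machines:3} machine(s), 100 years: lowercase needs "
              f"{min_places(26, 100, machines=machines)} places, "
              f"mixed needs {min_places(72, 100, machines=machines)}")
```

The average-case column only holds for secrets picked at random; a limerick or a phrase from a known text covers far less of the keyspace than its length suggests.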

Intelligent password cracking

Use mixed characters and about 12 places. That keeps one machine busy for 615 million years. Who cares to wait so long? Quite probably they will ask us directly. They ask so politely that after 24 hours of continuous conversation we become very, very co-operative and recall all our forgotten passwords. No supercomputers involved.

Prudent and most probable way passwords are solved

Software creators are advised to make sure the software isn’t used for any illegal activity… by leaving in backdoors for G-Men.

Bruce Schneier: For years, I have said that the easiest way to break a cryptographic product is almost never by breaking the algorithm, that almost invariably there is a programming error that allows you to bypass the mathematics and break the product. A similar thing is going on here. The easiest way to guess a password isn't to guess it at all, but to exploit the inherent insecurity in the underlying operating system.

Password strength

No matter what sort of public servant or member of public may be interested in us (if at all), we need an illusion of privacy. Password strength gives us that feeling of safety.

A strong password consists of 4 words, 12 characters of any kind, or 10 mixed ones. In our own system we set a long time-out after 5 consecutive failed attempts.
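One way to implement the time-out after 5 consecutive fails, as an added example (not the site's own code). The class and function names are hypothetical, and the 15-minute lockout is an assumption, since the page only says "long".

```python
import time

MAX_FAILS = 5            # from the page: time-out after 5 consecutive fails
LOCKOUT_SECONDS = 900    # assumption: the page only says "long"; 15 minutes chosen here


class LoginThrottle:
    """Tracks consecutive failed logins per account and enforces a time-out."""

    def __init__(self, max_fails=MAX_FAILS, lockout=LOCKOUT_SECONDS, clock=time.monotonic):
        self.max_fails, self.lockout, self.clock = max_fails, lockout, clock
        self._fails = {}          # account -> consecutive failure count
        self._locked_until = {}   # account -> clock value at which the time-out ends

    def is_locked(self, account):
        return self.clock() < self._locked_until.get(account, 0.0)

    def attempt(self, account, verify):
        """Return 'locked', 'ok' or 'fail'. `verify` is a zero-argument callable
        that checks the password; it is never called during a time-out, so
        guesses made while locked out tell the attacker nothing."""
        if self.is_locked(account):
            return "locked"
        if verify():
            self._fails.pop(account, None)   # success resets the consecutive counter
            return "ok"
        self._fails[account] = self._fails.get(account, 0) + 1
        if self._fails[account] >= self.max_fails:
            self._locked_until[account] = self.clock() + self.lockout
            self._fails[account] = 0         # counting restarts after the time-out
        return "fail"


def online_guesses_per_year(max_fails=MAX_FAILS, lockout=LOCKOUT_SECONDS):
    """Upper bound on guesses against one account per year when every batch
    of max_fails wrong guesses costs one full time-out."""
    return max_fails * (365 * 24 * 3600 // lockout)
```

With these values an online attacker gets at most 175,200 guesses per account per year, compared with the million per second assumed for offline cracking above. A per-account lockout also lets anyone who knows a username lock its owner out, so it is usually paired with alerting or per-source limits.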

Password manager

A password manager is software that helps a user organize passwords and PIN codes.

A compromised master password renders all of the protected passwords vulnerable. The master password may be attacked and discovered using key logging or acoustic cryptanalysis.

Password managers that do not prevent their memory from being swapped to the hard drive make it possible to extract unencrypted passwords from the computer's hard drive, though turning off swap prevents this risk.

The major disadvantage of online password managers is the requirement that you trust the hosting site.

Password Safe - pwsafe.org.

With Password Safe, a free Windows utility designed by Bruce Schneier, users can keep their passwords securely encrypted on their computers. The not-so-slick look of their web page suggests that they are more paranoid geeks than businessmen, which is encouraging.

LastPass - lastpass.com

The free version of LastPass shows advertisements. LastPass will soon be tightly integrated not only with your browser, but also into your Windows operating system...

2011.
