The topic mentions "Strong Passwords" but doesn't seem to address them in the post.
The reason our passwords may be compromised is that whoever hacked the site most likely has the hashed values of our passwords. They can use a password cracker to attempt and crack the passwords... the weaker your password is, the more likely they'll be able to crack it.
If your password is strong enough (any password can be cracked- it's just a matter of time. A weak password will be cracked in less than a second. A sufficiently strong password can take months, or even years, to crack)
A few tips on creating strong passwords:
-Use a minimum of 8 characters for your passwords. Passwords become exponentially more difficult to "crack" with each character. A password that is 8 characters is significantly more difficult to crack than a password with 7, which is significantly more difficult to crack than 6 (and so on). The reason 8 characters is the 'magic number' for minimum goes back to older Window servers that use the old LM Hash scheme for backwards compatibility. Basically, LM hash would break a password into two halves of 7 characters each. If a password only had 7 (or less) characters, the second half was full of 0s and would be cracked instantly. You can read more about that
here -Never use dictionary words Passwords are stored in a hash format usually (and most likely done on this very forum). Hashes, unlike encryption, can
NOT be reversed. "Cracking" a password, therefor, is actually a trial and error process where random strings of text are hashed over and over again until a hash matches your password's hash. (For example, your password when hashed is "abcd". A 'cracker' will try random characters until it gets a result of "abcd"- the string it uses is [usually] your password). Password "crackers" will usually first use a file containing a list of dictionary words to attempt and crack the password, as many people use dictionary words for their passwords. Most crackers are sophisticated enough to automatically capitalize the letters and add numbers to the beginning and end of the words. (I.e, using 'Password123' for a password is a very weak password)
-Use a mix of upper and lower case letters, numbers, and special characters This ties in with a passwords' length. To computers, the character 'a' and 'A' are two completely different characters. This means that the password 'abcd' and the password 'Abcd' are two completely different passwords. Furthermore, the difference between 'a' and 'A' is just as different to a computer as 'a' and 'z' or 'a' and '!'. If the dictionary list fails, a password cracker will resort to a 'brute force' attack, where it simply tries every combination possible.
Locktown.co.uk has some excellent info on the time required to crack passwords from 2007 (so times will be even faster now). As you can see, if you use a password with only lower case letters (26 possible characters) and it's 5 characters long, a cracker has up to 11.8 Million different combinations to attempt before it cracks the password. If you add numbers to the mix (lower case and numbers), the cracker has up to 60.4 million combinations to go through. If you add upper case and special characters to
that the number of possible combinations goes up to 8 Billion (8 character long passwords, by the way, have a possible combination of 7.2 Quadrillion)
In conclusion, try to include at
least one upper case letter, one lower case letter, one number, and one special character in your passwords.
-Substitute numbers and special characters for letters To make passwords easier to remember, you can substitute letters and special characters in for letters. You can use @ instead of 'a' for example, or 0 (zero) for the letter o. Try 3 for 'e' or an exclamation mark for the letter i. For example, Microsoft commonly uses 'password' for passwords in their courses to make things easier (students forget passwords...).
However, as their software often requires strong passwords, "password" is often written as P@ssw0rd. It's 8 characters long, contains an upper case letter, a number (zero is substituted for the letter o) and a special character (@ is substituted for the letter 'a'). While the password is, in fact, a dictionary word... it's still quite strong because most crackers don't consider it the same as 'password', even if they are able to try substitution.
Of course, P@ssw0rd is commonly known and in virtually every dictionary file list out there...making it just as weak as any other dictionary word. (So don't use it ;) )
-Try using a phrase instead of a word To help create a password that isn't a dictionary word and isn't impossible to remember, you can take a phrase or a lyric from a favorite song instead and simply take the first letter of each word. For example:
"
And
I,
for
one,
welcome
our
new
WoB
overlords"
becomes: AIfowonWo
Okay, not too bad. We've got something here. We've got 9 characters... that's pretty nice. We've also got upper case letters (each capitalized letter in the sentence) and lower case letters (each non-capitalized letter in the sentence). No dictionary list is going to have that word for sure!
But we can make it better. Let's try to get some numbers in there. One of the words in the phrase is 'one'...well, that's easy enough. Let's swap that 'o' for literally the number 1. We can do the same thing for the word 'for', which gave us the letter f.
Okay... we've got AI41wonWo
Better, definitely better. Now we've got three of the four types of characters in there. Upper and lower characters and numbers. Let's try to get a special character in there: Let's swap that capital A for an @...
@I41wonWo
Perfect! ...or is it?
-You can pad passwords too Just like how the LM hash will pad out a password to make it 14 characters long (so it can break it into two groups of 7) we can pad our passwords too. This can be as simple as putting brackets around our password such as
(password
) or quotation marks
"password
" or just adding some extra exclamation marks: password!!!
Taking our password from above, let's put some quotation marks around it, as it's a phrase Ken Brockman says in a Simpsons episode: "@I41wonWo"
And because we really,
really love our new Word of Blake masters... let's put some feeling into that phrase. We should
exclaim it! We'll add an ! at the end, between the last word (overlords) and the ending quotation mark.
We get: "@I41wonWo!"
Which is... 12 characters long (Nice!), all four types of characters (in fact, we could change the @ back to A to make things easier to remember) which is even better, PLUS, it isn't a dictionary word...so even a cracker substituting numbers and special characters into dictionary words won't be able to crack it.
It's also not *too* hard to remember... so long as we continue to keep faith with the Wobbies. ;)
