Being Cute with Passwords Eventually Might Be Very Costly

Compliance / Privacy
Typography
  • Smaller Small Medium Big Bigger
  • Default Helvetica Segoe Georgia Times

Using a random-number generator, however, can give you an unbreakable password.

 

I've been writing for the past few weeks about security and encryption and ways to take care of yourself and your computer in the face of some pretty--shall we say--"obsessive behavior" by numerous people using the Internet who aren't very nice.

 

I have to confess that when I thought up my most common password, variations of which I use for just about everything, I imagined a classroom of sixth-graders sitting around trying to guess what it is. "No, Johnnie, that's not it! Try again!" I'm usually pretty good at guessing things myself, probably because I've read so many newspapers in my time that I've been exposed to a lot of information. One gal-pal challenged me to guess where her user ID came from, and I finally figured out it was the call sign, or tail number, from an airplane. Turned out the number had been on a plane owned by her father, who had since passed away.

 

One name I never guessed was the middle name of a gal I longed for when I was 22. She made guessing it a right of passage, for some reason, and I kept trying to guess it but never could. I finally read it in the newspaper in the notice of engagement--to someone else. Maybe he guessed it?

 

But here's the thing: Today, if someone is trying to get into your computer, they are not sitting around saying, "Could his password be his birthday? What about his social security number? Maybe he uses his street address?" And for some of us, they probably would guess it that way outright, but no, they are using very sophisticated software programs that already have tables of passwords that people have previously shown they already use. They are using botnets (robot networks) that employ the resources of not hundreds, but thousands of computers around the world that will try every conceivable possible password until they get it right in order to hack into your or your company's computer files. Now if your password is your son's birthday, just how long do you think such a password is going to hold up against such an onslaught?

 

"Oh, but we have nothing to steal. Why would anyone be interested in breaking into our computer? Besides, there are so many computers out there. By the time they get around to ours, we'll probably be dead." Such is the mindset of a lot of people who use "sexylady" or "joanie123" as passwords. Well, if you are so sure no one is going to break into your computer, then why bother with any password at all? Sadly, that is exactly the conclusion that many people today come to. They simply choose, quite consciously, not to secure their computers at any level. It's too much work.

 

If you're one of those people, then stop reading this article right now. I can't help you. No one can help you. You're beyond help. However, if you're someone who cares about your property and the property of others possibly in your charge, someone who wants to use a password that really can stop a tank, then I'll tell you how you can get some really brawny, really sinewy, well, essentially un-guessable passwords. This, of course, is especially important when configuring a wireless WEP or WPA network.

 

Come on down to Perfect Passwords. This is a site operated by a guy named Steve Gibson of Gibson Research Corp. (thus http://www.grc.com/), and it's quite amazing. Perfect Passwords is just one of the free services Steve offers while he's inviting people to his site from where he sells software, which you will probably be intrigued by too once you visit. I won't go into the other products or areas of the site, but Perfect Passwords is where you can go to get really bulletproof passwords. As Steve says on his site, "generating long, high-quality random passwords is not simple."

 

Each time the Perfect Passwords page is displayed, the GRC server generates a unique set of custom, high-quality, cryptographic-strength password strings that are as close to being unbreakable as you can get. The way it works is pretty simple but elegantly clever. Every time you click your browser's refresh button, the password strings change. The cool thing about them? They are as close to completely random as you can get. He calls it "pseudo random," but he's a purist. The passwords are 256 binary bits, which result from a string of 64 hex characters, since each character encodes 4 bits of binary data. Of course, you have to have network devices that allow the 256-bit key material to be specified as raw hex. Since many don't, you might consider running two WiFi networks in parallel or using weaker WEP encryption. But as even Steve concedes finally, "any encryption is better than no encryption."

 

When you look at these passwords produced by a random-number generator, ask yourself again if your imaginary sixth-grade class could even come close to guessing them. I think you will agree that the answer is no, no, a billion times no.

BLOG COMMENTS POWERED BY DISQUS