Deloitte says that 2013 is the year when 7 digit passwords won’t be secure enough. Why? Cheap computing power, and cloud based crackers can brute force their way through 5, 6, and 7 digit passwords in a matter of minutes.
Now, that’s not trying your username and random passwords on your Gmail login page. That’s cracking the hashed password stored on a website’s master database of passwords. And if the website gets hacked, and that master file makes it to a malicious person, and he cracks those passwords, then there is a quick question. Where else did you use that password? Do you have the same password on your Gmail, Bank accounts, work laptop, and medical records? Is it close, maybe off by one digit?
OCL-Hashcat, a password cracking project, found that they could crack encrypted passwords pretty quickly if they assumed some rules. They actually built their “Mask Attack” for this. People normally capitalize the first letter of the password, put 2 numbers on the end, and add a special character to the end or the beginning of it. Does yours follow any of these “rules”?
How about any password you enter on your phone? With a tiny keyboard, and being that it’s much harder to enter special characters, are your mobile passwords not as good as your regular ones?
So what do you do? Use a password manager, like Pocket, or Keypass. Use randomly generated passwords, with varying lengths, and try to find 2 factor authentication, when you can. Gmail has it, Ebay and Paypal have it, too. Some banks are starting to use it. Find them!! Use them! List them in the comments!
Remember, if your password is 1234567, or Password1, it’s probably not good enough.
Joshua Marpet is on the Board of Directors of two Infosec conferences, BSides Las Vegas, and Security BSides Delaware. He is also staff at Derbycon, Shmoocon, and as the “InfoSec Megaphone”, anywhere else he goes. Joshua is an experienced Forensic, Incident Response, and mobile forensics expert and researcher. As an adjunct professor at Wilmington University, he teaches Information Security at an NSA/DHS certified Center of Academic Excellence. In his professional life, he is a managing partner at Guarded Risk, a proactive forensics and proactive incident response firm.