Thousands of gamers’ passwords easily cracked in 3 minutes

SplashData's worst passwords list is irrelevant for the most part; the real lesson is what makes the passwords so bad in the first place

Page 2 of 2

Building a better password:

Passwords aren't going anywhere anytime soon. There has been some serious progress made in the authentication market over the last few years, and perhaps eventually passwords will go away altogether. But until that happens, passwords are what we have.

When it comes to developing a password policy for your organization or for yourself, the key thing to remember is that perfection isn't going to happen. Let it go. You'll never develop a perfect, impossible-to-crack password. It's not going to happen.

Humans cannot do random, and m@k1ng Y0ur P@55w0rd l00k 1ik3 th15 isn't going to help1234.

Eventually, given enough time and resources, someone or something can crack your password. The key is to make that process expensive in both time and effort.

As far as application development and password protection are concerned, organizations would be wise to follow OWASP advice [details here], including no limits on character sets and long maximum lengths (up to 160 characters) for passwords.

In addition, passwords should be salted and use an adaptive one-way function, such as PBKDF2, scrypt, or bcrypt.
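The two properties just described, a per-password salt and an adaptive (deliberately slow) one-way function, are easy to get wrong in application code. The following is an added Python example written for this page, not code from the article or from OWASP: it stores a PBKDF2-HMAC-SHA256 hash with a fresh 16-byte salt and the iteration count recorded alongside it, verifies in constant time, and keeps an unsalted MD5 function only to show the contrast. The 600,000-iteration work factor, the 160-character cap and the record format are this example's own assumptions.

```python
import hashlib
import hmac
import secrets

# Work factor for PBKDF2-HMAC-SHA256 (an assumed value; raise it over time).
# The stored record carries the count used, so old hashes still verify after
# the default grows.
ITERATIONS = 600_000
SALT_BYTES = 16
MAX_PASSWORD_LENGTH = 160  # a long cap, matching the OWASP figure quoted above


def hash_password(password, iterations=ITERATIONS):
    """Salt the password with fresh random bytes and run it through PBKDF2."""
    if len(password) > MAX_PASSWORD_LENGTH:
        raise ValueError("password exceeds the configured maximum length")
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Self-describing record: algorithm, work factor, salt, digest (hex).
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute the digest with the stored salt and compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        raise ValueError("unrecognised password record")
    _, iterations, salt_hex, digest_hex = parts
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def unsalted_md5(password):
    """The weak scheme, for contrast: fast, unsalted, identical for identical inputs."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    # Constructed sample credential, not from any real system.
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))   # True
    print(verify_password("Correct horse battery staple", record))   # False
    # Two users with the same password: identical MD5s, distinct PBKDF2 records.
    print(unsalted_md5("password123") == unsalted_md5("password123"))  # True
    print(hash_password("password123") != hash_password("password123"))  # True
```

The last two lines are the point of the salt: with MD5 alone, every account sharing a password shares a hash, and a single precomputed table serves all of them; with a random salt and a slow function, each guess must be recomputed per account at the full work factor.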

For the rest of us, the easiest path would be to use a password manager.

There are several out there, including KeePass, 1Password, Dashlane, and LastPass. Recently, LastPass had some security problems, but to be fair they did address them quickly once the issue was brought to their attention.

(Note: I have never used Dashlane, but I have had it recommended to me. They have a free offering as well as a paid version.)

Why a password manager?

The rule has been drilled into the public for years – you need a long, randomly generated password for each website you have an account on. However, remembering all of those passwords is near impossible, so instead people pick a single password – one they assume is secure – and use it everywhere.

That's where the problem starts. Using the same password across multiple websites, or a variation of the same password, never works. The moment one account is compromised, all others are placed at risk.

Password managers remove the requirement to remember those long strings of random characters. They even remove the problems with randomness during the creation step, because they'll create a proper random password for you.

Now, all anyone has to do is remember the single master password that makes all the other passwords available for use.

Generating a solid master password:

One fantastic way to generate a solid master password is to use Diceware.

In 1995, Arnold Reinhold developed Diceware as a means to help people create strong and memorable PGP passwords.

You start with a wordlist (this one to be exact) and then roll a six-sided die five (5) times. The five digits, read in order, correspond to one word in the list; repeat the five rolls for each word. The goal is to get at least six words, but eight is best (for now). Anything less is risky.

There's a whole science behind Diceware, and it's a great way to develop something both memorable and secure, which has no real connection to you personally. If you want to support a small business, a sixth grader in New York City will develop a Diceware password for you; the cost is $4 per password.

Once you have a Diceware password generated, it isn't going to take too much effort to remember it. Another reason it makes for a solid master password is its overall length and the randomness with which it was created.
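The procedure above (five rolls per word, look the digits up in the list, repeat for six to eight words) is short enough to show end to end. The Python below is an added example written for this page, not Reinhold's code or the article's: it parses the Diceware file format, draws the rolls from the operating system's random source rather than physical dice, refuses to run against an incomplete list, and computes the entropy that the word count buys. The wordlist it loads is a constructed placeholder in which every key maps to a label like `w0000`, because the real list is not on this page; swap in the real file for actual use. The `rng` parameter exists only so the draw can be made deterministic in a test.

```python
import itertools
import math
import secrets

DIE_SIDES = 6
ROLLS_PER_WORD = 5
LIST_SIZE = DIE_SIDES ** ROLLS_PER_WORD  # 7776 keys, 11111 through 66666
MIN_WORDS = 6  # the article's floor; eight is the recommendation


def all_keys():
    """Every five-digit key in list order, '11111' first and '66666' last."""
    return ["".join(d) for d in itertools.product("123456", repeat=ROLLS_PER_WORD)]


def parse_wordlist(text):
    """Parse the Diceware file format: one '<five digits> <word>' pair per line."""
    words = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        key, word = line.split(None, 1)
        if len(key) != ROLLS_PER_WORD or any(ch not in "123456" for ch in key):
            raise ValueError(f"bad Diceware key: {key!r}")
        words[key] = word
    return words


def is_complete(words):
    """A usable list must cover every possible roll, or a lookup will fail."""
    return set(words) == set(all_keys())


def roll_key(rng=secrets.randbelow):
    """Roll a six-sided die five times; the digits, in order, form the key."""
    return "".join(str(rng(DIE_SIDES) + 1) for _ in range(ROLLS_PER_WORD))


def generate_passphrase(words, n_words=8, rng=secrets.randbelow):
    """Pick n_words words by dice roll and join them with spaces."""
    if not is_complete(words):
        raise ValueError("wordlist does not cover every five-digit key")
    if n_words < MIN_WORDS:
        raise ValueError(f"fewer than {MIN_WORDS} words is risky")
    return " ".join(words[roll_key(rng)] for _ in range(n_words))


def entropy_bits(n_words, list_size=LIST_SIZE):
    """Each word contributes log2(list_size) bits when chosen uniformly."""
    return n_words * math.log2(list_size)


# Constructed placeholder list (not the real Diceware words): every key maps to
# a label so the example runs offline. Substitute the real list in practice.
PLACEHOLDER_LIST_TEXT = "\n".join(f"{k} w{i:04d}" for i, k in enumerate(all_keys()))
PLACEHOLDER_WORDS = parse_wordlist(PLACEHOLDER_LIST_TEXT)

if __name__ == "__main__":
    print(generate_passphrase(PLACEHOLDER_WORDS, 8))
    for n in (5, 6, 8):
        print(f"{n} words: {entropy_bits(n):.1f} bits")
```

Each word drawn uniformly from 7776 entries is worth about 12.9 bits, so six words give roughly 78 bits and eight roughly 103, which is why the article treats eight as the comfortable choice. The completeness check matters in practice: a truncated or edited list silently shrinks the key space, and a missing key would otherwise surface as a failed lookup only on the roll that hits it.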

If you don't want to use a Diceware password and you'd prefer to create your own, the SANS guidelines are a solid starting point.

The best bet these days is to use a password manager and to generate a random, lengthy password for each website you've got an account on. From there, use a master password that is long, such as a phrase that, if ever spoken aloud, would make absolutely no sense to anyone around you. That's where Diceware comes into play.

Pop Quiz:

For the password crackers out there, here's a test of sorts.

The following is an MD5 hash of a generated Diceware password. No salt, nothing special. Can you crack it? If so, how long did it take? Email me with your guesses. The first person with the correct answer gets a mention in a future post, as well as $50 to the charity of their choice.

9a5a3103c6d5966f62f8f5be64c6e5f0
