The Myth of the Unbreakable Password

Complete books have been written about security and the correct way to create passwords. Each expert claims that if you only adhere to the conventions that he or she sets forth, your computer will be safe. Let me say up front that the unbreakable password is a myth. Yes, you need to come up with something a lot better than “Secret” or your birthday, but be assured that any password you use is breakable. In fact, in the real world, what you’re striving to do is create a password that takes longer to break, realizing that anyone who really wants access to your system will gain it. Computer hardware has become so powerful that a password which seemed unbreakable a few years ago is quite vulnerable today: once an attacker has a copy of the stored password hashes, a single machine with a few graphics cards can test billions of guesses per second against a fast hash such as MD5 or NTLM, and the only question is how many guesses your password survives.

Many security experts want you to use completely undecipherable passwords such as @f*/L12-X]. If you can’t come up with a good password of your own, PCTools actually provides a generator to create one for you. If you’re unsure about the safety of your password, you can have it checked to determine how long it would take to crack. (Unfortunately, the number you get isn’t completely realistic. It rests on an assumed guess rate, and the real rate depends on whether the attacker is guessing through a login form that throttles attempts or against a stolen copy of the password hash, on whether the site used a fast hash or a deliberately slow one, and on cracking software and hardware that improve all the time. Also, never type a password you actually use into someone else’s checker; test one built the same way instead.) Of course, it would be nearly impossible to remember such a password, so anyone having such a password is going to write it down. All someone has to do is pose as a janitor and pick up all the yellow stickies that have the password printed on them (or write them down as they pass through to avoid suspicion). For that matter, social engineering attacks can often yield passwords through a phone call in a few minutes.

Because truly secure passwords are the stuff of science fiction, other experts have come up with the passphrase. A passphrase such as “My yellow car is gr8!” theoretically has a long crack time and is easy to remember. Unfortunately, recent advances in cracking technology seem to make passphrases a bad bet too. Crackers now use grammar as part of their strategy: instead of treating the passphrase as a string of characters to be brute forced, their tools enumerate the sequences of words people are most likely to write, trying common words and common word orders first. A grammatical English sentence is therefore searched far faster than its length alone suggests.

The advice today is to use unrelated words separated by special characters—something I have advocated in any book I write that contains information about security. A password like “Elephant*Green?H3llo” is far easier to remember than @f*/L12-X], and still reasonably secure, although its strength depends on how large a word list the attacker is willing to search, not on its length: the attacker sees three dictionary words, two separators, and a letter-for-digit substitution, not 19 random characters. Even so, if someone is determined, they can combine a dictionary attack with some brute force techniques and discover your password in a reasonable amount of time, assuming you don’t simply give it to them as part of a social engineering attack.
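The script below is an added example, not code from this post or from the PCTools generator. It puts the three ideas above in one place: a generator-style random password, a crack-time estimate whose answer swings with the assumed guess rate (the reason the checker’s number isn’t realistic), and a small hybrid attack that combines a dictionary of mangled words with brute force over the separators to recover “Elephant*Green?H3llo” from its hash. The word list, separator set, substitution rules, guess rates, and the use of SHA-256 as the stored hash are all assumptions chosen so that it runs offline in a few seconds.

```python
"""Password search-space and hybrid-cracking demo.

Added example for this post, not code from the post or from PCTools.
Everything here (word list, separator set, substitution rules, guess
rates, SHA-256 as the stored hash) is an assumption chosen for
illustration.  Real systems should store passwords with a slow, salted
hash (bcrypt, scrypt, PBKDF2), which lowers the guess rate by orders of
magnitude; SHA-256 is used here only so the demo finishes in seconds.
"""
import hashlib
import itertools
import math
import secrets
import string

CHARSET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols

# Constructed attacker model: a tiny word list, a few separators, and the
# letter-for-digit swaps people use to "harden" a word (hello -> H3llo).
WORDLIST = ["apple", "blue", "car", "elephant", "green", "hello", "tree", "yellow"]
SEPARATORS = "*?!"
LEET = {"e": "3", "a": "@", "o": "0", "i": "1", "s": "$"}

# Guess rates (guesses per second) are assumptions.  They are the knob the
# post warns about: a "time to crack" is only as good as this number.
RATES = {
    "online, rate-limited login form": 10.0,
    "offline, fast hash, GPU rig": 1e10,
    "offline, slow hash (bcrypt-class)": 1e4,
}


def generate_random_password(length=10):
    """Generator-style password like @f*/L12-X], drawn with a CSPRNG."""
    return "".join(secrets.choice(CHARSET) for _ in range(length))


def search_space_bits(choices_per_position, positions):
    """Entropy in bits of a password chosen uniformly at random."""
    return positions * math.log2(choices_per_position)


def scheme_bits(wordlist_size, variants_per_word, separator_count, n_words):
    """Entropy of the 'unrelated words + separators' scheme when the
    attacker knows the word list, the mangling rules and the separators."""
    return (n_words * math.log2(wordlist_size * variants_per_word)
            + (n_words - 1) * math.log2(separator_count))


def seconds_to_crack(bits, guesses_per_second):
    """Expected time: an attacker tries half the space on average."""
    return (2.0 ** bits / 2) / guesses_per_second


def word_variants(word):
    """Mangling rules: the word, its capitalised form, and each of those
    with one letter swapped for a digit/symbol (one rule at a time)."""
    out = []
    for base in (word, word.capitalize()):
        out.append(base)
        for plain, sub in LEET.items():
            if plain in base:
                out.append(base.replace(plain, sub))
    return out


def hybrid_candidates(wordlist, separators, max_words=3):
    """Dictionary attack over mangled words, brute force over separators."""
    flat = [v for w in wordlist for v in word_variants(w)]
    for n in range(1, max_words + 1):
        for words in itertools.product(flat, repeat=n):
            for seps in itertools.product(separators, repeat=n - 1):
                yield words[0] + "".join(s + w for s, w in zip(seps, words[1:]))


def sha256_hex(password):
    """Stand-in for the stored hash (fast and unsalted on purpose here)."""
    return hashlib.sha256(password.encode()).hexdigest()


def crack(target_hash, wordlist=WORDLIST, separators=SEPARATORS, max_words=3):
    """Return (recovered_password, guesses_made), or (None, guesses_made)."""
    guesses = 0
    for candidate in hybrid_candidates(wordlist, separators, max_words):
        guesses += 1
        if sha256_hex(candidate) == target_hash:
            return candidate, guesses
    return None, guesses


def compare(random_length=10, dictionary=20000, variants=5, seps=11, words=3):
    """Bits and crack times for a random password versus the word scheme,
    using a realistic-sized dictionary rather than the toy WORDLIST."""
    report = {}
    for label, bits in (("random", search_space_bits(len(CHARSET), random_length)),
                        ("words", scheme_bits(dictionary, variants, seps, words))):
        report[label] = {"bits": bits}
        for scenario, rate in RATES.items():
            report[label][scenario] = seconds_to_crack(bits, rate)
    return report


if __name__ == "__main__":
    print("random sample:", generate_random_password())
    for label, row in compare().items():
        print(f"{label}: {row['bits']:.1f} bits")
        for scenario, secs in row.items():
            if scenario != "bits":
                print(f"  {scenario}: {secs / 86400:.3g} days")
    target = sha256_hex("Elephant*Green?H3llo")  # the post's sample password
    found, n = crack(target)
    print(f"recovered {found!r} after {n} guesses")
```

Under these assumptions the word scheme comes out near 57 bits, against about 66 bits for a 10-character password drawn from all 94 printable symbols. At ten billion guesses per second against a fast hash that is roughly 70 days for the word scheme and decades for the random one; through a throttled login form neither is reachable, and against a bcrypt-class hash the same attacker is a million times slower. The toy cracker recovers the sample password after a few hundred thousand guesses because it guesses the way the password was built, not character by character.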

There are technologies that promise to make it harder for crackers to gain entry to a system, but they’re usually complicated. For example, you can add a retina or iris scanner or a thumbprint reader to improve security, but that means an additional purchase, specialized software, training, and other costly changes to your setup. Security cards are another option, but again, you have additional costs to consider and the use of a security card is open to social engineering attacks (unlike a person’s thumb or retina, which are firmly attached, although a fingerprint or iris that has been copied can never be changed the way a password can). Most organizations still rely on passwords or passphrases in the interest of saving money, so creating usable, easily remembered passwords that truly are safe should be the focus of administrators whenever possible.

One new method of securing systems does appear in Windows 8. In this case, the system displays a picture when you start it up and you use gestures to circle or otherwise identify pictorial elements in place of typing a password. There are some experts who are already saying the feature is easily cracked. It seems as if the technique would be unwieldy with a mouse and it has already been said that most people aren’t buying touch screens to use with Windows 8 (see my Some Interesting Windows 8 Information post for details), so this security feature may be a non-starter for most organizations.

Passwords and passphrases won’t likely go away soon, so the best approach for most users and administrators is to create a system where passwords are complex, easily remembered (and therefore, not written down), and changed relatively often. One caveat on that last point: when people are forced to change passwords on a schedule, most produce a predictable variant of the old one (a digit incremented, a month appended), which a cracker tries first, so a change matters most when there is reason to believe the password has been exposed. The combination of these elements should make your PC safer from crackers. However, the best security is vigilance. Check your system for intrusion often: review the logon and failed-logon records, and look for logons at hours when no one should be working. Rest assured, someone who really wants to get in will do so and without too much effort. Let me know your thoughts about passwords at John@JohnMuellerBooks.com.

Author: John

John Mueller is a freelance author and technical editor. He has writing in his blood, having produced 99 books and over 600 articles to date. The topics range from networking to artificial intelligence and from database management to heads-down programming. Some of his current books include a Web security book, discussions of how to manage big data using data science, a Windows command-line reference, and a book that shows how to build your own custom PC. His technical editing skills have helped more than 67 authors refine the content of their manuscripts. John has provided technical editing services to both Data Based Advisor and Coast Compute magazines. He has also contributed articles to magazines such as Software Quality Connection, DevSource, InformIT, SQL Server Professional, Visual C++ Developer, Hard Core Visual Basic, asp.netPRO, Software Test and Performance, and Visual Basic Developer. Be sure to read John’s blog at http://blog.johnmuellerbooks.com/. When John isn’t working at the computer, you can find him outside in the garden, cutting wood, or generally enjoying nature. John also likes making wine and knitting. When not occupied with anything else, he makes glycerin soap and candles, which come in handy for gift baskets. You can reach John on the Internet at John@JohnMuellerBooks.com. John is also setting up a website at http://www.johnmuellerbooks.com/. Feel free to take a look and make suggestions on how he can improve it.