Tuesday, May 29, 2012

Steve Gibson's Haystacks & Needles (Understanding Passwords)

I am a big fan of Steve Gibson. If you're a computer nerd you probably know who he is; if not, let's just say he knows computers and computer security better than anyone you're likely to meet.

He is also an excellent communicator, one of the best people I know at taking a complex and arcane topic and explaining it so anyone can understand it.

I strongly recommend reading his article on Passwords at https://www.grc.com/haystack.htm

There are many important components to a good password, and I suggest reading his article, but if you're not going to, I would say the two key points to a strong enough password for most of us are the following.

First, Password Length, size matters!

[Thinking of it that way will ensure you remember that important fact.]

Longer is better!!

Second, use a specific minimum complexity: at least one of each type of character (lowercase letters, uppercase letters, digits, and symbols, i.e. "@<>$&*"). In Steve Gibson's own words:
"The use of every type of character forces the attacker to search through the largest possible space. We must always assume that an attacker is as smart as possible (and most are). So, knowing that 41.69% of all passwords consist of only lowercase alphabetic characters, a smart attacker who is forced to resort to a brute force search won't initially bother spending time guessing passwords that contain uppercase, digits and symbols. Only after an all lowercase search out to some length has failed will an attacker decide that the unknown target password must contain additional types of characters.

So, in essence, by deliberately using at least one of each type of character, we are forcing the attacker to search the largest possible password space, because our password won't ever be found in any of the smaller spaces."
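To make the two points concrete, here is a small calculator I wrote for this post (it is not Steve's code, just modeled on the way his haystack page counts the search space): it works out which character types a password uses, the size of the alphabet that implies, the number of passwords an attacker has to try to exhaust every password up to that length, and how long that takes at the three guess rates the haystack page uses. The 33-symbol count and the three attack rates are my reading of his page; the sample passwords are made up for the comparison.

```python
import string

# Character types as Steve counts them (assumption: 33 symbols = the 32
# ASCII punctuation characters plus the space).
CHARACTER_CLASSES = {
    "lowercase": set(string.ascii_lowercase),    # 26
    "uppercase": set(string.ascii_uppercase),    # 26
    "digits": set(string.digits),                # 10
    "symbols": set(string.punctuation) | {" "},  # 33
}

# Guess rates from the haystack page's three scenarios (assumption).
ATTACK_RATES = {
    "online (1,000/s)": 1_000,
    "offline fast (100 billion/s)": 100_000_000_000,
    "massive array (100 trillion/s)": 100_000_000_000_000,
}


def classes_used(password):
    """Return the set of character types that appear in the password."""
    return {name for name, chars in CHARACTER_CLASSES.items()
            if any(c in chars for c in password)}


def alphabet_size(password):
    """Alphabet an attacker must assume once each used type is known."""
    return sum(len(CHARACTER_CLASSES[name]) for name in classes_used(password))


def search_space(password):
    """Count every password of length 1..len(password) over that alphabet."""
    a = alphabet_size(password)
    return sum(a ** n for n in range(1, len(password) + 1))


def crack_time_seconds(password):
    """Worst-case seconds to exhaust the search space at each guess rate."""
    space = search_space(password)
    return {scenario: space / rate for scenario, rate in ATTACK_RATES.items()}


if __name__ == "__main__":
    # Constructed samples: all lowercase, all four types, and a longer lowercase one.
    for pw in ("password", "Pa5sw0r!", "correcthorse"):
        print(f"{pw!r}: types={sorted(classes_used(pw))}, "
              f"alphabet={alphabet_size(pw)}, space={search_space(pw):,}")
        for scenario, secs in crack_time_seconds(pw).items():
            print(f"   {scenario}: {secs / 86400:,.1f} days")
```

Note that the 12-character all-lowercase sample has a bigger search space than the 8-character one using every type, which is exactly the "size matters" point; using all four types is what stops the attacker's cheaper lowercase-only pass from ever finding it.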

Links & Info
Steve Gibson's Password Podcast:
Wikipedia on Steve Gibson http://en.wikipedia.org/wiki/Steve_Gibson_%28computer_programmer%29

Steve's Little Corner http://www.grc.com/stevegibson.htm
Steve's Twitter http://twitter.com/SGgrc
Steve's Blog https://www.grc.com/news.htm
