Technical information

throw in some numerals, punctuation, symbols and upper-case letters and you get your huge haystack.
The basic idea is that you're better off making your passwords long and memorable than short and complex. In the simplified cartoon example above the password is simply made up of 4 common words, but Steve Gibson suggests you should also add some padding around those words (a run of repeated characters such as dots or dashes, which adds length while costing almost nothing to remember) to make the password much harder to find by brute force.
I briefly demonstrated the two websites below and discussed passwords at the recent October 2011 meeting. It seemed to create a bit of discussion.
Password Tester
Steve Gibson has developed an Interactive Brute Force Password "Search Space" Calculator on his website, www.grc.com/haystack, which lets you enter a password and see his calculation of how long a brute force search would take to find it (a brute force search tries every possible code, combination or password until the right one is found). The calculator counts every possible string over the character classes the password uses (lower case, upper case, digits and symbols) up to its length, then divides by the guess rate of three attack scenarios: an online attack at a thousand guesses per second, an offline attack at a hundred billion per second, and a massive cracking array at a hundred trillion per second. Have a play with it and see that one of the most popular passwords, "123456", would take only 18.5 minutes to exhaust in the online scenario, whereas adding three more characters from different classes, "!Aa123456", increases this to two hundred thousand centuries! Bear in mind that this is a search-space measure, not a strength meter: it assumes the attacker is guessing blindly, so a password that sits on a list of common choices (as "123456" does) falls in the attacker's first few guesses however large the haystack.
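To make the calculator's arithmetic concrete, here is an added Python example (written for this article, not Steve Gibson's code) that reproduces the model his page documents: the alphabet size from the character classes present, every string up to the password's length, and the three guess rates his page shows. The common-password set is a constructed sample taken from the RockYou top 20 printed later in this article; the report flags such passwords because a search-space figure says nothing useful about them.

```python
"""Search-space arithmetic in the style of GRC's Haystack calculator.

Added example for this article; it is not Steve Gibson's code. It follows
the model his page documents: the alphabet is the union of the character
classes the password actually uses (26 lower, 26 upper, 10 digits, 33
symbols), and the search space is every string over that alphabet from
length 1 up to the password's length.
"""
import string

# (membership set, size the calculator credits for the class)
CHARACTER_CLASSES = {
    "lower": (set(string.ascii_lowercase), 26),
    "upper": (set(string.ascii_uppercase), 26),
    "digit": (set(string.digits), 10),
    "symbol": (set(string.punctuation + " "), 33),
}

# The three scenarios the calculator shows, in guesses per second.
GUESSES_PER_SECOND = {
    "online attack": 1_000,
    "offline fast attack": 100_000_000_000,
    "massive cracking array": 100_000_000_000_000,
}

SECONDS_PER_CENTURY = 100 * 365.25 * 86400

# Constructed sample of the common-password lists attackers try first
# (entries taken from the RockYou top 20 printed in this article).
COMMON_PASSWORDS = {"123456", "12345", "123456789", "Password", "iloveyou",
                    "princess", "rockyou", "abc123", "monkey", "Qwerty"}


def alphabet_size(password: str) -> int:
    """Alphabet implied by the character classes present in the password."""
    return sum(n for chars, n in CHARACTER_CLASSES.values()
               if any(c in chars for c in password))


def search_space(password: str) -> int:
    """All strings over that alphabet of length 1..len(password)."""
    a = alphabet_size(password)
    return sum(a ** i for i in range(1, len(password) + 1))


def seconds_to_exhaust(password: str, guesses_per_second: int) -> float:
    """Worst case for a blind attacker: the whole space at the given rate."""
    return search_space(password) / guesses_per_second


def human_time(seconds: float) -> str:
    """Coarse duration string, in the units the calculator uses."""
    for limit, divisor, unit in ((60, 1, "seconds"), (3600, 60, "minutes"),
                                 (86400, 3600, "hours"),
                                 (365.25 * 86400, 86400, "days"),
                                 (SECONDS_PER_CENTURY, 365.25 * 86400, "years")):
        if seconds < limit:
            return f"{seconds / divisor:.2f} {unit}"
    return f"{seconds / SECONDS_PER_CENTURY:,.0f} centuries"


def report(password: str) -> dict:
    """Search space, time per scenario, and whether the blind model even applies."""
    return {
        "alphabet": alphabet_size(password),
        "search_space": search_space(password),
        "time": {name: human_time(seconds_to_exhaust(password, rate))
                 for name, rate in GUESSES_PER_SECOND.items()},
        # A blind search is the wrong model if the password is on a common list.
        "in_common_list": password in COMMON_PASSWORDS,
    }


if __name__ == "__main__":
    for pw in ("123456", "!Aa123456", "---700-lift-believe-lone-late-337---"):
        print(pw, report(pw))
```

Running it reproduces the article's two figures: "123456" has an alphabet of 10 and a space of 1,111,110 strings, which is 18.52 minutes at a thousand guesses per second but a fraction of a second in either offline scenario; "!Aa123456" has an alphabet of 95 and about 6.4 x 10^17 strings, roughly 201,800 centuries online. The in_common_list flag on "123456" is the part the calculator leaves to the reader.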
Password Creator
The person leading the password discussion on the podcast, Bart Busschots, has chipped in and created "xkpasswd", an online secure memorable password generator: xkpasswd.net. There you can customise the number of words to use, the length of the words, capitalisation, letter substitutions, the separators between words, the numbers before and after the words, and the padding. With the default settings it generated the following password for me: "---700-lift-believe-lone-late-337---". You can then plug this password into Steve Gibson's calculator and see how many trillion centuries it will take to crack! Bear in mind that the calculator treats every character as an independent guess; an attacker who knows the password was built from dictionary words in a fixed pattern has a much smaller space to search, so the real margin is the size of the word list raised to the number of words used, plus the digits, not the trillion-century figure.
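As an added example (not the xkpasswd.net code), the Python below builds passwords with the same shape as the one above and rates them the way an attacker who knows the scheme would: only the random choices, which words from the list and which digits, contribute entropy. The eight-word list is a constructed stand-in; a real generator draws from thousands of words, and the list size is what the strength rests on.

```python
"""Generate and rate passwords with the xkpasswd shape: padding, a number,
dictionary words joined by a separator, another number, padding.

Added example, not the xkpasswd.net code. WORDS is a constructed stand-in
for a real list of thousands of words.
"""
import math
import secrets

# Constructed word list for the demo. The scheme's strength depends on the
# real list being large and on words being drawn uniformly from it.
WORDS = ["lift", "believe", "lone", "late", "river", "tiger", "cloud", "maple"]


def random_number(digits: int) -> str:
    """Zero-padded random number, e.g. '007', using a CSPRNG."""
    return str(secrets.randbelow(10 ** digits)).zfill(digits)


def generate(words=WORDS, n_words=4, sep="-", pad_char="-", pad_len=3,
             digits=3) -> str:
    """Build e.g. '---700-lift-believe-lone-late-337---'."""
    chosen = [secrets.choice(words) for _ in range(n_words)]
    body = sep.join([random_number(digits), *chosen, random_number(digits)])
    return pad_char * pad_len + body + pad_char * pad_len


def parse(password: str, sep="-", pad_len=3) -> dict:
    """Split a generated password back into its number, word and number fields."""
    parts = password[pad_len:-pad_len].split(sep)
    return {"first": parts[0], "words": parts[1:-1], "last": parts[-1]}


def scheme_entropy_bits(list_size: int, n_words=4, digits=3,
                        n_numbers=2) -> float:
    """Entropy against an attacker who knows the scheme and the word list.

    Only the random choices count: which words, and which digits. Fixed
    padding and separators add length but no uncertainty.
    """
    return n_words * math.log2(list_size) + n_numbers * digits * math.log2(10)


if __name__ == "__main__":
    pw = generate()
    print(pw, parse(pw))
    print(f"demo list of {len(WORDS)} words: "
          f"{scheme_entropy_bits(len(WORDS)):.1f} bits")
    print(f"assumed 10,000-word list: {scheme_entropy_bits(10000):.1f} bits")
```

With a 10,000-word list (an assumed figure, not xkpasswd's), scheme_entropy_bits(10000) gives about 73 bits for four words and two three-digit numbers, while the calculator, seeing 26 characters over a 69-symbol alphabet, credits roughly 159 bits. The gap is the difference between a blind attacker and one who has read the generator's documentation; 73 bits is still far beyond any online guessing rate, which is why the scheme works.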
A Real World Theft
Before the Sony website was hacked a couple of times earlier this year, compromising over 100 million user accounts, there had already been many other instances of user passwords being stolen. In December 2009 a major breach at rockyou.com led to the theft of 32 million passwords. The hacker then posted the full list of 32 million passwords to the Internet (with no other identifying information). Because RockYou had stored the passwords in clear text in its database, no cracking or decryption was needed to read them. The Imperva Application Defense Center analysed the strength of the passwords and produced a Password Popularity Top 20 table from this one site. It makes interesting reading:
Rank  Password     Number of users with password
   1  123456       290,731
   2  12345         79,078
   3  123456789     76,790
   4  Password      61,958
   5  iloveyou      51,622
   6  princess      35,231
   7  rockyou       22,588
   8  1234567       21,726
   9  12345678      20,553
  10  abc123        17,542
  11  Nicole        17,168
  12  Daniel        16,409
  13  babygirl      16,094
  14  monkey        15,294
  15  Jessica       15,162
  16  Lovely        14,950
  17  michael       14,898
  18  Ashley        14,329
  19  654321        13,984
  20  Qwerty        13,856
Is your password one of the above?
Oh, by the way, my favourite Mac Podcast is NosillaCast by
Allison Sheridan http://podfeet.com .