Saturday, February 14, 2015

Choosing A Strong Password To Protect Yourself From Hackers

Choosing A Strong Password
How To Protect Yourself

Password strength is a measure of the effectiveness of a password in resisting guessing and brute-force attacks. In its usual form, it estimates how many trials an attacker who does not have direct access to the password would need, on average, to guess it correctly. The strength of a password is a function of length, complexity, and unpredictability.

1. Minimum length 8 characters:
►As a rule of thumb, your password must never be below 8 characters. If an attacker happens to use a brute-force attack on your account, which is just trying every possible combination, then with every added character the time the brute-force attack needs to crack your password grows exponentially. On average, while it may take just a few minutes to crack open a 6 character password, the time taken for cracking an 8 character password is measured in days and weeks. Assuming your attacker doesn't have a billion dollar ExaFlop supercomputer after your account, your password is reasonably safe if it is over 8 characters in length (an ExaFlop is 10^18 calculations per second).

2. Names and 123 are out of the question:
►The most common passwords look like "Name123". Whenever someone is after your account, the first thing they try is common passwords like this. Whoever that person is, you have to assume the worst. It might be some random old guy in his mom's garage or maybe your best friend goofing around; either way you must assume they know everything about you: your name (duh), family members' names, favorite sportsmen, actors, singers, everything. This is the safest way to go. A surprisingly large number of people simply stick a 123 on the front or back of a common word thinking they are very smart, but this is the most predictable password there is. Most hackers will start straight away by adding that 123, and if your password is anything like this, you're screwed. Change it ASAP!

One more thing that deserves mention here is the so-called "Security Question". The reason is that people who know you will know the answers to questions like "What was your first pet's name?" or "In what town were you born?", which are some of the most common security questions. Plus, the people who know you are far more likely to be interested in taking a peek at your private messages than a random old guy in a garage.
Hence, I recommend never using the security questions in the way they are meant to be used. Don't use a direct answer; use something that the question reminds you of. While these questions may offer another layer of protection from anonymous attackers, they can make cracking your account fairly easy for the people who know you. As an example, someone you know well who is left alone with access to your mobile phone might be able to get into your Facebook account with no difficulties at all. Always treat the security question as an emergency password: it should be unobvious but easy to remember.

3. Random things? Think again.
►There's something called a dictionary attack. In a nutshell, it means that your attacker has a dictionary and a program that will throw every word in the dictionary at your account as an attempt to crack your password. After trying out your own and related names plus 123, a dictionary attack is what the hacker is going to try next. So it is better if you keep your password well away from any real words.
Although still not 100% safe, potjack123 is much safer than jackpot123.
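As an added example (not code from the original post), here is a small Python checker for rules 1 to 3 above: minimum length, "Name123" style patterns, and plain dictionary words. The word list and the names it treats as known to the attacker are constructed stand-ins; a real deployment would load a proper dictionary or a list of leaked passwords instead.

```python
import re

# Constructed stand-in for a dictionary / common-password list (assumption).
DICTIONARY = {"jackpot", "velocity", "password", "football", "dragon", "monkey"}
# Constructed names the attacker is assumed to know about the account owner.
KNOWN_NAMES = {"jack", "alice", "rover"}
MIN_LENGTH = 8


def core_word(password: str) -> str:
    """Strip any leading/trailing digits or symbols and return the alphabetic
    core, lower-cased: "Jack123" -> "jack", "123jackpot!" -> "jackpot"."""
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", password.lower())


def check_password(password: str, known_names=KNOWN_NAMES,
                   dictionary=DICTIONARY) -> list:
    """Return the list of rule violations; an empty list means the password
    passes rules 1-3 of the post (it says nothing about rules 4-6)."""
    problems = []
    # Rule 1: never below 8 characters.
    if len(password) < MIN_LENGTH:
        problems.append("rule 1: shorter than %d characters" % MIN_LENGTH)
    # Rule 2: a 123 stuck on the front or back is the very first guess.
    if password.startswith("123") or password.endswith("123"):
        problems.append("rule 2: starts or ends with 123")
    core = core_word(password)
    if core in known_names:
        problems.append("rule 2: built from a name the attacker can know")
    # Rule 3: a plain dictionary word, with or without digits around it.
    elif core in dictionary:
        problems.append("rule 3: dictionary word")
    return problems


if __name__ == "__main__":
    for candidate in ("jack123", "jackpot123", "potjack123", "potjack567"):
        verdict = check_password(candidate) or ["passes rules 1-3"]
        print("%-12s %s" % (candidate, "; ".join(verdict)))
```

Run as a script it reports, for the post's own examples, that jackpot123 breaks rules 2 and 3, that potjack123 only breaks rule 2 (the trailing 123), and that potjack567 passes these three rules.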

4. Turn it around:
►Now a password like aGF$hvYH916!~** is probably as safe as it can get, but it's not exactly easy to remember and definitely not easy to type quickly. For this reason I, for one, turn words around. What I mean by that is instead of using velocity, use yticolev. As a normal word it's easy to guess, but after reversing the characters it's unrecognizable.
After a few times you'll get used to it and will be able to type it as quickly as the other one.

5. Throw in symbols and numbers easily:
►If you're like most people, your current passwords probably don't have any weird symbols. But I have a quick way of adding both numbers and symbols to your password.
Here's an example:
567yticolev%^&

Looks weird, right? Well, that's the point. What we have here is the base word velocity reversed, a 567 at the start (which is much better than a 123), and at the end some seemingly random symbols which are actually just SHIFT + 567, that is, the symbols printed above 5, 6 and 7 on your keyboard respectively. So all you have to remember is velocity and 567, and within a few days you'll be able to type this as fast as any other password, but only this one will be relatively impenetrable. (Unless of course you have a supercomputer after your ass, in which case you're screwed XD)

6. Capitalize, the final blow:
►You might be wondering what's the point of adding so much random stuff to your password. Our main goal is basically to expand the number of characters which your attacker has to test to find your password. So: lowercase letters = 26 characters, numbers = 10 more, symbols = around 20 more. But if you throw in even just one capital letter, your attacker has another 26 freaking characters to test, which means, in this case, he's screwed. The reason is the brute-force attack I mentioned earlier. Say your password is the one in the last point with a capital V and Y:
567YticoleV%^&

So that's 14 characters with upper and lower case letters, numbers and symbols. Believe it or not, such is the power of exponential growth that it will actually take an average computer BILLIONS, even TRILLIONS, of years to crack your password. Now even if your insane attacker can somehow get a supercomputer, it would take him several thousands of years to get your password. After even a fraction of this time we can safely assume that he would have lost all his money buying the supercomputer and the will to do whatever he wanted to do with your account. (You can calculate the exact time by using permutations and combinations and the speed of the CPU.)
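To make the arithmetic in points 4 to 6 concrete, here is an added Python example (not code from the original post). It builds a password the way the post describes, reversing a base word, putting digits in front, appending the SHIFT-ed symbols of those digits on a US keyboard and optionally capitalising some letters, and then estimates the brute-force work using the post's own class sizes (26 lowercase, 26 uppercase, 10 digits, about 20 symbols). The guess rate in the demo is an assumption; how many guesses per second an attacker really gets depends on whether they are hitting a login page or an offline password hash.

```python
# Symbol printed above each digit on a US keyboard, i.e. what SHIFT + digit types.
SHIFT_DIGITS = {"1": "!", "2": "@", "3": "#", "4": "$", "5": "%",
                "6": "^", "7": "&", "8": "*", "9": "(", "0": ")"}

# Character-class sizes as the post counts them ("around 20" symbols is the post's estimate).
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 20}


def build_password(base: str, digits: str, capitalize=()) -> str:
    """Points 4-6: reverse the base word, capitalise the letters at the given
    positions of the reversed word, prefix the digits and append SHIFT+digits."""
    if not digits.isdigit():
        raise ValueError("digits must contain only 0-9")
    reversed_word = list(base[::-1])          # point 4: velocity -> yticolev
    for i in capitalize:                      # point 6: (0, 7) -> YticoleV
        reversed_word[i] = reversed_word[i].upper()
    symbols = "".join(SHIFT_DIGITS[d] for d in digits)  # point 5: 567 -> %^&
    return digits + "".join(reversed_word) + symbols


def char_classes(password: str) -> set:
    """Which of the four classes the password actually uses."""
    classes = set()
    for c in password:
        if c.islower():
            classes.add("lower")
        elif c.isupper():
            classes.add("upper")
        elif c.isdigit():
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


def alphabet_size(password: str) -> int:
    """Size of the alphabet a brute-force attacker must cover for this password."""
    return sum(CLASS_SIZES[c] for c in char_classes(password))


def keyspace(password: str) -> int:
    """Number of candidates of this length over that alphabet: size ** length."""
    return alphabet_size(password) ** len(password)


def average_crack_seconds(password: str, guesses_per_second: float) -> float:
    """On average the attacker finds the password halfway through the keyspace."""
    return keyspace(password) / 2 / guesses_per_second


def seconds_to_years(seconds: float) -> float:
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    rate = 1e9  # assumed guess rate (one billion per second) for the illustration
    for pw in ("velocity", "yticolev", build_password("velocity", "567"),
               build_password("velocity", "567", capitalize=(0, 7))):
        print("%-16s alphabet=%2d keyspace=%.2e avg=%.2e years"
              % (pw, alphabet_size(pw), keyspace(pw),
                 seconds_to_years(average_crack_seconds(pw, rate))))
```

Two things the numbers make visible: reversing velocity does not change the brute-force keyspace at all (both 8-letter strings are 26^8 candidates), so point 4 only buys you protection against a dictionary look-up, while the digits, symbols and the two capitals in point 5 and 6 raise the alphabet from 26 to 82 and the length from 8 to 14, which is where the exponential growth the post talks about comes from.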

One last thing: by using the same password for several different accounts you'll only be making the hacker's job easier. But yes, remembering a dozen passwords is probably not worth it. For this I suggest making tiny changes. If you use 567velocity for Gmail, you can use 456velocity for Facebook, 678velocity for Yahoo, etc. To hack the next account the hacker will have to go through all the combinations all over again, and for him that will probably not be worth it.

So there you have it! For all practical purposes a password like this will be impenetrable throughout your lifetime. (Nevertheless, I still recommend changing your password around twice a year or so. That's because you're not the only one reading this article.)
