A report by Anthony Mason on the CBS Evening News recently highlighted the latest consumer security concerns about hackers. A “white hat” expert from the security firm Trustwave managed to break Mason’s 7-character password in just 37 seconds. Nor was it an obvious one that the machine simply guessed, like the supposedly most commonly used password these days, “password1”. No, it was cracked by good old-fashioned number-crunching.
The ability to break passwords by sheer brute force, running through every combination there is until the right one is stumbled upon, does not depend in the least on how the password was created or what it signifies. The algorithms don’t try to guess meaning or substitutions – they don’t care about your mother’s maiden name, capitalization, or whether you used a lower-case “l” or the number “1”, or anything at all other than length.
A password drawn from the standard English alphabet with both upper and lower case letters (like “E” and “e”), plus the digits 0-9 and various punctuation characters, is built from roughly 72 possible elements. So for a 7-character password, that’s over 10 trillion possible combinations (72^7); adding just one character multiplies that by 72, to over 722 trillion (72^8). Therefore, if it took 37 seconds to break before, now it should take 72 times as long: 44 minutes 24 seconds. Hopefully, that will be too much time and trouble, with so many other, easier targets available.
So the best strategy is simple: the longer the better. Instead of a password, pick a passphrase: a favorite phrase or sentence that you can flawlessly remember. Mason suggested “thisismypasswordIreallymeanit”. At 29 characters, that should be enough to discourage any busy hacker – for now, at least.