Early yesterday morning I got an e-mail from Make saying that my DrawBot project had been accepted to the “Road to Maker Faire Challenge!” If you check out Make’s latest post inviting applicants for the “Road to Maker Faire Challenge,” you’ll notice the tiny image in the bottom left is from this post. How cool is that?!
Monthly Archives: April 2013
Perpetuating Password Myths
Today at work I got an e-mail from the IT department saying everyone needs to set new, stronger passwords.[1] They suggested several things, like:
- “tomandjerry” is not as strong a password as “$H2mlf”
- “Fishing123” is not as strong as “Fish123ing”
Assuming a black hat hacker is really determined to crack your password, they’re probably going to attack it like they mean it. Let’s assume there’s no defect in your system that allows a cracker to get in without actually entering the correct password. They might try a dictionary attack first, followed by a database of common passwords, but after that they’re left with brute force.
Here’s the most amusing part. Assume none of the four “passwords” above is in any dictionary or database of common passwords, and rank them by strength, 1 being the strongest and 4 the weakest:
- “tomandjerry” is strongest, with 11 characters
- “Fishing123” is tied exactly with “Fish123ing”, with 10 characters each
- “$H2mlf” is weakest, with only 6 characters
The only things that really matter in a password are (a) that you’re not using a dictionary word or a common password and (b) the length of your password.[2]
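To put numbers on the ranking above, here is an added example (not from the original post) that computes the brute-force keyspace for each of the four passwords. Under the post’s assumption, an attacker who does not know which character classes were used must search all 95 printable ASCII characters, so only length matters; the same code also shows the smaller keyspace an attacker gets if they correctly guess the character classes, and the guess rate of 10^10 per second is a constructed figure, not something the post states.

```python
import string

# Character classes a guessing tool would switch on; a "$" or "2" forces the
# full printable set (95 symbols: 52 letters, 10 digits, 32 punctuation, space).
CLASSES = [string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation + " "]
FULL_PRINTABLE = sum(len(c) for c in CLASSES)  # 95


def keyspace(length, alphabet_size):
    """Number of candidates a brute-force search must cover in the worst case."""
    return alphabet_size ** length


def inferred_alphabet(password):
    """Alphabet an attacker who correctly guesses the character classes would
    use. This is the smaller, more pessimistic keyspace the post does not consider."""
    return sum(len(c) for c in CLASSES if any(ch in c for ch in password))


def rank(passwords, attacker_knows_classes=False):
    """Return (password, guesses) pairs, strongest first, under brute force.
    With attacker_knows_classes=False the search covers all printable ASCII,
    which is the post's assumption and makes length the only factor."""
    scored = []
    for pw in passwords:
        size = inferred_alphabet(pw) if attacker_knows_classes else FULL_PRINTABLE
        scored.append((pw, keyspace(len(pw), size)))
    return sorted(scored, key=lambda item: item[1], reverse=True)


def years_to_exhaust(guesses, guesses_per_second=10**10):
    """Worst-case search time at an assumed rate (10^10/s is a constructed
    figure for a fast unsalted hash on a GPU rig; adjust for your own hash)."""
    return guesses / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    candidates = ["tomandjerry", "Fishing123", "Fish123ing", "$H2mlf"]
    for label, knows in (("full printable ASCII", False),
                         ("attacker guesses the classes", True)):
        print(f"--- {label} ---")
        for pw, guesses in rank(candidates, knows):
            print(f"{pw:12} {len(pw):2} chars  {guesses:.2e} guesses  "
                  f"~{years_to_exhaust(guesses):.3g} years")
```

Even when the attacker guesses the character classes, the 6-character “$H2mlf” stays at the bottom by several orders of magnitude, which is the point the post is making about length.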
In any case, it’s concerning when information technology professionals don’t understand the fundamentals of password security or how a malicious attacker would attempt to compromise a system.
1. Photo courtesy of akashgoyal
2. If you’re using a multi-word password, an attacker who knows this could use a tool that combines words, but that doesn’t really save them much time; we’re talking about numbers with 20-30 zeros in them.