Defending The Kingdom

For those who are using Password Safe, or some other password management program, a quick word of caution: back up your password databases! Send copies to your email address. Store them on USB sticks. Send copies via email to friends. Upload them to Dropbox.

Since good password management systems store passwords in encrypted databases, it doesn’t hurt to have a few copies of the database floating around in the world. If your database gets corrupted or you lose your database, you can always revert to one of the backups. I’ve had two corrupted PasswordSafe databases in a few years of usage, so it’s a rare but perfectly plausible event that you should plan for. There’s also the possibility that your hard drive crashes or your laptop gets stolen, and you lose your database that way. So plan for the worst, and make frequent backups of your database!

Commenter dearjym notes that, in some instances, crooks may be trying to crack your passwords at a rate of hundreds of thousands of passwords per second. He’s right.

Where true, the math I presented in this recent post starts to look a little shaky. See this rather arresting summary via a blogger who used to post on topics similar to those featured at Defending the Kingdom.

So let’s be specific about where we’re likely to get into trouble with short-ish passwords. First, it’s unlikely that internet bots can try more than one (or maybe a few) passwords per second over the internet. Bandwidth speeds and server response times are the primary breaks on the process, and some websites purposely slow things even further after a few wrong tries. Some programs on personal computers also make an effort to retard the password verification process in computer time (making the process last 0.5 seconds rather than 0.0001 second, perhaps, which is indistinguishable to most users but not computers). Password Safe is one such program.

But some programs are not built so securely, and this is where we can run into trouble. As generic advice, it wouldn’t be a bad idea to use very long passwords (15 to 30 digits) for Microsoft Office files, Zip files, password protected folders, or any other program for which you’re unsure what password trial limiting features it has.

Dictionary words as passwords

The commenter also makes an interesting point about using multiple dictionary words to make memorable yet safe passwords. He suggests that putting three dictionary words together can make for a very good password. He’s right. Apparently, there are around 170,000 words in a very popular dictionary. Assuming that all of them are equally suitable as memorable words for use within a password (or, more to the point, assuming that password crackers wouldn’t be able to distinguish memorable from unmemorable words), that makes for 5,000 trillion possible password combinations. Note, though, that the number drops to around 5 trillion combinations if we assume that only 10% of words in the dictionary are memorable enough to use within a password.