Where true, the math I presented in this recent post starts to look a little shaky. See this rather arresting summary via a blogger who used to post on topics similar to those featured at Defending the Kingdom.

So let’s be specific about where we’re likely to get into trouble with short-ish passwords. First, it’s unlikely that internet bots can try more than one (or maybe a few) passwords per second over the internet. Bandwidth speeds and server response times are the primary breaks on the process, and some websites purposely slow things even further after a few wrong tries. Some programs on personal computers also make an effort to retard the password verification process in computer time (making the process last 0.5 seconds rather than 0.0001 second, perhaps, which is indistinguishable to most users but not computers). Password Safe is one such program.

But some programs are not built so securely, and this is where we can run into trouble. As generic advice, it wouldn’t be a bad idea to use very long passwords (15 to 30 digits) for Microsoft Office files, Zip files, password protected folders, or any other program for which you’re unsure what password trial limiting features it has.

Dictionary words as passwords

The commenter also makes an interesting point about using multiple dictionary words to make memorable yet safe passwords. He suggests that putting three dictionary words together can make for a very good password. He’s right. Apparently, there are around 170,000 words in a very popular dictionary. Assuming that all of them are equally suitable as memorable words for use within a password (or, more to the point, assuming that password crackers wouldn’t be able to distinguish memorable from unmemorable words), that makes for 5,000 trillion possible password combinations. Note, though, that the number drops to around 5 trillion combinations if we assume that only 10% of words in the dictionary are memorable enough to use within a password.

The problem is that most security question answers, if generated as intentioned, typically make poor passwords. You can have the strongest primary password in the world, but if you use your mother’s maiden name as the answer to the security question a website offers, then you can forget about the strength of your primary password. Your effective password might as well be your mother’s maiden name, since knowledge of that will get you into the website as sure as knowledge of the primary password will.

You should keep that in mind when creating answers to security questions. Instead of providing the actual answers, I recommend creating real passwords as answers to these (i.e., your mother’s maiden name could be entered as “d9IgzUe33s”), then keeping track of these additional passwords in a program built for the job (I’ve discussed such programs before).

The fortress problem

Now that you’ve gussied up the backdoor, strengthening it with a stronger password requirement, you may run into the problem that backdoors were invented to solve: what if you suddenly find yourself locked out of your fortress? What if you lose both passwords? If you are using a password management tool, what if your password database gets corrupted? What if you accidentally erase an entry in your database (this is scarily easy to do)? What if your hard disk crashes and you lose your database?

The answer is that you need to create backup systems for yourself. These backups need to be in two forms:

1. If you use a password manager, create backups of your password database. After creating a new entry, store a copy of the database on a USB flash drive or send a copy to a family member’s email address. As long as the database itself is password protected, you needn’t worry about making copies and leaving them lying around or giving possession to others. In fact, the more copies you make and the easier they are to find, the better.
2. If you use a password manager, you need to protect against the possibility that you forget the master password that unlocks the database. If you’ve used this method, that should never happen. But sometimes bad things do happen, and you should plan for that. A low-tech method would be to write down your database password and store it in your wallet. That is safer and more sensible than many people suspect. A second option would be to write down your master password and store it in a safety deposit box at your bank. The latter option has the advantage of finally sealing up that backdoor to be both safe and useful – if you lose your safety deposit box key, for example, you can regain access to it by proving your identity to your bank, something that should be extremely difficult to do for an imposter but relatively easy for the true account holder to do.

Pragmatic security and powerful bots

This blog has always taken the pragmatic route to security, recognizing that there will always be a tradeoff between security and time and money. In other words, don’t worry about being 100% safe — instead, focus on being safer than average.

What does that mean for password length? Consider this: computing time is so cheap today that it’s not inconceivable that every one of our email accounts has a bot trying to access it about once per second, every day, 365 days per year.

Still feel safe with the password you’re using right now? Personally, I’m starting to feel queezy, but let’s look at the problem carefully.

Is eight still enough?

I used to recommend an eight digit password. Is that still enough? The Microsoft Password Checker, a tool I’ve recommended before, does not seem to think so. If you type, for example, “t8Uh10xI” into the checker, it tells you that you’ve made a weak password. Is that the case?

To answer that, suppose you found one of those bots that is, in all likelihood, pounding at the gates to your email account. Feeling generous, you give the bot a bit of information. “Look,” you say, “my password is eight digits, so don’t bother guessing passwords of any other length. And I use numbers, uppercase characters, and lowercase characters. I don’t use any special characters.”

Now, how scared should you be?

Well, you’ve made the bots job a bit easier, but let’s take a look at the math. The key statistic is the number of possible permutations of passwords you could have made using those parameters. To find out how many permutations there are, and therefore how many different passwords the bot would have to try, we need to compute the following:

Permutations = (26+26+10)^8

That is, there are 62 ways to pick the first digit of your password (26 uppercase letters, 26 lowercase letters, and 10 numerical digits), 62 ways to pick the second, 62 to pick the third, and so on — eight times.

The solution is that there are 218,340,105,584,896 possible eight character permutations. That’s 218.3 trillion. Supposing that a bot can try one password per second, it would be able to try 31,536,000 in a year. In just under 7 million years, it could try all the possible permutations.

So the answer has to be “yes, eight is still enough”.

On the other hand, if you’re using a software tool like PasswordSafe, the cost of upgrading your passwords to be a bit longer is so low that it’s difficult to think of a reason not to do so. Personally, I’ve begun to use 15 to 30 digit passwords for some applications because it increases my safety without increasing my costs appreciably. But I still feel secure knowing that the master password that unlocks my PasswordSafe database is less than ten characters long. If I lose my PasswordSafe database on the subway again (yes, this has happened once already), I won’t worry.

1. You can ask the program to automatically fill in password fields on websites. Cutting and pasting wasn’t hard, but this is twice as easy!

2. It’s now possible to customize the passwords the program generates for you. Choose the number of characters, the number of characters that should be lowercase, the number that should be uppercase, etc. You can even ask the program to generate passwords that are readable (rather than gibberish).

Yes, those features are for lazy people. But laziness in these areas will give you more time to spend elsewhere, like replacing old passwords every few months.

If Password Safe doesn’t quite do it for you, Beta News has a review of a range of password managers. Perhaps one of them will strike your fancy.

If you’re using one of these passwords for your iPhone (or anything else, really), stop it!

Here is another list of passwords to avoid, many of which are unsurprisingly similar to the first list.

There are a lot of technically difficult and time-consuming ways to protect your security, and there are justifiable reasons to balk at them. Avoiding the most common passwords, however, is not one of those ways. It is the ripest and droopiest of the low-hanging security fruit. Pick it.

There is actually a third possibility I failed to mention. I used to log in to my Hotmail account via this page:

I should have been using this page:

Notice the difference?

The page I should have been using has been verified by VeriSign to be an authentic Microsoft website (hence the green banner in the ULR bar) and it is also a “secure page” that will protect my username and password from “eavesdroppers“. I know this because the URL for the second page starts with https rather than just http.

The reason the second page is deemed secure is that when I enter my username and password, that information is passed along to Microsoft’s servers through an encrypted tunnel. The concept is very similar to VPN security, which I’ve written about before.

The upshot is that the second website will prevent eavesdropping and man in the middle attacks, both of which can be a problem if you are sending important information (like username and password details) through the internet while using a wi-fi hotspot.

Perhaps my email account got hacked last year because I logged on through the unsecure site while using a public wi-fi network somewhere. Don’t make that mistake.

Dear Hotmail…

If you’re listening, please remove your unsecured log in page from the web!

At the time, I implored Hotmail to change their security system so that guessers would have to enter a CAPTCHA with every few wrong guesses. That would slow them down enough to make it nearly impossible to brute force their way into any account with a reasonably strong password.

I doubt the Hotmail folks read this blog and decided pull up their socks as a result, but I was delighted to see, upon my most recent Hotmail login attempt, a similar change to the one I recommended (see picture below). My account is obviously still under siege, and Hotmail is preventing too many password guesses. The only downside is that they won’t let me into my account, either.

So I feel satisfied that Hotmail now has security features that will keep my account safe, even without the strongest possible password. Just in case, though, I’ve updated my password to be ultra-strong. It’s more than 16 characters long (I don’t want to say exactly how long, because that would make it easier for a hacker to guess), contains numbers, letters, and freaky characters. It looks something like this: gA4wL[l0iX+yJ$j1. Hackers, I wish you good luck .

An old and out of use Hotmail account, which I log into every couple of months just to prevent Hotmail from letting my account expire, was hacked in late May. Whoever or whatever (I suspect it was a machine) hacked into my account didn’t do anything terribly malicious. They simply borrowed my address for a month and sent out loads of spam to everyone on my contact list and many more who were not. Sorry! And thanks to the friend who I inadvertently spammed and gave me the heads up about the problem.

What Went Wrong

I have no way of knowing how my account was compromised, but I suspect a brute force attack. Hotmail doesn’t lock accounts or insert any other barrier after a few (or even many) unsuccessful password entry attempts, so a machine could go on happily guessing at least one password per second for as long as it took to find the right one. Unfortunately, I made that process easier by having a password that was all lowercase and lacked special characters. Worse, even though I change most passwords every three or four months, I hadn’t changed that password since I opened the account. It wasn’t a giveaway password – it was 8 digits long and had a combination of letters and numbers – but I could have and should have done more.

Thankfully, the hackers didn’t change the locks while they were making use of my little piece of online real estate, and I was able to log in and reclaim full possession of the account. I set the new password to be extra robust.

Dear Hotmail…

And if anybody from Hotmail stumbles across this post: please consider asking people and machines who get their passwords wrong, say, five times in a row to pass a captcha test. Gmail does it. You should, too.

Risk vs. Effort

As it happens, this threat seemed plausible at one point last month. Now it appears that the danger was probably exaggerated (although that’s what the Facebook folks would say, isn’t it?):

Facebook’s assessment of Killros is that he is a low-level player and that he had nowhere near the 1.5 million accounts he advertised. Most likely, he had a few hundred accounts most of which he likely created himself. Through some interesting and impressive forensic work, the Facebook security team identified the real Facebook accounts owned by Kirllos, reset the passwords, and notified the account owners.

But for fun, let’s take the hacker’s advertising at face value. How big of a risk is it to you, the average Facebook account holder? Well, to start with, there are over 400 million Facebook accounts, so the chances that yours is among the 1.5 million currently on sale are less than half of one percent.

I’ve written before that the prices criminals are willing to pay to get your account details are good magnitude of risk indicators. In this case, if the value of each Facebook account is less than 5 cents, criminal buyers must not be expecting much more than the value of their time as a return on hacking into accounts.

You should be much more concerned about your bank account login details getting stolen, as that information apparently sells for about 1% of the account balance. In other words, buyers of this information expect a reasonable payoff in exchange for their investment and the risks they are taking.

So my take on the Facebook news is that it was initially alarming, but probably nothing to get worked up about. Of course, there’s no harm in updating and/or upgrading your Facebook password if you haven’t done so in a while.

Read this list of commonly used passwords and see if you get a little nervous. Double twangs of deserved nervousness if you use the same password for every account.

The post has some solid advice about making and managing great passwords, too.