October 23, 2012

Creating Secure Passwords: The Rules Have Changed (Again)

MONEY AND MANAGEMENT

November/December 2010 Issue | Volume 36 Number 6 | Page 24



As a result of revolutionary new processing capabilities, cybercriminals are bound to get smarter and faster at cracking password codes. Use these tips and tools for an effective balance between convenience and security.

Passwords might seem like a tired subject to some, but just when we all thought we knew the rules of the game, the security standards have changed once more. The new news is that it’s high time to say good-bye to those wimpy, eight-character passwords. So why the major change? Let’s discuss that first and then explore some steps you can take in response.

A Few Characters Can Make a Monumental Difference

For a number of years, a commonly recommended length for passwords has been six to eight characters. But that length is no longer sufficient for effective security, according to a report recently published by the Georgia Institute of Technology. The Institute’s researchers put the capabilities of today’s new CPUs through their paces and, in essence, here’s what they found: They were able to use clusters of graphics cards to crack eight-character passwords in less than two hours. And trust us, if the researchers are doing this, so are the cybercriminals of the world.

The researchers discovered, however, that by applying the same processing power to 12-character passwords, it would take 17,134 years to crack the codes. That means cybercriminals, even when highly motivated, are pretty unlikely to go after 12-character passwords—there are just too many folks out there asking for their security to be violated with less-secure passwords.

Richard Boyd, a senior research scientist who worked on the project, has recommended that 12-character passwords should thus be the de facto standard that we all use. But why not just 9, 10 or 11 characters instead?

Here’s how the research team came to its particular recommendation: They assumed a sophisticated hacker might be able to try 1 trillion password combinations per second. If that were the case, it would take 180 years to crack an 11-character password. Yet if you add just one more character, it would now take those 17,134 years to break the password. Given that the computing power of those with evil intent continues to accelerate, that added character gives—for the foreseeable future—a good level of security.

So, the new recommendation really strikes a balance between convenience and security—and it assumes that password-cracking capabilities will continue to increase, as has certainly been true since computers became an integral part of our lives.
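The arithmetic behind these figures, as an added example that is not taken from the article or the Georgia Tech report. It assumes worst-case exhaustive search, the 95-character keyboard alphabet the article mentions, and a 365-day year; the 1,000-year target and the attacker speed-up factors are illustrative assumptions.

```python
SECONDS_PER_YEAR = 365 * 24 * 3600  # 365-day year (assumption)
KEYBOARD_CHARS = 95                 # letters and symbols on a standard keyboard
GUESSES_PER_SECOND = 10**12         # the researchers' assumed rate: 1 trillion/s


def exhaustive_seconds(length, alphabet=KEYBOARD_CHARS, rate=GUESSES_PER_SECOND):
    """Worst-case seconds to try every password of exactly `length` characters."""
    return alphabet ** length / rate


def exhaustive_years(length, alphabet=KEYBOARD_CHARS, rate=GUESSES_PER_SECOND):
    """Same worst case, expressed in years."""
    return exhaustive_seconds(length, alphabet, rate) / SECONDS_PER_YEAR


def min_length(target_years, alphabet=KEYBOARD_CHARS, rate=GUESSES_PER_SECOND):
    """Shortest length whose full keyspace takes at least `target_years` to search."""
    guesses_needed = target_years * SECONDS_PER_YEAR * rate  # exact integer math
    length = 1
    while alphabet ** length < guesses_needed:
        length += 1
    return length


def policy_table(target_years=1000, speedups=(1, 1000, 1_000_000)):
    """Required length as attacker speed grows, full keyboard vs. letters only.

    `target_years` and `speedups` are illustrative assumptions, not figures
    from the article.
    """
    rows = []
    for factor in speedups:
        rate = GUESSES_PER_SECOND * factor
        rows.append((factor,
                     min_length(target_years, 95, rate),   # full keyboard
                     min_length(target_years, 26, rate)))  # one-case letters only
    return rows


if __name__ == "__main__":
    for n in (8, 11, 12):
        hours = exhaustive_seconds(n) / 3600
        print(f"{n:>2} chars: {hours:,.1f} hours = {exhaustive_years(n):,.1f} years")
    for factor, full, letters in policy_table():
        print(f"attacker x{factor:,}: keyboard alphabet needs {full} chars, "
              f"letters-only needs {letters}")
```

Each added character multiplies the search time by 95, which is why the jump from 11 to 12 characters is so large. A thousandfold faster attacker costs only one extra character under the same assumptions.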

Think About “I’msickofLindsayLohan!”

Generally, lawyers have gotten smarter about creating passwords over time, and nowadays most know better than to use their birthdates, their children’s names or other kinds of commonly known facts for their passwords. We do, though, still find passwords on sticky notes on monitors or in desk drawers, which is an unending source of despair to all security experts; apparently, most of us cannot remember our passwords. And indeed, we have a lot of sympathy, since many of us have so many passwords that it’s tough to memorize them all!

So what to do now, when your passwords need to contain even more characters for you to remember? Try this: Use full sentences or passphrases as your passwords, which will make them much easier to recall.

For example, the phrase “I’msickofLindsayLohan!” is simple enough to remember but complex enough to confound a would-be password cracker. Using characters that are non-letters also helps add to the complexity and, therefore, to your security. While the English alphabet contains just 26 letters, remember that there are a total of 95 letters and symbols on a standard keyboard—and mixing them up makes it even more difficult to break a password.

We’ll note that some, including Microsoft, will argue that users should not use real words or logical combinations of letters because they may be guessed by a “dictionary attack” using a database of words and common character sequences. Maybe, but we think that is overkill unless you’re dealing with national security data or the formula for Coca-Cola.

At the same time, let’s point out that the research used at Georgia Tech was a “brute force” attack, meaning that they simply tried all possible combinations of characters. The computer graphics cards they deployed are very cheap and easily programmed to perform these sorts of computations. The processors in the cards all run simultaneously, working to crack the passwords. Amazingly, these processors, running together, now have the processing power of what we used to call “supercomputers.”

So given all of that, let’s say you accept the need for 12-character passwords. Then you should be aware that several related issues may arise, at least for the short term. One is that your bank, your stock brokerage firm or the like may not allow for 12-character passwords on their sites. In fact, there are currently a lot of Web sites out there that still do not permit long passwords, although with each passing day, that is changing.

More problematic, though, is that many sites do not enforce the longer passwords. Or, they may not insist that you use non-letter characters. This remains a significant problem, especially as many sites containing sensitive data have not yet caught up with security requirements for the coming decade.

Helpful Types of Tools to Aid Your Memory

Still, perhaps the greatest problem is remembering all these passwords. One solution is to use an encrypted flash drive such as the IronKey (www.ironkey.com), which has Internet protection services, including a password “vault” application that remembers all the characters for you. Be careful, though—these devices are small and therefore can be easy to lose. But at least there is an insurance policy—you can store your passwords (encrypted) on the IronKey site so you can still access them if you lose the flash drive.

In addition, there are various Web sites that will store, or even generate, your passwords for you, with LastPass (http://lastpass.com) as one popular example. But again, a caution: If you use one of these sites, then you must have full trust in the security levels (and employees) of the site.

As another option, you can turn to a product like eWallet (www.iliumsoft.com/site/ew/ewallet.php), which for $19.95 will store your passwords in encrypted format and allow you to sync access to it from multiple devices, including smartphones, though you’ll need to check whether yours is supported. This may be the best solution currently available for busy lawyers. One of your authors (John) uses eWallet as a backup to his IronKey (synced to the BlackBerry). With a 30-day free trial, it’s hard to go wrong by giving it a try. And there are other, similar products out there, but research them carefully before selecting one.

Whatever you do, make sure you do take passwords seriously. At least take heed of the message conveyed by the Georgia Institute of Technology and make your passwords 12 characters strong. Then you will have demonstrated that you sincerely try to take “reasonable measures” to protect client confidentiality in this ever-changing computing environment.

About the Authors

Sharon D. Nelson and John W. Simek are President and Vice President, respectively, of Sensei Enterprises, Inc., a computer forensics and legal technology firm based in Fairfax, VA. They are coauthors of The 2010 Solo and Small Firm Legal Technology Guide (ABA, 2010).