DrPhill
Cyber Heretic
- Joined
- 15 Feb 2012
- Messages
- 1,154
- Reaction score
- 314
Obligatory XKCD:
Below is some advice I put together some time ago for a group of folks in my village. This may help some on here.
Also check out your email address on https://haveibeenpwned.com/ and your password on https://haveibeenpwned.com/Passwords
Use Strong Passwords
There is a lot of confusing and contradicting information about password security best practices on the internet. In an effort to clear up that confusion, let’s break down the basics of how using a strong password improves your security.
Whenever creating a password, the first item that you will want to consider is the length of the password. The list below shows the estimated time it takes to crack a password using a four-core i5 processor. A more powerful processor will take less time.
7 characters will take .29 milliseconds to crack.
8 characters will take 5 hours to crack.
9 characters will take 4 months to crack.
10 characters will take 1 decade to crack.
12 characters will take 2 centuries to crack.
So as you can see, adding a single character to your password can significantly increase the security of your login. A password that is at least 12 characters long, random and includes a large pool of characters like “ISt8XXa!28X3” will make it very difficult to crack.
Unfortunately, some hackers are leveraging GPUs and stronger CPUs to decrease the amount of time needed to crack passwords. So to strengthen your logins, also be mindful of your password entropy. The higher the password entropy is, the more difficult the password will be to crack.
For example, based on just the length requirement, a password like “abcdefghijkl” is 12 characters, which is great and should take 200 years to crack. However, since the password uses sequential strings of letters, it makes the password much more predictable compared with a password like “rfybolaawtpm” which has randomized characters.
Randomizing characters decreases the predictability and increases the strength of the password. But both of these passwords have one thing in common that ultimately reduces the password entropy. Both are only using lower case letters, limiting the pool of possible characters to 26. That’s why it’s vital to include alphanumeric, upper-case letters and common ASCII characters to increase the pool of characters needed to crack the password to 92.
Example:
Password entropy
Password entropy is a measurement of how unpredictable a password is.
The formula for entropy is:
E stands for "entropy," which is the opposite of an ordered pattern. Entropy is good: the bigger the E, the harder a password is to crack.
________________________________________
We calculate password entropy by first looking at the pool of characters a password is made from.
For example, the password password would have a possible pool of 26 characters from the English alphabet.
Changing the password to Password would increase your pool to 52 characters. I made a table below to outline the rest.
Type                        Pool of Characters Possible
Lowercase                         26
Lower & Upper Case                52
Alphanumeric                      36
Alphanumeric & Upper Case         62
Common ASCII Characters           30
Diceware Words List            7,776
English Dictionary Words     171,000
________________________________________
Password strength is determined with this chart:
< 28 bits = Very Weak; might keep out family members
28 - 35 bits = Weak; should keep out most people, often good for desktop login passwords
36 - 59 bits = Reasonable; fairly secure passwords for network and company passwords
60 - 127 bits = Strong; can be good for guarding financial information
128+ bits = Very Strong; often overkill
While a password with 40-50 bits of entropy may be semi-safe now, it is only a matter of time until GPUs become more powerful, and password cracking takes less time!
________________________________________
Here is an example:
If your keyboard has 95 unique characters and you are randomly constructing a password from that whole set, then R = 95.
If you have a 12-character password, then L = 12.
The number R to the L power is 540,360,087,662,636,962,890,625 -- which is how many passwords you have available.
That's the same as 2^78.9 -- and the log2 of that is 78.9. In info-security lingo, it's 78.9 bits of entropy. That approaches the "exponential wall," where a password could be nigh on impossible to crack.
Hope this helps.
https://xkcd.com/936/
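The pool-size table, the entropy formula E = L * log2(R), the strength chart and the crack-time reasoning from the post above, carried through in code. This is an added example, not part of DrPhill's post. It assumes a 33-symbol printable-ASCII punctuation class (so that 26 + 26 + 10 + 33 = 95, the keyboard figure the post's worked example uses, rather than the 30 in its table), a guess rate of 1e10 guesses per second as a stand-in for an attacker's hardware, and a tiny constructed blocklist; all three are assumptions, not figures from the post.

```python
import math
import string

# Character classes behind the post's "pool of characters" table.
LOWER = set(string.ascii_lowercase)            # 26
UPPER = set(string.ascii_uppercase)            # 26 more -> 52
DIGITS = set(string.digits)                    # 10 more -> 36 / 62
SYMBOLS = set(string.punctuation) | {" "}      # 33 symbols incl. space -> 95 (assumption)

# Constructed stand-in for a real leaked-password list (assumption, not real data).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "iloveyou"}


def pool_size(password: str) -> int:
    """R: size of the union of keyboard classes the password draws from.

    This is the post's model: an attacker who knows which classes you used
    must try every symbol in those classes at every position."""
    chars = set(password)
    unknown = chars - LOWER - UPPER - DIGITS - SYMBOLS
    if unknown:
        raise ValueError(f"outside the printable-ASCII model: {sorted(unknown)!r}")
    return sum(len(cls) for cls in (LOWER, UPPER, DIGITS, SYMBOLS) if chars & cls)


def keyspace(pool: int, length: int) -> int:
    """R^L: number of distinct passwords of length L over a pool of R symbols."""
    return pool ** length


def entropy_bits(pool: int, length: int) -> float:
    """E = log2(R^L) = L * log2(R). Only valid when every symbol is chosen
    uniformly at random; a human-chosen string has far fewer real bits."""
    return length * math.log2(pool)


def password_entropy(password: str) -> float:
    """Entropy the post's method assigns to a password of this shape."""
    return entropy_bits(pool_size(password), len(password))


def diceware_entropy(words: int, wordlist_size: int = 7776) -> float:
    """Passphrase entropy: each word is one symbol drawn from the word list."""
    return entropy_bits(wordlist_size, words)


def strength_label(bits: float) -> str:
    """The post's strength chart, applied to a (possibly fractional) bit count."""
    if bits < 28:
        return "Very Weak"
    if bits < 36:
        return "Weak"
    if bits < 60:
        return "Reasonable"
    if bits < 128:
        return "Strong"
    return "Very Strong"


def expected_crack_seconds(pool: int, length: int, guesses_per_second: float) -> float:
    """Average time to hit a uniformly random password: half the keyspace
    divided by the guess rate. The rate is the whole story: it depends on
    the hash the site used and on the attacker's hardware."""
    return keyspace(pool, length) / 2 / guesses_per_second


def is_predictable(password: str) -> bool:
    """Cheap pattern checks the entropy formula cannot see: blocklisted,
    one repeated character, or an alphabet/digit run in either direction."""
    p = password.lower()
    if p in COMMON_PASSWORDS or len(set(p)) == 1:
        return True
    for seq in (string.ascii_lowercase, string.digits):
        if len(p) >= 4 and (p in seq or p in seq[::-1]):
            return True
    return False


def report(password: str, guesses_per_second: float = 1e10) -> dict:
    """Summarise one password under the post's model plus the pattern check.
    The default 1e10 guesses/s is an assumed attacker rate, not a measurement."""
    r, l = pool_size(password), len(password)
    bits = entropy_bits(r, l)
    return {
        "pool": r,
        "length": l,
        "bits": round(bits, 1),
        "label": strength_label(bits),
        "avg_crack_seconds": expected_crack_seconds(r, l, guesses_per_second),
        "predictable": is_predictable(password),
    }


if __name__ == "__main__":
    # The post's own examples, plus a 4-word Diceware phrase for comparison.
    for pw in ("password", "Password", "abcdefghijkl", "rfybolaawtpm", "ISt8XXa!28X3"):
        print(pw, report(pw))
    print("4 diceware words:", round(diceware_entropy(4), 1), "bits")
```

Two things worth noticing when you run it. First, "abcdefghijkl" scores the same 56.4 bits as "rfybolaawtpm" by the formula alone; only the pattern check tells them apart, which is exactly the post's point that the formula counts bits only for randomly chosen characters. Second, the crack time changes by orders of magnitude when you change guesses_per_second, so any fixed table of "hours" or "centuries" is really a statement about one assumed hash and one assumed machine.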