Password Security
First, to account for my lack of posting here on my blog: between my school work and my personal email gateway server project, I have had barely any time to myself for anything else (including this blog). Hopefully my next post will be on how to configure an Exchange email filter server (edge server) using Ubuntu Server, MailScanner, SpamAssassin, and ClamAV. I’ve been working on this for a couple of weeks now and I’ve almost got everything working flawlessly!
I’m writing this post to cover the lack of password security in today’s society. Hopefully after reading it, you will be inspired to update your passwords and memorize pass phrases, even hard-to-remember ones, for the sake of privacy and security. To start, I’m going to use the first 2 passwords I ever used as examples to prove my points. My first password was “fish” and my second was “together”. I’m posting these because I’m fairly sure that I no longer use them in any environment that I care about, although they may still linger on old GeoCities, Yahoo, etc. accounts that I created years ago.
Using dictionary words as passwords is the ultimate downfall of any password you could ever come up with. The reason I say this is that passwords are generally not stored in the clear but as digests produced by mathematical procedures called hash algorithms in the computing industry. These include md5 and sha (among many others), and they are theoretically irreversible: if all you have is the digest, there is no direct way to compute the original password from it.
For the longest time, I used passwords such as fish to secure my files because they were easy to remember. I also used md5 to protect the passwords on my websites. Little did I realize that, because fish is a dictionary word, an md5 lookup database exists that already contains the digests of all the known dictionary words. This means that within a second or two, I can go to a rainbow table site, enter my hashed (supposedly secure and irreversible) password, and most of the time it will return my original password. In addition to dictionary words, the rainbow tables cover many common combinations such as 123, abc, and !@# (shift-123) tacked onto dictionary words. This means that passwords like fish123 are also insecure.
To fix this, many password hashing schemes add a salt: a random string of characters added to the original password before hashing, so that the stored md5 no longer matches a precomputed table entry for the bare word. This is great and all, but the salt usually can be easily retrieved if you compromise the system and obtain both its value and the md5 password database.
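As an added example (not code from the post), the following shows why an unsalted md5 of a dictionary word with a common suffix is recovered from a precomputed lookup table, while the same password hashed with a per-user salt misses the table entirely. The word list, suffixes and salt value are constructed for the demonstration.

```python
import hashlib
import os

# Constructed mini "dictionary": a few words plus the suffixes the post mentions.
WORDS = ["fish", "together", "password"]
SUFFIXES = ["", "123", "abc", "!@#"]


def build_lookup_table(words=WORDS, suffixes=SUFFIXES):
    """Precompute md5(word + suffix) -> plaintext, as a lookup-table site would."""
    table = {}
    for word in words:
        for suffix in suffixes:
            candidate = word + suffix
            table[hashlib.md5(candidate.encode()).hexdigest()] = candidate
    return table


def unsalted_md5(password):
    """Plain md5 of the password: identical for every user who picks it."""
    return hashlib.md5(password.encode()).hexdigest()


def salted_md5(password, salt=None):
    """Per-user random salt stored beside the digest; digest = md5(salt + password)."""
    if salt is None:
        salt = os.urandom(8).hex()
    return salt, hashlib.md5((salt + password).encode()).hexdigest()


def verify_salted(password, salt, stored_digest):
    """Recompute with the stored salt and compare against the stored digest."""
    return salted_md5(password, salt)[1] == stored_digest


def lookup(table, digest):
    """What the precomputed table recovers for a stored digest, or None."""
    return table.get(digest)


if __name__ == "__main__":
    table = build_lookup_table()
    print("unsalted fish123 ->", lookup(table, unsalted_md5("fish123")))
    salt, digest = salted_md5("fish123", "c0ffee42")  # constructed salt
    print("salted fish123   ->", lookup(table, digest))
    print("verify           ->", verify_salted("fish123", salt, digest))
```

The salt does not stop someone who has both the salt and the digest from hashing guesses directly, which is the caveat the paragraph above makes; it only defeats tables built ahead of time.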
As a system administrator, I am constantly paranoid about how secure my password is, because I know how easy passwords are to crack if you use something simple or a common predefined combination. Because of this, I now use passwords that look similar to “sdk3#8*(&JdS”. I tend to use 10 characters that share no similarities or patterns with each other. To generate these passwords, I bang my head (or hands) on the keyboard, see what comes up, and then randomize that further. Overall, I would consider the above password secure for about a year.
The reason I say a year is that a supercomputer could brute force that password within a year by going through every possibility up to 10 characters. There is a chance that more than one input produces the same md5 (a collision), but overall you wouldn’t go over your limit of bad password attempts. This is why it is strongly encouraged that you change your confidential passwords every few months or so.
For my server administrator accounts (full-access accounts), I tend to use 25-character passwords that make cracking almost impossible. Unfortunately, they are also very difficult to remember, so I keep them in a password book stored in a fireproof lock box. I consider this secure since only 1 person (myself) has a key to the box. I still change this password every 3 months, but it is far harder to crack.
Finally, to ensure that no one can run a supercomputer brute force (try every combination) against my accounts, I always set my computer to lock after 5 failed attempts, so you get 5 guesses at my password.
Hopefully this inspires you to change your password often like I do!
Tags: md5, password, sha
Posted in Hosting / Server Administration
25 chars? Anything over 16 is theoretically redundant for md5, or 20 for sha-1, i.e. there will be a password under those sizes with the same hash.
I’ve always been taught that more is better, but theoretically, you’re correct. My huge passwords could be hacked with much shorter versions.
That is a chance that I have to take.