AlertBoot Endpoint Security

AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

Information Security: What Is A Weak Password?

In the real world, the strength of your laptop encryption doesn't matter: hackers assume it's very strong (and they usually wouldn't be wrong in making this assumption) and attack the system in some other way.  While it isn't anyone's first choice of attack, guessing the password that unlocks access to an encrypted system is a time-honored and frequently used one.

Having a strong password matters.  Certainly, there are many ways of gaining access to systems, including the use of malware to grab passwords, which renders moot the use of a strong password.  On the other hand, it's hard to find any security professionals recommending the use of weak passwords.  For example, if your password is "password," an often used password, you'll get an earful from any security expert.

So what is a strong password?  That's actually a hard question to answer.  It might be easier to answer "what is a weak password?" and then use the opposite of that as a definition of a strong password.

What are Weak Passwords?

Weak passwords are any passwords that can be easily guessed, either because they're so personal to their owner or because it hardly takes any time to find them via the brute-force method, where a hacker (here, a hacker being anyone intent on finding your password, be they a criminal in Belarus or your nosy kids) runs through all possible password options.

For example, if your password is "aa" and the hacker starts with "a," it will take him possibly 37 tries before finding it: a through z (26 tries); 0 through 9 (10 tries); plus "aa."  Compare that to "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa," which will take a while to reach using the same logic.  In this sense, the longer the password, the more secure it is.

However, this is not always true.  Because people tend to choose information that is personal to them as passwords, if your kids' names are Michael or Estelle, these are less secure than an unrelated, shorter name such as Amy: hackers will exploit the "personal" aspect and try Michael or Estelle before trying something else.  This is the reason why dates of birth are discouraged as passwords: of the 366 options, you'll probably choose your own, your kids', or your spouse's.

Generally, the more information a hacker has about you, the greater the chances, on average, of figuring out your password, which is why publicizing your mother's maiden name; significant dates (birth dates, wedding dates, etc); pet names; etc. on the internet is discouraged.

Another way that hackers curtail their potential pool of passwords is by using a dictionary.  Because people tend to use real words--correctly spelled, of course--a hacker's job is simplified by using a dictionary.  How is it simplified?  Well, the English language consists of approximately 750,000 words, including the stuff that no one would normally use.  In comparison, over 8 trillion non-words can be created using the alphabet alone, assuming the password is seven characters long.  (The figure doesn't include the 6-character long, 5-character long, etc. passwords that a hacker would conceivably have to go through if he starts from "a.")

But, there is a caveat to this non-dictionary rule as well: if you happen to love the string of characters @A1$Ad*((nssafSAD so that it's engraved into your laptop cover, printed on your t-shirt, used to personalize your pencils, etc., it falls into that "personal aspect" category that makes it ineligible as a strong password.

So, in summary, a weak password is something that is:

  • Short
  • Found in a dictionary or other list
  • Personal to you (and made public somehow)

A strong password can supposedly be created by avoiding the above.  In practice, it's not that easy.
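The three rules above (short, found in a list, personal) can be turned into a simple pre-flight check that an enrollment form or password-change screen runs before accepting a password. The following is an added example written for this post, not AlertBoot's code; the wordlists and personal terms are constructed stand-ins (a real deployment would load a large leaked-password list and a full dictionary), and it also carries the post's brute-force arithmetic through as a keyspace function so you can see what "short" costs an attacker in guesses.

```python
"""Weak-password checks derived from the post's three rules, plus the
brute-force search-space arithmetic.  Added example, not AlertBoot's code."""
import re

# Constructed sample lists (assumption: a real system loads far larger ones).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein"}
DICTIONARY = {"pencil", "kimchi", "michael", "estelle", "amy", "password", "summer"}

# 'password1', 'summer123', 'pencil!' all reduce to the bare dictionary word.
TRAILING_JUNK = re.compile(r"[0-9!@#$%^&*]+$")


def search_space(alphabet_size: int, max_len: int) -> int:
    """Total candidates of length 1..max_len over an alphabet of the given size.

    This is the work a brute-force guesser starting from 'a' faces, e.g.
    search_space(26, 7) counts every lower-case string up to seven characters.
    """
    return sum(alphabet_size ** n for n in range(1, max_len + 1))


def weakness_reasons(password: str, personal_terms=(), min_length: int = 12) -> list:
    """Return the reasons a password is weak; an empty list means none found.

    Tags: 'short', 'common-list', 'dictionary', 'personal:<term>'.
    personal_terms is whatever is publicly known about the user (names,
    dates such as '0218'); any of them appearing inside the password counts.
    """
    reasons = []
    if len(password) < min_length:
        reasons.append("short")
    low = password.lower()
    if low in COMMON_PASSWORDS:
        reasons.append("common-list")
    core = TRAILING_JUNK.sub("", low)
    if core in DICTIONARY:
        reasons.append("dictionary")
    for term in personal_terms:
        t = term.lower()
        if len(t) >= 3 and t in low:   # ignore 1-2 char terms: too many false hits
            reasons.append(f"personal:{t}")
    return reasons


if __name__ == "__main__":
    for pw, personal in [("password1", ()),
                         ("Estelle0218", ("Estelle", "0218")),
                         ("this@is*my&pencil", ())]:
        print(f"{pw!r}: {weakness_reasons(pw, personal) or 'no weakness found'}")
    print("lower-case strings up to 7 chars:", search_space(26, 7))
```

The dictionary check strips the usual trailing digits and symbols first, since "password1" is only one guess further down a dictionary attack than "password"; the phrase-style password from later in the post passes because it is long and is not a single dictionary word.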

The Trappings of a Strong Password

As many experts point out, the problem with using the above rules is that passwords will be so confusing that one may not be able to memorize them.  Is #@FWFfs!@123 something you could remember easily?  (Technically, that 123 at the end is a no-no by virtue of being 123, a common string of numbers used in passwords.)

And even if you could, you might find yourself having to memorize a new one every three or six months.  This requirement would be easier if your password was more personal, but we've established why that's a bad idea.

Pushed to its extreme, strong passwords can become a security liability because a significant number of people will end up writing the password down to reference it.  And why wouldn't they?  After all, that's what some people do with their encryption keys: they write it down and place it in a bank vault.

The reason?  They're so long and complex that the keys cannot be memorized--which is why they can ensure data security to begin with.  Of course, IT administrators that follow this procedure can afford to do so because they'll have to reference that encryption key once in a blue moon, if ever.  If they had to pull out those encryption keys and reference them on a daily basis, it would be a very weak link in their data security chain.

So what to do? Well, there are certain tricks that can be used to create a strong password that is also memorable.  They're less secure, in a sense, than completely random passwords, but much stronger than the usual passwords found out there (such as dictionary words combined with 123 at the end of the word: password1, for example).

  • Use a phrase, not a word, and enter certain symbols in between the words in the phrase.  For example, take "this is my pencil" and create the password this@is*my&pencil.
  • Use a longer phrase and take the first letters of each word to create a password.  See how here.
  • Combine unrelated words and numbers.  For example, your birth date, "kimchi," and John Travolta's birth date would result in: 01011960kimchi02181854.

That's a long password, and if you forget Travolta's birth date, you can always look it up.  Plus, it's a pretty random password.  What do you, kimchi, and Travolta have in common?  I'm guessing nothing.  Of course, if there is a commonality, you want to pick some other word or some other number.

Again, this password is not as secure as a completely random one.  However, it's good enough if combined with other data security measures.  For example, in AlertBoot endpoint encryption, you can set a maximum number of tries before rate limiting kicks in.

What's a rate limit?  That's when you limit how often a password can be entered after the previous attempt was a wrong one.  For example, for the first three wrong attempts, perhaps the encryption software checks the password instantaneously.  But the fourth attempt is delayed by two seconds, the fifth by 5 seconds, the sixth by 10 seconds, the seventh by 20 seconds, and so on.  Soon enough, you can only enter one password per minute, dashing any hopes of guessing the correct password any time soon.
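To make the schedule concrete, here is an added example (not AlertBoot's code) of a password gate that imposes exactly the delays described above: attempts one to three are checked immediately, then 2, 5, 10 and 20 seconds. The post says "and so on," so the example assumes the delay keeps doubling after the seventh attempt; the clock is injectable so the behaviour can be tested without sleeping, and the gate compares a hash of the password with a constant-time comparison rather than storing the password itself.

```python
"""Progressive delay on wrong password attempts, modelled on the schedule in
the post.  Added example, not AlertBoot's code.
ASSUMPTION: after the seventh attempt the delay keeps doubling (40 s, 80 s, ...)."""
import hashlib
import hmac
import time

# Delays the post states explicitly, keyed by attempt number (1-based).
STATED_DELAYS = {4: 2.0, 5: 5.0, 6: 10.0, 7: 20.0}


def delay_for_attempt(n: int) -> float:
    """Seconds an attempt number n must wait after the previous wrong attempt."""
    if n <= 3:
        return 0.0
    if n in STATED_DELAYS:
        return STATED_DELAYS[n]
    return 20.0 * 2 ** (n - 7)          # assumed continuation: doubling


def cumulative_wait(attempts: int) -> float:
    """Total enforced waiting time before attempt number `attempts` is checked."""
    return sum(delay_for_attempt(i) for i in range(1, attempts + 1))


def attempts_within(budget_seconds: float) -> int:
    """How many guesses fit in a time budget (the check itself is treated as instant)."""
    n, elapsed = 0, 0.0
    while elapsed + delay_for_attempt(n + 1) <= budget_seconds:
        elapsed += delay_for_attempt(n + 1)
        n += 1
    return n


class FakeClock:
    """Deterministic stand-in for time.monotonic(), advanced by hand in tests."""
    def __init__(self):
        self.t = 0.0

    def __call__(self) -> float:
        return self.t


class PasswordGate:
    """Verifies a password while enforcing the progressive delay."""

    def __init__(self, correct_password: str, clock=time.monotonic):
        # Store only a digest; a real product would use a proper KDF.
        self._digest = hashlib.sha256(correct_password.encode()).digest()
        self._clock = clock
        self.failures = 0
        self.next_allowed = 0.0

    def try_password(self, candidate: str):
        """Return (accepted, seconds_still_to_wait).

        A call made too early is refused without being checked and without
        counting as a failure, so it neither leaks information nor lets a
        caller inflate the delay by hammering the gate.
        """
        now = self._clock()
        if now < self.next_allowed:
            return False, self.next_allowed - now
        digest = hashlib.sha256(candidate.encode()).digest()
        if hmac.compare_digest(digest, self._digest):
            self.failures, self.next_allowed = 0, 0.0
            return True, 0.0
        self.failures += 1
        self.next_allowed = now + delay_for_attempt(self.failures + 1)
        return False, 0.0


if __name__ == "__main__":
    for n in range(1, 13):
        print(f"attempt {n:2d}: wait {delay_for_attempt(n):7.0f} s, "
              f"total {cumulative_wait(n):7.0f} s")
    print("guesses possible in one day:", attempts_within(86400))
```

With this schedule the ninth attempt already waits 80 seconds, so the "one per minute" point is reached before ten guesses, and under the doubling assumption only 18 guesses fit in a day; a dictionary of even a few thousand words is out of reach.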

Combine a non-weak password with the above, and you've handicapped people from accessing your data.


About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.