Longer Passwords Are Better

By Evan Corstorphine, Portable CIO

The telephone calls we get go like this: “Over the last couple of days, all of my friends/business associates have begun receiving emails from me that have a link to a weird website, and their antivirus goes crazy when they go to it, but I didn’t send them that email. Then, it happened again this morning, and I’m starting to get concerned. Is my computer hacked?”  No, your computer isn’t hacked, your email password is hacked.

What is happening? The bad guys are relentless in their effort to find email accounts from which they can send spam email links to their infected websites to millions of people. Their infected website usually contains embedded code that will automatically try to infect your computer with something like “XP Antivirus,” the fake antivirus program that pops up endless messages telling you to enter your credit card information to “fix” it.  The more people they can trick into clicking onto their website, the more infections, and the larger number of people who unwittingly give out their credit card information to be stolen. More opportunity for identity theft is good business for the bad guys (and yes, people give their credit card information to them - we’ve seen it happen multiple times).

The bad guys have some extremely clever computer programs that go around and target email accounts from the largest email domains, such as AOL, Hotmail, ATT, MSN, Comcast and Yahoo. They go one by one, using a “bot” to test commonly used passwords and even attempting some limited brute-force cracking. This sort of “farming” of email addresses ensures they have a steady revenue stream. Virus infections are no longer courtesy of your neighborhood teenager experimenting on his dad’s computer. Now, they’re big business for Eastern Bloc mafia cartels, which goes far to explain why the problem has exploded over the last few years.

Back to passwords. Who do you think the bad guys are going to victimize? Are they going to be able to take over person A’s email account who uses the password “flower,” or person B who uses the password “Plausible*Deniability”?  If you guessed person A, you win. Why? According to the password checking website http://howsecureismypassword.net, “flower” is among the 260 most common passwords, so it would be hacked almost instantly, and “Plausible*Deniability” would take 28 million years for a common desktop computer to break. Even adding an exclamation point to “flower!” would only extend your safety to twelve minutes before it could be broken, because it’s a common word and it’s far too short. 

The problem with password security is that the IT guys (yes, heavy sigh, my brethren) have made password management a royal pain in the neck, and they have burned people out. If you work for a state or federal agency, or a typical large corporation, they’ve probably fueled the law of unintended consequences with rules that make it impossible to remember your password. I never thought it was reasonable to make people change their passwords every 30 days to something completely unique and unused over the previous year. I don’t know anyone who can remember that many unique complex passwords. What happens is that normal people like you and I end up writing down that ridiculous password we had to create (or that we were given), and we put it on a Post-it note, and stick it on our monitor or under our keyboard. We’re just trying to do our job, right? Who can remember this password: “3RzH@=#xFq” ? But sticking it on a Post-It note is not very secure, thus the unintended consequence.

Password philosophies are beginning to change. Long password phrases are more powerful than outright password complexity, because every additional simple character increases the complexity 26 times. But if you add complexity such as a punctuation mark to that phrase, a 20-character phrase is virtually un-crackable by common desktop standards, because it’s added an additional 33 character set that the cracker must include in their cracking search. For example, the phrase “twentygoodcharacters!” is one trillion times more complex than “twentygoodcharacters” because the addition of the exclamation mark increases the overall search space so dramatically. THAT is why upper and lower case, numbers and special characters are so important to use. 

Most websites don’t accommodate long phrases because they’re still adapting to this new knowledge. For example, AOL wants a password of between only 6-16 characters that must include letters, numbers and punctuation characters. Others want upper AND lower case letters, punctuation and numbers. One of their examples; Harry Potter becomes “ HaRrieP0tt3r!”.

There is much more to write about this, but I’m out of room. I’ve put some great links to password testing sites on Portable CIO’s Facebook page, as well as more examples of ways to substitute numbers and punctuation into a password in a way that helps it make sense. In the meantime, if you get stuck please call the experts at Portable CIO at (925)552-7953, or email us at helpdesk@theportablecio.com.