Vandaele Capital


Major retailers, hotel chains, government agencies and even Facebook CEO Mark Zuckerberg get hacked with discomforting regularity these days. In an increasingly hostile computer environment, it is essential to have a strong password for pretty much everything. Whether it’s email, a social media account or online banking, using your cat’s name as a password is a very bad idea. And if you’re afraid you won’t remember your password because it’s too long and complicated, there are alternative ways to manage it.

The primary characteristic of a strong password is its length. The longer the password, the stronger it is and the longer it takes to be cracked. The second is the entropy of the generation process. If the attacker can make some statistical assumptions based on the method of generation, even an alphanumeric 8-character password can be cracked within hours. How do you generate a strong password then? You could use a password generator. Which brings us to the third characteristic of a strong password: trust. Do you trust that the password generator does not keep logs, and do you trust that it doesn’t have a backdoor? Lastly, do you have a secure communication channel between the generator and the receiver? Most of the online password generators fail one or more of these guidelines, and even off-the-shelf software solutions have problems. The only completely secure method I’ve found to generate passwords is to use an open-source generator stored on your computer, preferably running Linux. But even a website-generated password is considerably more secure than any password you can come up with.

But is there such a thing as a perfect password? Steve Gibson’s Perfect Passwords Generator deserves the highest praise of all the solutions in my view. The algorithm used ensures a high level of entropy, and although there is no source code available to corroborate the tech specs with the notes on the website, I trust it. The connection between the GRC server and your computer is secured by an SSL connection, and the generator produces three strings at once: 64 random hexadecimal characters (0-9 and A-F), 63 random printable ASCII characters, and 63 random alpha-numeric characters (a-z, A-Z, 0-9). The most secure of all is the ASCII string, which contains numbers, letters and special characters. You can use any part, the complete string, or even mix them to create a unique password. Your password will look something like: “9q@{3″{y]PLd]301Gv|5=
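To put numbers on the two points made above (length and alphabet size decide the entropy, and the printable-ASCII string is the strongest of the three GRC formats), here is an added example, not code from this post or from GRC: it computes the entropy of each string type and of a short hex login password, generates strings from the OS CSPRNG, and estimates brute-force time at an assumed guess rate. The printable-ASCII alphabet is assumed to be the 94 characters from '!' to '~'.

```python
import math
import secrets
import string

# Alphabets for the three GRC-style strings. The hex and alphanumeric sets
# are as described on the page; the printable-ASCII set is an assumption.
HEX = "0123456789ABCDEF"
ALNUM = string.ascii_letters + string.digits
PRINTABLE = "".join(chr(c) for c in range(33, 127))  # 94 characters


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def generate(alphabet: str, length: int) -> str:
    """Draw every character from the OS CSPRNG; never use random.random here."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def expected_seconds_to_crack(bits: float, guesses_per_second: float) -> float:
    """Expected brute-force time: half the keyspace at a constant guess rate."""
    return 2 ** (bits - 1) / guesses_per_second


def strength_table() -> dict:
    """Entropy of the three GRC strings and of a 12-character hex login password."""
    return {
        "hex64": entropy_bits(len(HEX), 64),        # 256.0 bits
        "ascii63": entropy_bits(len(PRINTABLE), 63),  # ~412.9 bits
        "alnum63": entropy_bits(len(ALNUM), 63),    # ~375.1 bits
        "hex12": entropy_bits(len(HEX), 12),        # 48.0 bits
    }


if __name__ == "__main__":
    rate = 1e10  # assumed offline guess rate (guesses/second), constructed value
    for name, bits in strength_table().items():
        days = expected_seconds_to_crack(bits, rate) / 86400
        print(f"{name:8s} {bits:7.1f} bits  ~{days:.3g} days at {rate:.0e}/s")
    print("sample ascii63:", generate(PRINTABLE, 63))
```

Against an offline attacker the 48-bit hex login password falls in hours at the assumed rate, which is why it is only suitable where guessing is rate-limited, while the three long GRC strings are out of reach of any brute-force budget.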

While such a password will work for a web-based service or email account, you aren’t expected to remember it for your Windows or Apple account; it’s simply too complicated. I personally use a 12 character hexadecimal string for my user account password, which I can remember without having to write it down, like: FA4F22489116F11F. This too can be cracked with rainbow tables, but it will deter most guys without NSA-level knowledge and processing power. If you’re asking yourself, “How can I use 12 random ASCII characters for every password I have?”, here’s my system. I have an Apricorn Aegis Secure Key, a secure encrypted USB thumb drive that itself is protected by a 12 character hexadecimal string and incorporates PIN access with military grade 256-bit AES hardware encryption. All the data on the drive is hardware-encrypted. It will automatically self-destruct if physically tampered with or if the password is entered wrong 10 times. The Apricorn Aegis Secure Key has an integrated password manager and a hardened mobile version of Firefox 3. The passwords never pass through the computer’s keyboard or compromised applications. I would never save any passwords into the Firefox password manager. The only way this system can be compromised is by first cracking the computer user account password and hoping that the cookie session is still active.

Enjoy resetting your passwords.