Services that test a password strength can help users in evaluating their passwords. Will it take days, years or even longer to crack a selected password? That’s what How Secure Is My Password will tell you.

Just head over to the service’s website and enter a password in the form. You do not necessarily have to enter a password that you use actively. You can alternatively enter a comparable password to find out how long it would take to hack your password with a brute force, or maybe a combined dictionary and brute force attack.

Experienced computer users know that they need to pick passwords that contain upper and lower case letters, digits as well as special characters to make it secure. Length suggestions vary from 12 to 16 in most cases. The How Secure Is My Password service suggests to use passwords with a length of at least 16 characters.

The password checker can be an eye opener for users who are using weak passwords. You can try out the service here or check our How Secure Is A Password guide for suitable alternatives.

But the service is not only displaying the time it would approximately take to hack your password, it also displays information and tips that can help you select a more secure password. In addition, it compares the selected password against the list of the top 10k passwords used on the Internet.

The estimated time to hack a password is based on the processing power of a modern desktop PC. Depending on the infrastructure used, it may take considerable less time to hack a password.

Now SplashData have compiled the list of the top 25 most common passwords.  They have compiled the list by examining the password dumps that have been posted online by hackers.

The list, which unsurprisingly comes with the password “password” as the most common doesn’t come with any great surprises.  The most common threads running through these are that they are all very short and most are common dictionary words or proper names.  These are all things to be avoided when creating a new password.

You will notice though that the password “qazwsx” is in the list and why shouldn’t this be secure.  If you look at your keyboard you will see why, as password cracking software looks at common patterns that can be typed on your keyboard.

The list of the top 25 most common passwords is…

1. password

2. 123456

3. 12345678

4. qwerty

5. abc123

6. monkey

7. 1234567

8. letmein

9. trustno1

10. dragon

11. baseball

12. 111111

13. iloveyou

14. master

15. sunshine

16. ashley

17. bailey

18. passw0rd

19. shadow

20. 123123

21. 654321

22. superman

23. qazwsx

24. michael

25. football

It’s not actually difficult to create a strong password and I have put a posted I created below (click to view it full size) that you can print out and put on your wall in your home office or workplace.

A strong password should be absolute minimum of 8 characters in length, preferably a minimum of 10 characters and contain a mixture of numbers, symbols and upper and lower case letters.  You can use numbers and symbols to replace letters they are similar to, for example using an “&” instead of the letter “a” and using the number “1″ instead of an “i” or an “l”.

You can also mix things in a way that makes sense when remembering the code you have used to create the password.  For example, you could have a password made up of two words of different lengths, where the third letter of each word is capitalised and the fifth character in each word is replaced by a symbol.

Finally you can also, for added security, append to the end of the password, or preferably mix into it the first three letters (or a three or four letter identifier) for the website or service the password is for.  For example Amazon could mean the letters AMZ are mixed into your password.

By following these rules it’s very easy to create long, super-secure and above all memorable passwords that will help your data and financial information stay safe online.

There are also other things you can do keep your passwords safe.  One way is to use randomly generated passwords and password storage software on your PC (with it’s own secure password) to auto-fill these in on the websites you use.

Having a super-strong password is so important so I really urge you to tweet, blog and share this post and the poster as far and wide as possible so your friends, family and colleagues can see if their own passwords are in the list.

This is not a widely advertised feature though and there’s no information before, during or after you update your phone to even let you know it exists.  I thought, with my new found ability to get screenshots on my own Windows Phone, that I’d write a short tutorial here for you on how to use this very useful, if not essential, new feature.

1)     Firstly you want to open Settings from the main apps menu

2)     When in the main settings panel, open Lock + Wallpaper

3)     You should now turn on the Password feature for the operating system

4)     Windows Phone will now ask you to enter a passcode, this will always be a numeric value.

5)     When you’re returned to the main Lock + Wallpaper screen, scroll to the very bottom of the screen and tab Require a Password After

6)     You can now select how long a period of time will pass, of up to 30 minutes, before Windows Phone activates the passcode.  Personally I prefer 30 minutes as the others are perhaps a bit short.  With this set you can check your phone regularly without having to worry it will lock you out and require the passcode to be entered every time.  However you will know that if you lose your phone it is very likely that the passcode will automatically turn on to protect your contacts, emails and files.

7)     It’s always a good idea to check the settings have been accepted afterwards.  Here you can see it’s accepted my 30 minute delay on the lock.

I can’t recommend enough that you turn on a passcode for your Windows Phone (or iPhone or Android Phone or Symbian Phone etc.) as we’re all now carrying around increasingly large volumes of data with us.

For example, Windows Phone 7.5 now allows you to easily access any files and documents you may have stored in Microsoft’s SkyDrive cloud storage service.  On mine I have all manner of word processor and spreadsheet documents, some of which contain personal and sensitive information.  It’s extremely useful being able to access these files on the move, but critical to know they’re also secure all of the time.  Even if this feature had been in the previous version of Windows Phone, I never would have used it without a good, strong password on the handset.

It can be royally annoying though when a phone asks you to enter your password every single time you pick it up, especially when you’re only doing something simple such as checking your email or updating Facebook.  With this new feature activated you can rest assured that your phone and data will always be safe… well, after 30 minutes anyway.

That was a problem back then as you had to remember a new password several times a year. It happened more than once that a user who had changed the password the day before simply could not remember it. You had to walk to the IT department to get a temporary password which you then had to use to log in and change the account password once more.

While it is not possible to use password resetters in a corporate environment, you probably do not have the same restrictions on your home computer or in a small business network.

Windows users who are cautious may have created a Windows password reset disk in advanced which they can then use to reset the account password.

If you have not, you have still plenty of options to reset the pass. Before I look at tools for the job, I’d like to point out a few options that may or may not be available to you.

One of those options is to log in with an administrator account, or ask someone to do that, to reset the password. The admin needs to run the following command on a command line prompt:

Local Password Reset

net user user_name new_password

Replace user_name with the name of the user and new_password with the new user password for the account.

Remote Password Reset

net user user_name * /domain

This command can be used to change the account password of a remote user. Replace user_name with the name of the user and /domain with the domain. You are then prompted to enter the new password for that user.

Sometimes though you may not have another administrator account to log in and change the user password. Your best bet in this case is to use a so called password resetter to reset or restore the account password. Depending on the program, you will either be able to see your old Windows password or get a new password to log in with.

We did cover a few applications in the past for that job, including Trinity Rescue Kit which you can burn to disc, write to USB or run over a computer network. You can check out our review here: Reset Windows Passwords if you cannot login anymore

Another program is Ophcrack, which comes as an ISO image which you have to burn to CD. You then boot from the CD and use the program to recover the passwords. This happens more or less automatically, and very fast. Depending on your system and password length, it could take less than a minute to reveal the password.

Offline NT Password supports resetting the password on all versions of Windows from Windows NT all the way up to Windows 7. It is likely that the program will work with future versions of Windows as well as the developer continues to improve it regularly. The program is offered as a Password reset CD or USB bootdisk. Please note that the password resetter is not using a fancy interface, all is handled on the command line.

You basically need to mount the partition or hard drive your Windows operating system is stored on. You then need to supply the path to the Windows Registry directory and have then all options available to reset some or even all user account passwords on that machine. You can download the application from the official site. New users should check out the instructions which guide through the password resetting process.

A second option is the free program PC Login Now which can be used to remove the password from an account. This basically sets the password to empty so that Windows won’t ask for a password when the user logs in on the system the next time.

You can download the software from the developer website.

Have you used different methods to reset a Windows account password? Lets hear them in the comment section below.

Microsoft has added two additional password options for Windows users to make the log on more comfortably. The two options are picture password and pin logon.

Both options are available under Control Panel > Users from the Metro UI. This opens a Control Panel applet where the currently logged in user can switch to a picture or pin password.

Either selection there will prompt for the current account password before the configuration options become available.

Picture Password

A picture password basically consists of three gestures on an image that make up the password.

The size, position and directions of the gestures, as well as their order become part of the picture password.

Setting up a picture password makes sense on touch based devices, as it is usually a lot faster to use gestures than to use a digital keyboard to enter the password.

Windows 8 asks you to configure three gestures and repeat them afterwards before the gesture based password will be set. While it is possible to use the mouse for that, it is not the most convenient thing to do. The verdict here is that a picture password can be a solid alternative on touch based devices, but not on desktop PCs or mobile devices without touch capabilities.

Pin Logon

The second password alternative is a pin password. This is basically a four digit number that you need to enter whenever you log on to the system.

This is again an authorization system designed for touch based devices or devices without full physical keyboard. The limitation to four digits makes it less secure than the other password options.

The majority of Windows users will likely still with the default account password on their system. Users who work with touch capable devices on the other hand have two solid alternatives at their disposal to log in faster and more comfortable.

Users always have the option to log on with their standard password instead of the newly configured alternative password.

Have you tried the two password alternatives? If so, what’s your verdict so far?

If you have thought that then you have been wrong, and that for some time now. Emil Protalinski over at ZDNet found out by accident that Facebook appears to accept different password combinations during login. He noticed the issue after finding out that he was able to log into Facebook with Caps Lock on while entering the password.

One would expect that the login attempt would be turned down, but that is apparently not the case.

Facebook later confirmed that they accept three different forms of a user password:

• The original password, obviously.
• The original password with the first letter capitalized. This is apparently only working for mobile devices.
• The original password with the letter case reversed.

If your password is ghacksIsGreat, Facebook would also accept GHACKSiSgREAT and GhacksIsGreat when connecting from a mobile device.

The reasoning behind that is to avoid to many caps lock conflicts for users logging in to the site. Numbers on the other hand are always displayed as numbers in the Facebook login prompt, which is why only letters are accepted with case changes. Facebook assumes that the caps lock key has been active if the password is send over with reverse case.

The question is this: Is the acceptance of password variations on Facebook a security issue? While brute force attacks could in theory benefit from the additional password forms that are accepted on Facebook, their impact seems to be neglectful, especially if secure passwords are selected by the site’s users.

It is still a security issue, and some users might prefer warnings that the caps lock key is active to the way Facebook is handling the issue right now.

Facebook is not the only company that was criticized for their password security. Amazon was recently in the news as well: Amazon Login May Accept Password Variants

What’s your take on this?

To get to the password page, you need to enter the phrase “password of xx characters” where xx is the length of the password that you want to generate.

Wolfram Alpha then displays a random password, its phonetic form and additional passwords in its interface. The password uses alpha-numeric characters by default. You can regenerate the passwords if you like with a click on new password.

Probably the most interesting information on the page is the time it would take to crack the password. It would for instance take up to 165 quadrillion years at 100,000 passwords per second to crack a 16 character password.

You can click on the specific password rules link at the top of the screen to allow or disallow specific password rules. Allowed by default are upper and lower case letters, numbers and similar characters. Disallowed are special characters. If you add special characters to the mix you increase the time it would take to brute force the password by a lot.

It is obviously possible to change the character count, which is handy as some applications limit the password length to six, eight or twelve digits.

The password generator at the Wolfram Alpha site can be handy in situations where you need to come up with a secure password but do not have access to a software based password generator. This can be the case on your computer at work where you are not allowed to install third party software.

Have you used Wolfram Alpha in the past? If so, what did you like, did not you like about it?

Hotmail today has announced that the company has started to block common passwords to prevent users from using them. This provides better protection against brute force attacks. Dick Craddock, Hotmail group product manager notes that common passwords are not just password or 123456”, but also words or phrases like ilovecats or gogiants.

The feature will be rolling out soon. It will not affect users who use a weak password, at least not for now, but Microsoft hints at the possibility that this might change in the future. For now, only users who register a new Hotmail account or change their password are benefiting from the new ruling.

Microsoft furthermore suggests to add alternate account ownership “proofs” to the Hotmail account, like a secondary email address, question and secret answer or a mobile phone number to aid in the recovery of accounts.

The second security related change is the new “my friend’s been hacked!” feature which is available under the Mark As menu on Hotmail.

Friends are supposed to use the new reporting option when they know that their friend’s account has been hacked. This is for instance the case when they receive spam emails from the friend’s email address or when the friends notifies them about it.

Selecting the option gives Hotmail’s compromise detection engine another factor or signal to identify a user account as hijacked, compromised or hacked.

When the detection engine comes to that conclusion it blocks account access so that it cannot be longer accessed by the spammer. It furthermore opens up account recovery options for the account owner. It is likely that the attacker’s IP gets blocked in the process to prevent access to those recovery options.

Even better, Hotmail will report compromised email accounts to Yahoo Mail and Google Mail as well, so that these providers can use the information on their system.

Hotmail introduced the feature a few weeks ago to selected accounts.

Two security features, one to improve overall account security, the other to reduce the damage caused by hacked accounts. More information about Hotmail’s new Security features are available at the official Windows Team Blog.

Please note, if you ever get an e-mail requesting your username and password, it is phishing for it. See our phishing protection tips for some tips on how to protect yourself. There is also a phishing flowchart to help you identify phishing. In addition to this, Gmail has a lab that will verify PayPal and eBay e-mails.

Websites Already Have it

While one would hope passwords are encrypted and kept out of harm’s reach, that is not always the case. In many systems security is an after thought. Sometimes security policies and programs are not seen as necessary until after a breach. Important customer information is not always protected the way that it should be.

In a system like this your password my not be encrypted. It may be stored in plain text (sometimes called “clear text”). There may not be proper access controls in place either.

With the usernames and passwords so easily accessed, no one from the company needs to ask you for them. The company, or a number of employees within it, has access to them. This is a part of why it is important to use different passwords on different sites.

Top Level Staff May Have Access

A system with good security will encrypt your passwords. Even if someone who was not supposed to have access to the file containing passwords gained it, it would look like gibberish. There are ways get around this under certain circumstances, but over all the encryption keeps people from being able to read customer information.

That said, there will be people higher up who have access to the key which can decipher passwords. If a legitimate need for the information arose, such as a court order, then a ranking company official would be involved, not you.

While not directly relating to passwords, Dropbox works in a similar fashion. All data that Dropbox stores is encrypted, protected from staff and general misuse. The higher-ups are able to access the data, but only under special circumstances. They can give access to authorities, but it must be by court order. It is an example of how an encrypted system is still controlled by someone in the company.

Your Password May Not Be Stored Verbatim

Some sites and systems may use a cleaver trick to log you in. You would think, when you login, a server compares the username and password that you send with a username and password on record. That is not always the case.

Some systems will use your password and a random number, put them into a formula, and get a crazy looking code of letters, numbers, and symbols. This code is virtually perfectly unique to your password. The site stores this code and the random number.

virtually perfectly unique
http://blogs.msdn.com/b/tomarcher/archive/2006/05/10/are-hash-codes-unique.aspx

Unlike encryption, where the password can be retrieved if a key is used, the created code cannot be unlocked to reveal your password. It is a one-way process designed to make your password unreadable. It is difficult to figure out the password based on the code. The point to a system like this is that they do not want to know your password.

When you login again, you send your username and password. The system takes the password you send, puts it and the random number back in the formula, and forms the crazy code again. It then compares that code to the code on file. If they match, you are allowed in; if they do not match, you get an error. Voila, login without a stored password.

The crazy code has a special name: a hash value. Sony disclosed their use of hash values after the Play Station Network was brought down by hackers.

The System May Force Resets

Some systems will give limited tools to IT personnel (by policy, access, or design). In these cases, the only tool they may have available is a password reset. This is done to remedy the frequent problem of lost passwords. Passwords can be safely encrypted or hashed, yet access can be easily restored.

Facebook uses this system. You have to tell the website something about yourself first, but it will reset your password after you have. This automates the process so you do not have to wait for tech support.

Many Functions Do Not Require Your Password

In most systems, the employee logs in, is verified by the system, and has the appropriate access for the role they play in the company. The software they use may be able to modify your contact information, account balances, length of service, view your history with the company, etc. Heck, sometimes they can outright delete you. Think about how a bank teller can deduct money from your account when you ask for cash. By far, their username and password trumps your username and password. There is nothing legitimate that a bank could need your password for.

In Summary

As it has been stated by every reputable company, there is never a reason to give someone your password. The company will never ask for your username or password. These occurrences prey on ignorance. If you know someone who you think might fall for a ploy like this, educate them. They should be less likely to give the information out if they know why it is never needed.

Not all Amazon accounts are affected by the security issue. According to Heise, only passwords that have not been changed for a long time are affected.

The only information available at this point in time is a test that Heise Online conducted. It revealed that a password that was changed last year was immune while older passwords were not. Some commenters in the forum were able to use password variants on accounts were passwords had not been changed since 2007.

Amazon users can test the vulnerability of their account by logging into Amazon. They could for instance change a lower case character to upper case, or append characters at the end of the password if it exceeds eight characters.

Affected accounts can be protected by changing the account password. Passwords are changed in the Change Name, E-mail Address, or Password setting under Your Account.

Update: It needs to be noted that the flaw still exists on all Amazon properties. Amazon customers who have been with the popular shopping portal for years need to change their passwords at the Amazon website to protect their account from the flaw in design.

It appears as if Amazon has changed the password functions on their sites in past years to protect new customers and those who change their passwords from the issue.

There are at least two scenarios where the password manager becomes impracticable to use. Some websites disable password saving in the browser which means that the site profile is incomplete, and since there is no option to add the password manually afterwards Firefox cannot provide its full functionality on the site.

It may also happen that website login information change and that the browser does not pick them up automatically. It is again not possible to edit the data to correct the issue.

Saved Password Editor for Firefox adds options to edit login information in the Firefox web browser. It improves the password manager by adding options to edit all login information, create new login profiles and to clone a profile.

The options are added to the saved passwords manager. The information presented have been extended as well so that not only the website, username and password are displayed but also login related information.

The add-on supports web form, HTTP authentication and misc logins which offer different editing options. Web forms for instance record the submit prefix, username and password field name in addition to the host, username and password. These information are needed to submit the login information to the server. Firefox usually fills them out automatically when the password is saved though, and the guess from current page button can be used to retrieve the values from the page as well which is helpful when new login profiles are created.

All parameters can be edited in the password editor which means that it is possible to add a password if it was blocked by the website during creation.

Saved Password Editor is a handy tool for Firefox – and Thunderbird users by the way – who do not use a third party password manager like Last Pass for their password management.

According to information posted on Mediaite nearly 1.25 million user accounts were dumped from the databases by a group called Gnosis. The group is currently cracking the database and managed to retrieve 273k passwords so far, some of which are linked to government sites.

The group promised to release the full site source code and full database dump in the next days. They did release a partial dump already. A total of 2650 users of the database have been using the password “password” or “qwerty”, two of the most insecure passwords ever. Of those users one had a gov, three a mil and 52 an edu email address.

Now, what do users need to do that had an account over at Lifehacker. They need to assume that their account was hacked along with the others, and that attackers were able to crack the password.

First step is to change the password over at the Gawker media site. That’s all if the username / password combination was only used on that one site. Problems arise for users who use the same username and password combination on all of their web accounts. These users need to change the password on all of their accounts.

Our tip: Install a password manager like Last Pass that can help in the generation of secure passwords and the storage of them. It is imperative to use a username / password combination only once on the web.

More information about the hack are available at Download Squad and Lifehacker.

But how do passwords have to look like to be considered secure? And who determines that? There is no authority with guidelines on the creation of secure passwords. Companies, organizations, software developers and end users all have their own definition of secure passwords.

While some may think it is sufficient to select a password with numbers in it, others demand a password with upper and lower case chars, numbers, special characters and a minimum length of 16 or more.

Defining the format of a secure password is however only one side of the medal. It does not do anything good if the software, website or service is not compatible with those settings. A website that restricts the password to a length of 10 characters without special characters would be incompatible with a secure passwords policy that requires at least 14 chars and one special character.

Generally speaking, a password becomes more secure with the length of characters it contains, and the different types of characters used.

Several companies have created online tools that give the user feedback on the complexity of the password. Is that password secure is a common search term for those services. Lets take a closer look at some of them, but before that, lets define some typical passwords that we will feed them.

password 1: password
password 2: 4wOe409r
password 3: !S8I5U39YDnt8f
password 4: E&4!74mneGrTmOJ!HIr0
password 5: DP12c*0J!dM5mfdq2r!&WmMi!#g3

Microsoft password checker: Offers a simple form field which accepts a password. The ratings go from weak to best.

check your password

password 1: weak
password 2: weak
password 3: strong
password 4: strong
password 5: best

How Secure Is My Password: Does not display a rating, but tries to estimate the time it would take to crack the password.

password 1: One of the 500 most common passwords, It would be cracked almost instantly
password 2: It would take About 252 days for a desktop PC to crack your password
password 3: It would take About 564 billion years for a desktop PC to crack your password
password 4: It would take About 100 sextillion years for a desktop PC to crack your password
password 5: It would take About 100,603,110 nonillion years for a desktop PC to crack your password

The Password Meter: Compiles a list of all characters used and rates the passwords accordingly.

password strength

password 1: Very Weak, score 7%
password 2: Very Strong, score 81%
password 3: Very Strong, score 100%
password 4: Very Strong, score 100%
password 5: Very Strong, score 100%

The three password security checkers seem to disagree on the strength of some of the passwords used. All see the first password as a weak password, but similarities end there, as the second password is considered weak by Microsoft, but very strong by Password Meter.

The question now is how you can come up with a password policy to make sure that you only use secure passwords. The answer is simple: Always use a password that comes close to the maximum length allowed. That value is highly software and site specific. Here are a few suggestions:

• Never use a password with less than 16 chars unless the site limits the maximum character length to less than that
• Always use upper and lower case characters
• Always use at least one number in the password
• Always use at least one special character in the password
• Never use dictionary words as part of the password or the password

This leads to a problem: Remembering the passwords. The easiest way is to use a password manager like Last Pass for this. Password managers can create passwords based on the user’s parameters. Last Pass users for instance only need to press Alt-G to open the password creation window in the web browser.

password creation

The password can then be copied and entered during account creation. These passwords can also be used for non-web services, and stored in the password manager for retrieval.

Password managers will automatically save passwords and accounts that have been created, so that there is no need to remember the password. Only the master password, which is the password providing access to the password manager’s database needs to be remembered.

A simpler solution is to write down the passwords locally, and either carry them with you all the time, or store them in a secure location so that third parties cannot use them to access the accounts.

Do you have a password policy? Let us know in the comments.

KeePassX is a Linux only (for now) tool that doesn’t just store passwords safely, it stores passwords, usernames, urls, attachments, and comments – all in one convenient, safe location. You can sort your entries in groups and even search KeePassX. In this article I will show you how to install and use KeePassX.

Installation

Installing KeePassX is simple. You can follow one of these methods:

1. Open up your Add/Remove Software tool
2. Search for “keepassx” (no quotes)
3. Mark KeePassX for installation
4. Click Apply to  install the tool

Or, to install via command line:

1. Open up a terminal window.
2. su to root (if you are not using a distro with sudo).
3. Issue the command yum install keepassx (or sudo apt-get install keepassx).

That’s it. The application is now installed. Now you are ready to use.

Usage

Figure 1

The first thing you have to do is open up the tool. You will find it in Applications > Accessories. When the tool opens you will find a very simple main window (see Figure 1).

In order to create a store for sensitive information you must first create a new database. To do this either click the New button (far left on the toolbar) or click File > New Database. When you do this you will be asked to set the master key for the database. You can either set a password or use a key file. If you opt for a key file you can either a GPG key file you already have, or you can use KeePassX to generate one for you.

If you want to use a gpg key file (and not a randomly generated one, you can use gpg like so, to extract a key:

gpg –export -a “USERNAME” > KEY_FILE

Where USERNAME is the name of the gpg user and KEY_FILE is the name of the file you want to generate.

Once you have your database created you can then begin to add groups and entries to it. This is quite simple. If this particular database is going to contain client information you might want to create a new group for clients. If you intend to only use one database to house all of your information you could always create two groups:

• Clients
• Personal

I would take this even further and add sub-groups to the Clients group, one sub-group for each client.

Figure 2

After you have your groups worked out you can then add entries to them. To add an entry all you need to do is click the Key icon or click Entries > Add New Entry. When the new window pops up you just need to enter the necessary information for the entry.

In the password section you can add a password (and even have it masked) or you can even have KeePassX generate a random password for you. To view the password just click the “eye” icon. The passwords generated by KeePassX are really strong (and impossible to memorize).

If you are using your own passwords, KeePassX will indicate to you how strong they are. For example, one password I use for a particular login was only 88 Bit. Maybe it’s time for me to change that password? You can also set KeePassX to expire particular passwords…reminding you to change them so you are a safer users.

Once you have completed your entry, click the OK button and the entry will be stored. Complete the entire database and click File > Save Database and, if this is the first time you’ve saved this database, KeePassX will ask you to name the database file.

Final thoughts

KeePassX has a lot of features you won’t find in other tools of a similar function. Install this on all the machines you use, share the database file between them, and enjoy not having to strain your memory to remember all that trusted information.

The easiest passwords to crack are those that are simple words.  If your password is your date of birth, dog’s name, child or favourite place then I’d suggest changing them for a stronger password today.  These types of password will always be the easiest to crack, with the perpetrator only needing to know minor details about the victim, things that you may already have included as public information on your Facebook or MySpace profile page.  Unwittingly, you may be publicly providing the very information that criminals need to empty your bank account, steal your identity or run up huge bills on your credit cards.

The chart below details how long it would take an average PC to crack different types and lengths of password.  Where does your fit in the chart?

So how do you create a super-strong password?  The ideal one would contain a mixture of upper and lower-case characters with some numbers and maybe even somthing like a # or % sign thrown in.  But how can you create one of these you won’t forget?

There are several easy ways to make sure your password is secure.  First is to remember that numbers can be substituted for words.  The password wo0dy with a zero in the place of the second “o” is much more secure than the name as it’s really spelt.  You can increase this security even further, perhaps by making a character upper case.  wo0Dy is a password that’s even more secure and that could provide all the protection you need, unless…

You should try and make sure that your secure password or passwords are a minimum of six characters in length.  This is because if you want to use the same password on every website they will demand that they be that long at least.  Some websites will demand eight character passwords so if you can have one of those to begin with then all the better.

You can mix things up if you are short on ideas.  If Woody was born in 1982 then you could use wo0DyIi982 or wo0DyI1982 where the 1 in the year is substituted for the letter “i” in either lower or upper case.

One final word of advice, your secret question.  Most websites will require you to have a secret question to unlock your password if you forget it.  Try and avoid choosing your mother’s maiden name, place of birth or first school if at all possible, as these are things that can be found out by criminals all too easily.  If you have to choose an option like this because a website forces you to, an answer such as amst3rdam# might be enough to remind you of your favourite place.

If you follow these rules then you will have a much happier and far more secure time online.  And a daunting password may look like that at first, but you’ll be amazed at how quickly you get used to using it.

This means that more than 30 million complete sets of emails, usernames and passwords were exposed to third parties. At least one hacker managed to get hold of all the data of which the passwords and a small sample was posted on the Internet.

RockYou users who have an account at the service should immediately change the passwords for all their services that use the password and email address to avoid that these accounts are hacked.

RockYou did not only store login information about its own service but also for third party websites like Facebook or MySpace to make it as easy as possible for the users to use the data in their social networking accounts. This means that MySpace, Bebo or Facbeook login information have also been stored on the Rockyou servers if the user has entered them before on their website (see Techcrunch for additional information)

Security company Imperva got hold of the 30+ million passwords that have been selected by RockYou users to secure their accounts. Their findings are alarming:

• About 30% of users chose passwords whose length is equal or below six characters.
• Moreover, almost 60% of users chose their passwords from a limited set of alpha-numeric characters.
• Nearly 50% of users used names, slang words, dictionary words or trivial passwords (consecutive
  digits, adjacent keyboard keys, and so on). The most common password among Rockyou.com
  account owners is “123456”.

The password popularity chart is therefor dominated by easy to guess passwords just as 123456, Password, rockyou or abc123. The full report of the findings can be downloaded from the Imperva server as a pdf document.

If a hacker would have used the list of the top 5000 passwords as a dictionary for brute force attack on Rockyou. com users, it would take only one attempt (per account) to guess 0.9% of the users passwords or a rate of one success per 111 attempts. Assuming an attacker with a DSL connection of 55KBPS upload rate and that each attempt is 0.5KB in size, it means that the attacker can have 110 attempts per second. At this rate, a hacker will gain access to one new account every second or just less than 17 minutes to compromise 1000 accounts. And the problem is exponential. After the frst wave of attacks, it would only take 116 attempts per account to compromise 5% of the accounts, 683 attempts to compromise 10% of accounts and about 5000 attempts to compromise 20% of accounts.

Recommendations for users

• Choose a strong password for sites you care for the privacy of the information you store. Bruce Schneir’s advice is useful: “take a sentence and turn it into a password. Something like “This little piggy went to market” might become “tlpWENT2m”. That nine-character password won’t be in anyone’s dictionary.”
• Use a different password for all sites – even for the ones where privacy isn’t an issue. To help remember the passwords, again, following Bruce Schneier’s advice is recommended: “If you can’t remember your passwords, write them down and put
  the paper in your wallet. But just write the sentence – or better yet – a hint that will help you remember your sentence.”
• Never trust a 3rd party with your important passwords (webmail, banking, medical etc.)

The easiest way to ensure all this is to use a password manager that can generate strong passwords and save them for the user. We recommend Last Pass which is available for several popular web browsers.

The developer provides some plain numbers to show the effectiveness of using the GPU to recover a rar password with four characters:

• ~168 passwords per second on single core of Q6600 @ 2.4Ghz (crark’s result)
• ~325 passwords per second on 8600 GT
• ~3120 passwords per second on ATI HD4850
• ~2075 passwords per second on GTX260/192SP

The performance of the listed ATI card is almost 20 times that of a password recovery where only the cpu is used. The password recovery software is a command line utility and the developer is offering extensive information on the possible parameters that can be used to recover the password. The suggested length of the password should not exceed six characters although it is theoretically possible to start a password recovery for a password with up to 17 chars.

The basic command for the password recovery is:

igrargpu.exe [switch:param] filename.rar

The command

igrargpu.exe /a:b /c:s /min:1 /max:4 archive.rar

will for example check all four letter combinations of lower case Latin characters. Known characters of the password can be added to the command to speed up the recovery attempt.It is advised to check the readme for a detailed overview of all possible parameters. The password recovery program can also use a dictionary based attack with rules. RAR GPU Password recovery should work on most versions of the Microsoft Windows operating system. The portable software is available for download at the developer’s website.

The free program is a limited version of the commercial software from the same developer. It requires the Microsoft .net Framework 2, the Microsoft Management Console and PowerShell. The interface of the application makes it less time consuming to configure password policies for specific user groups in Windows Server 2008. It basically centers around creating, configuring and managing password policies.

The following parameters can be defined for each password policy:

A Password Settings object (PSO) has attributes for all the settings that can be defined in the Default Domain Policy (except Kerberos settings). These settings include attributes for the following password settings:

• Enforce password history
• Maximum password age
• Minimum password age
• Minimum password length
• Passwords must meet complexity requirements
• Store passwords using reversible encryption
• Account lockout duration
• Account lockout threshold
• Reset account lockout after

User groups can be added to newly created policies. It has to be noted that user groups cannot be empty as empty user groups cannot be added to password policies. The program displays an overview of all password policies on the computer system. The order can be changed which is important if users are members of multiple user groups.

Specops Password Policy Basic can be downloaded from the developer’s homepage.

Empathy is a portable application that should run fine on most Windows operating systems. The main purpose is the protection of software by password protecting the executable files. The whole process of protecting applications is configured in the program’s main interface.

It starts by selecting an executable from the computer’s hard drive. Once a file has been selected a password can be entered that will be used to protect it. A click on the Protect button will password protect the file which from that moment on can only be accessed by supplying the password first.

The same interface contains an option to unlock files again or to test them to see if everything is working as intended. The last option available is to create a backup of a file before processing it.

Empathy is postcardware. It has one severe restriction which is a bit hilarious. The unregistered version accepts only 1 char passwords. Now, this might be enough for most users as long as they do not know about the limit because the main purpose is clearly to keep casual users from accessing the application and not a IT professional. The limit can be lifted if you send the software developer a postcard to his address in Slovakia.

One possible solution are Password Safes that can store an unlimited amount of text. Lockcrypt [homepage] which I discovered at Connected Internet [link] is one solution that works extremely well. The Java application stores all relevant information in a highly encrypted container which means that those information can only be accessed if the correct pass phrase is entered at the start of the application.

Lockcrypt uses a clean interface that is highly customizable to display the information once the login was successful. The left pane contains different accounts and subgroups that contain the information. You could create an account for financial information, one for Internet Passwords and one for Contacts for instance.

Each account has a number of subgroups that contain the information. Subgroups for Internet Passwords could be for instance the site names that you have accounts at, for Contacts the names of the contacts.

If you click on a subgroup its information will be displayed in the main window. The user can add as many fields that contain information as he likes. To stay with the Internet Passwords example, lets say you have a subgroup named Ghacks there. Fields could be the url of the website, the username and password.

Several default account types are available but it is also possible to create a new account type in the Options. Lockcrypt offers a password generator as well which comes in handy when creating new accounts.

A mobile version for mobile phones that support Java is available as well which can be used to store and view the information when you are out of house. The mobile version has however no option to add new entries to the database as far as I can tell.

Lockcrypt should work in all operating systems that support Java.