
Passwords are a Math Problem…

…it’s an easy fix.

Photo by Matthew Brodeur on Unsplash

There are a lot of recommendations about password security out there. Much of it is outdated. Recently I read an article about password security that mentioned the standard tips and tricks. It missed, however, the best solution.

Overwhelmingly, one is going to get “hacked” or compromised because of some behavioral action they took or even more likely did not take. With this too there is a lot of advice available.

Here is one such article I wrote in general about computer security recommendations. One can easily find many other articles. If you're even reading this, or any number of other articles about Cybersecurity, you are likely better off than the masses with your internet security.

By all means, be informed and act accordingly.

Inform oneself and know what you are doing on a computer (hardware and software) and with your accounts (settings and behavior). It is not enough to know about it, one needs to put that knowledge into practice.

If one were to research computer security, specifically password design or cryptology, it is an incredibly complex and in-depth mathematical subject. Seriously intelligent people do this for a living. They are immensely smarter than me, and likely you. So are the hackers. Most of us are not going to outsmart them (come up with a better design) or fool them (come up with a better idea).

What you can do is make it not worth their effort to hack you. One way to do this is to make it too expensive to spend their time on you (so they go do it to someone else). Too expensive has two basic elements.

First, make it such that the technology needed to hack you is costly to acquire and use. Frankly, this is very difficult. Today, the tools available are easy to openly acquire and not terribly difficult to use. And, certainly if that hacker is a State Actor (the worst case, a government) they have unlimited funds to bring to the problem set.

Secondly, make it such that if they want to hack you it takes them a (very) long time to do so. This, fortunately, is very easy, simple, and inexpensive.

Just make your passwords long.

What is long? Well, that is subjective. Anything less than 8 characters is too short. Eight is ok, 10 is good, 12 is likely sufficient for almost anyone targeting you (unless you are a very desirable target — don’t be, as that is really the best defense). Anything more than 12 characters is gravy. If you are paranoid, or doing critical (or risky) things and want the insurance go for more. For example, anything you do with financial implications (bank accounts, investments, credit cards) you could make those account passwords greater than 12 characters.

If you have a 24 character password it doesn’t matter what that password is made up of. The brute force search on “seeifyoucancrackthisline” would literally take forever, and no one is going to guess that either. Heck, they are not going to guess “mypasswordismypetdogspot”.

Disclaimer — I am not recommending the above passwords, they are provided for example to demonstrate the math emphasis of password control. If I were to recommend an actual password, it would be more like “greylobstercardsidewalkTree”, i.e. a passphrase that makes no sense but is easy for the creator to remember.

Here is an exercise to demonstrate the effectiveness of password length. Using a common Google search on testing passwords, the following are the times needed to crack a very simple text password.

“see” (3 characters) = 8 milliseconds

“seeif” (5 characters) = 1 sec

“seeifyou” (8 characters) = 3 hours 24 minutes

“seeifyouca” (10 characters) = 3 months 5 days

“seeifyoucan” (11 characters) = 6 years 10 months

“seeifyoucanc” (12 characters) = 1 century 7 decades

“seeifyoucancrack” (16 characters) = 81,086 millennia

“seeifyoucancrackthis” (20 characters) = infinity

Password security is an exponential math problem, not a matter of hardware, software, or clever alphabet/keyboard use.
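To make the exponential point concrete, here is an added example (not code from the original article) that computes the worst-case brute-force search size and time for each prefix length in the exercise above, and compares a longer lowercase password against a shorter one drawn from the full printable alphabet. The guess rate is an assumed constant for illustration, so the absolute times differ from the article's table; the shape is what matters.

```python
"""Added example (not from the original article): worst-case brute-force search
time as a function of password length and alphabet size."""
import math

LOWERCASE = 26   # a-z, the alphabet of the article's "seeifyou..." examples
PRINTABLE = 95   # all printable ASCII, the "complexity" alphabet

# Assumed attacker speed (an offline attack on a fast hash); an assumption for
# illustration, not a measurement and not the rate behind the article's table.
ASSUMED_GUESSES_PER_SECOND = 10_000_000_000

def keyspace(length, alphabet_size):
    """Candidates an exhaustive search must cover: alphabet_size ** length."""
    return alphabet_size ** length

def crack_seconds(length, alphabet_size, rate=ASSUMED_GUESSES_PER_SECOND):
    """Worst-case seconds to exhaust the keyspace at `rate` guesses per second."""
    return keyspace(length, alphabet_size) / rate

def length_needed(target_bits, alphabet_size):
    """Shortest length whose keyspace holds at least target_bits of entropy."""
    return math.ceil(target_bits / math.log2(alphabet_size))

def humanize(seconds):
    """Render a duration in the largest unit that fits, like the article's table."""
    units = [("millennia", 1000 * 365.25 * 86400), ("years", 365.25 * 86400),
             ("days", 86400), ("hours", 3600), ("minutes", 60), ("seconds", 1)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds * 1000:.3f} milliseconds"

def length_table(word, alphabet_size=LOWERCASE):
    """(prefix, length, time) for each prefix length the article's exercise uses."""
    rows = []
    for n in (3, 5, 8, 10, 11, 12, 16, 20):
        rows.append((word[:n], n, humanize(crack_seconds(n, alphabet_size))))
    return rows

if __name__ == "__main__":
    for prefix, n, t in length_table("seeifyoucancrackthis"):
        print(f"{prefix!r:24} ({n:2}) = {t}")
    # Length beats alphabet: 12 lowercase letters out-search 8 printable ones.
    print(keyspace(12, LOWERCASE) > keyspace(8, PRINTABLE))
```

Each added lowercase character multiplies the search by 26, so the table grows by orders of magnitude between rows while the alphabet never changes.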

Lastly, NIST (National Institute of Standards and Technology) recently released updated recommendations for password security that fundamentally change common past misconceptions:

1. Stop enforcing time-based periodic password resets.

2. End forced random complexity (no longer require the use of special characters).

3. Start mandatory screening (filtering out) for common names (Ex: password1, !@qwASzx).

What NIST found was that the old ways (your company requiring you to change your password every 30 days, requiring lowercase/uppercase/numbers/characters) made one more vulnerable because people did workarounds that were counterproductive (such as writing them down or using patterns).

One should be able to use whatever they want to use such that they can relatively easily remember it. Pass-phrases of combined non-related words serve this purpose well.
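The three NIST changes above translate directly into a verifier-side check. The following is an added example (not the article's or NIST's code): a minimum length, no composition rules, no expiry date, and a blocklist screen. The blocklist and the length limits are constructed for this example; the screen for repeated or sequential runs follows the kinds of values SP 800-63B says to compare against.

```python
"""Added example (not from the original article): a password acceptance check
following the NIST changes the article lists."""

MIN_LENGTH = 8           # the article's "less than 8 is too short"
RECOMMENDED_LENGTH = 12  # the article's "likely sufficient" length

# Constructed blocklist for this example; a real deployment would load a
# large corpus of breached and commonly used passwords instead.
COMMON_PASSWORDS = {"password1", "!@qwaszx", "qwerty123", "letmein", "123456789"}

def is_sequential_or_repeated(pw, run=4):
    """True for runs such as 'aaaa', '1234' or 'dcba' of at least `run` characters."""
    codes = [ord(c) for c in pw.lower()]
    for i in range(len(codes) - run + 1):
        window = codes[i:i + run]
        steps = {b - a for a, b in zip(window, window[1:])}
        if steps in ({0}, {1}, {-1}):
            return True
    return False

def check_password(pw, blocklist=COMMON_PASSWORDS):
    """Return the reasons to reject pw; an empty list means accept.
    Deliberately no uppercase/digit/symbol requirement and no expiry."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if pw.lower() in blocklist:          # case-insensitive screen
        problems.append("on the common-password blocklist")
    if is_sequential_or_repeated(pw):
        problems.append("contains a repeated or sequential run")
    return problems

def advice(pw):
    """Human-readable verdict: reject with reasons, or accept with a length nudge."""
    problems = check_password(pw)
    if problems:
        return "reject: " + "; ".join(problems)
    if len(pw) < RECOMMENDED_LENGTH:
        return f"accept, but {RECOMMENDED_LENGTH}+ characters is recommended"
    return "accept"

if __name__ == "__main__":
    for candidate in ("see", "!@qwASzx", "abcd1234", "seeifyou",
                      "greylobstercardsidewalkTree"):
        print(f"{candidate!r}: {advice(candidate)}")
```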

They also recommend that, while the length of the password is the best determinant, combining length with two-factor authentication (2FA) is a best practice (biometrics is NOT recommended for this).

Story — I had a case in one of my jobs where the Security Manager called me on their day off and needed me to look up something on their computer. I went into their office, as asked, to power up the computer. At the prompt I asked the Security Manager on the phone, “I need your username and password”, they replied “it’s on a note under my keyboard” — this was the Security Manager.

Photo by Tim Mossholder on Unsplash

Be smart.

Keep it simple.

Just keep it long!

or

besmartkeepitsimplebelong

PS — use a Password Manager.
