Life, with Technology
According to freebsd.org, 11.0-RELEASE is still in the build stage and awaiting a release announcement this Wednesday. However, release builds have appeared on the FTP site:
ftp://ftp.freebsd.org/pub/FreeBSD/releases/amd64/amd64/ISO-IMAGES/11.0/
This is obviously unofficial, and use them at your own risk.
At time of writing, the ARM and i386 versions is also available but not yet the PPC, ia64 or Sparc.
I’m currently engaged in a bit of a strange dispute with talkmobile. They’re over-charging me, but for some reason I can’t log in to my account. No problem – they have on-line chat with customer services – how hard can it be to sort out?
Well, it’s proving impossible. They can’t even look at my broken account because I don’t know my date-of-birth. I don’t know my date-of-birth because, for obvious reasons, I don’t give the correct one out willy nilly to any company that asks for it – only government agencies and my bank. It’s easy enough to find someone’s DOB and it should never be used as a password.
So, there are a number of other dates I use for non-critical purposes. We’ve been through these; it wasn’t one of them.
Stop press – one of the more obscure ones worked. and I’m back in, thanks to the persistence of their help team.
But this is hardly the point; no one should use a piece of information that’s a matter of public record (i.e. on a birth certificate) as proof if identity. Birthdays are commonly found on social networking sites, your employers’ records and quite likely around the office. It’s mad to use it as a password.
So how did this come about? Well, until it’s purchase by Vodafone in 2015, TalkMobile was a virtual network run by Carphone Warehouse; the same group that that owned TalkTalk (see security blogs passim). TalkTalk was split off in 2010, but their culture of security has been questioned in the past; unfairly in my view as they’re no worse than most. What was lacking from inception was any common sense approach to security issues.
Unfortunately, you can no longer visit one of the remaining Carphone Warehouse shops to get these things sorted, which means if you’re locked out of your account there appears to be no way back in. I did threaten to cancel their direct debit rights with my bank; I bet they’d recognise me then!
To add insult to injury, TalkMobile’s representative tried to blame this policy on “The Data Protection Act”. It makes a change from blaming it on migrants, I suppose.
Okay, I’m being a bit unfair on singling out Sophos here, but they’re a current source of irritation. Like all security vendors they’re selling products that don’t work. Actually, Sophos is one of the few larger players that will talk about this honestly, which is why they have been my first choice recommendation for a long time.
The problem is that if you have companies selling “total security” products, which are nothing of the sort, the public are likely to believe such a thing is possible. If you describe your product realistically the idiots will look elsewhere, purchasing based on the most outrageous claims. A look at the Sophos customer base suggests they’re not selling to idiots.
So what’s my problem with Sophos at the moment. Well I’m falling foul of their UTM Web Defender at an educational establishments. Some of my information sites are unclassified on their list of web sites, and so they’re blocked. They contain educational material that I use when teaching. Not helpful.
Okay, this isn’t default behaviour and the establishments in question have made a decision to block anything that Sophos hasn’t classified yet. Some of these sites have been there since 1992, so presumably there’s a long backlog. And this illustrates the problem very nicely; there are over 300,000,000 domain names registered, with 1,000,000 being added every month. Web filtering companies have to look at all these web sites, and sub domain web sites, and classify them all. It’s an impossible task. I know Sophos does this manually, heroic but doom to failure.
The World Wide Web was created to allow the sharing of knowledge; particularly academic and research information. Unfortunately this is just the kind of web site that’s likely to remain unclassified by content filters; obscure links to non-commercial servers giving the information needed for research.
There is a solution. A few years ago I decided to write my own web search engine for a laugh. I then modified it to try and figure out what the web sites were about. Google has built an empire on doing this extremely well, but my quick heuristic solution did a pretty good job.
So here’s what Sophos et all should do. When their web defender appliance hits an unclassified site it should automatically submit it to them for evaluation. An automated system using heuristics can then figure out the likely classification, with a probability threshold for human checking.
This doesn’t have to be instant to be a hell of a lot better than their current system. To get past a Sophos filter (for example) you have to manually submit every site to them by filling in a form, and then they’ll go and classify it within a week. Possibly. And in reality, who’s going to submit such a request to access a web site they can’t actually view because it’s blocked as “unclassified”. There’s a hole in their bucket!
In spite of the Washington Post being chosen by Snowdon to publish his “revelations” (a circulation-grabbing but arguably cyclical move), and in spite of accepting a Pulitzer prize for this irresponsible journalism, the paper is now calling for him to be prosecuted. Unlike the liberal Guardian in the UK, the US paper, which profited by his betrayal are now seeing the situation for what it is.
The latest nutty ruling from the European Court of Justice is yet another example of judges and politicians failing to get the advice of anyone who knows how stuff works before opening their mouths and putting their foot in it.
This concerns a case where some digital rights lawyers tried to sue the owner of a lighting shop in Germany because some of his punters were downloading naughty stuff over his free WiFi. Article 12 of the EU E-commerce Directive says that an ISP isn’t usually responsible for the activity of its users, in the same way the local council isn’t responsible if a thief uses one of their footpaths to make a getaway. But thanks to some deep pocketed sharks lawyers and a defence mounted by some gonzo for the Pirate Party, the ECJ ruled otherwise:
The Court holds that an injunction ordering the internet connection to be secured by means of a password is capable of ensuring a balance between, on the one hand, the intellectual property rights of rightholders and, on the other hand, the freedom to conduct a business of access providers and the freedom of information of the network users. The Court notes, in particular, that such a measure is capable of deterring network users from infringing intellectual property rights.
Basically, until they roll the dice again, offering free WiFi is off the menu at your local coffee shop; customers have to register and get a password, so Sony etc know where to go knocking when their crooners are pirated.
This is going to cause great inconvenience to the majority of normal users, but not much to the pirates. In order to implement this, having a simple open WAP for your customers to use isn’t going to be possible. They’ll all need to be changed to stop and ask for a password before proceeding. You’ll have to give your name and address to the café owner, have an account created and be issued with a unique user-ID and password. The ruling doesn’t go in to any detail about how vociferate the ID check should be, but that’s a whole new boîte de Pandore.
However, if you’re a pirate, you just give false credentials. No problem. Or even easier, capture the unencrypted traffic and pinch someone else’s password, then sit back and snigger as the fuzz kick down their door instead.
You could, of course, insist that such networks are also encrypted using WPA. Not all endpoints support this, but lets leave that aside. Unlike WEP which can be broken in 30 seconds on a laptop, WPA2 takes a couple of hours on some fairly hefty dedicated kit (or 24 hours on a standard AWS compute server). So that’s alright then.
Once a fake account has been obtained, of course, you can provide lists of WPA2 keys, IDs and passwords on the pirate web. I predict there’ll be a huge list of fake credentials within a couple of days of it being implemented. Well I would predict it the ECJ ruleing could be implemented without major infrastructure changes and the enormous manpower needed to enforce it. But that’s not going to happen, is it?
But hang on a minute – doesn’t this all sound familiar? Well yes, there’s the UK’s Data Retention Regulations of 2009. This already requires service providers to keep a log of the name and address of users, and what IP address they were using at any given time. If you’ve noticed WiFi hotspots provided by some large companies asking for your name, address and password when you first log in, now you know why.
Is this effective? Of course not. Who’s going to give their real name and address? If you’re a legitimate user, you’re going to be wary of junk mail; if you’re a pirate you’d have to be crazy.
So once again, we have some complete idiots in the EU (in this case) flying in the face of technological reality, where the only practical response to their utterances is to ignore them. What a waste of time and money. It’d be cheaper to stick to our own idiot politicians.
When Yahoo ran BT Internet’s customer email for them, it wasn’t great. We all know they had problems coping with spammers hammering away trying to deliver scams and marketing messages to BT’s punters, putting the whole system in to paranoid anti-spam mode on occasions. But it could have been worse, and now it is.
Since Critical Path (now owned by Openwave Messaging) took over running the shambles in May 2013, they appear to have hit on the bright idea of not accepting more than 49 emails a day from any one server. What? Yes, you read that correctly. If the server tries to send message fifty it gets a delayed email response:
Deferred: 421 Too many messages (1.5.6.1) from xxx.xxx.xxx.xxx
Sendmail (or other normal MTA) will simply continue trying to send it for a week, but if you have more than fifty messages a day on average to BT punters the queue is never going to empty. And fifty messages isn’t a lot. Suppose you’re a company and someone wants their work emailed forward to BT Internet? That could easily be fifty for one luser. And if you’re an web host, one of your customers is probably going to want all the email for a domain to go to a @btinternet.com address, and they’ll likely set it up without you even knowing about it.
This has being going on for over a year now, with a possible reduction in the limit last autumn. There was a theory going around that it would reject domains if the SPF record was inconclusive. Although SPF sounded like a good idea for the first five minutes, it’s rubbish when used as a naive check on mail that’s been forwarded.
I’ve been able to get some unsatisfactory information out of BT on this issue. Basically their policy is to “throttle” mail from an IP address if they think more than a certain proportion of it is spam, based on SPF records and suchlike. In the case of a user having all their mail forwarded to a BT Internet box, a high proportion of it is going to be spam; it’s inevitable. And a check of the SPF record is obviously going to fail (doah!)
BT luser forums are full of complaints about this, although the cause is misunderstood. Users get bounce messages, but it’s the server log that tells the whole picture, and as it’s often delayed they believe that a hokey “fix” has actually worked and others follow.
So what can be done about it? The obvious answer is to stop using BT Internet mail. They’ve shown a complete unwillingness to address this issue, and will doubtless make some excuse that most users are unaffected – that’s to say the other large ISPs and freemail services; direct business-to-BT Internet Luser is a small fraction. If that doesn’t work for you, the minimum you should do is ban anyone forwarding mail to @btinternet.com through your servers. Then make sure that domains you host have the correct SPF records. If you don’t, and one exceeds the limit, the IP address will be blocked and prevent your other customers from using it too.
No one who knows anything about spam control will rely on SPF, of course. But if there is someone who knows what they’re doing at Openwave, their voices are clearly being ignored.
If you’re a BT customer and you use email, based on the fact this problem has gone unresolved for a year now, the only advice I can give is to move away. Which is inrtersting, because this April BT announced plans to charge their ex-punters 60 to keep their (broken) @btinternet.com domain names – the same price as BT Internet’s broadband offering anyway. Done, you will be.
Following my discussion of password lengths, it appears that NIST are concerned about naughty people brute-forcing hashes in stolen password lists. In order to make it more difficult, they’re recommending long passwords, like me. But unlike me, they’re suggesting that they should be made up of randomly chosen words to make them easier to remember because the users could connect them in their mind.
NCSC have their own version, which is basically the same. Originally it was suggested four words would be enough, but it’s often reported as just three.
Leaving aside the chances of someone actually picking random words that are genuinely random, I was curious as to how difficult this would be to crack.
Instead of having the 26 letters of the alphabet to play with, using words gives you a lot more symbols. I wondered how many, so I looked in the obvious place – the BSD spell-check dictionary. That’s a lot of words, but realistically you’d want them to be between three and nine characters long. If you make them too long it’ll take more time to type than people will be willing to spend. Also, looking at longer words, they tend to be made up of smaller ones, or common letter combinations (“anti”, “un”, “ly”, “able”).
So, with a bit of awk, I extracted all the words between three and nine characters. There are a LOT. But on closer inspection, they’re not words I’d have ever picked at random, mainly because I’ve never heard of them. They’re the kind of combinations that cause arguments among scrabble players.
To get some idea how many realistic words there were I extracted 200 at random, and went through to pick the ones I knew. I let proper names count, and it turns out that I knew about 20% of them overall. Whether I’d pick many of them if asked to think of a word at random is another matter; and one worthy of study. However, best-case this extrapolates to about 18,000 unique words in the symbol set. So for a three-word combination the best you’re going to get are 18,000^3 or 6E+12. That’s as good as an nine-character a-z password. A nine-character password can be broken in 14 seconds maximum.
Sorry NCSC, but I don’t like these odds. Let’s go up to the four-word version: That has 1E+17 combinations, which could take a couple of months to crack. But this is still being very optimistic about the choice of words being random.
The rationale behind using a passphrase is that it’s easier for users to remember, and this is a good point. People can create a mind map; a short story or scene using the four chosen words. It is certainly easier than remembering a sequence of random symbols. You can also create a mind map using symbols by giving them meaning (1 = flagpole, 2=swan) etc. But this misses an important point – the sheer number of passwords people have in the modern world. I suggest most people would struggle remembering more than half a dozen mind maps, yet probably have well over 100 unique passwords. The only way to manage so many unique passwords is to store them somewhere, encrypted with one master password.
In short, a passphrase instead of a password only makes sense if its pretty darn long. If you’re going for entropy, a random character password – if you can remember it – will be much, much quicker to type.
Bark.com launched in 2014 as a web based service matching service providers with customers. Basically, you register as a client, say what you need done and it sends job leads to suitable businesses. A bit like computer dating.
And like any business relying on data matching, it will live or die by the accuracy of its data. It got off to an interesting start by purchasing the data from Dublin-based SkillsPages – 20M contacts of dubious pedigree. I know about this, because in the interests of research, someone registered as a supplier of a highly unlikely service in the name of a very well known science fiction character. No checks were made, but as no one needed the dilithium crystals realigned in the warp drive in a Constitution-Class Federation starship, no offers of employment were ever received by Chief Engineer Scotty. Until, that is, Bark bought the dodgy data and decided Scotty was an electrician in south London and then the leads started rolling in.
Okay, so we all had a good laugh at their expense before the account is cancelled once the joke had worn thin, but it should be an object lesson in data validation if you’re trying to give potential customers confidence in your “Professionals”.
And then this morning, in the space of 90 minutes, I received a load of emails to a made-up address on one of the domains I look after, but using my name. The emails contained quotes for a job that I had apparently posted. How could this be? I scrolled back down the email and found a “Welcome to Bark” message, giving “my” username and password, and implying I’d just created an account and posted a job request. Obviously someone had, but it wasn’t me.
My first reaction was to read the email carefully, looking for the “I didn’t register this account” link, but there was nothing of the kind. Of course, what they should really do is verify any email address; i.e. check that it actually belongs to the person claiming to set up the account.
Out of respect to the people who’d bothered to quote for the job, I emailed them all back saying “Sorry – someone seems to have done this as a joke”. However, Bark bounced these all back, because I’d sent them from my real email address; one that obviously didn’t match the fake one. So Bark can check email addresses when they want to!
Bark.com is leaving itself open to all kinds of trouble by operating like this. The killer is that the professionals putting in the quotes have paid bark.com to do so, but could claim that bark.com hasn’t taken enough care to ensure the job leads are genuine. By not even verifying the email address, they could be said to be making absolutely no effort at all.
When I spoke to Bark.com and raised this very specific issue, the claim was this rarely, if ever, happens. I provided the details and they promised to refund the people who’d been charged for a false lead, and said “This is not how we operate, this should never happen”, and that “when it’s brought to their attention they close down the bogus account and refund the money.”
I like Chinese mobile phone maker Doogee. Their kit is great. Their marketing sucks more than a Hoover.
Today’s global launch was for the T5 “business” handset, which looks very like my trusty T2 (aka Titan 2, aka DG700). Except it’s supplied with two different backs so you can switch it for a silicone-looking one instead of the crocodile skin effect. Actually, the T2 was supposed to have interchangeable backs. But if you’re worried about what it looks like you now have a choice. I don’t care for the leather look, but then mine is kept in a case anyway.
Over the last few weeks it’s body has variously described as plastic (I don’t think so) or titanium, as opposed to the chromed steel of the T2. I suspect it’s really made of unobtanium, and I won’t believe otherwise until I see one for myself.
Confusingly, Doogee has been announcing lots of successors to the fantastic T2, but the cheaper plastic X5 has really taken off in a big way so perhaps they’re busy flogging those instead. As the T2 is pretty much indestructible (shock proof, waterproof and being used as a hammer-proof), I don’t think I’m going to have to replace it any time soon.
So it turns out T5 has a similar specification – IP67 waterproof and a sturdy metal case. I know, because I’ve dropped the thing from height on to concrete several times, that the floating screen is very hard to crack. There videos of YouTube of lorries running over it. But unlike all the toughened phones I’ve had, it doesn’t look out of place in a boardroom.
The T2 has a 4Ah battery, which keeps me going for a couple of days – or even a week if I’m careful how I use it. My kind of specification. And the T5 looks to be identical, but the battery holds slight more. Okay, it’s got a faster processor too (8-core, ARM Corex A53, if you please), 3G of RAM instead of 1G, and 32Gb of internal storage instead of 8Gb. And of course the cameras have a lot more megapixels, but it’s still a phone camera. The 5″ screen is also full HD this time, if you’re using an magnifying glass.
Enough to tempt me away from the T2? Well not really. The T2 is damn good, and the only criticism I have of it is that the chrome has worn out on the corner I hold it by. That, and the silly case. The greatest practical difference will probably be the use of Android 6.0; the T2 was stuck on 5.0. Depending on your point of view, Android 5 may be A Good Thing.
But what the new phone appears to lack is the NFC chip needed for Android Pay. And a finger printer reader. These were the only thing missing from the T2. Come on guys!
But Doogee has communication problems with the English speaking world. They announce a lot of things, not all of them turn up and some are better than described. There is also supposed to be a T3, which has a small screen on the top edge (where you’d expect to plug stuff in!) and a smaller battery. But not waterproof or hardened in any way. The internal hardware spec seems similar, but I have no idea if/when it will every be available. There’s also a T6, again not waterproof but with similar hardware specification to the T5, other than less megapixels on the cameras. It’s noteworthy for having a 6.5Ah battery – nice! But it’s Android 5.1. On the other hand, you can at least buy it for around £90.
(Footnote – mobile phone cameras are all bad in my eyes, but then I use lenses that cost twenty times the price of a smartphone).
Don’t worry. I’m not getting into cryptography in any detail, and I’m going to try very hard not to mention entropy at all. There is so much confusion about passwords already, thanks to Hollywood movies and IT professionals parroting technobabble. I’m going to explain this in English.
If you’ve seen a cracker breaking into a computer on a TV programme, you’ll be familiar with the setup. Faced with a “login:” prompt, and imminent discovery by the guards walking down the corridor, they frantically type a few desperate things and suddenly the screen changes to “Downloading data, 15 seconds remaining”.
This is, of course, complete fiction. But how do crackers really steal passwords? Let’s assume they can’t guess it, because you haven’t used your kid’s name, “password” or “letmein” (the most common genius ideas from the 2000s). Weak passwords are still a problem, as is leaving a default password on something after installation. But assuming you’re not crazy enough to have one, there are still ways discover hard-to-guess passwords.
The first method is obvious. If you type in your password with someone looking over your shoulder, it’s no longer secret. This may seem too simple to worry about, but it happens. And watch out for cameras. But it can also be done remotely, and this is what a keyboard logger Trojan does. This simple piece of malware intercepts everything you type on your keyboard, passwords and all.
Most malware you’re likely to be infected with includes a key logger, or may download one once the criminals have control of your device. Why wouldn’t malware spy on you while it’s at it? They’re also found on PCs in Internet cafes around the world. It’s amazing how many people lose control of the Hotmail accounts after accessing their email on holiday.
If your password is grabbed by a key logger, it’s complexity, or lack of it, really doesn’t matter. It’s compromised. The traditional defense is to ensure you use different passwords for each system and change your passwords frequently. The first is vital, the second wishful thinking. Changing your Gmail password before the criminals do is unlikely.
There is another solution – two factor authentication (2FA). When you get down to it, there are two ways to prove you are you. One is something you know (e.g. a password), and the other is something you have (e.g. a key, as in lock and key). It helps, think about the them as being a combination lock and a physical keyed lock in the real world. And a door lock that uses both is A Good Thing.
You may think that having a physical key is a perfectly good option, as the key is (effectively) unique. No one else has the key. But supposing you lost it? With 2FA, no one can use you key without also knowing the combination. And if your combination became known, it’s useless without the physical key.
Another good example is chip-and-pin bank cards.
Incidentally, you may hear people going on about MFA (Multi-factor authentication). What the third or subsequent factors may be is hard say, but for marketing purposes “multi” sounds better than “two”. (Bio-metrics are often cited as a third factor, but it’s effectively using your body as a key. In other words it’s still something you have).
But I’ve digressed. I was supposed to be talking about the second way of having your password stolen, and it’s also pretty simple: An attacker gets access to a computer containing a list of passwords, including yours.
Although it has been known to happen, there should never actually be such a list of readable passwords. That’d be crazy. If you don’t have a list of user-IDs and corresponding passwords, no one can steal it. If you do have such a list, expect it to be nicked.
But if there’s no list of passwords, how does a computer know if you’ve entered your password correctly? What is it checking your password against to see if it matches? That’s the cleaver bit.
What you do is keep a list of users, together with their hashed passwords. A hash is a code derived from your password, but which isn’t your password. When you log in, the computer derives the hash code from whatever you’ve entered and compares it with the stored hash – if they match then you entered the right password.
So how is a hash derived? How about an example. In our system a password is going to be a number, for simplicity. And I’ll call this number ‘p’ (for password). The resulting hash I will call ‘h’. Our hashing function (number 1) is going to be:
h = p x 7
Applying this to various passwords gives:
| User (stored) | Password (not stored) | Hash (stored) |
| Tom | 123 | 0861 |
| Dick | 200 | 1400 |
| Alice | 321 | 2247 |
| Jane | 567 | 3969 |
Table showing passwords hashed using trivial method
So, if Alice comes along and types her password as “321”, the computer hashes it and gets 2247. It then compares this with the stored hash, and open sesame.
If the user list is stolen, the thief won’t know Alice’s password is 321. Unless, of course, they divide the hash value by seven. Hash method 1 is pretty rubbish, as you can work it backwards.
But if instead of multiplying, you divided by seven then you wouldn’t be able to work backwards to Alice’s password if you only stored the integer part. Or the modulus. But unfortunately, one in seven passwords entered would also match. Unless you pick a suitably complex number – how about Pi, and ignore the integer part. If we do this, we end up with the following:
| User (stored) | Password (not stored) | Hash (stored) |
| Tom | 123 | 1521 |
| Dick | 200 | 6619 |
| Alice | 321 | 1774 |
| Jane | 567 | 4817 |
| Harry | ??? | 9915 |
Table showing passwords hashed using the improved algorithm
This is a much better hash, as you can’t reverse the method and retrieve the password. You can’t take Harry’s hash of 9915 and calculate what his password was. But, unfortunately, you can still work it out. If our passwords are all three digit numbers, there are only 1000 possible choices, and a computer could try them all in turn until if found a match. And this is why password complexity matters. If there are enough possible combinations it could take an unrealistic amount of time to try them all.
The next question to ask is “How many combinations are there?” I said at the start I’d keep the maths very simple, so you may want to skip this bit. But it’s not hard.
If you have a single character password that has to be a letter a-z, there are 26 possible combinations. That should be obvious. If you have two letters, the possible combinations are 26×26=676. Three letters is 26x26x26 (or 26^3)=17576 choices, and so on. In other words, if you take the number of possible characters and raise it to the power of the length you’ll have the total number of possible passwords. The following table gives the possible combinations for different lengths of password and sets of symbols.
| length | a-z | a-z,0-9 | a-z,A-Z,0-9 | a-z, A-Z, 0-9, ~!@#$%^&*_-+=` |(){}[]:;”‘<>,.?/ |
| 1 | 26 | 36 | 52 | 96 |
| 2 | 676 | 1296 | 2704 | 9216 |
| 3 | 17576 | 46656 | 140608 | 884736 |
| 4 | 456976 | 1679616 | 7311616 | 84934656 |
| 5 | 1E+07 | 6E+07 | 4E+08 | 8E+09 |
| 6 | 3E+08 | 2E+09 | 2E+10 | 8E+11 |
| 7 | 8E+09 | 8E+10 | 1E+12 | 8E+13 |
| 8 | 2E+11 | 3E+12 | 5E+13 | 7E+15 |
| 9 | 5E+12 | 1E+14 | 3E+15 | 7E+17 |
| 10 | 1E+14 | 4E+15 | 1E+17 | 7E+19 |
| 11 | 4E+15 | 1E+17 | 8E+18 | 6E+21 |
| 12 | 1E+17 | 5E+18 | 4E+20 | 6E+23 |
| 13 | 2E+18 | 2E+20 | 2E+22 | 6E+25 |
| 14 | 6E+19 | 6E+21 | 1E+24 | 6E+27 |
| 15 | 2E+21 | 2E+23 | 5E+25 | 5E+29 |
| 16 | 4E+22 | 8E+24 | 3E+27 | 5E+31 |
Table of possible permutations based on password complexity and length
If you’re not familiar with the number format 2E+09, it simply means 2 followed by nine zeros. When we’re talking about big numbers, the number of digits is going to be more useful.
On the face of it, the last column, including all the punctuation characters, is considerably better than a simple choice from a-z. But look more closely and you’ll notice that adding a few more simple characters quickly brings the number of combinations up. For example, an eight-character really complex password has a similar number of permutations to a simple ten-character one. Or a nine-character password if you add 0-9 to a-z.
I don’t know about you, but I’d rather type simple characters rather than messing about with shift, capital letters and punctuation. This puts pay to Myth Number 1: using punctuation and suchlike is necessarily better. The extra keystrokes hitting the Shift key are greater than if you stuck to lower-case.
Actually, it’s a lot worse than that. Everyone knows that people capitalize the first letter, use a $ instead of S and stick a ! on the end – or something similar. If they’re forced to change the password regularly they add 01, 02, 03… and so on to the end, which means an attacker can try such likely variations first.
So the characteristics of a good password are, simply, something that’s complex enough that it would take an unrealistic amount of time to brute-force, AND which is easy to type. Forget easy to remember; it’s got to be random. Passwords containing words to bulk out the length are much easier to crack, as words can be checked for early on.
So how complex does a password need to be? Well that depends on how fast an attacker can cycle through all the possible combinations. Using a computer, does 1000 guesses a second sound reasonable? How about a million? In Your Dreams. The fastest password guesser I know of in private hands can test 400,000,000,000 every second. That’s 4E+11. If you used the full symbol set, at random, a six-character password would take less than a second. If you simply have a rule saying “must contain two out of digits, upper-case letters or symbols”, and people have just one of each to satisfy the requirement, it’ll be substantially faster.
Put another way, a fully secure Microsoft-standard random password with no mistakes will take about five hours, maximum. You can bet nation states and serious cyber-criminals are going to be faster still; I wouldn’t be surprised if it was minutes or even seconds.
So how long should your password be? Well I’d like one that can’t be cracked in 1000 years as a minimum. That’s 3E+10 seconds. The cracker runs at 4E+11 a second, so multiply them together and you get around 1E+22 combinations needed.
From the table above, 16 random a-z characters is enough, or 15 characters if you add 0-9. If you want to include punctuation and so on, and you really, really, don’t mind mixing them in at complete random, then 12 will be enough. But this is a minimum, and you’ll probably have to add a character every year.
The smart answer is to abandon passwords and use certificates instead.