Get Out Your Strong Passwords
November 24, 2007 · by Scott Fradkin
I found an interesting article via Slashdot about using Google as a password cracker (http://www.lightbluetouchpaper.org/2007/11/16/google-as-a-password-cracker/). Search Google for a hashed password, and if the password is common enough to appear in one of the many indexed documents that contain password/hash pairs, the search results will reveal it. The comments on the article are just as interesting: a discussion of how to store passwords securely runs through them.
The general points to consider when creating passwords are:
- Longer passwords are better
- Passwords that aren’t real words are better
However, since most people have a really hard time remembering passwords like that, the passwords users actually choose need to be stored securely:
- Use a salt
- Create the salt in a cryptographically secure fashion with a reputable library
- Make sure the salt is lengthy
- Use a different salt for each user
Short passwords are notoriously easy to crack if they’re hashed with MD5. There are numerous utilities available to brute-force MD5-hashed passwords. There are even some interesting dictionary methods for cracking MD5 hashes, as well as rainbow tables (overview here: http://en.wikipedia.org/wiki/Rainbow_tables).
I guess the moral of the story is that you shouldn’t assume your password is infallible. If you are using word-based passwords, they will probably be cracked at some point. When creating a system that needs to store passwords for user login, either use an off-the-shelf utility that will encrypt or hash the passwords securely, or do your homework so that the site doesn’t get owned. Don’t ignore warnings about MD5. Use SHA-1 or SHA-256 instead.
Remembering all those strong passwords is an entirely different issue…