The clock is ticking on encryption
It seems that the past few years you never stop hearing about stories of passwords, social security numbers, and other confidential information being stolen readily from laptops or other network breakins. In fact, a recent episode with Gawker Media, in which hackers stole a large list of usernames and passwords highlights some of the issues.
In the Gawker case, the list of stolen passwords were hashed – meaning they were modified so as not to be readable in plain text. However, the hash being used was known as a bit of a weak hash, and only the first 8 characters of the user password were actually used. This means that it was fairly easy and trivial for someone to brute force guess the user’s password, and attempt to match it against the one in the list. It doesn’t take very long, with today’s powerful computers, to get the original password back.
This highlights a more serious issue: that encryption algorithms are becoming easier to crack. There are a number of commonly used encryption routines and algorithms, each suited for different applications. But, the underlying issue is that as today’s computers are able to do operations exponentially faster than just a few years ago, they are also becoming easier to use and setup for simply brute force guessing against an encrypted password.
Of course, on the user side people have always been saying things like don’t use the same password in multiple places and don’t write down your password. But the overall strength of the password is still reliant on the machine on the other end storing it in a secure way. As a user, though, you really don’t know how your password is being stored on the other end – it could be right there in plain text for all you know. And, if a vendor’s machine is compromised, then all bets are off.
Our recommendation: use a separate, randomized password for each website you visit or log-in to. There are a number of great tools out there that will help you with this: 1password, LastPass, Keepass. You can easily autologin via extension to Firefox or Chrome or IE, you can keep your passwords stored and synchronized in your mobile device. It’s really easy to use and work with, it just requires some diligence and change to your current methodology.
Want to know the strength of your password? Check out this site, which will rank how long it would take someone to brute force guess it using today’s computing infrastructure.