safe computing – strengthening passwords

A password is simply a way of verifying who you are.  A good password is both easy to remember and hard to guess: it should contain upper and lower case letters, numbers and, if possible, a couple of symbols, and it should be suitably long.

Yet even a well chosen password won’t help you if the system you are connecting to is, well, stupidly written.  I suspect that there are a lot of methods to prevent a brute force attack, that is, testing every possible character combination in an attempt to guess the correct password.

If no special precautions are taken, how quickly could we brute-force a hypothetical password?  If our password is six characters long and is drawn from uppercase letters, lowercase letters and digits, how many combinations are there?

26 upper case letters
26 lower case letters
10 digits

62 * 62 * 62 * 62 * 62 * 62 = 56,800,235,584

If we can try ten thousand passwords a second, it would take 94,667 minutes, or approximately sixty-six days, to crack the password.  This would make it impractical to attempt to sneak into the boss’s office and hack his computer, but if the system doesn’t have any safeguards it is within the realm of possibility, especially if the system you are attempting to connect to is on the Internet.

                     1 guess/second    10,000 guesses/second
combinations         56,800,235,584    56,800,235,584
seconds              56,800,235,584    5,680,024
minutes              946,670,593       94,667
hours                15,777,843        1,578
days                 657,410           66
years                1,801             0
centuries            18                0


Two months is a long time, but if the naughty person gets lucky or uses a more clever method for guessing passwords this could be shortened considerably.

This could be defeated by adding any one of a few different methods:

  • only accept one password per second
  • have a second password
  • lock the account after a limited amount of time
  • temporarily suspend account after a number of incorrect attempts
  • increase the delay between login attempts with each incorrect attempt

If the first choice were implemented, the time to go through the entire list of passwords would increase from sixty-six days to about 1,800 years.  Yet it is still possible that the user would pick a poor password that is easy to guess.

Adding a strong second password would help to secure the system, but we cannot guarantee that the user will select a strong one.  It is actually just as likely that the second password they select is identical to the first.

A better solution is to give the user a strong second password and, to ensure that this password changes often, to generate it ourselves.  This is both easy and practical using a security token.

A token is a small hardware device that generates a random six-digit password.  The device is registered with the company server, and each password is only valid for two minutes.

This type of security is commonly used by companies to give their employees secure access to their networks over insecure networks such as the Internet.  Private companies and their employees are not the only ones to use such devices: they can also be used as part of creating secure VPN connections or to provide solid proof of the user’s identity.

Quite a few companies make these types of arrangements with their customers, especially where either money or identity is at stake.  A few organizations that provide two factor authentication are:

Amazon
Paypal
Facebook
Dropbox
Twitter

Yet with the magic that is the smartphone, it is possible to replace this security device with a small application that runs on the phone.  Thus the phone itself can be used to create the six-digit security code for two factor authentication.

Generating the code with either a security token or a phone app is one method of two factor authentication, but there is a slight variant.  This second method also involves entering a six-digit code, but rather than generating the code, it is received via SMS on the cell phone.

You cannot guarantee the quality of the security on every system you connect to, but if you do have a chance to increase your personal level of security you should take it.

I hope to write up more information about two factor authentication in the near future.
