Imagine a system like this:
Joe’s BBS, type your password to login: taco
Can you imagine? A system where you type in your password and then it compares what you type with everyone’s password and logs you in based on what you type? This actually used to be an option on the TBBS bulletin board system in the 80’s. I logged into people’s accounts using passwords like “taco” and “sooners” (I lived in Oklahoma). I was a kid and therefore 23% evil — I couldn’t resist.
On this system, you could find passwords without even trying to break in: When you attempted to change your own password, it would make sure that it didn’t match anyone else’s. If you typed a new password which was in use, it would display, “Password is in use, pick another one.” Bingo! Time to send some messages to Bob’s friends telling them how pretty Bob feels today.
The smart thing for people to do in a system like this would be to pick a very strong password, like “T4k77yah” but most people, if left to their own devices, will pick a short password, based on a dictionary word or proper name, and in lower case.
Some very secure systems (like banks) require a special, host assigned login id which is not your name and not your account number and a strong password including some upper case, some lower case, and some letters and/or punctuation. These are very hard to break and practically impossible if the system only allows a certain number of failed login attempts before locking out the account.
On most Internet websites, your user identifier can easily be figured out. If they require your email address then someone only has to know you or cross reference your public username with your public postings on other sites to determine your email address. Search engines like Google are great for this. Some Internet websites, like Twitter, will accept your public username, anyway.
Then it’s down to your password.
If your password is based only on a lower case, common dictionary word, then your password could be found in fewer than 10,000 attempts.
If your password is a random string of lower case letters, then your password could be found pretty quickly, depending on how many characters in your password.
If your password is 1 letter: 26 attempts.
If your password is 2 letters: 26 x 26 = 676 attempts.
If 3 letters: 26 x 26 x 26 = 17,576 attempts.
If 4: 456,976 attempts.
If 5: 11,881,376 attempts.
You get the idea. Of course, online someone shouldn’t have this number of opportunities in a short timeframe, but you never know. The system might not be limited. If they can try 1000 per second, then 11,881,376 attempts only takes 3.3 hours. And it’s most likely that your password isn’t “zzzzz” so they will find it without going through all the combinations.
So what if you add upper case letters? That’s 52 possible characters, so a five character password is 52 X 52 X 52 X 52 X 52 or 380,204,032 combinations.
So what if you add a number? Then there’s 62 possible characters and 916,132,832 combinations.
So what if you add punctuation? That adds 14 characters from English and 14 other special symbols from the ASCII chart, 90 total possibilities. A five character sequence is a maximum of 5,904,900,000 combinations.
If you choose an eight character password with some upper case, some lower case, some numbers, and some punctuation, then it would require up to 4,304,672,100,000,000 attempts to get your password.
If you are prone to picking a simple English word, plus a number, then you’re not very safe. Some unscrupulous web master could be logging your password changes and notice this and guess a pattern. For instance, perhaps in the last two years you’ve used these passwords: “hound8” “setter3” “beagle1” or these: “2tacos” “4burritos” “9margaritas”. Wait, those last three aren’t English! They are now — we have assimilated them.
If you’re going to incorporate easy to remember words, then pick unrelated words for every password change and mangle them up with some upper and lower case and add punctuation and numbers, somewhere, but don’t use a pattern. Here are two: “t0M$Cru1ze” “iS@.psYk0”
How does this relate to encrypting a file, like a spreadsheet document? A document is encrypted using a key phrase, like a password, but the phrase is turned into a long number and then the number is used to encrypt your stuff. The strength in this case depends both on your choice of a strong key phrase and the strength of the underlying mathematical system used to calculate the long number.
In cases where the cracker may have access to your file, extremely long numbers are needed to thwart access because the cracker can put your file on lots of computers and run millions of attempts per second, perhaps.
You’ve heard things like, “We use 64-bit encryption!” OK, let’s assume you picked a key phrase that cannot be guessed… Maybe it’s random and long and includes lots of possible characters.
That’s means they need to guess a 64-bit binary number. Each digit is only 0 or 1, that’s two possibilities per digit, 64 long, or 2 to the power of 64, which is 18,446,744,073,709,551,616.
Breaking a system this tough is difficult, but not impossible. In 2002, Distributed.net broke a 64-bit encryption by RSA called RC5-64 by going through 15,769,938,165,961,326,592 keys in 1,757 days, with the help of more than 330,000 people and their computers. Here’s the story.
A 128-bit key is 340,282,366,920,938,463,463,374,607,431,768,211,456 possibilities.
But, as I warned, the actual strength of the encryption depends on the method the underlying system uses to come up with the long number. See, it’s turning your known key phrase into a number, but it may not be able to use all of the possible numbers because of the mathematical method used to turn letters, numbers, and punctuation into a number. There will be unused runs in the list of possible numbers and any serious cracker person will exploit that and not try numbers in those dead zones.
How would they know what kind of encryption was used? Well, if you use a separate encryption program which doesn’t mark the file in any way and you don’t use some hint in your filename or extension, then they would have a hard time. But, if you use the encryption built into a known program, like a spreadsheet program, or like a .zip program, then the cracker will know what to try.
What does this mean to you?
If you’re encrypting your financial records using a 64-bit key derived from a key phrase, it might be like using a really simple 30-bit number or only 1,073,741,824 combinations — breakable in just a few minutes on an average computer.
If you’re using the built-in encryption on a program, just check it out on the Internet to find out if it’s secure and how you configure it. Here’s an article about Excel’s encryption.
Have you heard about asymmetrical public key cryptography? It was invented by an American company called RSA and is the standard for use on the initial handshakes on the web’s secure socket layer connections (when you see https://).
The brilliant guys at RSA are math wizards. They know the methods they use to turn strings of text and numbers into binary keys have these dead spots and reduce the security of the encryption. So they use LOTS of bits for these public and private keys: 1024, 2048, 3072. They say 1024-bits is as good as 80 random bits, 2048-bits is as good as 112-bits, and 3072-bits as good as 128-bits. Source: Wikipedia
But, it takes a long time to encrypt data with a long key, like 2048-bits. You can’t really send dynamic data from a web server over the Internet with that level of encryption because it takes too many CPU cycles to do that math. So, the SSL/https web protocol uses the long public key cryptography method to exchange a random number between your computer and the web server and then uses those random numbers to encrypt the data for the rest of the connection.
When you’re on a secure web connection, click on the lock icon (or whatever icon your browser displays to indicate a secure connection) and check out the information. It will probably say you’re using 128-bit encryption. It should also say somewhere the key strength of the public key in the certificate, at least 1024-bits. These days, it should be 2048-bits or higher.
That 128-bit number is chosen at random for every single transaction with the server. Your computer picks it. Then it encrypts the number using the web server’s public 2048-bit key. The only number which will decrypt it is the web server’s private 2048-key, so the web server decrypts it and starts using your random key to encrypt everything else. This is over simplified, but you can get a complete explanation here.
So what’s the point?
Pick harder passwords for online systems. Use at least eight characters including upper and lower case letters, some numbers, and some punctuation.
If you’re getting an SSL certificate for your web server, get at least 2048-bit keys.
If the SSL stack on your web server won’t do at least 128-bit encryption, get a new one.
If you’re encrypting important files on your computer using a key phrase, then be sure to use a system boasting lots of bits. Heck, always go for lots of bits.
Don’t forget your key phrase. Lock it away somewhere. If you lose it, your data is gone.
Don’t write your password at work on a note and stick it to the underside of your desk drawer or under the keyboard.
Do not write your PIN number on your ATM card.
Do not write your PIN number on the back of your spouse’s picture in your wallet.
Do not use your birthday as your PIN number.
Do not use 6969 as your PIN number, that’s mine.
Doh!
Leave a Reply