Aside from using a social engineering technique, or a piece of malware like a keylogger that records everything you type on your computer, one of the first things a cracker will try to do to gain access to your data is to break your password. You can already count on them having your account name--that is really easy to get.
Your password is not kept on your computer as the text you type. What is stored, in a known location, is a transformed version: a one-way mathematical algorithm (a hash) turns that series of letters, numbers and special characters into fixed-length gibberish that cannot be run backwards to recover the original. But it can still be guessed. Anyone who gets hold of the stored value can run candidate passwords through the same algorithm and compare the results, and software tools exist to do exactly that at high speed.
A good password that you don’t share with anyone makes guessing difficult. A cracking tool needs a powerful computer (or a group of computers working together), but given enough time it will try every possible combination and break even the toughest password.
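To make concrete what "stored in transformed form" and "guessed with software" mean, here is an added example in Python; it is not code from the original page. It stores a password as a salted PBKDF2 hash, verifies a login attempt by recomputing the hash, and then runs an offline guessing loop that does exactly what a cracking tool does: hash each candidate and compare. The sample password, the wordlist and the passphrase are constructed for the demonstration, and the iteration count is deliberately low so it runs in a fraction of a second.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional, Tuple

# Parameters for PBKDF2-HMAC-SHA256. The iteration count is kept low so this
# demonstration runs instantly; real systems use far higher counts precisely
# because every extra iteration also slows down an attacker's guessing.
HASH_NAME = "sha256"
ITERATIONS = 1000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). Only these two values are stored; the password is not."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(candidate: str, salt: bytes, stored_digest: bytes) -> bool:
    """Recompute the digest for a candidate and compare it in constant time.
    This is what a login does; it is also the only way to test a guess."""
    _, digest = hash_password(candidate, salt)
    return hmac.compare_digest(digest, stored_digest)


def guess_password(salt: bytes, stored_digest: bytes,
                   candidates: Iterable[str]) -> Tuple[Optional[str], int]:
    """Offline guessing against a stolen (salt, digest) pair.

    Each candidate costs one hash computation, which is why cracking time is
    measured in the number of guesses an attacker has to make.
    Returns (matching_password_or_None, guesses_tried).
    """
    tried = 0
    for candidate in candidates:
        tried += 1
        if verify_password(candidate, salt, stored_digest):
            return candidate, tried
    return None, tried


if __name__ == "__main__":
    # Constructed sample: a weak password and a short wordlist of common guesses.
    salt, digest = hash_password("password1")
    print("stored salt:  ", salt.hex())
    print("stored digest:", digest.hex())
    print("login with right password:", verify_password("password1", salt, digest))
    print("login with wrong case:    ", verify_password("Password1", salt, digest))

    wordlist = ["123456", "qwerty", "letmein", "password", "password1"]
    found, tried = guess_password(salt, digest, wordlist)
    print(f"cracked after {tried} guesses: {found!r}")

    # A constructed passphrase (not the page's own) is in no short wordlist,
    # so the same loop exhausts the list without a match.
    salt2, digest2 = hash_password("purple elephants seldom tango at noon!")
    print("passphrase vs wordlist:", guess_password(salt2, digest2, wordlist))
```

Note that the stored digest is useless to an attacker on its own; its only use is as the comparison target for guesses, which is why the count of guesses needed, not the secrecy of the stored file, is what the rest of this page is about.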
But how long will it take? That is where a longer password helps: every character you add multiplies the number of combinations the tool has to try.
Let’s say you have a fairly complex password, that is, a password that contains upper and lower case letters, numbers and punctuation characters. The figures below are estimates for one average computer; the exact numbers depend on the hardware and on how the password is stored, so what matters is how fast the time grows with each added character. If that password is 5 characters in length, a cracking program running on one average computer will take 74 minutes to crack it.
Take that up to 6 characters, and the program will take 4 days. That’s still not very long.
An 8 character password, however, will take one computer 58 years.
So you’re probably feeling pretty smug right now. That 8 character password will take you all the way through school and retirement, and then some.
But your average cracker doesn’t just use one computer. He has been infecting machines all over the world with malware that lets him control them remotely. He has what is known as a botnet, an army of bots: several hundred, or even thousands, of computers waiting to do his bidding. So while those computers’ owners are all snug in their beds asleep at night, our nefarious cracker is using their systems to crack your 8 character password.
The guessing work divides evenly across the machines, so the time drops in proportion to their number. If he’s just getting started and has only 500 computers available, it will take him only a month and a half to break your password. At 1000 computers, it is only 21 days.
According to a 2006 article in the Washington Post, the average army of bots available to a cracker is 20,000 computers. Your 8 character password might last a day, if it is really complex. If you're lucky.
To beat that, you need to add length. Each character you add multiplies the cracking time by roughly 75 (that is the ratio between the figures above), so a 15 character password would keep that cracker and his 20,000 computers busy for tens of millions of years at the very least; carry the multiplier all the way through and the figure runs to billions of years.
The thing is, a 15 character password--or even a 20 character password--is actually easy to type and remember--if you think of it not as a single word, but as a passphrase.
I like to use nonsense phrases:
That, including spaces (which count), is 30 characters long (there’s a punctuation mark at the end in case you’re counting). I can make it even tougher to crack by adding a special character or a number in the middle of a word. It is easy to remember--and very quick to type--once you get used to it.
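The arithmetic behind the cracking times above, and behind why a 30 character passphrase is so much stronger, is easy to check yourself. The following Python is an added example, not from the original page. It computes the number of possible passwords for a character set and length, back-solves the guessing rate from the page's first data point (5 characters in 74 minutes), then divides the search space by that rate and by the number of cooperating machines. It also carries the one caveat a passphrase user should know: an attacker who guesses whole dictionary words rather than characters faces a much smaller space. The 72-symbol character set, the 10,000-word dictionary and the rate are assumptions for illustration; the page never states which set or calculator it used, so treat the outputs as order-of-magnitude estimates.

```python
# Assumed character-set sizes. The page never states which set it used, so
# these are assumptions for the calculation, not the page's own figures.
LETTERS = 52            # upper and lower case
DIGITS = 10
COMMON_PUNCT = 10       # a small set of punctuation keys
ALL_PRINTABLE = 95      # every printable ASCII character, including space

ASSUMED_CHARSET = LETTERS + DIGITS + COMMON_PUNCT   # 72 symbols

SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365 * SECONDS_PER_DAY


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return charset_size ** length


def word_keyspace(dictionary_size: int, words: int) -> int:
    """Number of distinct passphrases built from `words` dictionary words.

    The caveat: an attacker who knows you used dictionary words guesses whole
    words, not characters, so the space is dictionary_size ** words however
    many characters the phrase contains.
    """
    return dictionary_size ** words


def implied_rate(charset_size: int, length: int, seconds: float) -> float:
    """Back out guesses per second from one observed (length, time) pair."""
    return keyspace(charset_size, length) / seconds


def seconds_to_exhaust(charset_size: int, length: int,
                       guesses_per_second: float, machines: int = 1) -> float:
    """Worst-case time to try every password, split evenly across `machines`."""
    return keyspace(charset_size, length) / (guesses_per_second * machines)


def human(seconds: float) -> str:
    """Render a duration in the largest sensible unit."""
    if seconds < 2 * 3600:
        return f"{seconds / 60:.1f} minutes"
    if seconds < SECONDS_PER_DAY:
        return f"{seconds / 3600:.1f} hours"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / SECONDS_PER_DAY:.1f} days"
    return f"{seconds / SECONDS_PER_YEAR:,.0f} years"


if __name__ == "__main__":
    # Calibrate to the page's first data point: 5 complex characters in 74 minutes.
    rate = implied_rate(ASSUMED_CHARSET, 5, 74 * 60)
    print(f"implied rate: {rate:,.0f} guesses/second/machine")

    for length in (5, 6, 8, 15):
        for machines in (1, 500, 1_000, 20_000):
            t = seconds_to_exhaust(ASSUMED_CHARSET, length, rate, machines)
            print(f"{length:2d} chars, {machines:6,d} machines: {human(t)}")

    # A 30-character passphrase typed from the full printable set.
    t = seconds_to_exhaust(ALL_PRINTABLE, 30, rate, 20_000)
    print(f"30-char passphrase, 20,000 machines: {human(t)}")

    # Caveat: four words from an assumed 10,000-word dictionary give a space
    # comparable to 8 random printable characters, however long the phrase is.
    print(f"4 dictionary words: {word_keyspace(10_000, 4):.2e} guesses")
    print(f"8 printable chars:  {keyspace(ALL_PRINTABLE, 8):.2e} guesses")
```

Under the calibrated rate the 6 character case comes out at 3.7 days and the 8 character case at about 53 years on one machine, which is close enough to the page's 4 days and 58 years to show the method is right even though the page's exact character set is unknown. The dictionary-word comparison is why the advice to put a digit or special character in the middle of a word matters: it pushes the attacker back from guessing words to guessing characters.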
Try a passphrase--it is an easy way to defeat a password stealing cracker.
Another tool you can use against crackers is the built-in firewall on your computer. It blocks unsolicited connections coming in from the network, which makes it harder for an attacker to break into your machine, or to recruit it into a botnet, in the first place. If you’re an OSU employee, it is very likely that your departmental computing administrator has already enabled this for you. You may also be behind a hardware firewall.
If you’re a student, or an employee at home, instructions on how to enable the built-in firewall on your computer can be found in our links section to the left.