The recent Mat Honan hack got me thinking about password strength. It turns out he was hacked not due to having a poor password, but because of a security flaws in Amazon and Apples’ systems. Nevertheless it serves as a good reminder to keep yourself safe.
One thing you can do is use very long passwords for important things. Increasing the length of your password can make it seriously more difficult for anyone to brute force attack your password.
To get an idea of the impact a long password, have a look at this site: How Big is your Haystack. It lets you type in a password and it gives you an idea of how long it would withstand a brute force attack for. Obviously don’t type your real password in, but type in something that uses the same number of letters, numbers, capitals and punctuation and see how it looks.
8 lower case letter passwords? 2.17 seconds in an offline attack scenario. It’s not until you get up to 17 lower case letters that it pushes the offline attack scenario into the the virtually impossible range.
So how do you go about picking a strong password?
Diceware. Essentially you roll a dice 25 times to form 5 groups of 5 numbers. Then you look each number up in the list of words to generate a 5 word password. Being 5 words makes it relatively easy to remember but also very long.
If you don’t feel like rolling dice, you could consider using random.org to generate a list of numbers for you. If you choose this approach, make sure to visit the site using https and get a nice long list and choose a set of numbers from the list. Write it down on a piece of paper and put it in a safe place. Note this is not as secure as using the offline dice rolling approach.
As a final note, consider using multi factor authentication if you can. Google have made it available for gmail and I recommend you sign up for it.