Weak vs Strong Passwords…

While moving from one web hosting provider to another, I came across a server log showing a list of failed login attempts, detailing seven days of attempted break-ins near the end of this last September. Fortunately, my password is fairly strong, but it could be a lot better. (The number in parentheses is the number of attempts made from the identified computer.)


Yes, the three worst offenders generated more than 25,000 attempts, combined! Most of the rapid-fire attacks lasted only a few minutes.
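Counting attempts per source host is exactly what a log review like the one above boils down to, so here is a small added example (my own code, not anything from the original post or the hosting provider). It assumes OpenSSH-style auth.log lines; the sample lines and the addresses in them are constructed, and the thresholds are assumptions. It flags sources that hammer many different usernames, the pattern noted in the update comment below.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in OpenSSH auth.log style (not taken from the post's log).
SAMPLE_LOG = """\
Sep 25 03:14:01 www sshd[812]: Failed password for invalid user paul from 203.0.113.7 port 40122 ssh2
Sep 25 03:14:02 www sshd[812]: Failed password for invalid user steve from 203.0.113.7 port 40123 ssh2
Sep 25 03:14:02 www sshd[812]: Failed password for invalid user dave from 203.0.113.7 port 40124 ssh2
Sep 25 03:14:03 www sshd[812]: Failed password for root from 203.0.113.7 port 40125 ssh2
Sep 25 03:14:03 www sshd[812]: Failed password for invalid user admin from 203.0.113.7 port 40126 ssh2
Sep 25 09:41:17 www sshd[990]: Failed password for richard from 198.51.100.9 port 51002 ssh2
Sep 25 09:41:40 www sshd[991]: Accepted password for richard from 198.51.100.9 port 51003 ssh2
"""

# Matches only failed password lines; "invalid user" is present when the account does not exist.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)

def parse_failures(log_text, year=2007):
    """Yield (timestamp, username, source ip) for each failed-login line."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["ip"]

def summarize(log_text, year=2007):
    """Per source ip: attempt count, distinct usernames tried, and attempts per minute."""
    per_ip = defaultdict(lambda: {"attempts": 0, "users": set(), "times": []})
    for ts, user, ip in parse_failures(log_text, year):
        rec = per_ip[ip]
        rec["attempts"] += 1
        rec["users"].add(user)
        rec["times"].append(ts)
    out = {}
    for ip, rec in per_ip.items():
        times = sorted(rec["times"])
        span_min = (times[-1] - times[0]).total_seconds() / 60
        rate = rec["attempts"] / max(span_min, 1)  # floor the window at one minute
        out[ip] = {"attempts": rec["attempts"], "users": sorted(rec["users"]),
                   "per_minute": round(rate, 1)}
    return out

def suspicious_sources(summary, min_attempts=5, min_users=3):
    """Sources that both retry a lot and cycle through many usernames (assumed thresholds)."""
    return sorted(ip for ip, s in summary.items()
                  if s["attempts"] >= min_attempts and len(s["users"]) >= min_users)
```

Run it over a real auth.log and the flagged addresses are the ones worth rate-limiting or blocking at the host firewall; a single user mistyping their own password a couple of times is not flagged.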

Fortunately, I’m using a significantly better password than the commonly known weak ones, such as admin, 1234, password, abc123, p@$$w0rd, asdf, qwerty, aaaa, and other easily guessed passwords. According to a recent study, 8% of all passwords in use today are a common dictionary word followed by a “1”. With an abundance of word lists available online, dictionary attacks are often very successful. And fast.

I wasn’t too worried about the break-in attempts, because my login password for that website was seven characters long — reasonably secure, considering that it is not a word contained in any dictionary and had both letters and numbers. But if someone were to obtain a hash of that password, modern computers capable of generating 3 million passwords a second could easily hunt through the 78.3 billion combinations (26 letters, 10 numbers, 7 characters = 36^7) in less than eight hours.

How do you foil the attackers? Use the entire keyboard, not just the most common characters; each character you add to your password increases the protection it provides. Your password must be at least 8 characters long (it should be at least 10, and longer is even better) and should contain a mix of upper and lower case letters, numerals, special characters, and punctuation. Even passwords with fewer than 15 characters have their own vulnerabilities. Don’t base the password on any personal information (dates, pets, addresses, cities, jobs, schools, ex-girlfriends, cars, etc.) or on any word in any dictionary in any language. Develop a mnemonic for remembering complex passwords. Lastly, don’t write the password down. Ever.

Check the strength of your password with Microsoft’s JavaScript Password Checker. Don’t worry too much; your password doesn’t get transmitted over the Internet, since only your JavaScript-enabled browser sees it.

In the meantime, I’ve taken my own advice. My password to access my web server is now between 15 and 20 characters long, and it’s something I can easily derive from a simple three-character reminder such as “pQ9” — completely unrelated to the actual password, but an easy system to help me remember it (and, no, that’s not my actual three-character reminder code!). That should continue to keep the bad guys out for the next sixty-four quintillion years.

Now off to update my online banking passwords, my eBay passwords, my PayPal passwords, …

Responses

One Response to “Weak vs Strong Passwords…”

  1. Response #1
    richard on October 23rd, 2007 at 8:26 am

    UPDATE: In the last two and a half hours, a computer identified as zz-12-7-a8.bta.net.cn [202.108.12.7] has made 14,437 attempts to login, trying various random user names such as “paul”, “steve”, and “dave”.