WARNING: Your ULID password expires in 7 day(s)
[image courtesy: Gizmodo]
One of the most annoying ISU-related sets of words to ever penetrate my corneas. It really shouldn’t be all that bothersome, and yet it is. Yes, everyone with an ilstu account must submit to the arduous process of changing their password every 60 days, forcing us to remember a totally new combination of 8-50 letters, numbers, and maybe some of these guys if you’re pro: ! @ # $ % &. Or more likely, you just use the exact same password each time but cycle the numbers like so: ______1, ______2, etc. I’m sure many of you are guilty of this and I’ll admit I have been as well, for reasons that pretty much boil down to two: convenience and a (false) sense of security.
It is simply too damned difficult to create and remember a unique, secure password for each and every account I have. Off the top of my head that would be at least: Ilstu, Facebook, YouTube, Grooveshark, Reddit, Gmail, my website email, my website’s FTP, my laptop, my work computer, Last.fm, Pandora, StumbleUpon, Xbox Live, eBay, my bank account, LinkedIn and this WordPress blog! I’ve always considered writing passwords down on physical paper to be out of the question for me, what with how often I misplace things like that. So for quite a while I resorted to using the same long, odd password with random uppercase and special characters mixed in, my reasoning being that no one in their right mind could possibly guess my ridiculous password.
Simply assuming you’re secure because you think no one can ‘guess’ your password is a bad idea. Real hackers would split their sides laughing at the thought of just sitting there manually typing in password guesses to gain access to your account. In reality, a hacker can run through thousands, millions, and possibly even billions of password combinations a second with the right hardware. This try-everything method is referred to as brute-force, and if you have one of those weak eight-character passwords like “peace123” it shouldn’t take longer than a few minutes for most machines to crack it. Each additional character you force the machine to guess, however, increases that time exponentially.
This is precisely why ISU uses a 60-day limit on account passwords. It’s by no means foolproof but does provide a significant barrier to brute-force attacks.
Against brute-forcing, my unusual and lengthy password from earlier would likely have stood up to most cracking hardware, lasting in the ballpark of millions of years according to howsecureismypassword.net. So why bother with a unique password for each account? Because hackers have other tricks up their sleeves, namely dictionary attacks, among other techniques. A dictionary attack is like brute-forcing but with the number of password possibilities narrowed down significantly through other means I won’t go into in this post for the sake of brevity. Basically, if a hacker were able to narrow down your password for one account, say Twitter, through a little social engineering, they could assume the same password possibilities apply to your Facebook, email, LinkedIn or whatever else they find out you have.
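To put numbers on the two paragraphs above (brute-force time growing with every character, and a dictionary attack shrinking the search once part of the password is known), here is a small calculator I added for this post; it is not from howsecureismypassword.net or from ISU. The guess rate, the 16-character mixed password and the “leaked base” scenario are constructed assumptions.

```python
import string

# Character classes the post mentions; once a password uses a character from a
# class, an exhaustive search has to include the whole class.
CHAR_CLASSES = (
    string.ascii_lowercase,  # 26
    string.ascii_uppercase,  # 26
    string.digits,           # 10
    "!@#$%&",                # the six symbols listed in the post
)

# Assumed attacker speed: ten billion guesses per second, the upper end of the
# "possibly even billions" range. The real figure depends on how the site
# stores passwords and on the attacker's hardware.
GUESSES_PER_SECOND = 10**10


def alphabet_size(password: str) -> int:
    """Size of the smallest class-based alphabet that covers the password."""
    return sum(len(cls) for cls in CHAR_CLASSES if any(c in cls for c in password))


def search_space(password: str, known_chars: int = 0) -> int:
    """Candidates an attacker must try: alphabet ** (characters still unknown).

    known_chars models information gained by other means (the post's dictionary
    case): if the base password leaks, only the cycled suffix is left to guess.
    """
    return alphabet_size(password) ** (len(password) - known_chars)


def seconds_to_exhaust(password: str, known_chars: int = 0) -> float:
    """Worst-case time to try every remaining candidate at the assumed rate."""
    return search_space(password, known_chars) / GUESSES_PER_SECOND


def human_time(seconds: float) -> str:
    """Round a duration to the largest convenient unit."""
    for unit, size in (("years", 365.25 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.3f} seconds"


if __name__ == "__main__":
    print("peace123 (36 chars, 8 long):   ", human_time(seconds_to_exhaust("peace123")))
    # One more character multiplies the work by the alphabet size (36x here).
    print("peace1234 (one char longer):   ", human_time(seconds_to_exhaust("peace1234")))
    # Constructed 16-character mixed password, not the author's real one.
    print("Tq7!mZ#p2Lw$Ra9& (68 chars):   ", human_time(seconds_to_exhaust("Tq7!mZ#p2Lw$Ra9&")))
    # The ______1, ______2 habit: with the 8-char base known, one position is left.
    print("leaked base + cycled digit:    ", human_time(seconds_to_exhaust("peace1231", known_chars=8)))
```

The last line is an upper bound: an attacker who knows the habit only tries digits, so the real count is 10 candidates, not 36.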
Password security isn’t all doom and gloom though. In fact it is a constant game of cat and mouse, with Information Security professionals coming up with new and unique ways to encrypt and protect data, and hackers rising to the challenge. It’s very much a math and numbers game, with the winners being the ones who best use probability, algorithms, and the like to their advantage. The best ways you can protect yourself are by being unpredictable and staying up to date in how you interact with the internet.
Feel free to leave questions and comments below and of course take the quiz on ReggieNet!
Entry filed under: technology.