WARNING: Your ULID password expires in 7 day(s)

March 4, 2013 at 8:17 pm

[image: obama-password-laugh, courtesy of Gizmodo]

One of the most annoying ISU-related sets of words to ever penetrate through my corneas. It really shouldn’t be all that bothersome, and yet it is. Yes, everyone with an ilstu account must submit to the arduous process of changing their password every 60 days, forcing us to remember a totally new combination of 8-50 letters, numbers, and maybe some of these guys if you’re pro: ! @ # $ % &. Or more likely, you just use the exact same password each time but cycle the numbers like so: ______1, ______2, etc. I’m sure many of you are guilty of this and I’ll admit I have been as well, for reasons that pretty much boil down to two: convenience and a (false) sense of security.

It is simply too damned difficult to create and remember a unique, secure password for each and every account I have. Off the top of my head that would be at least: Ilstu, Facebook, Youtube, Grooveshark, Reddit, Gmail, my website email, my website’s FTP, my laptop, my work computer, Last.fm, Pandora, StumbleUpon, Xbox Live, eBay, my bank account, LinkedIn and this WordPress blog! I’ve always considered writing passwords down on physical paper to be out of the question for me, what with how often I misplace things like that. So for quite a while I resorted to using the same long, odd password with random uppercase and special characters mixed in, the thinking being that no one in their right mind could possibly guess my ridiculous password.

Simply assuming you’re secure because you think no one can ‘guess’ your password is a bad idea. Real hackers would split their sides laughing at the thought of just sitting there manually typing in password guesses to gain access to your account. In reality, a hacker can run through thousands, millions, and possibly even billions of password combinations a second with the right hardware. This try-everything method is referred to as brute-force, and if you have one of those weak eight-character passwords like “peace123” it shouldn’t take longer than a few minutes for most machines to crack it. Each additional character you force the machine to guess, however, increases that time exponentially.

This is precisely why ISU uses a 60-day limit on account passwords. It’s by no means foolproof but does provide a significant barrier to brute-force attacks.
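To put numbers on the two claims above (each extra character multiplies the search space, and a rotation window only helps if exhausting the keyspace takes longer than the window), here is an added calculator that is not part of the original post. It assumes the attacker knows which character classes are in use, takes the symbol set from the post’s own list (! @ # $ % &), and treats the guess rate as an assumed input; it models exhaustive search only, not the dictionary attacks discussed later.

```python
import string

# Character classes as the post describes them. The exact ISU symbol set is
# not on the page, so the symbols here are the six the post itself lists.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set("!@#$%&"),
}

SECONDS_PER_DAY = 86400


def alphabet_size(password: str) -> int:
    """Size of the alphabet an attacker who knows which classes appear must try."""
    size = sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))
    if size == 0:
        raise ValueError("password uses no characters from the known classes")
    return size


def keyspace_size(password: str) -> int:
    """Total candidates: alphabet ** length, hence exponential in length."""
    return alphabet_size(password) ** len(password)


def seconds_to_exhaust(password: str, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at an assumed guess rate."""
    return keyspace_size(password) / guesses_per_second


def survives_rotation(password: str, guesses_per_second: float,
                      rotation_days: int = 60) -> bool:
    """True if an exhaustive search outlasts the rotation window, i.e. the
    60-day policy could plausibly retire the password before it is found."""
    return seconds_to_exhaust(password, guesses_per_second) > rotation_days * SECONDS_PER_DAY


def min_length_for_window(alphabet: int, guesses_per_second: float,
                          rotation_days: int = 60) -> int:
    """Smallest length whose full keyspace cannot be exhausted in the window."""
    budget = guesses_per_second * rotation_days * SECONDS_PER_DAY
    length = 1
    while alphabet ** length <= budget:
        length += 1
    return length


if __name__ == "__main__":
    rate = 1e9  # assumed: one billion guesses per second
    for pw in ("peace123", "Peace!Long12"):
        print(pw, seconds_to_exhaust(pw, rate) / SECONDS_PER_DAY, "days",
              survives_rotation(pw, rate))
    print("lower+digit length needed for 60 days:", min_length_for_window(36, rate))
```

At an assumed billion guesses per second, “peace123” (26 lowercase + 10 digits, length 8) falls in under an hour, while lowercase-plus-digit passwords need 11 characters before exhaustive search alone outlasts the 60-day window.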


Against brute-forcing, my unusual and lengthy password from earlier would likely have stood up against most cracking hardware; in the ballpark of millions of years according to howsecureismypassword.net. So why bother with a unique password for each account? Because hackers have other tricks up their sleeves, namely dictionary attacks, among other techniques. A dictionary attack is like brute-forcing but with the number of password possibilities narrowed down significantly through other means I won’t go into in this post for the sake of brevity. Basically, if a hacker were able to narrow down your password for one account, say Twitter, through a little social engineering, they could assume you have the same password possibilities for your Facebook, email, LinkedIn or whatever else they find out you have.

Password security isn’t all doom and gloom though. In fact it is a constant game of cat and mouse, with Information Security professionals coming up with new and unique ways to encrypt and protect data, and hackers rising to the challenge. It’s very much a math and numbers game, with the winners being the ones who best use probability, algorithms, and the like to their advantage. The best ways you can protect yourself are by being unpredictable and up to date in how you interact with the internet.

Feel free to leave questions and comments below and of course take the quiz on ReggieNet!


Entry filed under: technology.


2 Comments

  • 1. bobkinsloe  |  March 4, 2013 at 8:30 pm

    I forgot to add in a bit about a service called LastPass (https://lastpass.com/). It’s a very popular password manager for all your different accounts that’s supposed to be secure and help keep you organized. I have yet to give it a try but it looks to be worth the time.

  • 2. Chris Higgins  |  March 18, 2013 at 11:00 am

    Going along with what Bob said, LastPass is well worth the time and effort to set up. I’m in love with it, and have even purchased the ability to have it on my mobile device. All of my passwords follow strict guidelines of being at least something like 12 characters, with a good combination of a-z, A-Z, numbers, and symbols.
