Q&A: Passwords

by Mirko Zorz - Wednesday, 25 November 2009.

Dmitry Sklyarov is an IT security analyst at Elcomsoft. In this interview he discusses strong and insecure passwords, the compromise between usability and security as well as software you can use to make sure your credentials are safe.

What are the biggest mistakes users make when it comes to choosing passwords?

The biggest mistake is choosing a convenient password, a short and easy-to-remember one. Almost everyone thinks the same way, and if someone has thought of a “convenient” password, it is possible that an adversary can think of and try the same password.

Can there ever be a compromise between ease-of-use and strong security when it comes to passwords?

Convenience and security will always oppose each other. Being an IT security specialist, I am used to sacrificing convenience, as I see no other way to ensure security. Many people either do not understand why simple passwords are bad, or do not wish to spend too much time completing security measures, thinking that it is more useful to spend this time on the main task.

You can find a compromise based on the value of the information. You should try to estimate what damage can be incurred if someone gets your password and compare it to the expense of security measures (e.g. the time spent remembering and entering a password).


What makes a strong password?

In 1948 the American mathematician and engineer Claude Shannon introduced the term information entropy (a measure of uncertainty) in his work "A Mathematical Theory of Communication". If we take, for example, English text, it takes 8 bits (one byte) to represent one symbol. Eight bits allow encoding 256 different symbols. However, there are only 26 characters in the English alphabet, and they can easily be represented by five bits (32 possible combinations). Consequently, the uncertainty of one symbol of English text is not 8 but less than 5 bits.

In addition, some symbols and combinations are used considerably more frequently than others. The letter “E” is encountered a hundred times more frequently than “Z”, and “U” always follows “Q”. Such peculiarities allow reducing the uncertainty even more. According to mathematicians’ estimates, it comes to around 1.5 bits per symbol for English text.

This means that if information is protected by encryption with a 128-bit key, and the password is an English phrase (without spaces or punctuation marks, and in a single case), a really strong password should be no shorter than 128/1.5 = 86 symbols.
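The entropy argument above can be carried through numerically. The following script is an added example, written for this page and not part of the interview or of any Elcomsoft software; the sample sentence in it is constructed for illustration and the function names are the example's own. It computes the per-symbol uncertainty for a uniform alphabet (8 bits for 256 symbols, log2(26) for the English alphabet), a first-order Shannon estimate from the letter frequencies of a sample text, and the passphrase length needed to match a key of a given size, including the interview's 128/1.5 = 86 figure.

```python
import math
from collections import Counter

# Constructed sample text (not from the interview), used only to show how
# observed letter frequencies lower the per-symbol uncertainty.
SAMPLE_TEXT = (
    "Passwords that are easy to remember are usually easy to guess, "
    "because most people think of the same convenient choices."
)


def uniform_entropy(alphabet_size: int) -> float:
    """Bits of uncertainty per symbol when every symbol of an alphabet of
    the given size is equally likely: log2(alphabet_size)."""
    return math.log2(alphabet_size)


def normalize(text: str) -> str:
    """Reduce text to the form the interview describes for a passphrase:
    a single case, letters only, no spaces or punctuation."""
    return "".join(ch for ch in text.lower() if "a" <= ch <= "z")


def unigram_entropy(text: str) -> float:
    """Shannon entropy H = -sum p(c) * log2 p(c) over the letter frequencies
    observed in `text`. This is a first-order estimate: it ignores
    dependencies between neighbouring letters (such as 'u' following 'q'),
    which push the true figure lower still."""
    letters = normalize(text)
    total = len(letters)
    if total == 0:
        return 0.0
    counts = Counter(letters)
    return -sum((n / total) * math.log2(n / total) for n in counts.values())


def required_length(key_bits: int, bits_per_symbol: float) -> int:
    """Smallest number of symbols whose combined uncertainty reaches
    `key_bits` bits; rounded up, since a fraction of a symbol cannot be typed."""
    return math.ceil(key_bits / bits_per_symbol)


if __name__ == "__main__":
    key_bits = 128
    estimates = {
        "uniform over 256 symbols": uniform_entropy(256),
        "uniform over 26 letters": uniform_entropy(26),
        "letter frequencies of sample text": unigram_entropy(SAMPLE_TEXT),
        "English text (interview's 1.5 bit figure)": 1.5,
    }
    for label, bits in estimates.items():
        print(f"{label:42s} {bits:5.2f} bits/symbol -> "
              f"{required_length(key_bits, bits):3d} symbols for {key_bits}-bit key")
```

The unigram estimate from the sample comes out near 4 bits per letter, noticeably below log2(26) but well above the 1.5 bits the interview cites; that gap is the further reduction from letter-pair and longer-range structure in English, which a frequency count of single letters cannot see. Whatever estimate is used, the required length follows directly: the weaker the per-symbol uncertainty, the longer the phrase must be before it carries as much entropy as the key it protects.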
