Posts Tagged ‘strong password’

How long would it take to recover your password?

Friday, January 21st, 2011

If you've used USBCrypt to encrypt your drives, you have probably wondered how difficult it would be for someone to discover the correct password by simply trying every possible character combination until one of them unlocks the encrypted drive.

You can find an answer to that question with the built-in Recover Password command of USBCrypt. To reach it, start an encrypted drive as usual, but instead of entering the password, click the Tools button and select the Recover Password item from the menu:

The Recover Password command of USBCrypt

After you select the Recover Password command, the next screen asks you to choose the character set to use when trying passwords:

The settings for the Recover Password command of USBCrypt

You can select the minimum and maximum length of the passwords to try, and choose lower-case letters, upper-case letters, digits, special characters, or any combination of them. When you press the Start button, USBCrypt tries the passwords from the character set you've selected, one after another, until it finds one that unlocks the encrypted drive. While it is doing that, you can follow the progress in a separate window, which also shows the estimated time to complete the enumeration of all possible passwords from the selected character set:

The progress of the Recover Password command of USBCrypt

If your password is short and simple, it can be discovered rather quickly:

The successful result of the Recover Password command of USBCrypt

What about more complex passwords? The time needed to go through all of them grows rapidly with both the length and the complexity of the passwords. Here are a few numbers, obtained on a computer with a mid-range (as of the time of this writing) Intel i5-650 CPU:

| Characters / Maximum length | Up to 3 | Up to 5 | Up to 7 |
|---|---|---|---|
| Lowercase | 30 minutes | 15 days | 28 years |
| Lowercase + Uppercase | 4 hours | 1 year | 35 hundred years |
| Lowercase + Uppercase + digits | 7 hours | 3 years | 12 thousand years |
| Lowercase + Uppercase + digits + all special characters | 1 day | 26 years | 240 thousand years |

(Your numbers may be different if your computer has a different processor.)
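To see where figures like the ones in the table come from, here is an added worked example (not code from USBCrypt or from the original post). It counts the candidates of each length over an alphabet, converts that count into a worst-case search time at a given guess rate, and, going the other way, computes the guess rate that the quoted timings for the "Lowercase" row correspond to. The alphabet sizes (26, 52, 62 and 95 characters) and the conversion of the quoted timings into seconds are assumptions made for the example.

```python
# Alphabet sizes assumed for the table rows (95 = printable ASCII:
# 26 lower + 26 upper + 10 digits + 33 specials).
CHARSETS = {
    "Lowercase": 26,
    "Lowercase + Uppercase": 52,
    "Lowercase + Uppercase + digits": 62,
    "Lowercase + Uppercase + digits + all special characters": 95,
}

SECONDS = {"minute": 60.0, "hour": 3600.0, "day": 86400.0, "year": 365.25 * 86400.0}

# The post's timings for the "Lowercase" row, converted to seconds
# (constructed from the printed figures: 30 minutes, 15 days, 28 years).
PAGE_LOWERCASE_TIMINGS = {
    3: 30 * SECONDS["minute"],
    5: 15 * SECONDS["day"],
    7: 28 * SECONDS["year"],
}


def keyspace(alphabet_size: int, min_len: int, max_len: int) -> int:
    """Number of distinct candidates of length min_len..max_len over the alphabet."""
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))


def seconds_to_exhaust(alphabet_size: int, min_len: int, max_len: int,
                       guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at the given guess rate."""
    return keyspace(alphabet_size, min_len, max_len) / guesses_per_second


def implied_rate(alphabet_size: int, max_len: int, elapsed_seconds: float) -> float:
    """Guess rate that a quoted exhaustive-search time corresponds to."""
    return keyspace(alphabet_size, 1, max_len) / elapsed_seconds


def humanize(seconds: float) -> str:
    """Render a duration in the largest unit that fits, with one decimal place."""
    for unit in ("year", "day", "hour", "minute"):
        if seconds >= SECONDS[unit]:
            return f"{seconds / SECONDS[unit]:.1f} {unit}s"
    return f"{seconds:.0f} seconds"


def estimated_table(guesses_per_second: float, max_lengths=(3, 5, 7)) -> dict:
    """Rebuild the table's shape (charset x maximum length) for any guess rate."""
    return {
        name: {n: humanize(seconds_to_exhaust(size, 1, n, guesses_per_second))
               for n in max_lengths}
        for name, size in CHARSETS.items()
    }


if __name__ == "__main__":
    rates = [implied_rate(26, n, s) for n, s in PAGE_LOWERCASE_TIMINGS.items()]
    print("guess rate implied by the lowercase row: "
          + ", ".join(f"{r:.1f}/s" for r in rates))
    for name, row in estimated_table(sum(rates) / len(rates)).items():
        print(f"{name:55s} " + "  ".join(f"up to {n}: {t}" for n, t in row.items()))
```

Each of the three lowercase timings works out to roughly ten guesses per second, so the quoted times are consistent with one another and with a deliberately slow unlock operation rather than with raw CPU speed. Run `estimated_table()` with a different rate to see how the same table would look on faster hardware, or with a larger alphabet to see why each extra character class matters more than one extra character of length.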

The table above should give you a pretty good idea of the length and complexity of password needed to keep your encrypted data safe from brute forcing. On the other hand, it also serves as a strong reminder to take care to remember your password, because if you forget it, it may be practically impossible to recover (unless you have created a spare key file with USBCrypt, of course).

Choosing a good encryption password

Sunday, April 18th, 2010

Selecting a good encryption password is hard. On the one hand, it should be complex and non-obvious enough that others cannot easily guess it. On the other hand, it should be simple enough for you to remember, so that you are not tempted to write it down. Besides, there are quite a few misconceptions around that make choosing a good password rather confusing.

For example, whenever you are prompted to set up a password, the system usually tells you the minimum length of the password you should select. Such a requirement may create the impression that the longer the password, the more secure it is. This is not always true! It would be true if you were choosing a random combination of characters for the password, such as “dkoirnfyut”, or “alokifjnwl”, or whatever other combination you could produce by typing random keys on the keyboard. The problem is, however, that more likely than not, you are selecting an existing word (that is, a word from a dictionary), like “apple” or “orange”, as the password. In that case, if someone tried a dictionary attack on your encrypted data, it would make virtually no difference whether the word is short or long. It takes the same amount of computer time (give or take a few nanoseconds) to try “tea” or “antidisestablishmentarianism” as the password.

By the way, what is the strength of a dictionary word as a password, you might be wondering? Let’s assume that you’ve selected a random word from a dictionary that has a million words. Since 1 million is roughly the same as 2^20, the strength of such a password is only about 20 bits! It does not matter whether the software uses a 128- or 256-bit encryption key, because if your password can be recovered in 2^20 attempts, the effective security of your encryption is reduced to 20 bits, simply because you’ve chosen the password from the dictionary.

That’s why most systems insist that your password should contain a mixture of uppercase and lowercase letters, numbers, and special characters: such additions make the dictionary attacks much harder. However, they make remembering the passwords harder, too. What should you do?

There are several methods available for creating complex passwords that are easier to remember. One of them is to create artificial passphrases (rather than passwords) by combining random words from a dictionary. Take a dictionary book, open it to a random page, and write down a random word you like on that page. Open the dictionary to another page and write down another word. Repeat several times, then move the words around to create a phrase. (The phrase does not have to make sense!) For example, I just tried it and came up with: “Antisocial Pomegranate holds back Blue Herring”. (Sounds fun, doesn’t it?) If you can remember such a phrase (including the capitalization of the words), you’ve got yourself a rather strong passphrase.

Another method that’s often recommended is the “first letters of a phrase” technique. Think of a phrase of several words that you can remember. For example, it could be a line from your favorite Beatles song, like “Desmond has a barrow in the market place, Molly is the singer in a band.” Take the first letter of each word and combine them: Dhabitmp,Mitsiab. Note that we’ve preserved the capitalization of the letters and kept the comma in the middle. The resultant password is almost as strong as a random combination of 17 characters, yet you should be able to remember it easily, as long as you remember the original phrase.
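The "20 bits" figure for a dictionary word and the strength of a multi-word passphrase both come from the same calculation: log2 of the number of equally likely choices the attacker has to try. The following added example (not code from the original post) puts the strategies discussed above side by side. It uses the post's one-million-word dictionary; the 95-character printable alphabet, the assumption that each word (and, optionally, each word's capitalization) is chosen independently and uniformly at random, and the assumption that the attacker knows which method you used are all assumptions made for the example.

```python
import math

# Dictionary size taken from the post; character-class sizes are assumed
# (26 lower + 26 upper + 10 digits + 33 specials = 95 printable ASCII).
DICTIONARY_WORDS = 1_000_000
CHAR_CLASSES = {"lower": 26, "upper": 26, "digits": 10, "special": 33}


def bits(choices: float) -> float:
    """Entropy of one uniformly random choice among `choices` options."""
    return math.log2(choices)


def dictionary_word_bits(dict_size: int = DICTIONARY_WORDS) -> float:
    """One random dictionary word. The word's length plays no part at all."""
    return bits(dict_size)


def passphrase_bits(words: int, dict_size: int = DICTIONARY_WORDS,
                    random_capitalization: bool = False) -> float:
    """`words` independently chosen random words. A coin flip per word for
    capitalization adds exactly one bit per word, assuming the attacker
    knows the construction (no credit for secrecy of the method)."""
    per_word = bits(dict_size) + (1.0 if random_capitalization else 0.0)
    return words * per_word


def random_string_bits(length: int,
                       classes=("lower", "upper", "digits", "special")) -> float:
    """Uniformly random characters drawn from the union of the given classes."""
    alphabet = sum(CHAR_CLASSES[c] for c in classes)
    return length * bits(alphabet)


def effective_bits(key_bits: int, password_bits: float) -> float:
    """An attacker searches whichever space is smaller: the key or the password."""
    return min(float(key_bits), password_bits)


def compare(key_bits: int = 256) -> dict:
    """Effective strength of several choice strategies against one key size."""
    return {
        "'tea' (dictionary word)":
            effective_bits(key_bits, dictionary_word_bits()),
        "'antidisestablishmentarianism' (dictionary word)":
            effective_bits(key_bits, dictionary_word_bits()),
        "10 random lowercase letters":
            effective_bits(key_bits, random_string_bits(10, ("lower",))),
        "5 random dictionary words":
            effective_bits(key_bits, passphrase_bits(5)),
        "5 random words, random capitalization":
            effective_bits(key_bits, passphrase_bits(5, random_capitalization=True)),
        "16 random printable characters":
            effective_bits(key_bits, random_string_bits(16)),
    }


if __name__ == "__main__":
    for strategy, strength in compare().items():
        print(f"{strategy:52s} {strength:6.1f} bits")
```

The two dictionary-word rows come out identical, which is the post's point about length: the attacker's work is set by the size of the list the word came from, not by how many letters it has. Stringing several random words together multiplies the number of choices, so the bits add up per word, and that is what makes the "random words from a dictionary" passphrase strong while a single word is not.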

Yet another approach is to create a complex, long password for each situation and use password management software, such as KeePass, to keep track of them. With a software password manager you only have to remember the master password. Of course, the inconvenience of this method is that you always need the password manager at hand to recall the passwords for you, but if you need many strong passwords, that’s a small price to pay for the security. And, of course, don’t forget to back up your password database, because if you lose it, you lose them all!