Is your password secure? Be careful with the hidden traps

To crack the passwords of terrorist organizations and defeat their conspiracy, the National Security Agency (NSA) has invested heavily in building a machine capable of cracking all passwords: a universal decryption machine. This is a fictional plot of Dan Brown in his book digital Castle. Building such an indestructible "artifact" with the power of today's science and technology is just a distant dream, but how to protect your personal privacy in the Internet society has always been a real problem. Over the past 20 years, modern people have mastered the "digital Castle"-the construction method of passwords. They think they can rest assured, but this is far from the case.

Is the more complex the password, the more secure it is?

Unfortunately, the answer is no. People usually think that the more complex the password is, the more difficult it is to guess, but this will undoubtedly increase the difficulty of memory. For those who attempt to snoop on your secret, they just cannot think of it, rather than "cannot guess ". Now, how many other people rely on their brains to "Guess" their passwords?

As XKCD said: after 20 years of hard work, we have successfully fallen into a misunderstanding that it is increasingly difficult to remember passwords, however, it was easily cracked by computers.

What is the key to ensuring password strength?

What is the key to ensuring password strength? In fact, the cartoon above has provided the answer: password length.

Information Entropy in informatics is introduced here (we often hear people say that this information is too much, that information is less, and the quantification of the "amount" of information is information entropy). It is used as the evaluation standard for the password strength. The formula for calculating the information entropy is H = L * log 2 N, where L represents the length of the password. The value of N is shown in the following table:

From the above formula and table, we can see that the password strength (H) is related to the password length (L) and the type of Characters in the password (N. However, their effect on the password strength is exponential.

For example, assume that the unit of the password length is bits, and the 8 bits are one byte (that is, one character when the password is entered, and one byte can represent 256 different characters ), if a supercomputer can perform a combination of 2 to 56 operations per second, it only takes 4 minutes 16 seconds to crack the password consisting of 8 characters. It takes 149,745,258,842,898 years for a password to be brute-force cracked to contain 16 characters! You must know that the life of the sun is only about 10,000,000,000 years. At present, the world's fastest Computer K Computer can only complete about two or 53 operations per second. Of course, this is just an extreme example. In fact, we can use a password with only 95 characters (26 lower-case letters, 26 upper-case letters, 10 digits, and 33 punctuation marks ).

The greater risk lies in the omnipotent key

In real life, we all choose "one key and one door ". No one wants a key that can be used to open a house or drive a door, a company door, or a dormitory door, because once the "omnipotent key" is lost, the loss will be heavy. With the development of the network society, most people now have more than 10 website accounts. You are continuing to choose the "One key and one door" strategy, or should we switch to the "omnipotent key" strategy? If it is the former, it will undoubtedly increase your memory load. If it is the latter, the security risks are obvious.

▲Image Source: XKCD

To avoid this, many people have realized this. To avoid this situation, a considerable number of people choose to divide the password into two parts, one of which is the main part (for example, 123456 ), the other part depends on the account: the QQ password is set to qq123456, while the gmail password is gmail123456. However, such a straightforward setting is quite a bit of a false alarm. Once an account is stolen, it is only a second to see this rule.

Game with hackers

To avoid the above risks, we began to set many long and complex passwords. However, complex long passwords are not easy to remember. What's more, remember several such passwords (who have never forgotten them ). After having forgotten passwords for many times, people began to choose information that is easy to remember as their passwords. For example, the name, birthday, phone number, and so on of yourself or your loved ones. However, this leaves security risks to hackers hiding in the dark.

Some people make statistics on users' passwords, study their preferences when setting passwords, and plot the statistical results. 61% of users prefer to use personal names, place names, dictionary words, and pure numbers to set their passwords. Even 2.6% of users directly use their usernames as passwords (for example, set the password of guokr123 @... directly to guokr123 ). These are password setting policies with security risks! After understanding the user's password setting habits, hackers can compile the "password dictionary". With this dictionary, they can greatly improve the accuracy of brute force cracking. For exampleHereYou can download 10,000 common password dictionaries (the authors of this dictionary say that 99.8% of users use the passwords in this dictionary ). Some people have also done research on Sony's user passwords, and the results are also worrying.

User Password setting habits

Some websites, such as 1 PASSWORD, provide a new policy. It is equivalent to providing you with a notepad with a lock. You can keep all your passwords in this notebook. You only need to keep the unlocked key/password. Regardless of the degree of reliability of the Website, you have to pay $40 for such a notebook. At the same time, don't forget that it only solves the problem of memorizing the password for you, but still does not escape the problem of setting the password.

Excellent password setting policies

How to Set a reliable password?

I have mentioned some suggestions for setting passwords. It is a good choice to remember multiple passwords with unified rules. After all, it is easier to remember a rule than to remember a messy string of characters. You can also implement the "One key opens one door" strategy. Here is an example of a simple password setting rule (using email box as an example ):

 

Code highlighting produced by Actipro CodeHighlighter (freeware)
Http://www.CodeHighlighter.com/

--> [Password] = 2 * ([username identifier (lower case/upper case)] + [username length] + [.] + [website identifier (upper case/lower case)])
Example: guokr123@gmail.com, password: gk8.GM GK8.gm
Songshuhui@hotmail.com password: ssh10.HTSSH10. ht

 

 

But is it really safe?

▲Image Source: XKCD

Therefore, the reader should remember that a good password can reduce the risk as much as possible, but it cannot reduce the risk to zero.