How Strong is your Password?
Many web services, such as an online notes service, use a username and password combination to allow or deny you access to parts of the site. Often only the password itself is protected, while the data you submitted to the site sits in the site's database with little or no protection. A hacker will therefore usually go in through the back door, the site's database, rather than the login page, to get at your personal information.
In contrast, mSecure encrypts all of the data stored in its database using Blowfish with a 256-bit key. No practical break of Blowfish is known, so there is no unencrypted copy of your data to steal and no back door around the encryption.
Brute Force Attack
Even though your data is strongly encrypted, it may still be vulnerable to a brute force attack if a hacker gets a copy of your database. A brute force attack is where a hacker uses software to try a series of candidate passwords, common ones first and then every possible string, until one decrypts your data. Encryption cannot stop this on its own, because with a copy of the database the attacker can test guesses offline at whatever speed their hardware allows. The best protection against this type of attack is a strong password because, as you will see, it makes the search take far too long to complete. Strong encryption combined with a strong password provides a very high level of security for your data.
How Long is Strong
A strong password is not just a long string; its strength also depends on how many different characters can appear in each position. For example, a 4-digit PIN made only of digits (e.g., 2578) has just 10^4 = 10,000 possibilities, so a fast computer can run through all of them in less than a second. Now let the password be any lowercase letter, uppercase letter, digit or symbol (e.g., Bc1@). There are now 95 choices per position and 95^4, about 81 million, possible 4-character passwords, and trying them all takes 25 seconds on the same computer. A big improvement!
Time to try every 4-character password (same computer)
Digits only (0 to 9), 10,000 candidates: under 1 second
All printable ASCII characters, about 81 million candidates: 25 seconds
Now lets see what effect password length has on password strength.
In 2010 a top password recovery service in the US reported that its state-of-the-art systems could try about 20 million passwords a second. Only hackers with good resources will reach this rate; the average hacker will probably take at least twice as long as the figures below.
Password length: time to try every password*
6 characters: about 10 hours
7 characters: about 6 weeks
8 characters: about 10 years
9 characters: about 1,000 years
*assumes each character can be any of the 95 printable ASCII characters and 20 million guesses per second. The time to try every password of length n is then 95^n / 20,000,000 seconds; on average the right one turns up about halfway through the search.
So with a password of just 9 characters we can make a brute force attack on our database impractical.
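The figures above follow from two numbers, the size of the character set and the guess rate. The calculator below is an added example, not code from the original article or from mSecure; it takes the article's stated assumptions (95 printable ASCII characters, 20,000,000 guesses per second, worst-case exhaustive search) and reproduces the time-to-crack table for any length and alphabet, so you can plug in your own estimate of an attacker's speed.

```python
"""Brute-force cost calculator behind the article's time-to-crack figures.

Added example, not part of the original article. Assumptions, taken from the
article where it states them: 95 printable ASCII characters per position,
20,000,000 guesses per second, and a worst case in which every candidate of
the given length is tried (on average the right one is found halfway through).
"""
import math
import string

# Candidate alphabets and their sizes. 95 = digits + letters + punctuation + space.
ALPHABETS = {
    "digits": len(string.digits),                                  # 10
    "lowercase": len(string.ascii_lowercase),                      # 26
    "alphanumeric": len(string.digits + string.ascii_letters),     # 62
    "printable ascii": len(string.digits + string.ascii_letters
                           + string.punctuation) + 1,              # 95
}
GUESSES_PER_SECOND = 20_000_000  # the article's 2010 figure (assumed constant)


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Equivalent strength in bits of a uniformly random password."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(alphabet_size: int, length: int,
                       rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate; halve it for the average case."""
    return keyspace(alphabet_size, length) / rate


def human_duration(seconds: float) -> str:
    """Render a duration in the largest unit that fits (years, weeks, ...)."""
    units = [("years", 365.25 * 86400), ("weeks", 7 * 86400), ("days", 86400),
             ("hours", 3600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.3f} seconds"


def crack_table(alphabet_size: int = ALPHABETS["printable ascii"],
                lengths=range(4, 13), rate: int = GUESSES_PER_SECOND) -> dict:
    """Length -> worst-case search time, the shape of the article's table."""
    return {n: human_duration(seconds_to_exhaust(alphabet_size, n, rate))
            for n in lengths}


if __name__ == "__main__":
    for name, size in ALPHABETS.items():
        print(f"4-char, {name} ({size} symbols): {keyspace(size, 4):,} candidates")
    print()
    for n, t in crack_table().items():
        bits = entropy_bits(ALPHABETS["printable ascii"], n)
        print(f"{n:2d} chars ({bits:4.1f} bits): {t}")
```

Each extra character multiplies the search by 95, so the table grows by roughly two orders of magnitude per character; the entropy column shows the same thing in bits, which is how most password guidance states it. Raise `rate` to model faster hardware than the 2010 figure and the whole table shifts down accordingly.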
Choose Wisely
Given that a 9-character password can be a strong password, many people will take any easy-to-remember word of that length and use it as their password. This can be a big mistake. Hackers know this too, so they create and share dictionaries of common passwords, and will even mine your personal data for keywords they can use, reducing the crack time to mere hours. For example, if you use the word "mountain" as your password, a hacker using a dictionary as the set of candidate passwords will crack your data very quickly, because the word is in the dictionary.
The trick is to create a password that is memorable and yet long enough and uses a wide array of characters. Here are some ideas on how to create strong passwords.
Making the Weak into the Strong
So let's pick an 8-character word that is easy to remember and make it strong. For our example we will use the word "mountain". Note that this word is all lowercase letters, which is not very secure: only 26 choices per character. So first we change it to have at least one uppercase letter. Don't pick the first letter, as capitalizing the first letter is the most common choice and the easiest to guess. Now our password is: "mounTain"
Next we add at least one number. The letter "o" and the number "0" look very similar, so we can use this to our advantage. This gives: "m0unTain". Finally we also need to include a symbol. The letter "a" and the symbol "@" are very similar, so our password now becomes: "m0unT@in"
So let's compare the passwords: "mountain" versus "m0unT@in"
Frosting on the Cake
So we have capitalized a letter, swapped one letter for a number and another for a symbol. This is now an eight-character password using a combination of uppercase, lowercase, numbers and symbols. Eight characters is a good length, but the chart above shows that we want a nine-character minimum. Let's make it more secure by adding another character: "m0unT@in" could become "m0unT@ins", or even better "m0unT@in$", where we have swapped the "s" for a "$". Many people just put an "!" at the end of any password, or a "+" at the beginning and end of all their passwords. That is better than nothing, but such common patterns are also the first rules a cracking tool tries, so prefer a transformation of your own.
The general idea is to choose a password or passphrase that you will be able to remember and a simple, private algorithm for converting it into the final password string. The less common the transformation, the less likely it is that a hacker's dictionary and substitution rules already cover it.
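The recipe above (change the case of some letters, swap o for 0 and a for @, add a symbol at the end) is also exactly what cracking tools express as mangling rules applied to a wordlist. The script below is an added example, not code from the original article, from mSecure or from any real cracking tool; it models those transformations as per-character choices, counts how many candidates they produce per dictionary word, and compares the cost of running them over a wordlist with the cost of a blind search of the same length. The rule set, the 100,000-word list and the 20,000,000 guesses per second figure are assumptions made for the illustration.

```python
"""Dictionary plus mangling rules: what an attacker gets from "mountain".

Added example, not part of the original article and not any real cracking
tool's rule set. It models the transformations the article applies (change the
case of letters, swap o->0, a->@, s->$, append a symbol, wrap in "+") as
per-character choices, then counts how many candidates that yields per
dictionary word. The rule set, the wordlist size and the 20,000,000 guesses
per second figure are assumptions made for the illustration.
"""
import itertools
from typing import Iterator, List

# Leet-style substitutions of the kind the article recommends (assumed list).
LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$", "t": "7"}
# Common things people add to a base word (assumed list).
SUFFIXES = ["", "!", "$", "1", "s", "s$", "123"]
PREFIXES = ["", "+"]
GUESSES_PER_SECOND = 20_000_000  # the article's 2010 figure
PRINTABLE_ASCII = 95             # the article's "any ASCII character"


def char_choices(c: str) -> List[str]:
    """Every form one character of the base word may take: lower, upper, leet."""
    c = c.lower()
    choices = [c, c.upper()] if c.isalpha() else [c]
    if c in LEET:
        choices.append(LEET[c])
    return choices


def mangle(word: str) -> Iterator[str]:
    """Yield every candidate the rule set derives from one dictionary word."""
    per_char = [char_choices(c) for c in word]
    for prefix in PREFIXES:
        for core in itertools.product(*per_char):
            for suffix in SUFFIXES:
                yield prefix + "".join(core) + suffix


def count_candidates(word: str) -> int:
    """Size of mangle(word), computed without enumerating it."""
    n = 1
    for c in word:
        n *= len(char_choices(c))
    return n * len(PREFIXES) * len(SUFFIXES)


def is_reachable(password: str, word: str) -> bool:
    """True if the rules turn `word` into `password`, i.e. a wordlist that
    contains `word` finds `password` without any blind brute force."""
    return any(candidate == password for candidate in mangle(word))


def seconds_with_wordlist(word: str, wordlist_size: int) -> float:
    """Worst-case time to run the rule set over a whole wordlist."""
    return count_candidates(word) * wordlist_size / GUESSES_PER_SECOND


def seconds_brute_force(length: int) -> float:
    """Worst-case time for a blind search over printable ASCII."""
    return PRINTABLE_ASCII ** length / GUESSES_PER_SECOND


if __name__ == "__main__":
    base, pw = "mountain", "m0unT@in$"
    print(f"{pw!r} reachable from {base!r}: {is_reachable(pw, base)}")
    print(f"candidates per word: {count_candidates(base):,}")
    print(f"100,000-word list with rules: {seconds_with_wordlist(base, 100_000):,.0f} s")
    print(f"blind search, {len(pw)} chars: {seconds_brute_force(len(pw)):,.0f} s")
```

For "mountain" the rule set yields 18,144 candidates, so a 100,000-word list with these rules is searched in about a minute and a half at the article's guess rate, against roughly a thousand years for a blind search of nine printable characters. The lesson is not that the substitutions are useless; they do move the password out of the plain dictionary and into a far larger space. It is that the protection comes from the attacker not knowing your base word and your particular transformation, which is why the transformation should be your own rather than the one everybody uses.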
NOTE: Keep in mind that if you forget your password, we have no way of getting your data back. This is because your password is effectively the decryption key used to unscramble your data. Once you close mSecure, it encrypts (scrambles) your data, and the only way to get it unscrambled again is to enter the correct password into mSecure. So make sure to pick something you can remember and set a good hint on your password screen.
Conclusion
Even the best encryption systems in the world are not going to protect your data if you use a weak password and a hacker with means and motivation gains physical access to your mobile device or a copy of its database. To keep your data safe, it is important to understand what makes a strong password and to create one that is easy for you to remember and type into the login screen of your password manager. Passwords that are long enough and mix lowercase letters, uppercase letters, numbers and symbols are the best defense against a hacker's brute force attack.