I mentored a kid for his eighth grade mentoring project (most of the schools here in Eugene do this) and we spent six weeks, twice a week, working through some hardware and software projects. He soaked it all up and I had a great time teaching him what I know. I am pretty sure I taught him everything I know; now he can do my job.
He sent me an e-mail a few weeks later and shared what he thought was this great site that he found for making sure your passwords are secure. Below is my calm and measured response to him. What I really wanted to say was how freakin’ shocked I was that this site is making the claims that it does.
This site (http://howsecureismypassword.net) tells you how long it would take to crack a password based on what you type in. It is so wrong, so VERY VERY VERY VERY VERY wrong. A good password cracking library, a free password cracking tool and a nice video card can shorten the time claims on this site considerably, because the site assumes the attacker tries every possible combination one at a time on a slow machine, while real crackers try likely words and patterns first, on hardware built to compute billions of guesses per second.
My response to my eighth grader.
Thanks for the web site link. This was a fun one to try out, however I would not rest on your laurels just because you ran your password through this site. I would love to believe that a 12 character password would take 4 thousand years to crack, but unfortunately I know that it can take about _a_ (1) _day_ to crack when using a high-end graphics card to do the processing. Although howsecureismypassword.net is useful for informing you about password vulnerability and good password creation techniques, it is very naive in its time estimates.
Most of the work in cracking passwords is in calculating what a word or phrase looks like after it is hashed. Hashing (often loosely called encryption) is a one-way method of scrambling a password: a site stores the scrambled form, not the password, and there is no way to unscramble it. The only way to recover the password is to guess a word or phrase, hash the guess, and compare the result to the stored hash that you are trying to crack. If the hash of the phrase that you just guessed matches the stored hash then you have cracked the password (because you already know what word or phrase you fed into the hashing machine). If they do not match then the password cracker has to try again; pick a word or phrase, hash it, compare it to the stored hash. The hashing step takes time, the comparison step takes very little time.
Password crackers save time by pre-hashing LOTS of words and phrases ahead of time so that the hashing part is already done. The cracker then simply compares the already-hashed phrases to the stored hash, which takes practically no time at all. Does this one match? No? Compare the next one, and so on. You can save yourself even more time, as a password cracker, by buying a set of pre-hashed words and phrases from someone else. Cheap sets cost $10-$20, more comprehensive sets cost a few hundred. (These pre-computed sets only work against sites that store a plain hash of the password. A site that mixes a random per-user "salt" into the hash changes what every hash looks like, so the bought set matches nothing and the cracker is back to hashing each guess themselves.)
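The two cracking styles described above, as an added example that is not part of the original post or e-mail: a guess-hash-compare loop over a constructed word list, the same list turned into a precomputed lookup table so only the comparison is left at attack time, and the salt caveat showing why the table stops matching. The target hashes, word list and the use of SHA-256 are all assumptions for illustration; real crackers work the same way against whatever hash a site actually uses.

```python
import hashlib
import os

def hash_password(candidate: str, salt: bytes = b"") -> str:
    """Hex SHA-256 of a candidate password, optionally prefixed with a salt.
    (Assumed hash function for the example; the idea is the same for any hash.)"""
    return hashlib.sha256(salt + candidate.encode()).hexdigest()

# Constructed word list standing in for a cracking dictionary.
WORDLIST = ["password", "letmein", "Summer2013", "qwerty", "correct horse battery staple"]

def crack_by_hashing(target_hex: str, wordlist, salt: bytes = b""):
    """Dictionary attack: hash each guess, then compare.
    Returns (matched word or None, number of hashes computed)."""
    computed = 0
    for word in wordlist:
        computed += 1                       # the expensive step happens here, every time
        if hash_password(word, salt) == target_hex:
            return word, computed
    return None, computed

def build_lookup_table(wordlist):
    """Precompute the hashes once. The 'bought set' in the post is a much larger
    version of this dictionary, built for a specific hash function."""
    return {hash_password(word): word for word in wordlist}

def crack_by_lookup(target_hex: str, table):
    """Attack time is a single comparison/lookup; no hashing at all."""
    return table.get(target_hex)

if __name__ == "__main__":
    stolen = hash_password("Summer2013")          # constructed: an unsalted stored hash
    print(crack_by_hashing(stolen, WORDLIST))     # ('Summer2013', 3)

    table = build_lookup_table(WORDLIST)
    print(crack_by_lookup(stolen, table))         # 'Summer2013', zero hashes computed

    # A per-user random salt changes the stored hash, so the precomputed
    # table matches nothing. The cracker must go back to hashing each guess
    # with that user's salt; the salt defeats precomputation, not guessing.
    salt = os.urandom(16)
    salted = hash_password("Summer2013", salt)
    print(crack_by_lookup(salted, table))         # None
    print(crack_by_hashing(salted, WORDLIST, salt))  # ('Summer2013', 3)
```

The counter returned by `crack_by_hashing` is the work the precomputed table removes; on a real wordlist of hundreds of millions of entries that is the difference between hours of GPU time and a dictionary lookup.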
Here’s the nugget – Make your password long, at least 16 characters long (I recommend 22 characters). Yes, use a mix of UPPERCASE and lowercase and numbers and punctuation, but the longer the better. Longer passwords take longer to crack: every extra character multiplies the number of possible passwords by the number of characters you are choosing from, so the cracker has to hash and compare many more words and phrases, and a long password is also far less likely to appear in anyone's pre-hashed set. If your password is long enough the cracker will hopefully stop and move on to someone else.
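To put numbers on "every extra character multiplies the work", here is an added example (not from the original post or e-mail) that computes the size of the exhaustive search space for a given character set and length, and how long exhausting it would take at an assumed guess rate. The rate of 10 billion guesses per second is an assumption chosen for illustration, not a measurement of any particular card; the figures are the worst case for the attacker, since a dictionary or pattern attack finds a human-chosen password long before the whole space is tried, which is why the post's 12-character password falls in about a day.

```python
# Exhaustive-search cost as a function of password length.
# Charset sizes are standard: 26 lowercase letters, 62 letters+digits,
# 95 printable ASCII characters.
CHARSETS = {"lowercase": 26, "alphanumeric": 62, "printable": 95}
SECONDS_PER_YEAR = 365.25 * 24 * 3600

def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return charset_size ** length

def seconds_to_exhaust(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Time to try every password of this length at the given rate."""
    return keyspace(charset_size, length) / guesses_per_second

def extra_char_multiplier(charset_size: int) -> int:
    """Adding one character multiplies the search space by the charset size."""
    return keyspace(charset_size, 2) // keyspace(charset_size, 1)

def length_for_years(charset_size: int, years: float, guesses_per_second: float) -> int:
    """Smallest length whose full keyspace takes at least `years` to exhaust."""
    target_guesses = years * SECONDS_PER_YEAR * guesses_per_second
    length = 1
    while keyspace(charset_size, length) < target_guesses:
        length += 1
    return length

def report(guesses_per_second: float):
    """One line per charset/length pair, in years."""
    lines = []
    for name, size in CHARSETS.items():
        for length in (8, 12, 16, 22):
            years = seconds_to_exhaust(size, length, guesses_per_second) / SECONDS_PER_YEAR
            lines.append(f"{name:12s} len={length:2d}: {years:.3g} years")
    return lines

if __name__ == "__main__":
    ASSUMED_RATE = 1e10   # assumption: 10 billion guesses/second, for illustration only
    for line in report(ASSUMED_RATE):
        print(line)
    print("8 printable chars:", round(seconds_to_exhaust(95, 8, ASSUMED_RATE) / 86400, 1), "days")
    print("length for 1000 years, printable:", length_for_years(95, 1000, ASSUMED_RATE))
```

Two things to take from the output: at the assumed rate, 8 printable characters fall in about a week of exhaustive search, and the crossover to "thousands of years" happens only a few characters later because each one multiplies the work by 95. The length recommendation in the post is a margin on top of that crossover, and the margin is what matters once the attacker switches from exhaustive search to word lists.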
I hope this helps and please let me know if you have any questions.