Are your passwords secure?
By Ancillotti
Along with the use of open networks, WEP, or unencrypted protocols, using weak passwords or reusing the same password across multiple services is among the most serious security problems.
Traditionally, an 8-character password was considered the minimum needed to secure an account: although not unbreakable, an 8-character password would take long enough to brute-force that, aside from the most obstinate attackers, everyone else would give up and go looking for easier targets. However, advances in CPU and GPU processing power have made 8-character passwords as vulnerable as 5- or 6-character passwords were in the past.
The main risk comes from GPUs, whose massively parallel architecture makes them far more efficient than CPUs at brute-forcing passwords. Using a single Radeon HD 5770 together with IghashGPU ( http://www.golubev.com/hashgpu.htm ), it is possible to break a 6-character Windows NTLM password (using the MD5 algorithm) containing upper- and lower-case letters and numbers, such as "C6te4Z", in just 17 minutes, compared with nearly a week on a mid-range CPU.
8-character passwords can be cracked in just a day or two, and even a 9-character password using upper-case, lower-case and numbers (stronger than most passwords in everyday use) takes only 48 days to break on the Radeon HD 5770. Moving to a pair of high-end cards in CrossFire would cut that time dramatically, endangering even passwords with special characters and spaces.
With this kind of GPU processing power on the market, the minimum standard for a secure password is now at least 12 characters (preferably 16) mixing letters, numbers and special characters. Anything shorter can be broken in due time by a sufficiently determined attacker.
Of course, this kind of brute-force attack is only possible when the attacker has obtained the password hashes, which are typically stored in a file or a database table (for web applications). The hash is obtained by processing the original password with a one-way algorithm, complex enough that it cannot be reversed. A password like "dft#d3W6&8()d" results in a hash such as "$6$LAlv13Dd$nZJ2TMsL6YoKpKAX1uWk4du9SK3QnhUW79ft76kvs1ovRQojGuE6GkY8uK0SWP.3LnPiZabEVr1OubNIrMiaj0". When the same password is processed again with the same algorithm, the same result is produced, which lets the system verify the password without storing it anywhere: only the hash is stored.
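The store-then-reprocess cycle described above, as an added example that is not from the article: a salted, deliberately slow hash is stored, then re-derived from the candidate password at login and compared; a small helper also splits the article's own "$6$..." string into its scheme, salt and digest fields. The PBKDF2 record layout, iteration count and salt size are assumptions of this example, not anything the article specifies.

```python
import base64
import hashlib
import hmac
import os

# Values from the article: the sample password and the hash it produces.
PASSWORD = "dft#d3W6&8()d"
ARTICLE_HASH = ("$6$LAlv13Dd$nZJ2TMsL6YoKpKAX1uWk4du9SK3QnhUW79ft76kvs1ov"
                "RQojGuE6GkY8uK0SWP.3LnPiZabEVr1OubNIrMiaj0")

# Parameters assumed for this example, not taken from the article.
ITERATIONS = 200_000
SALT_BYTES = 16
SCHEME = "pbkdf2-sha256"


def split_crypt_hash(stored):
    """Split a crypt-style "$id$salt$digest" string into its three fields.
    "$6$" is the id glibc uses for SHA-512 crypt; the middle field is the
    per-user salt and the last field is the one-way digest."""
    _, scheme, salt, digest = stored.split("$", 3)
    return scheme, salt, digest


def make_record(password, salt=None):
    """Derive a storable record "$pbkdf2-sha256$<iter>$<salt>$<digest>"
    (layout assumed here); the password itself is never stored."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt per record
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "$%s$%d$%s$%s" % (SCHEME, ITERATIONS,
                             base64.b64encode(salt).decode(),
                             base64.b64encode(digest).decode())


def verify(password, record):
    """Reprocess the candidate with the stored salt and iteration count, then
    compare digests in constant time so timing reveals nothing about a near-miss."""
    _, scheme, iterations, salt_b64, digest_b64 = record.split("$")
    if scheme != SCHEME:
        raise ValueError("unsupported scheme: " + scheme)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    base64.b64decode(salt_b64), int(iterations))
    return hmac.compare_digest(candidate, base64.b64decode(digest_b64))


if __name__ == "__main__":
    record = make_record(PASSWORD)
    print(record, verify(PASSWORD, record), verify("dft#d3W6&8()e", record))
```

Because each record carries its own random salt, two users with the same password get different records, so a leaked table cannot be attacked with one precomputed lookup.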
So when things go wrong and an attacker gains access to the database of a large content provider (which is not so rare; see for example the 2011 attack on the PlayStation Network), the secrecy of the hashes is all that still protects the passwords. The same applies when someone has physical access to your machine, making it possible to copy the operating system's stored passwords.
This brings us to another problem: password reuse. If you use the same password for services A, B and C, an attacker who obtains your password for service A automatically gains access to your accounts on services B and C as well, especially since most services today use the e-mail address as the login. A practical example was the attack on the PlayStation Network, where the leaked logins and passwords were quickly tried by several groups on other services, giving them access to the accounts of users who had used the same password on several of them.
This leads us to a third problem: long passwords with letters, numbers and special characters are hard to remember, and if you use a different one for every service you will quickly exhaust your memory.
The most common workaround is to create variations of a master password, changing a few characters for each use. Assuming the original password is a good one, with 12 or 16 letters, numbers and special characters, and the variations differ sufficiently from it, this can be safe enough, although not ideal.
Another option is a password manager. There are numerous options for Windows, Linux, Android, Symbian and iOS, which generally offer satisfactory security by using a master password to encrypt the file where the passwords are saved and providing an interface to view them. A good option for the desktop is KeePass ( http://keepass.info/ ), an open-source manager that is very secure and full-featured (it lets you split passwords into categories, generate random passwords, create different access keys, export the password file in various formats, etc.). It runs natively on Windows, but you can also use it on Linux or OS X using Mono.
Mobile managers are generally less secure (especially on a rooted Android device or a jailbroken iPhone), so ideally you should not run them on your main smartphone (which can be lost or stolen) but on some old device you can dedicate to this task, kept in a safe place. A good option is the versions of KeePass for Android, iPhone and other mobile platforms, also available on the download page. Besides being moderately safe, they can synchronize with the PC.
A third option is a password management service such as LastPass ( http://lastpass.com ). The advantage is that, besides storing the passwords, it provides extensions for the major browsers that fill in password fields automatically and transmit them securely. It is a compromise between convenience and security: on the one hand you place your passwords in the custody of a third-party company (although the encryption key for the passwords is stored only on your own PC, not on the remote servers), but on the other hand it is much safer than using passwords stored in Firefox and reused indefinitely, or keeping the same password everywhere.
Comments
My good friend feenix, thanks for the attention you give to my Hubs. Do not forget to keep your passwords always well protected and replace them periodically.
A big hug and cheers!
WOW this is definitely a useful hub. It raised my awareness ten fold.
I always know I will be greeted with your talent in giving valuable information. I am proud to be your friend. Again, this was a knowledgeable hub. I learned much from you. Well done, brother. Rated up as usual.
Prasetio
Jpcmc, it is always good to have you in my hub; I am happy to help you. A big hug!
Prasetio, you're a great friend and an excellent writer, and it is an honor for me to know that this helps with something that can help you! Cheers!
feenix 11 months ago
Ancillotti,
This is a very useful and important hub.
I learned a lot from it and I am going to follow your advice when I change some of the passwords I use.