![\"askleo\"](\"https:\/\/www.pcmatic.com\/blog\/wp-content\/uploads\/20090929leonotenboomwp.jpg\")
<\/p>\n<\/p>\n
By Leo Notenboom<\/p>\n
For a long time, the common thinking was that the best, most practical passwords
\nconsisted of a random combination of upper and lower-case letters, numbers, and a
\nspecial character or two; if so composed, a password needed to be only eight characters in
\nlength.<\/p>\n
Randomness remains important, but as it turns out, size matters more.<\/p>\n
A password today should have a minimum of ten characters, and ideally, twelve.<\/p>\n
When you hear about large numbers of accounts being stolen by a hack at In fact, most services will store an encrypted (technically, a “hashed”) form What that means is that hackers do not<\/em> get a list of user names and And what’s great about hashes is that you can calculate a hash from a As a result, one would think that by being hashed it’d be pretty unhackable, Sadly, not so much.<\/p>\n The most common type of password attack is simply a high-speed guessing These attacks involve starting with an exhaustive list of possible words As we’ll see in a moment, it’s easy for hackers to make an amazing number of That’s why you’re not using that kind of password, right?<\/p>\n That’s why a password created from a totally random combination of characters is best; it forces hackers to move on to a true brute force attack to gain access.<\/p>\n Article continued here<\/a><\/p>\n This post is excerpted with Leo’s permission from his blog.<\/p>\n FaceBook URL: Leo’s Facebook<\/a><\/p>\n
\nsome service provider, you are naturally concerned that the hacker might now
\nhave access to your account names and passwords. If the service was storing your actual<\/em> passwords, that could indeed be the case.
\n(As I’ve said before, if a service is storing your actual<\/em> passwords,
\nthen they simply don’t understand security or they have made some horrifically bad
\ndecisions.)<\/p>\n
\nof your password. For example, if my password were “password” (and that’s a very poor
\npassword, of course), then a service might store
\n“5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8” which is the
\nhash value that corresponds to that password. 1<\/a><\/span><\/p>\n“Even the best eight-character passwords should no longer be
\nconsidered secure.”<\/div>\n
\npasswords. What they get is a list of usernames and password hashes.<\/p>\n
\npassword, but you cannot do the reverse – you cannot calculate the password
\nfrom the hash.<\/p>\n
\nright?<\/p>\nDictionary attacks<\/h3>\n
\ngame.<\/p>\n
\n(including names, profanities, acronyms, and more) and perhaps a few rules to
\ntry interesting and common ways that people try to obfuscate words. They
\ncalculate the hash of each guess and if it matches what was found in the
\ncompromised database of account information that they’re working against,
\nthey’ve figured out the password for that account.<\/p>\n
\nguesses is a short amount of time.<\/p>\n
![\"askleo\"](\"http:\/\/techtalk.pcpitstop.com\/wp-content\/uploads\/20090929leonotenboomwp.jpg\")
<\/p>\n