So, a friend of mine recently got a message from LiveJournal telling her that her password was weak and that she should change it. Like so many users, she's was confused, because surely there was no way that anyone could guess her password. Someone else commented that they got the same, and their password was really hard to guess, too.
The thing is, yes, 'wubbliewoo' may be very hard for a human to guess, but we're not concerned with people sitting at the login screen trying to guess your password themselves. The problem is that a computer program may be trying to crack your password, in which case 'wubbliewoo' is trivial.
Special attacks aside, a computer program can do a Brute Force attack, where it tries all possible combinations of characters based on the alphabet in use and the length of the password. It tries 'a' then 'b' then 'c' moving onto 'aa' and 'ab' and 'ac' into 'ba', 'bb', 'bc' until it's trying 'hyttj' and 'hyttk' and so on. It tries everything, and when it finds a match, it has your password.
Brute Force will find your password, guaranteed. But it's a relatively slow process, if you make your password sufficiently difficult to guess 'for a computer.' This means a long password made of characters from a large alphabet. If you have only lower case letters in your password, you have an alphabet of 26 characters. If your password is then 4 characters long, there are 26^4 possible strings it could be, from 'aaaa' through 'zzzz'. That's nearly 500,000 strings, but we're talking about a machine that can make hundreds of thousands of guesses in a second. if you add a capitol letter to your password (even one capitol is enough to make the program have to try harder) then your alphabet is 52 characters, and 52^4 is a lot bigger than 26^4. Generally speaking, a strong password is considered to be at least 8 characters in length, using three of the four types of characters (upper case, lower case, numbers, and symbols). This puts you in the range of 92^8 or so, which will take a computer 6 to 12 months to break -- and presumably you'll have changed it by then. These policies about password make-up and duration aren't made to make your life difficult -- I've personally used a program that could crack a 52^8 password in under 5 hours, max.
The math in all of this is fascinating, but I'm saving you all from most of it.
"But how will I remember it?" My friend asks. Well, if you have a weak password, it's not hard to do minor changes (as far as a human's concerned) that will make it significantly harder for a computer to guess. The password 'foobar' is not the same as 'Foob@r', and just those two changes bump it from a 26^6 password to a 92^6 password. Additionally, though they say "don't write your password down," as long as you aren't concerned about someone in your immediate vicinity cracking your account, and you take precautions to keep it mostly-hidden from visitors, there's no reason not to. it's a bad idea for a manager to write down his password at work and leave it on his desk, but an LJ password at home is a significantly different situation.
DO NOT post your password online, anywhere. Seriously. if something's online, it can be found, period. The internet is so complex, and the 'rules' can be gotten around so simply by someone who knows what they're doing, that it's just a supremely bad idea. I'd advise stenciling your password to the side of you monitor before posting it online; much, much safer.
Caveat: OK, I really don't like making people paranoid, so I thought I'd add this in here. Yes, the internet is a dangerous place. if it's on here, it can be found. And yeah, if someone wants to crack your password badly enough, they will. But that brings us to the biggest protection anyone has on the internet: you're simply not important enough. And I don't mean that personally; in general, none of us are that important. If someone got my Bank info, he might be able to get, I don't know, a couple hundred dollars. If they hijacked my LJ, they could probably make me look pretty bad socially. But with the effort needed for either, the pay off just isn't that big. Now, someone like TheFerret, who's so well known her gets a mention in blog entries totally unrelated to him by people who don't even read his stuff -- he might want to be particularly careful about his security. The point is, you aren't important enough to put a lot of effort into, but if you have a weak password, it's not a lot of effort. No one's going to run a program for three months to hijack your account (unless you're the aforementioned TheFerret, maybe), but if they just have to run it for 5.2 seconds, it's trivial. The point is to make the payoff not worth the effort.
![[personal profile]](https://www.dreamwidth.org/img/silk/identity/user.png){kind=small}
