Closing the Backdoor
Many web services, such as online notes services, use a username/password combination to control which parts of the site you can reach. Often the site protects only the login itself (the username and password in transit), while the data you submitted is stored behind it with little or no additional protection.
An attacker will usually go after the "backdoor" of the web site, its database, to get at your personal information. mSecure, by contrast, encrypts all of the data stored in its database with 256-bit Blowfish, a cipher with no publicly known practical break, so there is no such back door to your data.
Brute Force Attack
Even though your data is strongly encrypted, it can still be exposed to a brute-force attack if the attacker obtains a copy of your database. In a brute-force attack, software tries a list of common passwords, or every possible password, until one of them decrypts the data.
The best protection against this type of attack is a strong password because, as you will see, trying every possibility would take the attacker far too long. Strong encryption combined with a strong password provides a very high level of security for your data.
How Long is Strong
A strong password is not just a long string; its strength also depends on how many different characters can appear in each position. For example, a fast computer can try every 4-digit PIN made only of digits (e.g., 2578) in less than a second. Simply allowing each of the 4 characters to be any lowercase letter, uppercase letter, digit or symbol (e.g., Bc1@) raises the time to try every combination to 25 seconds, a major improvement. Now let's see what impact password length has on password strength.
Time to try every 4-character password

Character set                   | Time
Digits only (0...9)             | 1 second
All printable ASCII characters  | 25 seconds
In 2010, a top password-recovery service in the US reported that its state-of-the-art systems could try about 20 million passwords a second. The figures below assume that rate. Only attackers with good resources reached it then, and a less well-equipped attacker might take twice as long, but cracking hardware only gets faster over time, so treat these numbers as an upper bound on the attacker's effort. How fast guesses can be tested also depends on how the application turns your password into the encryption key; a deliberately slow key-derivation step lowers the rate substantially.
Time to crack*

Password length | 6 characters | 7 characters | 8 characters | 9 characters
Time to crack   | 11 hours     | 6 weeks      | 10 years     | 1,000 years

*assumes each character can be any of the 95 printable ASCII characters and that the attacker must try every possible password (95^n guesses at 20 million per second); on average the password is found after searching about half that space.
As you can see, with a password of only 9 characters drawn from the full character set you make an exhaustive search impractical for an attacker who has your database.
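To check the figures in the chart, here is an added Python example (not mSecure's own code) that computes the exhaustive-search time for a given alphabet size, password length and guess rate. It assumes the 20 million guesses per second quoted above and the 95 printable ASCII characters; both are parameters, so you can rerun it with the rate of whatever hardware you are worried about.

```python
"""Brute-force cost estimator: how long does it take to try every password?

Added example, not mSecure's own code. Assumes an attacker who holds a copy of
the encrypted database and can test guesses offline at a fixed rate.
"""

# The 95 printable ASCII characters: space through '~' (codes 32..126).
PRINTABLE_ASCII = "".join(chr(c) for c in range(32, 127))

# Alphabet sizes for the character sets discussed in the text.
ALPHABETS = {
    "digits": 10,
    "lowercase letters": 26,
    "letters and digits": 62,
    "printable ASCII": len(PRINTABLE_ASCII),
}

# Rate quoted in the text for a 2010 password-recovery service (assumption).
DEFAULT_RATE = 20_000_000


def keyspace(alphabet_size, length):
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def seconds_to_exhaust(alphabet_size, length, rate=DEFAULT_RATE):
    """Worst-case time to try every password; on average the attacker needs half."""
    return keyspace(alphabet_size, length) / rate


def human(seconds):
    """Render a duration in the largest convenient unit."""
    for name, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.4f} seconds"


def crack_table(lengths=(6, 7, 8, 9), alphabet_size=95, rate=DEFAULT_RATE):
    """Map password length -> human-readable exhaustive-search time."""
    return {n: human(seconds_to_exhaust(alphabet_size, n, rate)) for n in lengths}


if __name__ == "__main__":
    for name, size in ALPHABETS.items():
        print(f"{name} ({size} symbols):")
        for n, t in crack_table(alphabet_size=size).items():
            print(f"  {n} characters: {t}")
```

Running it reproduces the chart's 6- and 7-character rows (about 10 hours and 40 days) and shows that 8 and 9 printable-ASCII characters take roughly 10 and 1,000 years at this rate; the same function with a 26-letter alphabet shows how much a lowercase-only password gives away.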
Choose Wisely
Many people hear that a 9-character password can be strong and then pick any easy-to-remember 9-character word and use that as a password. This can be a big mistake! Attackers know people do this, so they build and share dictionaries of common passwords, and will even mine your personal data for keywords, which cuts the crack time from years to seconds. For example, say you use the word "mountain" as your password. Since the word is in the dictionary, an attacker using the dictionary as the list of guesses will crack your data almost immediately.
The trick is to create a password that is memorable and yet long enough while using a wide array of characters.
Making the Weak into the Strong
Here are some ideas on how to create strong passwords. Pick an 8-character word that is easy to remember and make it stronger. For our example we will use the word "mountain." Note that this word is all lowercase letters and sits in every dictionary, which is not very secure. Let's toughen it up!
- Change at least one letter to uppercase (you don’t want to pick the first letter, as that would be more common and easy to guess). The revised password is now “mounTain.”
- Add at least one number to it. Let’s replace the “o” with an “0”, making the revised password “m0unTain.”
- Finally, include a symbol. Let’s replace the “a” with the symbol “@” making our new password “m0unT@in.”
We now have a stronger password that mixes uppercase, lowercase, digits and symbols. While 8 characters is a reasonable length, you will recall from the chart above that we want a 9-character minimum. Let's add another character: "m0unT@in" could become "m0unT@ins", or better "m0unT@in$", where we have swapped the "s" for a "$". Many people just put an "!" at the end of every password or a "+" at the beginning and end of all their passwords. The general idea is to choose a word or phrase you will remember and a simple procedure for converting it into a strong password. One caveat: these particular tricks (a capital in the middle, o to 0, a to @, s to $, a symbol on the end) are so common that cracking tools apply them automatically as "rules" to every word in their dictionary, so a mangled dictionary word is far weaker than the chart's figure for 9 random characters suggests. Treat the procedure as a minimum; joining several unrelated words, or choosing a phrase that appears in no dictionary, is stronger still.
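The following added Python example (not mSecure's code) makes that caveat concrete. It implements a tiny version of the mangling rules a cracking tool applies to a wordlist: capitalise at most one letter, apply the substitutions o to 0, a to @, e to 3, i to 1 and s to $ in any combination, and append one of a handful of common suffixes. The rule set, the suffix list and the 20-million-guesses-per-second rate are assumptions chosen to match the text; real rule files are far larger, which only strengthens the point.

```python
"""Rule-based dictionary attack versus brute force (added example).

Shows why "m0unT@in$" is much weaker than the 95^9 keyspace suggests: a
cracking tool that applies a few standard mangling rules to the dictionary
word "mountain" reaches it after a few hundred guesses.
"""
import itertools

# Leet substitutions (assumed rule set; real rule files are far larger).
LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"}
# Common endings people tack on (assumed).
SUFFIXES = ["", "!", "1", "$", "s", "s!", "123"]
RATE = 20_000_000  # guesses per second, as quoted in the text
PRINTABLE = 95     # size of the printable ASCII alphabet


def case_variants(word):
    """The word as-is, then with exactly one letter upper-cased."""
    yield word
    for i in range(len(word)):
        yield word[:i] + word[i].upper() + word[i + 1:]


def leet_variants(word):
    """Every combination of applying or skipping each leet substitution."""
    choices = [(c, LEET[c]) if c in LEET else (c,) for c in word]
    for combo in itertools.product(*choices):
        yield "".join(combo)


def candidates(word):
    """All guesses the rule set derives from one dictionary word, in order."""
    out, seen = [], set()
    for cased in case_variants(word):
        for leeted in leet_variants(cased):
            for suffix in SUFFIXES:
                guess = leeted + suffix
                if guess not in seen:
                    seen.add(guess)
                    out.append(guess)
    return out


def rank(target, word):
    """1-based position of `target` in the rule output, or None if not derived."""
    guesses = candidates(word)
    return guesses.index(target) + 1 if target in guesses else None


def compare(target, word, rate=RATE):
    """Guesses and time for the rule attack versus exhaustive brute force."""
    r = rank(target, word)
    brute = PRINTABLE ** len(target)
    return {
        "rule_guesses": r,
        "rule_seconds": None if r is None else r / rate,
        "brute_guesses": brute,
        "brute_years": brute / rate / (365 * 86400),
    }


if __name__ == "__main__":
    result = compare("m0unT@in$", "mountain")
    print(f"rule attack: guess #{result['rule_guesses']} "
          f"({result['rule_seconds']:.6f} s)")
    print(f"brute force: {result['brute_guesses']} guesses "
          f"({result['brute_years']:.0f} years)")
```

For "mountain" this toy rule set produces only 420 candidates, and "m0unT@in$" is among them, so an attacker who guessed the base word needs a fraction of a millisecond at the quoted rate instead of the roughly 1,000 years that 9 random printable characters would require. Swap in a word that is not in any wordlist and `rank` returns None: the rules never reach it, and the attacker is back to brute force.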
NOTE: Keep in mind, if you forget your password, we have no way of getting your data back. So make sure to pick something you can remember and enter a good hint on the set password screen.
Even the best encryption systems in the world will not protect your data if you use a weak password and an attacker gets hold of your mobile device or a copy of its database. To keep your data safe, it is important to understand what makes a password strong and to create one that is easy for you to remember and type into the login screen of your password manager. Long passwords that mix lowercase letters, uppercase letters, digits and symbols, and that are not simply a dictionary word in disguise, are the best defense against a brute-force attack.
Resources:
Tim Hemenway [Support Manager at mSeven Software]