Several readers have written about today’s password article, raising great points.
Gary writes: “ I don’t trust that “Silent Circle” password test. The “time to crack” field is completely bogus. It’s not actually cracking your password. It’s just a gimmick. There’s simply no way any program can crack an 8 digit password in 14 minutes (let alone a few seconds) not one which draws from the entire keyboard (uppercase/lowercase, numbers and characters). Certainly a person would want a password closer to 20 digits rather than 8, especially for banking and other precious data, but I do not buy the 14 minute claim.”
Silent Circle is not actually cracking the test password in realtime, but I did some reverse engineering and they are comparing it to both a dictionary and a character substitution dictionary of English words. For example:
English Word Password: unicorn <- correctly spelled single word
Time to Crack: instant
Misspelled Word Password: unicor <- intentionally mis-spelled, and shorter
Time to Crack: 4 minutes
Word Substitution Password: Un1c0rn <- note that the “i” and “o” are “1″ and “0″ Tricky, right? Wrong….
Time to Crack: instant
This tells us the password box is using the same cracking tools a typical hacker would – a dictionary attack. Hackers actually use precomputed tables of various cryptographic hashes for the entire dictionary, plus common substitutions, plus common repeating combinations (e.g. qwertqwert, 1234asdf). The hashes are called rainbow tables and they cut down the time to crack passwords by doing the “cracking” in advance and storing the result. Common security auditing tools used by IT professionals come with these dictionaries and rainbow tables.
John writes: “what makes you think you can trust Silent Circle…What a simple way to go phishing for passwords”
Two great points. SilentCircle is a US-based company, and therefore subject to all the pressure points, bank account freezes, and legal tie ups that the US Government can muster. I should point out that ANY company that has a .com domain name is subject to US pressure, including the three possible offshore email companies. The US government can hijack any domain ending in .com because Reston, Virginia based Verisign corporation controls the .com root domain servers, no matter that an offshore registrar and name server is hosting the domain. If it ends in .com, it can be taken down by a court order from the US Government to Verisign. This is how Kim dotcom’s Megaupload.com site was shutdown.
Still, one of Silent Circle’s main founders is one of the good guys of privacy, Computer Science hero and entrepreneur Phil Zimmerman. Mr. Zimmerman invented and distributed opensource software PGP (Pretty Good Privacy) to allow slightly technical people to encrypt their emails, then founded several companies to make it increasingly easier. He was investigated and harassed by the government for several years for potential violations of the Arms Export Controls Act. His software was considered a munition because his crypto algorithms were so good. All that said, I don’t recommend Silent Circle for most users. I think it is still a bit cumbersome and overkill for the typical home user. If you are a typical home user, improving your password by changing to a long passphrase with a site by site algorithm is the 20% effort that gives you 80% of the security. If you are a technical user, it may be right for you.
LRC reader John makes a valid point – I would not recommend that you test your entire algorithm+passphrase in the Silent Circle tester, just the base passphrase, e.g. The Country is Not the Government! is OK to test but I wouldn’t test 1The Country is Not the Government!
Now go change those insecure passwords!12:59 pm on August 2, 2013 Email John Keller