accusolve.biz


Tips for Foiling Password Crackers

An article entitled "Password Crackers" was recently published by PC Magazine which rightly states, "Your password-protected PCs and data files aren't nearly as secure as you might think." We highly recommend reading this article, but want to add some tips of our own which, if followed, will help you feel much more secure about your password-protected files.

The PC Magazine article states, "Passwords on Zip files aren't worth much. For example, if there are five or more files in a Zip archive, Passware's Zip Key program can probably decrypt the contents in less than an hour." This is true, but there are ways to protect a password-protected zip file from being cracked or decrypted by anyone who does not know the password. We believe that protecting sensitive files in zip archives is an excellent choice, given the weak security schemes of many other popular applications, and since most people already have a zip program.

How to Protect Zip Files

There are two things you must do to protect your zip files from being cracked by programs such as Zip Key.

  • Pick a strong password. It must be longer than 8 characters and made up of random characters: mixed-case letters, digits and symbols, not words or variations of words. In our tests, Zip Key's brute-force attack does not even attempt passwords longer than 8 characters, and its other cracking methods search for variations and mutations of words found in the English dictionary.
  • If your zip archive has more than four files, zip them all into an unprotected archive, then add that single archive to a strong-password-protected archive. The cracker then has only one encrypted entry to work with, so it can neither guess the password nor decrypt the contents. It is a little more work, but even more capable cracking systems will have a hard time with this kind of protection. One caveat: the traditional zip encryption scheme is also weak against known-plaintext attacks, and the inner archive begins with the standard zip header bytes, so this recipe defeats Zip Key's multi-file attack rather than every attack on the zip cipher.
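The two steps above, as an added example that is not the page's or Passware's code: a check that reports how many entries of an archive are encrypted with the traditional zip cipher (general-purpose flag bit 0 set and a compression method other than WinZip's AES method 99, which are zip-format facts) and whether the five-or-more condition the article describes is met, plus the inner-bundle step of the recipe. The five-entry threshold is taken from the page; the sample files are constructed here. Python's zipfile module reads but cannot write encrypted archives, so the final password step is left to your zip tool.

```python
import io
import zipfile

# Zip-format constants: general-purpose bit 0 marks an encrypted entry, and the
# WinZip AES extension records compression method 99 for AES-encrypted entries.
ENCRYPTED_FLAG = 0x0001
WINZIP_AES_METHOD = 99
# Zip Key's multi-file attack, as the PC Magazine article describes it, needs
# five or more entries encrypted under the same password (threshold from the page).
MULTI_FILE_THRESHOLD = 5


def describe_entries(infos):
    """Summarise how the entries of an archive are protected.

    `infos` is a list of zipfile.ZipInfo objects (ZipFile.infolist()).
    """
    encrypted = [zi for zi in infos if zi.flag_bits & ENCRYPTED_FLAG]
    legacy = [zi for zi in encrypted if zi.compress_type != WINZIP_AES_METHOD]
    return {
        "members": len(infos),
        "encrypted": len(encrypted),
        "legacy_zipcrypto": len(legacy),
        # The condition the article warns about: many entries under the old cipher.
        "multi_file_attack_possible": len(legacy) >= MULTI_FILE_THRESHOLD,
    }


def assess_archive(archive):
    """Run describe_entries over an archive given as a path, file object or bytes."""
    if isinstance(archive, (bytes, bytearray)):
        archive = io.BytesIO(archive)
    with zipfile.ZipFile(archive) as zf:
        return describe_entries(zf.infolist())


def build_inner_bundle(files):
    """Step 1 of the recipe: one plain, unprotected archive holding every file.

    `files` maps archive names to bytes. The result is ready to be added as the
    single entry of a password-protected outer archive with your zip tool.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_outer_wrapper(inner_bytes, inner_name="bundle.zip"):
    """Step 2, minus the password: an outer archive whose only entry is the bundle.

    The inner archive is already compressed, so it is stored rather than deflated.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(inner_name, inner_bytes)
    return buf.getvalue()


def simulated_entries(count, method=zipfile.ZIP_DEFLATED):
    """Constructed ZipInfo records flagged as encrypted, for exercising the check offline."""
    infos = []
    for i in range(count):
        zi = zipfile.ZipInfo("file%d.txt" % i)
        zi.flag_bits |= ENCRYPTED_FLAG
        zi.compress_type = method
        infos.append(zi)
    return infos


if __name__ == "__main__":
    # Constructed sample data, not from the page.
    sample = {"q%d.txt" % i: b"quarterly figures %d" % i for i in range(6)}
    inner = build_inner_bundle(sample)
    outer = build_outer_wrapper(inner)
    print("inner bundle:", assess_archive(inner))   # 6 members, none encrypted
    print("outer wrapper:", assess_archive(outer))  # 1 member: the bundle
    print("six ZipCrypto entries:", describe_entries(simulated_entries(6)))
    print("six AES entries:", describe_entries(simulated_entries(6, WINZIP_AES_METHOD)))
```

Run assess_archive over an archive you are about to send; if it reports five or more legacy-encrypted members, rebuild it with the bundle-in-a-wrapper layout before adding the password.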

We purchased our own copy of Zip Key so that we could test the effectiveness of various security tactics. You should be aware that the makers of this product sell several other effective tools for recovering passwords from other applications, or for replacing an existing password with one you know. Unfortunately this is, in many cases, a very simple process. If this concerns you, we recommend zipping up your sensitive application files using the tactic above whenever you store or move them in an insecure environment.

How to Create Strong Passwords

With Masking Password Generator, making very strong passwords is a breeze. Use a mask such as 'N*15' or 'K*12' and no brute-force attack will succeed in cracking your password this millennium with existing technology. If you are limited to shorter passwords, use a random-length and random-position mask such as '~(7.10){#,?}[A]'. This produces a password between 7 and 10 characters long with a digit and a punctuation character somewhere within the result. You can tailor such masks to fit your organization's password policy, ensuring that every password created with them meets the requirements and is therefore resistant to brute-force and dictionary cracking.

If you need easy-to-remember passwords, use Masking Password Generator with a pronounceable password mask such as '<WVWVVWV', which generates a password like 'rahaozu'. It can be remembered and is not in any dictionary, so it foils dictionary attacks; but seven lowercase letters in a consonant-vowel pattern form a small search space that brute force can exhaust quickly, so use such passwords only where short or memorable passwords are unavoidable.
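To make the strength claims in the two paragraphs above concrete, here is an added example, not Masking Password Generator's code: a small mask interpreter that draws passwords from a CSPRNG and computes the entropy each mask yields, so the 'N*15', 'K*12' and '<WVWVVWV' masks can be compared against an assumed attacker guess rate. The class codes (N, K, A, #, ?, W, V) and their meanings are assumptions made for this example, since the page shows the masks but does not define the codes; the variable-length mask '~(7.10){#,?}[A]' is modelled by generate_variable(7, 10, '#?', 'A').

```python
import math
import random
import string

# Character classes for a simplified mask language. These codes and meanings are
# an assumption for this example, not the product's real syntax.
CLASSES = {
    "N": string.ascii_letters + string.digits,                       # alphanumeric (62)
    "K": string.ascii_letters + string.digits + string.punctuation,  # full keyboard (94)
    "A": string.ascii_letters,                                       # letters (52)
    "#": string.digits,                                              # digits (10)
    "?": string.punctuation,                                         # punctuation (32)
    "W": "bcdfghjklmnpqrstvwxyz",                                    # consonants (21)
    "V": "aeiou",                                                    # vowels (5)
}

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def expand(mask):
    """Turn a fixed mask into one class code per output character.

    'N*15' -> 'N' repeated 15 times; '<WVWVVWV' -> 'WVWVVWV' (the leading '<' is
    treated as a pronounceable-mode marker and dropped, an assumption here).
    """
    mask = mask.lstrip("<")
    if "*" in mask:
        code, count = mask.split("*", 1)
        return code * int(count)
    return mask


def generate(mask, rng=None):
    """Draw one password for a fixed mask, from the OS CSPRNG unless an rng is given."""
    rng = rng or random.SystemRandom()
    return "".join(rng.choice(CLASSES[c]) for c in expand(mask))


def generate_variable(min_len, max_len, required, fill="A", rng=None):
    """Variable-length mask: the page's '~(7.10){#,?}[A]' is generate_variable(7, 10, '#?', 'A').

    The length is chosen between min_len and max_len, every position is filled
    from `fill`, then one character from each class in `required` replaces a
    distinct random position, so every required class is guaranteed to appear.
    """
    rng = rng or random.SystemRandom()
    length = rng.randint(min_len, max_len)
    chars = [rng.choice(CLASSES[fill]) for _ in range(length)]
    for pos, code in zip(rng.sample(range(length), len(required)), required):
        chars[pos] = rng.choice(CLASSES[code])
    return "".join(chars)


def entropy_bits(mask):
    """Entropy of a fixed mask: the sum of log2(class size) over its positions."""
    return sum(math.log2(len(CLASSES[c])) for c in expand(mask))


def min_entropy_bits(min_len, required, fill="A"):
    """Conservative lower bound for a variable mask: shortest length, with the
    required classes simply substituted for fill positions (random placement
    and extra length only add entropy)."""
    fill_positions = min_len - len(required)
    return fill_positions * math.log2(len(CLASSES[fill])) + sum(
        math.log2(len(CLASSES[c])) for c in required)


def years_to_exhaust(bits, guesses_per_second):
    """Time to try every password of the given entropy at a fixed guess rate."""
    return 2 ** bits / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    rate = 1e9  # guesses per second: an assumed attacker budget, not a figure from the page
    for mask in ("N*15", "K*12", "<WVWVVWV"):
        bits = entropy_bits(mask)
        print("%-10s %-16s %5.1f bits  %.3g years to exhaust at %.0e guesses/s"
              % (mask, generate(mask), bits, years_to_exhaust(bits, rate), rate))
    print("~(7.10){#,?}[A]", generate_variable(7, 10, "#?", "A"),
          ">= %.1f bits" % min_entropy_bits(7, "#?", "A"))
```

The numbers make the page's point and its limit visible: 'N*15' yields about 89 bits and 'K*12' about 79, both far beyond any brute-force budget, while the pronounceable 'WVWVVWV' pattern yields only about 22 bits, which a billion guesses per second exhausts in a fraction of a second.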

Protecting Your Passwords

All tactics for preventing crackers from discovering your password are wasted if someone can simply get hold of it. Your password is a key, and anyone who has the key can open every door it fits. Protecting your passwords is crucial. The problem with very strong passwords is that they are usually very hard to remember, and if you lose or forget one you will be stuck with information you have little hope of ever recovering: a 20-character password made up of mixed-case letters, symbols and numbers could take thousands of years to guess, even with a supercomputer. Don't allow yourself to be put in the position of regretting having chosen such strong security.

The way you store your passwords should depend on the threat. For example, if you are protecting files being transferred over the internet, either transfer them over a secure (https) connection or zip them up using the method described above, and never send the password in the same message as the file. As long as anyone intercepting the file along the way cannot get access to your computer, you can safely store the password there.

If you use Windows 2000 or XP, keep your passwords in a file encrypted by the Encrypting File System (EFS). You will then have easy access to them, but if someone breaks into your computer by resetting the Administrator password, they will not have access to any files encrypted under your original password, because your EFS key is itself protected by that password. We know this is true from our own experience, much to our dismay at the time! Two caveats: back up your EFS certificate and private key somewhere safe, or an administrative reset of your own password will lock you out just as thoroughly; and a configured recovery agent, or anyone who learns your password, can still open the files. Note from the "Password Crackers" article that the tools it describes for operating systems reset the password rather than recover it, which is exactly the attack EFS withstands.
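The EFS setup described above, as an added example that is not from the page: it encrypts the folder holding the password file, checks that the file really carries the Encrypted attribute (EFS is unavailable on FAT volumes and on Windows XP Home Edition, where the attribute would silently not be set), and backs up the EFS certificate and key so that a later password reset cannot lock you out. The folder, file name and sample entry are placeholders; cipher.exe /X exists on Windows XP SP2 and later, so on Windows 2000 export the certificate from the Certificates snap-in instead.

```powershell
# Added example: EFS-protect a passwords file and verify it. Paths are placeholders.
$folder = "$env:USERPROFILE\Documents\Private"
New-Item -ItemType Directory -Path $folder -Force | Out-Null

# Mark the folder encrypted; files created inside it afterwards are encrypted too.
cipher.exe /E "$folder"

# Write the password file inside the encrypted folder (constructed sample entry).
Set-Content -Path "$folder\passwords.txt" -Value "example-site: correct horse battery staple"

# Check: the file must carry the Encrypted attribute, or EFS is not protecting it.
$attrs = (Get-Item "$folder\passwords.txt").Attributes
if (-not ($attrs -band [IO.FileAttributes]::Encrypted)) {
    throw "passwords.txt is not EFS-encrypted (FAT volume or XP Home?)"
}

# Back up the EFS certificate and private key to a password-protected .pfx
# (XP SP2 and later). Keep the backup away from this machine: with it, a
# password reset does not cost you the file; without it, it does.
cipher.exe /X:"$env:USERPROFILE\efs-key-backup"
```

Remember that the backup .pfx is as sensitive as the password file itself: whoever holds it and its export password can decrypt everything under your EFS key.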

If you don't have an encrypting file system, use one of the file-protection programs available to protect your passwords file. You will probably need to protect this file with a password you can remember. Just don't make it one that can be easily guessed!

For important passwords that don't need to be used often, you can store them in a bank safe deposit box or somewhere else that is separate from the location of the data.

If you must use passwords that aren't really secure, change them often! Rotation helps only when a brute-force attack would take longer than the interval between changes; with luck, by the time an attacker succeeds you will have changed the password, and if they suspect or know that this is your policy they may not consider the attempt worthwhile. If you belong to an organization, make sure you have a password policy that requires passwords of sufficient length made up of letters, numbers and symbols. An attacker who knows you have such a policy is less likely to attack your passwords directly; their remaining hope is to steal them, so make sure you are protected that way as well.

The extent to which you have to take precautions depends on the value of the data you're protecting and the likelihood of someone else wanting to get hold of it. The more valuable it is, the more likely it is that someone out there would try to get it from you.

Recommended Software

I would like to introduce you to one of my favorite applications ever, which will not only store all your passwords in a secure way, but easily make them available for logging into all those web sites you have accounts with. Not only does it remember passwords, but any kind of information that you need to fill in on all kinds of web sites. Imagine being able to login to any of your web accounts with just one click! This application is a great time-saver and convenience for me - I can't imagine getting by without it! Let me introduce you to Roboform, a wonderful Internet browsing helper. Unlike other form-filling applications, this one doesn't fill your hard drive up with spyware and bombard you with ads - you'll find none of that here. I simply can't find anything negative to say about this program - you've got to try it if you haven't already! Just click on the image below to download your free trial. For more information visit the RoboForm web site.

RoboForm form filling software - download free trial

RoboForm integrates with Internet Explorer versions 4 to 6, any browser based on IE (AOL, MSN, NetCaptor, NeoPlanet, etc), and with Netscape 7 / Mozilla.
