While cryptographic algorithms are today uncrackable thanks to the multitude of possible keys, the passwords employed are the weak links in current encryption systems. For one thing, a human generally has to be able to remember the password; for another, it has to be entered, and other people or programs can eavesdrop while this takes place.
There are various ways of identifying a password:
Eavesdropping, spying, blackmail and trickery are all methods by which an attacker can obtain direct possession of a password. Technical measures provide protection only in isolated cases; here everything depends on the user being careful.
Guessing is possible as soon as the perpetrator knows the user well enough and the password was chosen without the required care. Typical mistakes here are using the names of partners, children or pets, or telephone numbers and birthdays, as passwords.
Trial and error. The German language, for example, covers approx. 300,000-500,000 words. The Duden dictionary includes 120,000 key words. The poet Goethe used some 80,000 words. A "normal" person uses a maximum of 10,000 words. The German popular newspaper Bild uses 1,500. If a simple word is chosen as a password, there is a high probability that it can be identified after a few hundred thousand attempts by simply working through all of these words, which is no problem for a computer.
The dictionary integrated into Steganos Safe compares the password you have chosen against over half a million entries and warns you if it is easily crackable. Approx. 0.3 seconds are required to check a password (P4 3GHz): in other words, three passwords a second. Thus if, for example, you use a word from the Bild newspaper, it can be identified in a maximum of 500 seconds, i.e. just over 9 minutes, if the perpetrator has the technical means to automate this process.
If any four characters (upper and lower case letters and numbers) are randomly combined, this results in over 14 million possibilities. A computer would need 57 days to try all of them. This can, however, be speeded up using faster or more computers. In the case of 8 random characters a computer would need more than 2 million years, and significant computing capacity would be required to reduce this to a more manageable period of time.
When selecting a password you should first take into consideration who you want to protect yourself from. If you want to protect your personal private secrets the password quality requirements will be lower than in a corporate setting, where data may possibly have to be protected from personnel with IT skills or from industrial spies. The requirements are, obviously, even higher if government agencies or secret services have to be prevented from gaining access to data.
There are various strategies for generating good passwords. The best one is to use a password generator to create a password that consists of a minimum of 10 characters; these in turn should be selected from at least 62 different characters (the upper and lower case characters of the German alphabet plus the numbers 0 through 9). The problem in this regard is, of course, remembering the password. Saving it or writing it down is only of limited help: even if you use a password manager you still need a secure password to access it, and the most secure password in the world is useless if it is written on a piece of paper lying next to the keyboard. If that is not the case, however, then a password manager provides an easy, secure method of creating and administering an unlimited number of highly secure passwords and, if desired, even of using them automatically.
Abbreviations for sentences are a good compromise between security and being able to remember. Afsaagcbsabatr would, for example, be the result of the previous sentence. The sentence should be chosen so that this also produces at least 10 characters. If, in addition to this, individual characters are replaced with numbers or special characters, e.g. 'E' with '8' (eight) or 'f' with '?' (question mark), this will result in a good password that is simple to remember.
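The brute-force arithmetic above (62-character alphabet, about three guesses per second) and the sentence-abbreviation method, worked through in an added example that is not part of Steganos Safe or of the original text; the tiny word list and the helper names are assumptions, and the sentence is the one used above:

```python
from __future__ import annotations
import math

# Figures taken from the text: 0.3 s per check on the cited P4 3 GHz
# (about three guesses per second) and a 62-character alphabet.
GUESSES_PER_SECOND = 3
ALPHABET_SIZE = 62                       # a-z, A-Z, 0-9
SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365 * SECONDS_PER_DAY

# Constructed stand-in for the half-million-entry dictionary mentioned above.
SAMPLE_WORDLIST = {"hallo", "sommer", "berlin", "passwort", "schatz"}


def search_space(length: int, alphabet: int = ALPHABET_SIZE) -> int:
    """Number of distinct passwords of `length` characters drawn from `alphabet` symbols."""
    return alphabet ** length


def entropy_bits(candidates: int) -> float:
    """Equivalent key length in bits for a uniformly chosen candidate."""
    return math.log2(candidates)


def seconds_to_exhaust(candidates: int, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate at `rate` guesses per second."""
    return candidates / rate


def in_wordlist(password: str, wordlist: set[str] = SAMPLE_WORDLIST) -> bool:
    """Dictionary check: a plain word falls after at most len(wordlist) tries."""
    return password.lower() in wordlist


def abbreviate(sentence: str, substitutions: dict[str, str] | None = None) -> str:
    """Take the first character of every word, then apply the character
    substitutions the text suggests (e.g. 'f' -> '?', 'E' -> '8')."""
    initials = "".join(word[0] for word in sentence.split())
    for old, new in (substitutions or {}).items():
        initials = initials.replace(old, new)
    return initials


if __name__ == "__main__":
    for n in (4, 8):
        space = search_space(n)
        secs = seconds_to_exhaust(space)
        print(f"{n} chars: {space:,} candidates, {entropy_bits(space):.1f} bits, "
              f"{secs / SECONDS_PER_DAY:,.0f} days / {secs / SECONDS_PER_YEAR:,.0f} years")
    sentence = "Abbreviations for sentences are a good compromise between security and being able to remember."
    print(abbreviate(sentence, {"E": "8", "f": "?"}), in_wordlist("hallo"))
```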