Archive for Tigerspike Innovation Lab
There have been many articles recently about passwords and how they are weak and are being compromised. And if your password isn’t safe then you could lose more than you think. Your identity, money in your bank accounts, etc etc. And no matter how strong the security is, if someone can guess your password, the front gate is open.
Hackers are getting access to a long list of passwords and guessing a large percentage of them. If you can guess the password you can reverse engineer the encryption that is protecting them.
If the password is 1 character long, then you have 101 guesses for a standard keyboard to guess every possible password (24 characters upper and lower case, the numbers 0 to 9 and all the symbols not including the F1, F2 etc.). “Guessing every possible password” is called a “brute force” attack.
You can see that brute force attacks get harder and harder as you add characters to your password. In fact only 3 characters in your password would increase the number of guesses from 101 to 999,900 (almost one million!). Six characters is 912,484,742,400 (almost one trillion!), and eight characters is 8,148,488,749,632,000 (over 8 quadrillion!). So the theory behind password strength is just make them longer and longer and it gets so hard to guess all possible combinations that hackers can’t do it because that would take too long. The problem is it isn’t that simple.
Hackers can crack them. This is because the passwords that you select are not as strong as a string of random characters, numbers and symbols. You are not a genius because you have thought of changing all the ‘O’ with the number ’0′ or the letter ‘a’ with the symbol ‘@’ or the letter ‘E’ with the number ’3′. So picking P@tri0ts is one of the common hacker guesses. There are many others like LukeIsAmazing123, P@55w0rd, 123456, qwerty, etc. You could choose a really long password like “Whereforeartthouromeo”. But even though thats 21 characters long its an english sentence that exists in the world so it is on the hackers guess list.
You would be surprised how many passwords you thought were strong are not.
I could go on, but the truth is that almost all passwords that humans pick are not strong. They are all picked based on some criteria that that criteria can be used to crack them. Have a look here for more information on this. Kaspersky’s solution is:
- Don’t use the same password for multiple sites. [Agree but then you have so many you forget them]
- Use long and strong passwords [but what is long and strong? - the answer is if you picked it, it is probably weak]
- Use a special password manager to store all your passwords in an encrypted form and don’t waste your time trying to memorize all of them. This way you can have unique, extremely complicated and strong passwords for each site without the risk of forgetting any of them. [yes as long as they really are long and strong in the first place - and actually the hassle of referring to and typing in the passwords will becoming annoying, so strong passwords you remember solve that issue as over time you will remember them]
So unfortunately there isn’t an easy answer to this. Long passwords of truly random numbers, characters, and symbols are impossible to remember. And anything easy to remember is weak. We haven’t got the perfect solution but we are one step closer. We have built a way for people to easily remember strong passwords.
The guys in our Future Technologies Division (part of the Tigerspike’s Innovation Lab) have used mathematics to know for sure what the bit strength is of words combined with other words. Our algorithms use the entire english language and know not just how rare a word is, but also how rare combinations of words are. And it knows the strength of those passwords.
This means we can have a password like NiceAuthorityElectronicBusiness and know (with mathematical certainty) it is as strong as six random characters, numbers, and symbols. So we have created an app that can create these passwords for you. Version 2 will have somewhere to save them just in case you forget.
There are many other pieces of the puzzle but the password piece, the front gate, is hopefully now more secure. Our app is called kPass and its free to download so if you want stronger passwords go check it out.
I was reading this article, and gained new respect for Sheryl who I rate pretty highly and the new guy at Yahoo. Spending almost $1bn on patents though, is just idiotic, but probably necessary given the way these things work.
I find these patent wars just ridiculous, and I find most of the patents just ridiculous too. Patenting a tap or a swipe? that is not innovation and doesn’t deserve a patent. One of Motorola’s was recently upheld and their innovation was to break up a message that was longer than 160 characters, sending it as two text messages and then re-assembling it at the other end. Sorry but that is not innovative. In my opinion you can’t patent things that are so obvious that any 10 year old can come up with them, but sadly that is what is happening.
Then the lawyers get involved and its easier and cheaper to settle the case rather than fight it. So even if you don’t infringe a patent you settle because its cheaper than proving that it isn’t infringed. This is what the so called “patent trolls” rely on. This is just wrong, and the problem is that in the USA you just can’t get anything done because trying to change something that everyone knows is wrong is like wading through mud.
We have recently filed a patent around a new way of doing encryption. Our thinking is genuinely unique and original, and it addresses a real need now that many encryption algorithms are being successfully hacked. And we will now share what we are doing so that other people can use it, and we may charge some licensing. That is what patents are for; to promote innovation by allowing genuine original ideas to be shared and those who come up with them to derive some benefit in exchange for sharing them.
What is happening now is Facebook etc. are buying patents so that they can bargain with Yahoo who sues them in order to put pressure on to do a deal. Hat off to Sheryl and Ross for sorting it out, but what they should have done is just do a business deal without the lawyer show or the $1bn price tag for the patents.
The worst is companies who buy patents and all they do is call lawyers and sue other companies who settle even if they are not infringing because it costs more to defend. This is so wrong and anyone who works for one of these patent troll companies should be ashamed of themselves.
I hear that congress is trying to change things and there are a few judges who rightly throw these things out, which is a start, but until then its still just the wrong thing to be doing. Why can’t companies just do the right thing?