Friday, August 2, 2013

How To Make Your Passwords NSA-Proof

Silent Circle has a password test – you don’t need to sign up to test a password in the upper right. Note that longer passphrases, even if they are only lower case characters, are tougher to crack than shorter passwords with all sorts of numbers and non-characters.

8 Character Randomized Password: T0u%p@s5 Time to crack: 14 minutes

17 Character Passphrase: rockwell is right Time to crack: 4 Days

26 Character Passphrase: The Country Is Not The Government!  Time to crack: centuries

Even with a passphrase take the extra security step and modify it with an algorithm you derive for every site. That way if a site is storing or transmitting passwords in cleartext (both big no-no’s but it happens), your password will not be known for all sites.

Example – starts with “a” the 1st letter in the alphabet, so my passphrase might become: 1The Country Is Not The Government!  Note that I pre-pended number 1 at the start of the passphrase. I’d recommend adding at least 2 characters via your algorithm.

Several readers of my blog post wrote to ask if the NSA doesn’t just have an end run around harder passwords for email. In short, they do, but mostly for US-based companies. The largest free email providers, Google, Yahoo!, and Microsoft are known to collaborate with the NSA and/or FBI, which means Hotmail, Yahoo! Mail, and Gmail are insecure despite your best passphrase. Hushmail, once considered a secure alternative, caved to the Feds over alleged drug running taking place via Hushmail accounts. If your 35 character passphrase is the moat to keep the NSA out, Gmail has the key to the backdoor and lets the NSA right in to directly read your email.

The solution is to get an email account hosted outside the US. Here are several paid alternatives: NeoMailBox (Swiss Based), CounterMail (Swedish) MailVault (Norway), and an excellent article discussing the pros and cons of each. If this is too much hassle, at least adopt passphrases to avoid the non-government criminals from taking over your email and other accounts. Imagine the damage a hacker could do with access to monitor, send forged email, then lock you out of your email account. It wouldn’t take much effort to get your SSN, address and birthday – from there it’s off to the races. “Oh, you need those retirement funds wired where?” If you think this is far fetched, count the number of times a year you get a frantic message from a friend not to open an email because their account was taken over.

Bottom Line: Consider an offshore email, but definitely make your passwords longer by using a passphrase rather than a shorter but “harder” password. Most sites will allow you to enter very long passphrases. Think of the minor investment in time versus the risk of identity theft, account takeover, and the extra time and resources for the government to snoop on you.
Please share this.

No comments: