Posted on Jun 30, 2010

How strong is your password?

For about a month, someone has been regularly attempting to hack my personal Google account. I can’t do anything to prevent them from trying to hack my Google account. My only defense is to have a good password.

To help me select a strong password, I found a handy website that estimates how long it would take for an average desktop computer to crack a password. It’s called www.howsecureismypassword.net.

How secure is my password?

I’m a system administrator and have a habit of maintaining strong passwords. Checking the strength of my Google password, I found it would take 238 quadrillion years for the average desktop computer to crack. Take that, you nefarious Google-account hacker!

How secure are most user passwords?

Curious, I decided to run some tests on other passwords using this tool. These tests slowly increased in complexity and length.

  • 0.0456976 seconds to crack “easy” (4 characters)
  • 10 seconds to crack “12340987” (8 numeric characters)
  • 13 minutes to crack “abcdefg” (8 lowercase characters)
  • 61 days to crack “AbcdEfgh” (8 mixed-case characters)
  • 252 days to crack “Abcd1234” (8 mixed-case alphanumeric characters)
  • 3 years to crack “Abc123!@” (8 C0mp!ex characters)
  • 17 thousand years to crack “Abcd1234!@” (10 C0mp!ex characters)
  • 100 million years to crack “Abcd1234!@#$” (12 C0mp!ex characters)
  • 42 trillion years to crack “Abcde12345!@#$%” (15 C0mp!ex characters)

Length Matters (at little cost)

Although complex characters help, password length provides the most value at very little cost (the time it takes for me to type a few more characters).

Let’s say that my password is 15 characters long, that I type 240 characters a minute (4 characters per second), and that I type my password 10 times a day. Knowing this, I can calculate that …

  • An 8 character C0mp!ex password would require 20 seconds of my time per day and would take 3 years to crack
  • A 12 character C0mp!ex password would require 30 seconds of my time per day and would take 100 million years to crack
  • A 16 character C0mp!ex password would require 40 seconds of my time per day and would take 3 quadrillion years to crack

Increasing a 15-character password to 16 characters would require 2.99800 × 10^15 more years to crack.
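The arithmetic behind the figures above, as an added example that is not from the original post or the website: exhaustive-search time is the alphabet size raised to the password length, divided by the guess rate. The rate of 10 million guesses per second is inferred from the “easy” figure, and the 13-symbol alphabet is an assumption fitted to the “C0mp!ex” results.

```python
import string

# Inferred from the "easy" figure above: 26**4 guesses / 0.0456976 s.
GUESSES_PER_SECOND = 10_000_000

# (characters, assumed alphabet size). The 13-symbol size is a fitted
# assumption: it gives a 75-character alphabet, which matches the
# "C0mp!ex" figures listed above.
CLASSES = [
    (string.ascii_lowercase, 26),
    (string.ascii_uppercase, 26),
    (string.digits, 10),
    (string.punctuation, 13),
]

def alphabet_size(password):
    """Add up the size of every character class the password draws from."""
    known = "".join(chars for chars, _ in CLASSES)
    if not password or any(c not in known for c in password):
        raise ValueError("empty password or character outside the modelled classes")
    return sum(size for chars, size in CLASSES
               if any(c in chars for c in password))

def crack_seconds(password):
    """Worst case for exhaustive search only: alphabet ** length / rate.
    Dictionary words and common patterns fall far faster than this."""
    return alphabet_size(password) ** len(password) / GUESSES_PER_SECOND

def humanize(seconds):
    """Truncate to the largest fitting whole unit (61.9 days -> 61 days)."""
    for name, span in [("years", 31_557_600), ("days", 86_400),
                       ("minutes", 60), ("seconds", 1)]:
        if seconds >= span:
            return f"{int(seconds // span):,} {name}"
    return f"{seconds:.7f} seconds"

if __name__ == "__main__":
    # Passwords taken from the list above.
    for pw in ["easy", "12340987", "abcdefg", "AbcdEfgh", "Abcd1234",
               "Abc123!@", "Abcd1234!@", "Abcd1234!@#$"]:
        print(f"{pw:>13}  alphabet={alphabet_size(pw):>2}  "
              f"{humanize(crack_seconds(pw))}")
    # Starting from "Abcd1234": two more characters versus adding symbols.
    base = crack_seconds("Abcd1234")
    print("two more characters:", round(crack_seconds("Abcd123456") / base), "x")
    print("symbols, same length:", round(crack_seconds("Abc123!@") / base, 1), "x")
```

Under this model, two extra characters multiply the search space by 3,844, while swapping in symbols at the same length multiplies it by about 4.6.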

How easy is it to crack most user passwords?

It’s rather easy if you have physical access to their computer. Tools like Ophcrack come as a live Linux CD with prepopulated rainbow tables and can crack user passwords without even installing any software.

Lesson

Add some complexity and length to your password to greatly improve its strength and the security of the systems your password is designed to protect.

Posted on Jun 29, 2010

Microsoft uninstalls its Windows Installer Cleanup utility (MSICUU2.exe)

On Friday, June 25, 2010, I pleasantly used this handy tool to fully uninstall a failed Adobe Reader 9.3.2 installation. To my surprise and great disappointment, the Windows Installer Cleanup utility (MSICUU2.exe) was discontinued over the weekend and is no longer available.

http://support.microsoft.com/kb/290301

“Notice: This article previously contained a link to the Windows Installer Cleanup utility (MSICUU2.exe). If you were directed to this article to solve a problem installing a product other than Microsoft Office, please contact your software manufacturer for installation support on the product.”

Naturally, many third-party software manufacturers relied on the Windows Installer Cleanup utility to clean up their own mess. I sure wish I had retained a copy of MSICUU2.exe, for it would come in handy today and likely many more times in the future.

Posted on Jun 20, 2010

Documentary on hand-painted advertisements

“Up There” is a 10 minute documentary about large hand-painted advertisements that appear on the sides of buildings.

Not only is it well shot, it illustrates how painted advertisements are a dying breed — all but replaced by printed advertisements and huge vinyl canvases.

I like this quote: “They can’t print what we paint. They print in pixels using lots of tiny dots. Yellow and blue dots look like green. We paint green.”

Posted on Jun 19, 2010

How to cook bacon in a griddle

I know someone who says that you cannot cook bacon in a griddle with the lid closed. Ahem, I think this video shows otherwise. Hmmm…bacon.

Posted on Jun 8, 2010

Repeating Google Password Assistance notifications

Going on two weeks now, I am regularly receiving notifications from Google regarding password assistance and account recovery. I receive these notifications every two or three days in the forms of both email and SMS text messages.

Email Message

from: account-recovery-noreply@google.com
to: my-email-address
date: Mon, Jun 7, 2010 at 6:36 PM
subject: Google Password Assistance
signed-by: google.com

To initiate the password reset process for your my-email-address Google Account, click the link below:

https://www.google.com/accounts/RP?c=some-value&hl=en

If clicking the link above doesn’t work, please copy and paste the URL in a new browser window instead.

If you’ve received this mail in error, it’s likely that another user entered your email address by mistake while trying to reset a password. If you didn’t initiate the request, you don’t need to take any further action and can safely disregard this email.

Thank you for using Google.

For questions or concerns about your account, please visit the Google Accounts Help Center at http://www.google.com/support/accounts/

This is a post-only mailing. Replies to this message are not monitored or answered.

SMS Message

Your Google Account recovery code is: some-numeric-code. If you did not request this code, you can safely ignore this message.

I was mildly concerned when I received the first Google Password Assistance notification. It was certainly possible that someone mistakenly entered my Google username instead of their own and eventually clicked on the password recovery link.

As a precaution, I went ahead and changed my Google account password, making it longer and even more complex than before. Not only did I feel better, changing my account password is something I should do more regularly anyway.

Unfortunately, this wasn’t a one-time mistake. Now that I’ve received six notifications in the past two weeks, I’m concerned that someone is actively attempting to hack, guess, phish, or otherwise gain control of my Google account.

I visited Google’s Help Desk on this topic, which wrote:

The Gmail Team isn’t able to provide you with information about attempted logins including, but not limited to, the IP address from which the attempted login was made, and the time and date attempted logins occurred.

Unfortunately, it appears there’s nothing more that I can do to better protect myself than to simply change my password. I feel helpless.

It’s like coming home every day and seeing evidence that someone attempted to break into your house. Perhaps you’d find their lock-picking tools on your front doorstep one day and their fingerprints on your sliding glass door the next day. But until you find evidence that the burglar was in your living room, no crime has been committed.

I understand Google’s plight. I’m sure thousands of users forget their passwords every day. If Google didn’t have a highly engineered and automated self-help password recovery process, they wouldn’t be able to keep up with these requests in an affordable way.

But I still feel hopeless. It would be nice if Google provided a way for me to report this suspicious activity and perhaps temporarily raise the security level of my account.

Google should create a “fraud alert” feature that a user could place on their own account much the same way we can do for our credit reports.

During my Google “fraud alert” period, perhaps my account would require two levels of authentication (two passwords, password and a text message code, etc.) or access would be limited to a small range of IP addresses that historically access my account.

Just about any added measure of security would make me feel better and more secure.