Pass the Word

posted by on 17th January 2009, at 7:55pm | 3 Comments

How many of you have read the news post Jagex posted on January 9th? Only that many of you? I thought more would’ve since it’s about a subject which most people take very (if not extremely) seriously.


This news post centered mostly about passwords.

“Ohhh no! You can’t talk about pa-“

Yes, I can. Now where was I? Oh yes, password security.

Jagex said that they’ve found that many accounts are using extremely common alphanumerical sequences (usually words) which could be guessed quite easily by almost anyone. These kinds of passwords make accounts extremely insecure and easy to hack.

Just because trading has been halted (mostly, at least) and you have a bank PIN doesn’t mean your items are safe. There are many reasons why someone might hack an account:

To get revenge (either by dropping all items or by getting the character banned)
To be purely mean (either by dropping items, breaking rules in an attempt to get the account banned, or otherwise ruining the account)
Petty theft (usually by ‘smuggling’ or ‘trickling’ cash through trade over time)

Though bank PINs do add a fair bit of security to your bank, they don’t protect your account. Passwords are the only way to ensure your account’s safety. Unfortunately, the only way to keep prevent anyone from hacking your RuneScape account is to not have one. However, since many of us have been seduced by the Dark Side into playing the horrible addiction known as RuneScape we must find a way to keep our precious valuables safe.

Here’s a quote from Wikipedia:

“Despite the name, there is no need for passwords to be actual words; indeed passwords which are not actual words may be harder to guess, a desirable property.”

Indeed, this is quite true. Some of the safest passwords use alphanumerical (letters and numbers) sequences. Some such as 19john90 would be safer than john or 1990. However the reason this password would be insecure is because it uses a name and a birth date, both of which are usually known by many people. It’s not uncommon for someone to give off there first name over the internet. This builds an acquaintanceship into a friendship. A birth date might be given off when someone throws a birth day party. The day and month would be known however the precise year is usually not said. Though the lack of year of birth is good, if the age they’re turning is known then somebody can easily figure out the precise day, month, and year of birth.

Ideally you want a password to be both memorable and hard to guess. Memorability usually isn’t much of a problem since once you’ve been typing a password for a week or so you’ll have memorized it and also memorized the key sequence which your hands have been doing.

The hard part about a password is constructing it. Many people feel that number sequences are sufficient for passwords. The only good part about number passwords is that they can be typed very fast with the use of one hand and up to ten keys. Alphabetical passwords are probably the most common as they consist of the twenty-six letters in the alphabet. Hundreds of thousands (if not millions) of sequences can be made from them, however they are still not the best.

The reason an alphabet only or number only password is not good is because it only uses one type character. When you combine the two (creating alphanumerical) to create a password you get a pretty strong password. If the site your using allows it, the use of special characters is also good. Special characters are the characters above the numbers (!@#$%^&*()) and the characters `~ and the characters to the right of the alphabetical characters. Combining these characters with alphabetical and numerical characters creates some of the strongest passwords.

Another important aspect of passwords is their length. For every character in a password the amount of possibilities is squared. That is, the amount of possibilities that it would take to brute force a password is squared. A two character password which only used alphanumerical characters would have about 1,296 possibilities. This means that a brute force program would have to try about 648 two character sequences before it would get the right one.

If the password was lengthened to four alphanumerical characters and capital alphabetical characters were allowed then the possibilities would be 14,776,336 (14.7 million). This would require a brute force program to try about 7,388,168 (7.3 million) character sequences before it found the right one.

If the password was eight characters long and allowed the use of all the special symbols, Alphanumerical, and capital letters than the possibilities would be 6,095,689,385,410,816 (6 quadrillion). The average amount of character sequences a brute force program would have to try before finding the correct sequence is 3,047,844,692,705,408 (3 quadrillion).

According to Wikipedia, there was a program in 2006 called Password Recovery Toolkit which was capable of testing 200,000 passwords per second.

In order to hack the above, eight character long, special and alphanumerical, with capital letters password this program could take up to:

30,478,446,927,054.08 seconds (30.4 trillion)
507,974,115,450.9013 minutes (507.9 billion)
8,466,235,257.52 hours (8.4 billion)
352,759,802.40 days (352.7 million)
50,394,257.49 weeks (50.3 million)
12,598,564.37 months (12.5 million)
969,120.34 years (969.1 thousand)
96,912.03 decades (96.9 thousand)
9,691.20 centuries (9.6 thousand)
969.12 millennium (969 hundred)

Fairly long time, eh? The average time it would take is half of what I listed (about 484,560 years). This is based off of 94 possible characters per character quantity. 26 lowercase and 26 uppercase letters, 10 numbers (1,2,3,4,5,6,7,8,9,0), and 32 other special characters. Some of the special characters I’m using are not allowed in every password field so the possibilities would usually be lower.

When special characters are allowed they are usually only the 10 above the number line (!@#$%^&*()). Becareful when using special characters. One time I reset a yahoo password to a 20 (or longer, I don’t remember) password which consisted of upper and lower case alphabetical letters, numbers, and all types of special characters (including ) and spaces. Lesson learned, I could never get into that account again (thankfully I had made it fairly recently so I didn’t have anything being mailed to it).

So, let’s review what a good password should have:

Eight or longer; It should contain at least eight characters, though more is better. Too many could make it hard to remember, so becareful.
Contain upper and lower case alphabetical letters; These would be the following 52 letters: Aa, Bb, Cc, Dd, Ee, Ff, Gg, Hh, Ii, Jj, Kk, Ll, Mm, Nn, Oo, Pp, Qq, Rr, Ss, Tt, Uu, Vv, Ww, Xx, Yy, Zz.
Contain numbers; That would be: 1, 2, 3, 4, 5, 6, 7, 8, 9, 0.
Contain special characters; If the place you’re using the password for allows it, you should use some of the following: !, @, #, $, %, ^, &, *, (, ). Some places also recognize the following: `, ~, _, -, =, +, [, {, ], }, ;, :, ‘, “, , /, ?, |, \.
No Dictionary words; Dictionary words severely weaken a password because they’re publicly known.
No names; Especially don’t use your name, your best friend’s or your girl/boy friend’s names as chances are alot of people who know about the account this password belongs will also known about them.
No Prominent dates; Such as your birthday, Anniversary, or other dates which may be known to many people. Some such as when you got your first pet or when they died might be suitable, but make sure to have more than just numbers with it.

Most of all you want a password to be memorable by you. It does you a whole lot of good (sarcasm) when your password is so strong that it keeps you out!

If you do choose to use a word or date such as peter8587annie then you should replace some characters with capital versions such as PeTeR8587aNnIe. It takes a bit more time to type but is safer. If the place your using this password for allows special characters then it would be wise to supplement them instead of normal characters, such as P3t3R8587@nN!e. If people who knew your birth date and (in this case) your girlfriend’s then you’d want to switch them around, like this 87P3t3R@nN!e85 or this 5P3t3R88@nN!e7.

Some sites offer a gauge which says what strength they think your password is. I’ve had some sites say a password was very strong and some said the same password was extremely weak. Or either right or wrong? Maybe. Nothing can say whether or not your password will keep your account safe, it can only state the chances of it staying safe.

Do you think your account is safe? Just because you have a password doesn’t mean your safe. On the other hand, someone with a 20 character long password which uses all the types of characters that I’ve mentioned isn’t necessarily ‘safe’ either.

An easy, proven security measure is to not make enemies. The fewer people who have reason to hurt you the lower the chances of being hacked. A good virus and firewall program can also help prevent keyloggers.

Be safe, be courteous, and most of all, think first (sounds like driving instructions, doesn’t it?).