Open sesame: the untold dark side of passwords.

Author: Russell, Larry E.
Position: Security Tips

'Speak Friend and Enter,' posted over a door to a mithril mine, is a line out of a popular J.R.R. Tolkien novel. It was thought to be a clue to a very cryptic pass code, but in fact it was the pass code. Wonder how amused Tolkien would be, 70 years later, at our sticky note passwords? Amused, no; horrified, yes.

I have one word for those of you using common names, birthdates, passwords less than eight characters, not mixing upper and lower case letters, not including numbers or special characters or not changing passwords at least every 90 days: Stop.

Consider my recent experience. I received a QuickBooks Enterprise 2012 data file from a CPA firm regarding one of its clients under litigation. The CPA expected to be contacted for the password to a non-administrative user account with restricted access. Unfortunately for him--and his client--within 15 minutes after receiving his "very secure" QB data file, the QB admin account was unlocked thanks to Passware, a $49 password cracking utility available (www.lostpassword.com). I logged in as administrator, attached my QODBC driver and documented how this CPA and client had been cooking the books.

Who Needs Passwords?

Similar applications will crack Excel, Word, Acrobat, BestCrypt, Mac OS, Win 95 (ver. 8), SQL Server 2000 (ver. 2013 Peachtree), Quicken, PDE TrueCrypt and UNIX OS--along with 200 other common file formats. For less than $200 you can buy utilities to crack almost anything that protects stored data on PCs, Macs, servers or memory devices, along with passwords from routers, email accounts and websites.

Passwords stored in Outlook email files (PST and OST), Windows system registries and web browsers can be quickly compromised regardless of how complex they are. Tip: never store a website password in a browser under "Keep me logged in" or "Remember this password." Recovery utilities translate these encrypted passwords into clear text within seconds.

Also, do not store passwords in a protected Excel or other Microsoft Office document. Microsoft has improved its Office file security, but these files still can be hacked if passwords are not strong enough, and the cracking is aided by similar passwords taken from your browsers, system registries and email files.

How Complex a Password?

Websites like http://howsecureismypassword.net can test the strength of your passwords. Figure 1 shows examples of time requirements to crack a range of complex passwords using a standard office PC. Any password requiring more than a year...
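
An added example (not part of the original article) that checks a password against the rules listed earlier and estimates a worst-case brute-force time of the kind Figure 1 reports. The guess rate, the word list and the function names are assumptions; the article's own Figure 1 values are not reproduced.

```python
import re
import string

GUESSES_PER_SECOND = 1e9  # assumption: offline guess rate, not a figure from the article
SECONDS_PER_YEAR = 365 * 24 * 3600
MAX_AGE_DAYS = 90
# Constructed sample; a real audit would load a full list of names and common passwords.
COMMON_WORDS = {"password", "letmein", "qwerty", "friend", "john", "mary"}
DATE_LIKE = re.compile(r"(19|20)\d{2}|\d{6,8}")  # a year, or a run such as 070485

def char_classes(pw):
    """Return which character classes the password uses."""
    return {
        "lower": any(c in string.ascii_lowercase for c in pw),
        "upper": any(c in string.ascii_uppercase for c in pw),
        "digit": any(c in string.digits for c in pw),
        "special": any(c not in string.ascii_letters + string.digits for c in pw),
    }

def brute_force_years(pw):
    """Worst-case years to try every password of this length and alphabet."""
    sizes = {"lower": 26, "upper": 26, "digit": 10, "special": len(string.punctuation)}
    alphabet = sum(sizes[k] for k, used in char_classes(pw).items() if used)
    try:
        return alphabet ** len(pw) / GUESSES_PER_SECOND / SECONDS_PER_YEAR
    except OverflowError:  # very long passwords exceed float range
        return float("inf")

def audit(pw, age_days=0):
    """Return the list of rules from the article that the password breaks."""
    findings = []
    classes = char_classes(pw)
    if len(pw) < 8:
        findings.append("shorter than eight characters")
    if not (classes["lower"] and classes["upper"]):
        findings.append("does not mix upper and lower case")
    if not classes["digit"]:
        findings.append("no numbers")
    if not classes["special"]:
        findings.append("no special characters")
    if any(word in pw.lower() for word in COMMON_WORDS):
        findings.append("contains a common name or word")
    if DATE_LIKE.search(pw):
        findings.append("contains a date-like number")
    if age_days > MAX_AGE_DAYS:
        findings.append("older than 90 days")
    return findings
```

The brute-force figure is an upper bound: a password built on a common word or a date falls to a dictionary attack far sooner, which is why the audit flags those separately.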
