Mac Doc News – Winter ’23
Wow, I can’t believe it’s been almost a year since I last posted. I’ll just say that I’ve not been sitting around eating bonbons! 😂
The big news for the new year is that I’ve decided I need to raise my hourly rate for the first time since 2010. I chose $40/hr when I started out more than 20 years ago, partly because I didn’t go to school to learn how to do what I do (so it’s not like I had student debt), and though I knew that most computer techs charge something closer to $100/hr (or more), I wanted to be more affordable for the average person. A few years later I went to $50/hr, then settled on $60/hr in 2010. Now, particularly given how much more time I have to spend trying to keep up on all aspects of the tech world, combined with inflation’s impact on everything, I’ve decided to go to $80/hr. I hope you all can understand.
As for a tech tip for you all, I’ve been spending a lot of time researching the latest research on password protocols, and it’s pretty eye-opening. I’m not sure if you’ve heard, but LastPass suffered another huge breach earlier this year, and as they’ve been digging into what happened, it sounds like it’s even worse than they first though. You can read more here.
I get a lot of great information from a tech forum called TidBITS Talk, and recently there’s been a long thread discussing the latest recommendations for password generation. Much of the following is from a post there by user David C. (edited for clarity and brevity):
For many years we’ve been told to use a minimum of 8-characters for our passwords. But check out these facts about passwords of that length, created from some combo of the ‘big four’ character sets (lower case letters, upper case letters, numbers and symbols):
- A numbers-only password can be found in 108 (100 million) attempts. If an attacker’s computer can try 1 million per second, it will be cracked in at most 100 seconds (about 1.5 minutes) and on average, half that (50 seconds). If the attacker can try 1 billion per second, it will be cracked in a tenth of a second.
- A single-case letters-only password can be found in 268 (208 billion) attempts. At 1 million per second, this means it can be cracked in at most about 58 hours (about 2.5 days) and on average, half that (29 hours). An attacker that can try a billion per second will find it in at most 209 seconds (3.5 minutes)
- A letters-only password with both cases can be found in 528 (53 trillion) attempts. At 1 million per second, this means it can be cracked in at most 618 days (1.7 years) and on average half that (310 days) but an attacker that can try a billion per second will find it in at most 15 hours.
- A password using all four categories can be found in 958 (6.6 quadrillion) attempts. At 1 million per second, this means it can be cracked in at most 210 years, but an attacker that can try a billion per seond will find it in at most 77 days.
Which is why you want to use passwords from all four categories – because it forces a brute-force search into the maximum-size search space.
In actuality, it will take even longer, because the hacking software probably won’t start out using the full character set and an 8-character length. It will probably (based on my own attempts to crack a Windows password with an open source tool) start out trying a minimum-length password with digits-only, then with upper-case-only, then lower-case-only, then mixed-case, then mixed-case-with-digits, then the full character set. Then repeat all of the above for one character longer, etc.
So, if you should increase the length from 8 to 9 characters, a brute force attack is going to require the maximum time to search all lengths from the minimum up to 8, plus…
- Numbers-only is now 109 (1 billion) combinations. Our billion-per-second attack now takes 1s. Still trivial, but 10x longer than before.
- Single-case letters are now 269 (5.4 trillion) combinations. Our billion-per-second attack now takes 26x longer (90 minutes)
- Multi-case letters now has 529 (2.7 quadrillion) combinations. Our billion-per-second attack now takes 52x longer (32 days)
- Four-category passwords now have 959 (6.3 x 1017 = 630 quintillion) combinations. Our billion-per-second attack takes 95x longer (20 years).
And for each character you add, you multiply the above times by 10, 26, 52 and 95, respectively.
So, if you were to go to 20 characters, the time required will be the maximum time to try all lengths from the minimum up to 19 characters, plus:
- Numbers-only will have 1020 combinations, making a billion-per-second attack take over 3000 years, even that simple 10-character search space.
- Single-case letters will now have 2620 (about 2 x 1028) combinations. A billion-per-second attack will take up to 630 billion years.
- Multi-case letters will now have 5220 (about 2 x 1034) combinations, making a billion-per-second attack take up to 6.6 x 1017 years.
- Four-category passwords will now have 9520 (about 3.6 x 1039) combinations, making a billion-per-second attack take up to 1.1 x 1023 years.
And this is why you want to use a long password with characters from all four categories. It forces the brute-force algorithms to try so many combinations that even a huge network of password-cracking servers will not be able to find it within a useful amount of time. Nobody is going to bother taking that much time unless the data they’re trying to get is world-alteringly sensitive.
[Many thanks to David C. for all that amazing background on the math of password cracking.]
Now I hear you all asking “how the heck am I supposed to create a 20+ character password that I can transcribe without driving myself crazy!” Well, the secret is that we don’t need to create totally random combinations of upper and lower case letters, numbers as symbols anymore! After reading the thread referenced above, I was pleased to see that what I’ve been recommending for about the last year is exactly what the experts recommend! And that is, choose three to five random words, capitalize each, and sprinkle in a couple numbers and symbols. Voilá! You’ve got a virtually uncrackable password!!
Some examples:
TacoGerbilCactusMartini75&#
Marmot4Potsticker8Stagecoach%+
CicelyFreightHaroldSidewalk@3*6 [This one demonstrating that you can use uncommon names too]
The essential thing to remember is that the word combos need to be truly random. Another poster on that thread pointed out that we tend to be very bad at choosing random words, so when you’re doing this, make an effort to have your word choices be as random as possible. For example, you might think that this one would be good:
NowIsTheTimeForAllGoodMen89$^ [you could even add spaces to make it longer]
Unfortunately, the hackers have created things called “Rainbow Tables” that include tons of common lines of poetry, song lyrics, book titles, etc, and if your password includes one of those it makes it much easier for it to be cracked.
I know, this is all really crazy, but seriously, if you make a concerted effort to use unique passwords for all your critical website accounts (ones that contain financial information or personal info that could be used to try and steal your identity), then write them down, it’s really not hard to look up your Amazon password and transcribe it when it’s “TacoGerbilCactusMartini75&#”, and not “k3^oJnbfGR5uYrE3*e09@wERpd2”, right?? [Yes, those are both 27-character passwords.]
Okay, then the next question is “how should I store my passwords?” It’s obvious that no one can remember all these passwords, especially if they’re unique for every site, as they should be. That’s why they created password managers! My favorite is 1Password, though it’s not at all simple to get set up. Apple has come a long way toward having a built-in password manager, and it’s getting better all the time. I really don’t like the supposed “strong” passwords they always suggest, but at least you’re not obligated to use them. Several of you use Keeper and seem to like it. (If you’re one of the unlucky users of LastPass, as the article I shared above says, it’s probably time to switch to something else! 😩)
So what if you’re one of those people who like to keep them all on paper? I recommend buying yourself one of those smallish address books with alphabetic tabs, and putting all your passwords in there alphabetically, so they’re easy to find. Put Amazon and Apple under A, Gmail under G, etc. The side benefit is that each entry space in those things has at least 3 or 4 lines for a complete mailing address, so there’s plenty of room to update the password as time goes by.
Lastly, another great option is to keep them in a file on your computer, in something like Notes, Pages, Word or Excel, and then put a ‘master password’ on that document. If you’re an all-Apple device person, Notes and Pages are great options, because they have a very simple technique for password protecting the entries. In Notes, it’s an icon in the toolbar of the Mac version, and on your iPhone or iPad it’s found in the Share menu. On your Mac, Pages offers a “Set Password…” command in the File menu whenever you have a document open. In general, as you can imagine, it’s easier to create one of these documents on your Mac, then share it to your phone and/or iPad via the Files app or just via the built-in syncing of the Notes app.
Whew! This is a lot, I know, but it’s such an important topic, and it seems to just get more critical as time goes on. Hopefully we’ll eventually get an alternative to passwords (perhaps retinal scanning or physical security keys) but until then, it’s definitely time to up your password game if you want to stay ahead of all those hackers out there.
Cheers to 2023; may you all have a spectacular year!