Archive for Web Applications

How strong is your password?

Posted Wednesday, June 30th, 2010 at 3:59 pm

For about a month, someone has been regularly attempting to hack my personal Google account. I can’t do anything to prevent them from trying to hack my Google account. My only defense is to have a good password.

To help me select a strong password, I found a handy website that estimates how long it would take for an average desktop computer to crack a password. It’s called www.howsecureismypassword.net.


How secure is my password?

I’m a system administrator and have a habit of maintaining strong passwords. Checking the strength of my Google password, I found it would take 238 quadrillion years for the average desktop computer to crack. Take that you nefarious Google-account hacker!

How secure are most user passwords?

Curious, I decided to run some tests on other passwords using this tool. These tests slowly increased complexity and length.

  • 0.0456976 seconds to crack “easy” (4 characters)
  • 10 seconds to crack “12340987” (8 numeric characters)
  • 13 minutes to crack “abcdefg” (8 lowercase characters)
  • 61 days to crack “AbcdEfgh” (8 mixed-case characters)
  • 252 days to crack “Abcd1234” (8 mixed-case alphanumeric characters)
  • 3 years to crack “Abc123!@” (8 C0mp!ex characters)
  • 17 thousand years to crack “Abcd1234!@” (10 C0mp!ex characters)
  • 100 million years to crack “Abcd1234!@#$” (12 C0mp!ex characters)
  • 42 trillion years to crack “Abcde12345!@#$%” (15 C0mp!ex characters)

Length Matters (at little cost)

Although complex characters help, password length provides the most value at very little cost (the time it takes for me to type a few more characters).

Let’s say that my password is 15 characters long, that I type 240 characters a minute (4 characters per second), and that I type my password 10 times a day. Knowing this, I can calculate that …

  • An 8 character C0mp!ex password would require 20 seconds of my time per day and would take 3 years to crack
  • A 12 character C0mp!ex password would require 30 seconds of my time per day and would take 100 million years to crack
  • A 16 character C0mp!ex password would require 40 seconds of my time per day and would take 3 quadrillion years to crack

Increasing a 15-character password to 16 characters would require 2.99800 × 10^15 more years to crack.
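The arithmetic behind the lists above, as an added Python example (this is not the post's own code, nor the model used by howsecureismypassword.net): it computes the keyspace an exhaustive search must cover for each character class and length, the worst-case time to search it at an assumed guess rate, and the daily typing cost using the post's figures of 4 characters per second and 10 logins per day. The GUESSES_PER_SECOND constant is an assumption, since the tool does not publish its rate; the character-class sizes are the standard ASCII counts.

```python
"""Brute-force keyspace model behind the "length matters" argument."""
import math
import string

# Alphabet sizes for the character classes used in the post's tests.
ALPHABETS = {
    "numeric": len(string.digits),                                          # 10
    "lowercase": len(string.ascii_lowercase),                               # 26
    "mixed-case": len(string.ascii_letters),                                # 52
    "mixed-case alphanumeric": len(string.ascii_letters + string.digits),   # 62
    "complex": len(string.ascii_letters + string.digits + string.punctuation),  # 94
}

# ASSUMPTION: the attacker's guess rate. The post's web tool does not publish
# its rate, so this constant is a placeholder, not the tool's figure.
GUESSES_PER_SECOND = 1e9

SECONDS_PER_YEAR = 365.25 * 86400


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidate passwords an exhaustive search must cover."""
    return alphabet_size ** length


def seconds_to_exhaust(alphabet_size: int, length: int,
                       rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate at `rate` guesses per second."""
    return keyspace(alphabet_size, length) / rate


def typing_cost_seconds_per_day(length: int, chars_per_second: float = 4,
                                logins_per_day: int = 10) -> float:
    """Daily cost of a password under the post's 4 chars/sec, 10 logins/day model."""
    return length / chars_per_second * logins_per_day


def lowercase_length_matching(alphabet_size: int, length: int,
                              target_alphabet: int = 26) -> int:
    """Shortest password over `target_alphabet` with at least the same keyspace.

    Solves target_alphabet ** n >= alphabet_size ** length for the smallest n.
    """
    return math.ceil(length * math.log(alphabet_size) / math.log(target_alphabet))


def human_duration(seconds: float) -> str:
    """Render seconds in the largest sensible unit, three significant figures."""
    for name, size in (("years", SECONDS_PER_YEAR), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.3g} {name}"
    return f"{seconds:.3g} seconds"


def report(lengths=(8, 10, 12, 15, 16)):
    """Print crack time for every class/length pair plus the daily typing cost."""
    print(f"{'class':<25} {'len':>3} {'keyspace':>10} {'exhaustive search':>20}")
    for name, size in ALPHABETS.items():
        for length in lengths:
            print(f"{name:<25} {length:>3} {keyspace(size, length):>10.2e} "
                  f"{human_duration(seconds_to_exhaust(size, length)):>20}")
    print()
    for length in lengths:
        print(f"{length}-char password costs "
              f"{typing_cost_seconds_per_day(length):.0f} s of typing per day")
    # Each extra character multiplies the search by the alphabet size, so one
    # more symbol in a complex (94-character) password is worth a factor of 94.
    factor = seconds_to_exhaust(94, 16) / seconds_to_exhaust(94, 15)
    print(f"\n15 -> 16 complex characters multiplies search time by {factor:.0f}")


if __name__ == "__main__":
    report()
```

Two things the table makes visible that the post's list only hints at: every additional character multiplies the search by the whole alphabet size, whereas widening the alphabet only multiplies each existing position by a smaller ratio, and an 8-character complex password is matched by a 12-character all-lowercase one. The model is an upper bound: it assumes the attacker must try every candidate, so a password built from a dictionary word or keyboard pattern falls far sooner than its keyspace suggests.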

How easy is it to crack most user passwords?

It’s rather easy if you have physical access to their computer. Tools like Ophcrack come as a live Linux CD with prepopulated rainbow tables and can crack user passwords without even installing any software.

Lesson

Add some complexity and length to your password to greatly improve its strength and the security of the systems your password is designed to protect.

Repeating Google Password Assistance notifications

Posted Tuesday, June 8th, 2010 at 8:13 pm

Going on two weeks now, I am regularly receiving notifications from Google regarding password assistance and account recovery. I receive these notifications every two or three days in the form of both email and SMS text messages.

Email Message

from: account-recovery-noreply@google.com
to: my-email-address
date: Mon, Jun 7, 2010 at 6:36 PM
subject: Google Password Assistance
signed-by google.com

To initiate the password reset process for your my-email-address Google Account, click the link below:

https://www.google.com/accounts/RP?c=some-value&hl=en

If clicking the link above doesn’t work, please copy and paste the URL in a new browser window instead.

If you’ve received this mail in error, it’s likely that another user entered your email address by mistake while trying to reset a password. If you didn’t initiate the request, you don’t need to take any further action and can safely disregard this email.

Thank you for using Google.

For questions or concerns about your account, please visit the Google Accounts Help Center at http://www.google.com/support/accounts/

This is a post-only mailing. Replies to this message are not monitored or answered.

SMS Message

Your Google Account recovery code is: some-numeric-code. If you did not request this code, you can safely ignore this message.

I was mildly concerned when I received the first Google Password Assistance notification. It was certainly possible that someone mistakenly entered my Google username instead of their own and eventually clicked on the password recovery link.

As a precaution, I went ahead and changed my Google account password, making it longer and even more complex than before. Not only did I feel better, changing my account password is something I should do more regularly anyway.

Unfortunately, this wasn’t a one-time mistake. Now that I’ve received six notifications in the past two weeks, I’m concerned that someone is actively attempting to hack, guess, phish, or otherwise gain control of my Google account.

I visited Google’s Help Desk on this topic, which wrote:

The Gmail Team isn’t able to provide you with information about attempted logins including, but not limited to, the IP address from which the attempted login was made, and the time and date attempted logins occurred.

Unfortunately, it appears there’s nothing more that I can do to better protect myself than to simply change my password. I feel helpless.

It’s like coming home every day and seeing evidence that someone attempted to break into your house. Perhaps you’d find their lock-picking tools on your front doorstep one day and their fingerprints on your sliding glass door the next day. But until you find evidence that the burglar was in your living room, no crime has been committed.

I understand Google’s plight. I’m sure thousands of users forget their passwords every day. If Google didn’t have a highly engineered and automated self-help password recovery process, they wouldn’t be able to keep up with these requests in an affordable way.

But I still feel hopeless. It would be nice if Google provided a way for me to report this suspicious activity and perhaps temporarily raise the security level of my account.

Google should create a “fraud alert” feature that a user could place on their own account, much the same way we can do for our credit reports.

During my Google “fraud alert” period, perhaps my account would require two levels of authentication (two passwords, password and a text message code, etc.) or access would be limited to a small range of IP addresses that historically access my account.

Just about any added measure of security would make me feel better and more secure.

Google’s new approach to China

Posted Wednesday, January 13th, 2010 at 12:42 am

When I read Google’s blog posting entitled “A new approach to China,” I thought of the famous “Tank Man” image — the 1989 photo of a single man standing up to four tanks in Beijing’s Tiananmen Square.

While Google is much larger than a single man, it still doesn’t have any tanks. I swapped out a Google map marker and came up with this image.


China has such a huge population that it seems to me that too many companies make too many concessions with the Chinese government in order to conduct business in their country. Today, Google said no more. It’s no longer going to filter and censor its search engine results — even if it means they are no longer welcome to provide services to the Chinese.

Received my Google Wave invite

Posted Monday, October 26th, 2009 at 7:42 am

I received my Google Wave invite while I was away on my honeymoon.

While it is nice to have access to the tool, it would be more useful if I could send invitations to coworkers and friends so I could actually have a reason to try it out. I have five contacts, but none whom I work with regularly. Perhaps Google will soon permit users to invite others much the same way they did when Gmail launched.


Do you have a Google Wave account? If so, let me know and we can give it a spin.

How to access your Gmail via IMAP

Posted Tuesday, September 1st, 2009 at 3:40 pm

Desperate to access your Gmail during today’s outage? Consider accessing your Gmail via the IMAP protocol. Here are instructions on how to configure IMAP for various clients. Unfortunately, you will need to have enabled IMAP access first, which can only be done via Gmail Settings.