Sonatype’s writing more and more about security as a part of our launch of the Sonatype Insight service, and while not directly related to our product, I wanted to let people know about a tool I’ve found that could be useful when you are evaluating password security. Passwords are an unavoidable reality these days: not everything can be based on SSH and GPG keys, and systems like Nexus and Insight often require users to select a password.
I tend to favor passphrases over passwords for this reason (they are much harder to crack). There's nothing more annoying than a site/app that forces me to make up a 'strong' password that is 8+ characters, digits, special characters, and spaces, rather than letting me use a passphrase (and don't get me started on the ones where they limit the password length to 12 or fewer characters!). Diceware (www.diceware.com; watch out for the 1989 HTML style) was one of the first sites I used to point people to for some education. And this site can sometimes generate amusing passphrases: http://www.fourmilab.ch/javascrypt/pass_phrase.html.
As a part of our development effort for Sonatype Insight, we’ve had to come up with an application token for Application scans (a feature you should expect to see in future releases). When you are selecting a password, the question you should be asking yourself is...
How big is your haystack?
One question that we evaluated was the security of these tokens. What computing power would be required to reverse engineer one of our Insight application keys? To find this answer, I used a free tool called “How big is your haystack” or “GRC’s Interactive Brute Force Password ‘Search Space’ Calculator”. This tool takes the complexity of the password (or, in this case, the key) and calculates how much time it would take to crack it.
If you are evaluating your own password security, take a look at this free interactive calculator at: https://www.grc.com/haystack.htm
How secure are our Insight application keys?
In the case of our Insight keys, the amount of time required, assuming 1000 guesses per second, is 20.72 trillion trillion trillion centuries. That’s with modest computing power. Even under the “Massive Cracking Array Scenario” that assumes 100 trillion guesses per second, we’re still talking about a span of time that far exceeds the currently accepted age of the known Universe (13.75 billion years).
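The search-space arithmetic behind a haystack-style estimate, as an added example (not Sonatype's or GRC's code): it counts every string up to the secret's length over the character classes it uses and converts that to years at the two guess rates mentioned above. The 32-character token is a constructed sample with an assumed format, not a real Insight key, and `diceware_space` is a hypothetical helper that counts word picks from the 7776-word Diceware list.

```python
import string

SECONDS_PER_YEAR = 365.25 * 24 * 3600
AGE_OF_UNIVERSE_YEARS = 13.75e9            # figure quoted in the post
RATES = {"online, 1000/s": 10**3,          # the two guess rates the post cites
         "massive array, 100 trillion/s": 10**14}
# Character classes as the haystack model counts them; space is a symbol.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation + " ")
SAMPLE_TOKEN = "3f9a1c07d2b84e6fa05b7c91e8d4620a"   # constructed, not a real key


def alphabet_size(secret: str) -> int:
    """Sum the sizes of every character class the secret draws from."""
    if not secret:
        raise ValueError("empty secret")
    known = set("".join(CLASSES))
    stray = set(secret) - known
    if stray:
        raise ValueError(f"characters outside the modelled classes: {sorted(stray)}")
    return sum(len(c) for c in CLASSES if set(c) & set(secret))


def search_space(secret: str) -> int:
    """Count every string of length 1..len(secret) over that alphabet."""
    n = alphabet_size(secret)
    return sum(n ** k for k in range(1, len(secret) + 1))


def years_to_exhaust(secret: str, guesses_per_second: int) -> float:
    """Worst case: the attacker has to try the whole search space."""
    return search_space(secret) / guesses_per_second / SECONDS_PER_YEAR


def diceware_space(words: int) -> int:
    """Passphrase built from `words` picks out of the 7776-word Diceware list."""
    return 7776 ** words


if __name__ == "__main__":
    for label, rate in RATES.items():
        years = years_to_exhaust(SAMPLE_TOKEN, rate)
        print(f"{label}: {years:.3e} years, "
              f"{years / AGE_OF_UNIVERSE_YEARS:.3e} x age of universe")
    print(f"6-word Diceware passphrase: {diceware_space(6):.3e} combinations")
```

The character-class count assumes the attacker guesses character by character; for a passphrase built from a known word list, the per-word count is the figure that applies.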