Cracking Passwords? That's Child's Play

Jan Valcke, March 12, 2014

A while ago, Ars Technica, a US magazine, had a rather eye-opening experience. A list of 16,000 encrypted passwords was given to Nate Anderson, the publication's Editor-in-Chief, then to three cracking experts.

After a few hours' work, Nate Anderson, though a newcomer to the field, managed to decipher nearly half of the 16,000 passwords. The three seasoned crackers between them hacked 82% of the passwords on the list in under an hour, while another was able to break through 90% of them in just under 24 hours. With a little more time, the whole list could have been deciphered.

The moral of the story is clear: all passwords can be cracked, and with relative ease.

From this we can ask: are passwords ultimately an acceptable solution that measures up to the demands of identity and data protection?

I believe they can be, providing they are strong enough.

When it comes to digital security, the most sensitive professional sectors (namely banking) have implemented strong authentication and dynamic passwords. These are passwords, generated by an authentication device or an app, that can be used only once and only for a limited period of time.

The one-time principle is an efficient tool against leaks and file theft and thus ideally suited for data protection and security. If one of your passwords falls into a hacker's hands, it hardly matters at all because the password will be rendered useless.

One-time is the key.

Jan Valcke’s resume reads like the history of strong user authentication itself. Mr Valcke was co-founder and member of the board of directors of Digiline, the company that developed and marketed the first Digipass strong authentication tokens, back in 1991. From the early start on, Jan Valcke has