FAQ

What is CryptoLocker?

CryptoLocker is a ransomware program that was released around the beginning of September 2013. This ransomware will encrypt certain files using a mixture of RSA & AES encryption. When it has finished encrypting your files, it will display a CryptoLocker payment program that prompts you to send a ransom of either $100 or $300 in order to decrypt the files. This screen will also display a timer stating that you have 96 hours, or 4 days, to pay the ransom or it will delete your encryption key and you will not have any way to decrypt your files. This ransom must be paid using MoneyPak vouchers or Bitcoins. Once you send the payment and it is verified, the program will decrypt the files that it encrypted.

I have a pretty complex password - say something like X6&86m Is it good enough?

Passwords are critical to protecting our access to services, our privacy, our financial accounts, business secrets, and the list goes on.  It's important to get it right.  So let's take a look at two common misconceptions about passwords:

  1. PASSWORDS NEED TO BE COMPLEX WITH LETTERS, NUMBERS AND PUNCTUATION MARKS
  2. PASSWORDS NEED TO BE HARD TO REMEMBER

The first is a misconception that is unfortunately propagated by out-dated password checking algorithms.  Ten years ago it would have taken an huge amount of computational time, and hence a very large computer, to guess the password X6&86m  The password is six characters long, includes a mixture of case and numbers.  However, this password can be successfully cracked by modern hackers in about 52 seconds.  If we added a couple more digits to increase the complexity to what is considered "safe" by most password checkers to something like X6&86m?* we have now thwarted the average hacker to 20 days if they only have access to a single desktop.  If, however, this hacker has say, a group of 100 zombie computers available - which is a small number by today's hacker standards - then the hacker would be thwarted a mere 4.8 hours.  As you can see a determined hacker can defeat this seemingly amazingly complex password - one that no one can reasonably remember and will thus write down making it even more likely that someone will discover the password.

The second misconception follows from the first.  If I create something that passes the average password checker, it's going to be by necessity hard to remember.  That is unless I figure on using something like MyName1966. which is easy to remember and will pass most password checkers... but not all.  And this is the frustrating part about lazy password checking algorithms.  Because the password contains dictionary words, it's presumed to be insecure by many password checkers.  However, it would take a hacker 7 THOUSAND years to crack this password with one desktop.  Even with 1,000 desktops it would still take several months.  This is hardly the effort.

But the simple truth is computers are better at guessing randomness than meaningful sentences.  Really?  Yes.  If my password is Roses are Red the complexity to my mind is almost nil.  I can easily remember this password - which is better denoted a pass-phrase.  But is it secure?  Well, a hacker using today's sophisticated password algorithms would need 9 MILLION years to crack that password.  It includes a mix of case and two punctuation marks - but they're obvious to me.  The spaces are punctuation marks - they're an ASCII coded key stroke - just as complex to a computer as * or ~ or ^ - but somehow Roses^are^Red doesn't work as well to my mind and actually reduces the time needed to crack to 4 MILLION years.

Pass phrases are easy to remember and they're incredibly hard for computers to crack... today.  Admittedly, one day natural speech algorithms will be applied to password cracking, but we're not there yet.  So for now, I'll choose a pass phrase of In the Beginning and take comfort that it will take the hacker 3 TRILLION years to hack it.  I'm guessing he's going to give up after a few days of letting his zombie farm of computers toil away fruitlessly.

By the way - if you want to test your own passwords a great site is https://howsecureismypassword.net/  This site lets one quickly determine how long it would take for today's hackers to crack a password.