My password reminder recently popped up for one of my email accounts, urging me to change my password, and I started to think about what I should enter as a new password. This in turn reminded me of a recent Ars Technica article on weaknesses of current passwords and the ease with which they can be cracked.
Because so many passwords have been divulged and analyzed over the past few years (e.g., the RockYou, LinkedIn, Yahoo!, and Gawker exposures of tens of millions of passwords), hackers are now better educated on the most-used passwords and the patterns within them. Incorporating the newly disclosed passwords and patterns into their programs makes the cracking of passwords from stolen hashed files a lot easier and faster.
Why is it so hard to come up with strong passwords?
Passwords are a “one-factor” authentication mechanism that, when combined with a username, confirms the identity of the user based on something the user “knows.” And what the user knows is represented by text-based characters that need to be kept hush-hush and hard to guess – so no writing it down!
The thing is, password characteristics differ from system to system, with key attributes being the length (number of characters in the password) and the complexity (which serves to increase the number of character choices). Complexity settings enforce such things as minimum number of capitalized letters, lower-case letters, digits, and symbols (i.e., the top shift-row of a QWERTY keyboard plus punctuation characters). Clearly, we are discovering that it is hard to create unique, memorable passwords that meet the different system complexity rules.
To make them easier to remember, it turns out that the majority of us use names and/or dates as passwords; and—to further exacerbate things—because we have numerous accounts (e.g., email, social networks, online purchases), we often use the same “good” password in many places. In fact, a Microsoft study found that people re-use an average of 6.5 passwords at approximately four different accounts each.
Based on analyses of the millions of uncovered passwords, researchers and hackers alike have discovered our bad password habits:
- Most use lower-case letters
- 70% use only eight characters
- A good percentage use simple sequential or patterned numbers of the “123456” variety
- Many use first names and append a four-digit year to the end
- A lot use keyboard or keypad patterns of the “qwerty” and “2580” variety
- Numerous substitute symbols or digits for similar-looking letters (e.g., “$” for “s”, “0” for “o”, “4” for “A”, “3” for “E”)
- Nearly all capital letters are used at the beginning
- Almost all digits or symbols are tagged on at the end
- Some use mirror words (appending the same word typed backwards after the initial word).
These techniques have all been incorporated into new password-cracking rule-sets that are then applied to large, supposedly protected computer password files. Once the bad guys discover a password-to-hash match, they can perform a regular log-in to that account (and to others, if we re-use passwords) using the cracked password associated with the username.
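The habits listed above are exactly what a defender can check for before a password is accepted. The Python audit below is an added example, not code from the original post or from Telos: it undoes the habits the post describes (capital at the start, look-alike substitutions, digits and symbols tagged on the end, a trailing four-digit year, mirror words, keyboard rows and sequential or keypad digit runs) and then tests what is left against a word list. The `COMMON_WORDS` set is a small constructed stand-in for a real dictionary, and the substitutions beyond the four the post names, plus the keypad column patterns, are assumptions made for the demo.

```python
import re
import string

# Constructed sample dictionary for the demo; a real audit would load a full wordlist.
COMMON_WORDS = {"password", "welcome", "summer", "dragon", "monkey", "letmein", "sarah", "michael"}

# Reverse of the look-alike substitutions the post lists ("$" for "s", "0" for "o",
# "4" for "A", "3" for "E"). The "1", "5", "7", "@" and "!" entries are assumed extras.
UNLEET = str.maketrans({"$": "s", "0": "o", "4": "a", "3": "e",
                        "1": "i", "5": "s", "7": "t", "@": "a", "!": "i"})

KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"]
KEYPAD_COLUMNS = ["1470", "2580", "3690"]       # phone keypad columns, "2580" style (assumed)
YEAR_SUFFIX = re.compile(r"(19|20)\d{2}$")      # "first name plus a four-digit year"
LETTERS_THEN_SUFFIX = re.compile(r"^[A-Za-z]+[^A-Za-z]+$")


def has_keyboard_walk(pw: str, min_len: int = 4) -> bool:
    """True if any min_len-character window runs along a keyboard row, forwards or backwards."""
    s = pw.lower()
    rows = KEYBOARD_ROWS + [r[::-1] for r in KEYBOARD_ROWS]
    return any(s[i:i + min_len] in row
               for i in range(len(s) - min_len + 1) for row in rows)


def is_digit_pattern(run: str) -> bool:
    """True for repeated, ascending or descending digits ("1111", "123456", "4321") and keypad columns ("2580")."""
    if len(run) < 4:
        return False
    steps = {int(b) - int(a) for a, b in zip(run, run[1:])}
    if len(steps) == 1 and steps <= {-1, 0, 1}:
        return True
    cols = KEYPAD_COLUMNS + [c[::-1] for c in KEYPAD_COLUMNS]
    return any(run in c or c in run for c in cols)


def is_mirror_word(word: str) -> bool:
    """True when the second half is the first half typed backwards ("dragonnogard")."""
    half = len(word) // 2
    return len(word) >= 6 and len(word) % 2 == 0 and word[:half] == word[half:][::-1]


def base_word(pw: str) -> str:
    """Undo the listed habits: lower-case, drop the digits/symbols tagged on the end, reverse substitutions."""
    lowered = re.sub(r"[^a-z]+$", "", pw.lower())
    return lowered.translate(UNLEET)


def audit(pw: str) -> list:
    """Return the weak-password habits found in pw; an empty list means none of them apply."""
    findings = []
    if len(pw) < 14:
        findings.append("shorter than 14 characters")
    classes = sum([any(c.isupper() for c in pw), any(c.islower() for c in pw),
                   any(c.isdigit() for c in pw), any(c in string.punctuation for c in pw)])
    if classes < 4:
        findings.append(f"uses only {classes} of 4 character classes")
    if pw[:1].isupper() and not any(c.isupper() for c in pw[1:]):
        findings.append("only capital letter is at the start")
    if LETTERS_THEN_SUFFIX.match(pw):
        findings.append("digits/symbols only tagged on at the end")
    if YEAR_SUFFIX.search(pw):
        findings.append("ends with a four-digit year")
    word = base_word(pw)
    if word in COMMON_WORDS:
        findings.append(f"dictionary word '{word}' once suffix and substitutions are removed")
    if is_mirror_word(word):
        findings.append("mirror word")
    if has_keyboard_walk(pw):
        findings.append("keyboard row pattern")
    if any(is_digit_pattern(run) for run in re.findall(r"\d{4,}", pw)):
        findings.append("sequential, repeated or keypad digit pattern")
    return findings


if __name__ == "__main__":
    # Constructed samples: three that follow the habits above and one that does not.
    for sample in ["Dragon2013", "P@$$w0rd!", "qwerty123456", "Tr0ub4dor&3cups!Velvet9"]:
        print(sample, "->", audit(sample) or "no listed habits found")
```

The point of normalizing before the dictionary lookup is that a cracking rule-set applies the same transformations in the forward direction, so "P@$$w0rd!" costs an attacker only a handful of extra guesses over "password"; an audit that only counts character classes would rate it as fully complex.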
What makes a good password?
We must occasionally revisit what comprises a strong password. Your password should be:
- Unique for each account (along with a different username)
- Complex (using the full set of upper/lower-case letters, digits, and symbols)
- Long (the longer the better but at least 14 characters)
- Non-dictionary words or phrases (to appear pseudo random)
- Changed periodically (at least three or four times a year).
Some methods to achieve this would be to use passphrases that contain several unrelated words, or to derive passwords from the first letter of each word in a longer memorable sentence from, say, a song or poem. You would also want to apply the earlier rules (use upper and lower case, add some numbers and symbols, etc.) to ensure even more complexity. (Also bear in mind that some accounts, even in this day and age, may not allow you to use long passwords or “top row” symbols.)
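To show how much strength the two methods in the paragraph above actually provide, here is an added Python example (not from the original post or from Telos) that builds a passphrase by picking words uniformly at random with the `secrets` module, estimates its guessing entropy from the word-list size, and derives an initialism from a memorable sentence. The 32-word `WORDS` list is constructed for the demo so that each word contributes exactly 5 bits; the 7776-word figure used for comparison is the size of a standard Diceware list.

```python
import math
import secrets
import string

# Constructed 32-word sample list: each uniformly chosen word adds log2(32) = 5 bits.
# A real generator would use a large published list (a Diceware list has 7776 words).
WORDS = [
    "anchor", "basket", "cactus", "dolphin", "ember", "falcon", "glacier", "harbor",
    "island", "jigsaw", "kettle", "lantern", "marble", "nectar", "orbit", "pebble",
    "quartz", "ribbon", "saddle", "tundra", "umbrella", "velvet", "walnut", "xenon",
    "yonder", "zephyr", "acorn", "bonfire", "copper", "dune", "eagle", "fossil",
]
assert len(WORDS) == 32


def generate_passphrase(n_words: int = 5, separator: str = "-", words=WORDS) -> str:
    """Pick n_words independently and uniformly using the CSPRNG behind secrets.choice."""
    return separator.join(secrets.choice(words) for _ in range(n_words))


def entropy_bits(n_words: int, wordlist_size: int) -> float:
    """Guessing entropy of an n-word passphrase drawn uniformly from wordlist_size words."""
    return n_words * math.log2(wordlist_size)


def words_for_target(target_bits: float, wordlist_size: int) -> int:
    """Smallest word count whose entropy reaches target_bits for the given list size."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def derive_from_sentence(sentence: str) -> str:
    """First-letter derivation the post describes: one character per word, keeping the sentence's capitalisation."""
    letters = []
    for token in sentence.split():
        token = token.strip(string.punctuation)
        if token:
            letters.append(token[0])
    return "".join(letters)


if __name__ == "__main__":
    phrase = generate_passphrase(5)
    print(phrase, f"({entropy_bits(5, len(WORDS)):.1f} bits from a {len(WORDS)}-word list)")
    print(f"5 words from a 7776-word list: {entropy_bits(5, 7776):.1f} bits")
    print(f"words needed for 64 bits: {words_for_target(64, len(WORDS))} (32-word list),",
          f"{words_for_target(64, 7776)} (7776-word list)")
    # Constructed sentence; a line you made up yourself is safer than a famous quote.
    print(derive_from_sentence("Mary had a little lamb, its fleece was white as snow"))
```

The entropy figures only hold when the words are chosen by the random generator, not by you: a five-word phrase from the small demo list is worth 25 bits, while the same five words from a 7776-word list give about 64.6 bits, and a human choosing "unrelated" words will cluster on far fewer than either. The initialism method likewise depends on the sentence not being a well-known quote, since song lyrics and poems are among the sources cracking dictionaries are built from.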
Another method would be to use programs that both randomly generate and manage passwords, thus eliminating the hardship of having to remember a complicated password for every account you use. These programs can be commercial (e.g., 1Password), free-ware (e.g., KeePass), or ones built into the operating system. Password generator/manager applications can often run on USB flash drives or synchronize with websites or cloud storage for use when your computer is inaccessible; and some offer virtual keyboards to counter malicious keystroke loggers.
The next time your old password needs to be changed (like mine did today), you should think about changing some old password habits as well.
The Empower and Protect Blog brings you cybersecurity and information technology insights from top industry experts at Telos.