Here's Why Your Password is Hackable

Category: Security

Over the past two decades, password rules have become more complicated and burdensome for users. Users have coped with arbitrary, byzantine password rules by creating the most easily remembered passwords that comply with the rules, changing them when required in minor, predictable ways, and reusing compliant passwords on multiple online accounts. The results include lots of frustration and LESS security. Here's how to do it right...

Everything You Know About Passwords is Wrong

A typical site now requires you to create a password at least 8 characters long that includes at least three or four types of characters: upper-case, lower-case, numeral, and special characters such as !, @, #, etc. In most cases, the resulting password is exactly 8 characters long, begins with an upper-case character, and ends with an exclamation point or the numeral “1.” Often it’s a recognizable name associated with the user, such as a child’s or pet’s name. If a password needs to be changed, it’s often only the last character that’s changed, and in a predictable fashion, i.e., “1” becomes “2,” “!” becomes “@,” etc.

Hackers know these official rules, and the de facto rules that users have created to comply with the least effort. They have hundreds of billions of stolen passwords from which to figure out the rules, and they incorporate the rules in password-cracking software to make it more efficient. They also have massive computing power that can try billions of possible passwords per hour. The upshot is that most passwords actually in use can be cracked in a matter of hours.

One solution to human predictability is password-generating software that produces longer, more random passwords, and password-management software that remembers what site a password goes with. These functions may be combined in one software package, such as Roboform, Dashlane or LastPass.

[Image: XKCD cartoon, “correct horse battery staple”]

But many sites deliberately thwart the use of password managers, either by forcing users to enter usernames and passwords on two separate screens or by adding code that blocks auto-filling of passwords. Apparently, the admins of such sites think a password encrypted and stored on a hard drive is as insecure as one written on a Post-It Note.

Another solution to remembering strong passwords is a mnemonic: a sentence that’s easily remembered because it makes grammatical sense, and which contains the characters of a password that can be extracted by applying a simple rule. For instance, a password might be the first letters of the sentence, “My horse knows how to use 2 pink staple guns.” In fact, that whole sentence would make a virtually impenetrable password, if the official rules allowed spaces.

This geeky cartoon from XKCD.com illustrates the difference between passwords as they are and as they could be, if sysadmins allowed it. Following the official rules results in a password that’s easily cracked in 3 days, while the phrase, “correct horse battery staple” takes 550 years, far longer than any hacker cares to spend.
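The cartoon's “3 days” and “550 years” are worst-case enumeration times at a fixed guess rate, so they can be recomputed. The script below is an added example, not part of the article or the cartoon: it assumes the rates and entropy figures the cartoon itself uses (about 28 bits for the rule-compliant password, 44 bits for four words drawn from a 2048-word list, 1000 guesses per second), and then shows what the same passwords look like against a much faster guesser.

```python
"""Worked guess-time calculation for the two XKCD-style passwords (added example)."""
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600
# Guess rate assumed by the cartoon's 3-day / 550-year figures (assumption).
CARTOON_GUESS_RATE = 1000.0


def entropy_bits(pool_size, length):
    """Entropy in bits of `length` symbols chosen uniformly at random from a
    pool of `pool_size` choices: log2(pool_size ** length)."""
    return length * math.log2(pool_size)


def crack_time_seconds(bits, guesses_per_second):
    """Seconds to enumerate the whole space of 2**bits guesses (worst case,
    which is what the cartoon's figures assume)."""
    return (2.0 ** bits) / guesses_per_second


def describe(seconds):
    """Render a duration in the largest convenient unit, e.g. '3.1 days'."""
    units = (("years", SECONDS_PER_YEAR), ("days", 86400.0),
             ("hours", 3600.0), ("minutes", 60.0), ("seconds", 1.0))
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.1f} seconds"


def compare(rate=CARTOON_GUESS_RATE):
    """Return {label: seconds} for the cartoon's two passwords at `rate`."""
    # The rule-following password in the cartoon is credited with ~28 bits.
    rule_bits = 28
    # Four words drawn from a 2048-word list: 4 * log2(2048) = 44 bits.
    phrase_bits = entropy_bits(2048, 4)
    return {
        "rule-compliant (28 bits)": crack_time_seconds(rule_bits, rate),
        "four-word phrase (44 bits)": crack_time_seconds(phrase_bits, rate),
    }


if __name__ == "__main__":
    # Second rate is a constructed "well-funded attacker" figure, not from the cartoon.
    for rate in (CARTOON_GUESS_RATE, 1e12):
        print(f"at {rate:,.0f} guesses/second:")
        for label, secs in compare(rate).items():
            print(f"  {label:28s} {describe(secs)}")
```

The thing to notice is that each extra word multiplies the guess count by the wordlist size, so adding a fifth or sixth word buys more than any amount of symbol-substitution, while a faster guesser shrinks every row of the table by the same factor.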

What About Those Password Strength Meters?

Research has found that users will create stronger passwords if they receive feedback about password strength as they create a password. But so-called “strength meters” often measure only compliance with rules instead of statistical strength, according to researchers at Carnegie Mellon University. The CMU geeks have created a strength meter that uses a powerful neural network to calculate the true strength of a hypothetical password on the spot, and even explains what’s wrong with your password creation strategy. The rules they recommend are:

  • At least 12 characters per password
  • Capitalized and special characters in the middle of the password, not at ends
  • No names associated with pets or sports teams
  • No song lyrics
  • Avoid the word “love” in any language
  • Avoid patterns such as “123,” including keyboard patterns (“qwertyasdfg”)
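The six rules above are mechanical enough to check in code, and doing so shows how they interact with the first-letters mnemonic described earlier. The script below is an added example, not the CMU meter or anything from the article: `first_letters` extracts a password from a sentence the way the article suggests, and `check_rules` reports which of the six rules a candidate breaks. The pet-name, team-name and lyric list is a tiny constructed sample standing in for the large dictionaries a real meter would use.

```python
"""Rule-based checker for the six CMU-style password recommendations (added example)."""
import re

# Constructed sample block list (pet names, sports teams, a lyric fragment).
# A real meter would load large dictionaries here.
BLOCKED_TERMS = {"rover", "fido", "buddy", "yankees", "lakers", "cowboys", "letitbe"}
# "love" in English, Spanish, French, German and Italian.
LOVE_WORDS = {"love", "amor", "amour", "liebe", "amore"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")
MIN_LENGTH = 12
PATTERN_LEN = 3  # "123" is the article's example, so three in a row is enough


def first_letters(sentence):
    """Mnemonic rule from the article: first character of each word, digits kept."""
    words = re.findall(r"[A-Za-z0-9]+", sentence)
    return "".join(w[0] for w in words)


def _keyboard_run(lowered):
    """Return the first PATTERN_LEN-character slice that walks a keyboard row
    forwards or backwards, or None."""
    rows = KEYBOARD_ROWS + tuple(r[::-1] for r in KEYBOARD_ROWS)
    for i in range(len(lowered) - PATTERN_LEN + 1):
        chunk = lowered[i:i + PATTERN_LEN]
        if any(chunk in row for row in rows):
            return chunk
    return None


def check_rules(password):
    """Return the list of rule identifiers the password violates (empty = passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too_short")
    if password and (password[0].isupper() or password[-1].isupper()):
        problems.append("uppercase_at_end")
    if password and (not password[0].isalnum() or not password[-1].isalnum()):
        problems.append("special_at_end")
    interior = password[1:-1]
    if not any(c.isupper() for c in interior):
        problems.append("no_uppercase_in_middle")
    if not any(not c.isalnum() for c in interior):
        problems.append("no_special_in_middle")
    lowered = password.lower()
    if any(term in lowered for term in BLOCKED_TERMS):
        problems.append("blocked_term")
    if any(word in lowered for word in LOVE_WORDS):
        problems.append("love_word")
    if _keyboard_run(lowered):
        problems.append("keyboard_pattern")
    return problems


if __name__ == "__main__":
    for candidate in (first_letters("My horse knows how to use 2 pink staple guns."),
                      "horse7Battery!staple", "Fido123!", "qwertyasdfg"):
        print(f"{candidate:24s} {check_rules(candidate) or 'passes all six rules'}")
```

Running it shows that the ten-character mnemonic from the article's sentence fails three of the rules (too short, capital at the start, nothing special in the middle), while a phrase with a capital and a symbol tucked inside passes, which is exactly the gap between “complies with the site's rules” and “hard to guess” that the CMU researchers were measuring.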

I advise using a password generator/manager wherever possible. They’re getting better at circumventing the security-limiting roadblocks that some website owners think are important. If you prefer not to use password software, a memorable phrase is the next best thing. In the past, I've used the first sentence from the first paragraph of a certain page in an old book. For example, on page 67 of "The Autobiography of Benjamin Franklin," I found the phrase "There are Croakers in every country." It's memorable, and it makes for a strong password. Or as mentioned above, you can apply a formula of your choosing to such a phrase.

What's your password strategy? Do you use a password manager, a sticky note, or keep it in your head? Your thoughts on this topic are welcome. Post your comment or question below...

 
This article was posted by on 12 Sep 2017


For Fun: Buy Bob a Snickers.

Prev Article:
Equifax Takes The Data Breach Cake

The Top Twenty
Next Article:
Geekly Update - 13 Sep 2017

Most recent comments on "Here's Why Your Password is Hackable"

(See all 54 comments for this article.)

Posted by:

Melanie
12 Sep 2017

I have been using Roboform Everywhere for several years - it works on our iPhones, Macs and PC products and syncs across platforms. On occasion I have to manually enter a username or password (especially with 2 step authentication), but I love that I can generate random passwords and not have to try to remember anything (except the password to Roboform, of course!). I love that I can access my password list on my phone. Just use Bob's advice when you create your master password, and hope Roboform is never hacked!


Posted by:

Edwin
12 Sep 2017

Most passwords are unnecessary for security purposes as they access websites that nobody else would have the slightest interest in. The fellow who invented the current crazy password creation has since said that he was wrong and that its complexity is unnecessary. Apart from my financial records anybody is welcome to my passwords.


Posted by:

Therrito
13 Sep 2017

I created an easy-to-remember complex base password of lower case letters mixed with numbers to use with all of my online accounts, then I added a prefix or suffix specific to each account consisting of upper case letters and/or special characters, so that the end result is a very complex password that is unique for each account and very easy to remember.


Posted by:

Walter
13 Sep 2017

Just to clear up one point.

When a hacker breaches a system and "gets the passwords" they don't actually get the passwords, at least in modern times and with anything that is remotely secure. They get a list of account hashes. So your password could be Love123 and the hash might be klj#c98q34 (just made up). When you log on and enter Love123 the server runs a hash program on what you entered that will put out klj#c98q34 which is then compared to the hash table. I think it's even mathematically possible that another different password could produce the same hash.

This is why modern Systems Administrators don't know what your password is. They might be able to see the hash, but can't really do anything with it. Many years ago on UNIX systems the hash was readable by anyone on the system as nobody could decode it. But now we have decoder programs that can.

So say you've got a hash and you run cracker software on it on your modern i7 with many GPUs. It's going to use a list of known words and simple rules to try and guess the password. So it tries Love122 and fails and then Love123 and succeeds. It gets passwords like that pretty fast, but passwords like uzKmkJdB are not going to be cracked with the word lists. It then has to go into brute force mode, which takes some time. Might sit there for a week before it gets it and that's just one password. What if the system has a hundred thousand accounts?

You can see that running a brute force attack even with the hash file is going to take forever. I don't think they'd bother unless they knew some key accounts that were more worthwhile hacking, perhaps BillGates or a similar account. So they're probably only going to run dictionary attacks at the huge list for a day or two and see if they can get into accounts with stupid passwords.

So, don't use a stupid password on anything important, but you don't need to go too crazy.
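
Walter's description of what the server actually stores and how a login is checked can be shown directly. The script below is an added example, not Walter's code or anything from this site: it stores a salted PBKDF2 hash per user, verifies a login attempt by recomputing the hash and comparing in constant time, and shows that two users with the same password end up with different stored values. The “account table” and the password `Love123` are constructed sample data borrowed from the comment.

```python
"""Salted password hashing and login verification (added example)."""
import hashlib
import hmac
import os

# PBKDF2 work factor; raise it as hardware gets faster. Each extra iteration
# costs the legitimate login very little but multiplies the cost of offline guessing.
ITERATIONS = 200_000


def hash_password(password, salt=None):
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>'.
    A fresh random salt per user means two users with the same password
    get different stored values, so one cracked hash says nothing about the other."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute the hash from the login attempt and compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# Constructed sample "account table": this is all the server (or an admin) ever sees.
USERS = {"alice": hash_password("Love123"), "bob": hash_password("Love123")}


def login(username, password):
    """True only if the hash of the attempt matches the stored hash for that user."""
    stored = USERS.get(username)
    return stored is not None and verify_password(password, stored)


if __name__ == "__main__":
    for name, stored in USERS.items():
        print(name, stored)
    print("alice/Love123 ->", login("alice", "Love123"))
    print("alice/Love122 ->", login("alice", "Love122"))
```

The stored strings are what an attacker gets from a breached database, which is also the situation the editor's note further down describes: the three-tries limit applies to the login form, not to someone guessing against a copy of this table offline, and the only brakes left at that point are the salt, the work factor and the strength of the password itself.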


Posted by:

david sparkman
13 Sep 2017

My bank disables my account after 3 incorrect tries so cracking that will take a very long time. On the other hand, I use a wireless keyboard so an external keylogger is a threat. I prefer not to access my bank account while on the road. I am using Avast's EasyPass but I am bugged that it keeps trying to save my bank password, which is the one password I prefer to keep only in my memory and my home safe.


Posted by:

BobD
13 Sep 2017

@Paul Re:"Keepass can fill in online forms just fine"
Thanks! I just started using KeePass a couple of days ago, so I have some research to do.


Posted by:

Donald Potts
13 Sep 2017

I would love to go back to the Microsoft fingerprint reader I had that you could use in lieu of passwords !
Is there anything like that available now??


Posted by:

Jay Bingham
13 Sep 2017

I have used the password manager KeePass for years. It is free and is available for multiple operating environments. Since I have used it I have been generally using 20 character randomly generated passwords, but recently began moving to 24 character passwords where possible. The thing that frustrates me, because I want to use long passwords, is when I set up a new password on a site and find that I am limited to a password of 12 or fewer alphanumeric only characters. Fortunately most sites that I have encountered allow longer passwords than I care to generate with at least some symbol characters included, but I have been surprised by some of the sites that do not, organizations that I thought would know better. I understand that it takes more storage space to accommodate longer passwords and storage space is not free, but with the low cost of storage these days I think that when comparing the cost of storage to the cost of a break-in, it is very shortsighted to restrict passwords to 12 or fewer characters.


Posted by:

TomsDT
13 Sep 2017

My spouse and I know each others' passwords and use them for making airline reservations, etc. Do programs like Roboform and Keepass allow passwords to be accessed by two people using different computers?


Posted by:

Sharon Hutchinson
13 Sep 2017

I must confess--I am guilty of making up passwords based on everything said in the first paragraph of "Everything you know about passwords is wrong". Shame on me. Yet I would have continued to do so were it not for this great article pointing this out and supplying excellent ways to generate passwords in such a way that someone could take 1000 years to figure it out. Many thanks, Bob!

BTW, I went to XKCD and found hilarious stuff that probably would stump the average Joe. Bookmarked for future laughs!


Posted by:

Mikey
13 Sep 2017

If a person has several (or even more than 2) accounts that require a password, they would be foolish NOT to be using a password manager program like those mentioned - LastPass, KeePass, or Roboform.

Not only are the generated passwords strong, access to the password vault is secure, the program connects to the necessary web site for you, and the program is accessible by more than one person or computer IF you share your master access.

I laugh at someone who writes their passwords down in a book. I have helped many foolish people regain access to their computer by hacking their simple passwords. My record was 8 seconds by trying one person's previous dog's name.


Posted by:

Robert
13 Sep 2017

Bob, I really enjoy all your articles. What would be wrong with creating an "ID & Password" folder and keeping all on Notepads? Then when you need any of them you can just copy and paste both when you need them. Doing it that way, you're not liable to keyloggers. Thanks

EDITOR'S NOTE: Not necessarily. Some keyloggers can intercept keystrokes entered via copy/paste.


Posted by:

geoff
14 Sep 2017

My 50 years of computing experience has been that passwords create more problems than they solve. They are an outdated method of security that should be replaced.

I used the same password for over 40 years in multiple situations before it got hacked. I then changed it for my email only. I still use the now 50-year-old one in situations where I don't care if it gets hacked, e.g. Facebook.

One experience I had with a site that required a password was that it did not validate the entered password so would accept anything entered.

A password that most humans never try is nothing, just press enter. Unfortunately most systems do not allow null passwords.

Security is all about risk assessment. Ask an Actuary about it.


Posted by:

Jay R
14 Sep 2017

Sharon, you're right. BTW, did you look at the next cartoon? That one made me laugh, too.

On a different note, I don't understand the reason I need passwords on a site where I am paying my bills. I keep hoping that someone will hack it and pay on my account.


Posted by:

Herb
14 Sep 2017

Bob - my experience is many sites limit the number of password tries to three. If you haven't gotten it right by then you are locked out and the password has to be reset. In that scenario, how can hackers have unlimited time/tries to hack the password? I imagine hackers have no success at the sites that are limited to three tries, so why don't all sites implement that rule? It seems to me that would go a long way towards solving this problem!

EDITOR'S NOTE: The "unlimited attempts" scenario comes into play when a hacker has direct access to a compromised server, and can direct his attacks against the master user/password file.


Posted by:

RandiO
14 Sep 2017

@geoff.
I would venture to guess that the password you were using 50 years ago (and to this date) has got to be only 4 characters in length. But I am also guessing that there are not that many sites which would allow a 4-digit password entry in the 21st century. Could this be the reason for wrongly stating "...create more problems than they solve"?
I have prescribed strong AND unique passwords for over a dozen years as an essential need just like making sure there is TP when you visit the bathroom, or stocking up on toothpaste for the toothbrush. It is not rocket science to create/update passwords and to remember them (along w/ religious use of a password manager, such as KeePass).
The only issue I have with unique/strong password generation is when sites/programs limit the maximum character length of the password: Microsoft Outlook.com used to limit the password length to 16 and WesternDigital limits theirs to 14 characters max. That is just plain wrong! I think the Apple iPhone EXS facial recognition is a great idea for entry to Fort Knox but I will opt-out maybe until DNA verification becomes a mandatory standard for smartphones... at which point, I will opt-out altogether from using them!


Posted by:

Deborah
15 Sep 2017

I have not just changed the last letter or number, but this article is an eye opener...I was hacked in yahoo. Now I have a Gmail account. I wonder how long till Gmail is hacked? I still clean out my yahoo mail.


Posted by:

GARRY PRIBBLE
15 Sep 2017

The first thing I don't understand is why companies who hold sensitive data don't encrypt their information so if the data is hacked it would be unreadable or inaccessible. Next, there should be a two step approach to security so you need a password and a special answer that only the operator would know. And finally, the company should prevent access if the user fails to enter the correct passwords in three or four tries. These approaches would safeguard any outsider from accessing the data.


Posted by:

Narada
16 Sep 2017

Password cracking software has long had the ability to immediately override the 3 tries limitation.

The 550 year example presumes 1000 tries/second. Edward Snowden has said to presume your adversary capable of 1 trillion tries/second, which for the above example would result in account access in 4 hours and 49 minutes.


Posted by:

Clairvaux
21 Sep 2017

To all of you minimising the threat, my advice would be to visit the site (and how-to blog) of forensic password-busting software publisher Elcomsoft. It goes by the cute name of Advanced Password Cracking, and it's fully legitimate, by the way (it sells to law enforcement and the like):

https://blog.elcomsoft.com

That's what the good guys are able to do. Now imagine what the bad guys might be up to.


Article information: AskBobRankin -- Here's Why Your Password is Hackable (Posted: 12 Sep 2017)
Source: https://askbobrankin.com/heres_why_your_password_is_hackable.html
Copyright © 2005 - Bob Rankin - All Rights Reserved