How Hackable is Your Password?
Over the past few decades, password rules have become more complicated and burdensome for users. Users have coped with arbitrary, complex password rules by creating the most easily remembered passwords that comply with the rules, changing them when required in minor, predictable ways, and reusing compliant passwords on multiple online accounts. The results include lots of frustration and LESS security. Here's how to do it right...
Everything You Know About Passwords is Wrong
A typical website now requires you to create a password at least 8 characters long that includes at least three or four types of characters: upper-case, lower-case, numerals, and special characters such as !, @, #, etc. In most cases, the resulting password is *exactly* 8 characters long, begins with an upper-case character, and ends with an exclamation point or the numeral “1.” Often it’s a recognizable name associated with the user, such as a child’s or pet’s name. If a password needs to be changed, it’s often only the last character that’s changed, and in a predictable fashion, i.e., “1” becomes “2,” “!” becomes “@,” etc.
Hackers know these official rules, and the de facto rules that users have created to comply with the least effort. Thanks to a regular parade of data breaches, they have billions of stolen passwords from which to figure out the rules, and they incorporate the rules in password-cracking software to make it more efficient. They also have massive computing power that can try billions of possible passwords per hour. The upshot is that most passwords actually in use can be cracked in a matter of hours.
You might be wondering how these password cracking tools can work so quickly. They don't operate by repeatedly trying to log in to your favorite website. That would get them locked out in short order. Instead, they focus their attention on password databases stolen from compromised web servers. Here's an eye-opening article on how password crackers work.
Interestingly, I just found an article describing how the 40-year-old passwords of some Internet pioneers were cracked. It wasn't just that their circa-1980 passwords were weak, but rather that the methods used to protect them turned out to be ineffective, given the march of time and technology. The hashed (weakly encrypted) passwords of some of the creators of the Unix operating system were included in publicly available source code. At the time, there wasn't sufficient computing power to decrypt those hashes in their lifetime. But in 2019, a password-cracking appliance fitted with 10 GPUs can do it in a few hours.
One solution to human predictability is password-generating software that produces longer, more random passwords, and password-management software that remembers what site a password goes with. These functions may be combined in one software package, such as Roboform, Dashlane or LastPass.
Another solution to remembering strong passwords is a mnemonic: a sentence that’s easily remembered because it makes grammatical sense, and which contains the characters of a password that can be extracted by applying a simple rule. For instance, a password might be the first letters of the sentence, “My horse knows how to use 2 pink staple guns.” In fact, that whole sentence would make a virtually impenetrable password, if the official rules allowed spaces.
This geeky cartoon from XKCD.com illustrates the difference between passwords as they are and as they could be, if sysadmins allowed it. Following the official rules results in a password that’s easily cracked in 3 days, while the phrase, “correct horse battery staple” takes 550 years, far longer than any hacker cares to spend.
What About Those Password Strength Meters?
Research has found that users will create stronger passwords if they receive feedback about password strength as they create a password. But so-called “strength meters” often measure only compliance with rules instead of statistical strength, according to researchers at Carnegie Mellon University. The CMU geeks have created a strength meter that uses a powerful neural network to calculate the true strength of a hypothetical password on the spot, and even explains what’s wrong with your password creation strategy. The rules they recommend are:
- At least 12 characters per password
- Capitalized and special characters in the middle of the password, not at ends
- No names associated with pets or sports teams
- No song lyrics
- Avoid the word “love” in any language
- Avoid patterns such as “123,” including keyboard patterns (“qwertyasdfg”)
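As an added illustration (not part of the original article, nor the CMU meter) of why rule compliance and statistical strength are different things, the Python below checks a password against the typical 8-character/3-class rule and separately estimates the guess space a pattern-aware cracker faces, modelling the de facto patterns described above (capitalized word plus a short “1!”-style tail, or a space-separated passphrase). The dictionary size, number of suffix variants, and the 1000-guesses-per-second rate are assumptions; the 2048-word list is the one behind the XKCD figures quoted earlier.

```python
import math
import re

DICTIONARY_SIZE = 50_000    # assumed size of the names/common-words list a cracker tries first
PASSPHRASE_WORDS = 2048     # XKCD's assumption: each word drawn from a 2048-word list
SUFFIX_VARIANTS = 100       # assumed count of predictable tails ("1", "1!", "123", "2@", ...)
GUESSES_PER_SECOND = 1000   # XKCD's rate; offline GPU appliances are many orders faster


def passes_typical_rules(pw):
    """The compliance check most websites apply: 8+ chars and 3 of 4 character classes."""
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    return len(pw) >= 8 and sum(1 for c in classes if re.search(c, pw)) >= 3


def guess_space(pw):
    """Estimate how many guesses a cracker that knows the de facto rules needs.

    A space-separated passphrase costs (word list size) ** (word count).
    A capitalized dictionary word with a short digit/symbol tail costs a dictionary
    lookup times a handful of variants, not a character-by-character brute force.
    Anything else falls back to brute force over the character classes present.
    """
    words = pw.split()
    if len(words) >= 2 and all(w.isalpha() for w in words):
        return PASSPHRASE_WORDS ** len(words)
    m = re.fullmatch(r"([A-Za-z]{3,})([0-9!@#$%^&*]{0,3})", pw)
    if m:
        caps = 2 if m.group(1)[0].isupper() else 1   # "fluffy" vs "Fluffy"
        tail = SUFFIX_VARIANTS if m.group(2) else 1  # "1!"-style ending
        return DICTIONARY_SIZE * caps * tail
    alphabet = 0
    for pattern, size in ((r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10), (r"[^A-Za-z0-9]", 33)):
        if re.search(pattern, pw):
            alphabet += size
    return alphabet ** len(pw)


def strength_bits(pw):
    """Guess space expressed in bits, the unit the XKCD cartoon uses."""
    return math.log2(guess_space(pw))


def crack_time_days(pw, rate=GUESSES_PER_SECOND):
    """Days to exhaust the whole guess space at the given guessing rate."""
    return guess_space(pw) / rate / 86400


if __name__ == "__main__":
    for candidate in ("Fluffy1!", "correct horse battery staple", "x7$Kq2!p"):
        print(f"{candidate!r}: rules={passes_typical_rules(candidate)}, "
              f"bits={strength_bits(candidate):.1f}, days={crack_time_days(candidate):,.1f}")
```

Note that “Fluffy1!” satisfies the rules yet falls in hours, while the four-word passphrase fails the rules (no upper-case, no digits) and takes centuries at the same rate.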
I advise using a password generator/manager wherever possible. They’re getting better at circumventing the security-limiting roadblocks that some website owners think are important. And because they generate long, strong passwords that don't need to be remembered, you are better protected in the event that one of your favorite websites is hacked and the encrypted password database is subjected to torture by one of those high-tech password-cracking appliances. They'll go for the low-hanging fruit long before your randomized 42-character password is squeezed out.
If you prefer not to use password software, a memorable phrase is the next best thing. In the past, I've used the first sentence from the first paragraph of a certain page in an old book. For example, on page 67 of "The Autobiography of Benjamin Franklin," I found the phrase "There are Croakers in every country." It's memorable, and it makes for a super-strong password. Or as mentioned above, you can apply a formula of your choosing to such a phrase.
What's your password strategy? Do you use a password manager, a sticky note, or keep it in your head? Your thoughts on this topic are welcome. Post your comment or question below...
This article was posted by Bob Rankin on 22 Nov 2019
Copyright © 2005 - Bob Rankin - All Rights Reserved