How Hackable is Your Password?

Category: Security

Over the past few decades, password rules have become more complicated and burdensome upon users. Users have coped with arbitrary, complex password rules by creating the most easily remembered passwords that comply with the rules, changing them when required in minor, predictable ways, and reusing compliant passwords on multiple online accounts. The results include lots of frustration and LESS security. Here's how to do it right...

Everything You Know About Passwords is Wrong

A typical website now requires you to create a password at least 8 characters long that includes at least three or four types of characters: upper-case, lower-case, numeral, and special characters such as !, @, #, etc. In most cases, the resulting password is *exactly* 8 characters long, begins with an upper-case character, and ends with an exclamation point or the numeral “1.” Often it’s a recognizable name associated with the user, such as a child’s or pet’s name. If a password needs to be changed, it’s often only the last character that’s changed, and in a predictable fashion, i. e., “1” becomes “2,” “!” becomes “@,” etc.

Hackers know these official rules, and the de facto rules that users have created to comply with the least effort. Thanks to a regular parade of data breaches, they have billions of stolen passwords from which to figure out the rules, and they incorporate the rules in password-cracking software to make it more efficient. They also have massive computing power that can try billions of possible passwords per hour. The upshot is that most passwords actually in use can be cracked in a matter of hours.

You might be wondering how these password cracking tools can work so quickly. They don't operate by repeatedly trying to login to your favorite website. That would get them locked out in short order. Instead, they focus their attention on password databases stolen from compromised web servers. Here's an eye-opening article on how password crackers work.

battery stapler

Interestingly, I just found an article describing how the 40-year-old passwords of some Internet pioneers were cracked. It wasn't just that their circa-1980 passwords were weak, but rather that the methods used to protect them turned out to be ineffective, given the march of time and technology. The hashed (weakly encrypted) passwords of some of the creators of the Unix operating system were included in publicly available source code. At the time, there wasn't sufficient computing power to decrypt those hashes in their lifetime. But in 2019, a password-cracking appliance fitted with 10 GPUs can do it in a few hours.

One solution to human predictability is password-generating software that produces longer, more random passwords, and password-management software that remembers what site a password goes with. These functions may be combined in one software package, such as Roboform, Dashlane or LastPass.

Another solution to remembering strong passwords is mnemonic - a sentence that’s easily remembered because it makes grammatical sense, and which contains the characters of a password that can be extracted by applying a simple rule. For instance, a password might be the first letters of the sentence, “My horse knows how to use 2 pink staple guns.” In fact, that whole sentence would make a virtually impenetrable password, if the official rules allowed spaces.

This geeky cartoon from XKCD.com illustrates the difference between passwords as they are and as they could be, if sysadmins allowed it. Following the official rules results in a password that’s easily cracked in 3 days, while the phrase, “correct horse battery staple” takes 550 years, far longer than any hacker cares to spend.

What About Those Password Strength Meters?

I still remember that my first password in high school, circa 1977, was "HEL-N703,MTH". And this password strength checker says it would take about 11,000 years to crack using today's technology. Of course, that old mainframe, and the Model 33 Teletype that I used to cause a bit of trouble are now ancient relics. Read more about those days in my bio, here.

Research has found that users will create stronger passwords if they receive feedback about password strength as they create a password. But so-called “strength meters” often measure only compliance with rules instead of statistical strength, according to researchers at Carnegie-Mellon University. The CMU geeks have created a strength meter that uses a powerful neural network to calculate the true strength of a hypothetical password on the spot, and even explains what’s wrong with your password creation strategy. The rules they recommend are:

  • At least 12 characters per password
  • Capitalized and special characters in the middle of the password, not at ends
  • No names associated with pets or sports teams
  • No song lyrics
  • Avoid the word “love” in any language
  • Avoid patterns such as “123,” including keyboard patterns (“qwertyasdfg”)

I advise using a password generator/manager wherever possible. They’re getting better at circumventing the security-limiting roadblocks that some website owners think are important. And because they generate long, strong passwords that don't need to be remembered, you are better protected in the event that one of your favorite websites will be hacked, and the encrypted password database subjected to torture by one of those high-tech password-cracking appliances. They'll go for the low-hanging fruit long before your randomized 42-character password is squeezed out.

If you prefer not to use password software, a memorable phrase is the next best thing. In the past, I've used the first sentence from the first paragraph of a certain page in an old book. For example, on page 67 of "The Autobiography of Benjamin Franklin," I found the phrase "There are Croakers in every country." It's memorable, and it makes for a super-strong password. Or as mentioned above, you can apply a formula of your choosing to such a phrase.

What's your password strategy? Do you use a password manager, a sticky note, or keep it in your head? Your thoughts on this topic are welcome. Post your comment or question below...

 
Ask Your Computer or Internet Question

  (Enter your question in the box above.)

It's Guaranteed to Make You Smarter...

AskBob Updates: Boost your Internet IQ & solve computer problems.
Get your FREE Subscription!


Email:

Check out other articles in this category:



Link to this article from your site or blog. Just copy and paste from this box:

This article was posted by on 22 Nov 2019


For Fun: Buy Bob a Snickers.

Prev Article:
Geekly Update - 21 November 2019

The Top Twenty
Next Article:
Sockets, Caches and Cores, Oh My!

Most recent comments on "How Hackable is Your Password?"

(See all 23 comments for this article.)

Posted by:

Pennalynn
22 Nov 2019

I use my pets' nicknames, which are gibberish first and last names (think "Mic Cheedle"), I capitalize the first and last names, and then add a combination of letters, numbers, and symbols that have no meaning. I also make the password at least 15 characters long.


Posted by:

Doug W.
22 Nov 2019

I've hesitated to use password generator software. What if that software crashes or gets a bug? Then you won't know any of the passwords it stored for you and you are locked out of all your websites. I can't trust any software to work flawlessly.


Posted by:

Gene
22 Nov 2019

I use Blur by Abine, have for years. You can customize the length of the passwords, the sort of characters you want (some sites are picky), it can even generate a standalone password for those sites that won't let you automatically generate one using a password manager, there are some that are like that, just go into Blur and generate a password, then add that to the new site, edit your Blur record to include whatever else you need and you're set.

And their customer support is absolutely outstanding for premium users, there is a free version too. I know it is not widely known and others get a lot of attention, but this one is really good and I don't mind that others have better name recognition, I consider that another strength actually. It also tells you if you've reused a password, which we all did in years gone by and gives you a chance to rectify that. Very satisfied with this program. :^)


Posted by:

jcm
22 Nov 2019

The best strength meter I've found is the Gibson Research Corp. I use it to check all my passwords.
https://www.grc.com/haystack.htm


Posted by:

John Wood
22 Nov 2019

For years I have used Password Corral to keep track of all my passwords. It stores all your passwords as an encrypted file every time you exit. You only need to remember one key password to open it.


Posted by:

Richard
22 Nov 2019

The original crypt algorithm in UNIX had a maximum length of 8 characters and stored the salt in the first 2 characters of the encrypted password making cracking much easier. And while the file storing passwords was secured from easy snooping the NIS protocol to centralise the database opened it all up again (ypcat passwd). NIS+ hid that data from normal users but never caught on.

One of the issues with secure passwords in some situations is that somehow regular password changes is a "good idea" but actually leads to weaker passwords that qualify and have minor pattern changes each change. Much better to enforce strong passwords and leave them alone unless a breach or similar indicates changes.

I use LastPass, paying for Premium. I can share logins without making the password visible if needed and it allows generation of one time password sheets and other recovery mechanisms if you forget your master password. I don't put my main banking ID in there but most other systems are, where allowed 20+ random character passwords.


Posted by:

Linda
22 Nov 2019

I've used LastPass as my password manager for years. I also maintain a locked, password-protected Excel spreadsheet that lists all my websites, usernames, and passwords as a backup just in case. An up-to-date printed copy of the Excel spreadsheet is inside my safety deposit box for my will's executor in case of my untimely death as well.


Posted by:

Mike Hamilton
22 Nov 2019

For many years I have used RoboForm successfully. It has always worked well but is also continuously being improved.

There is currently only one thing that still bothers me—all the sites adding an "m" to the URL for mobile sites. That requires opening the list of passwords and choosing the password for the desktop site, which always works but takes a lot longer to complete.


Posted by:

Anthony
22 Nov 2019

Since I use a password manager and therefore only need to know a few passwords (one for the password manager, one to log onto my computer, and a couple of others), I just make them random gibberish. Since I type them in every day, there's no concern that I'll forget them. Focus on making a password that's easy to TYPE, since that is your main interaction with it. Any password is easy to remember if you type it every day.


Posted by:

RandiO
22 Nov 2019

Another great article about a topic that we need to hammer into our collective brains and often.
Thank you, Mr. Rankin, for all your continual efforts to keep us safe (and secure) from our own foibles.
I keep hoping that some day you would give the Keepass password manager an honorable mention. I guess with over 482 unique password entries in my personal KeePass copy, I may be ardent about this OpenSource offering, which has been around for at least 15 years.


Posted by:

MartinW
22 Nov 2019

Just opened my LastPass vault. 837 stored passwords. Some of the "early" ones (some for defunct sites or ones I haven't visited in years) are either very simple or duplicates, though. I really should do something. Someday.


Posted by:

Karena
22 Nov 2019

I also use and recommend KeePass - though, I'm sure any of them would work fine. For those concerned with software bugs/crashes, like Doug: keep a backup! I have several electronic backups and I feel fine with that, but you can always print them out and stick them in your safe (or other secure location), too. I strongly feel that any tiny potential risk of using a password manager is overwhelmingly outweighed by the security (and convenience!) that they provide.


Posted by:

Ken H
22 Nov 2019

All good advice, though I have seen no indication that Dashlane is "getting better at circumventing the security-limiting roadblocks that some website owners think are important." It is for this reason that I often only enable letters and capitals and numbers. Dashlane tends to use so many different special characters that are almost universally forbidden.


Posted by:

Tearlach
22 Nov 2019

I am multi-lingual and make passwords from mass ups of different languages. It seems to work as I have never been hacked, even when working with Homeland Security.


Posted by:

Brian B
22 Nov 2019

I use LastPass, but of late, I am getting more concerned about putting my passwords in cyberspace. I tested my most recent password with the Gibson Research Corp and it came up time to exhaustively search its space was a minimum of 1.41 hundred million centuries. Unless I'm missing something, that sounds pretty secure to me. What I'm thinking now is would that be secure enough to use on ALL my login sites.


Posted by:

mjp179
22 Nov 2019

I wonder about the Password security of using a random password-generating software.
-Suppose my Password to it gets hacked, all of my Passwords are revealed.
-Suppose I get shut out from my random password-generating software, how will I get into all my Password protected websites?
-Can I safely store all those random password-generating software generated Passwords securely elsewhere, as a Backup?


Posted by:

Granville Alley
23 Nov 2019

@Brian B, the problem with using the same Password everywhere is not the strength of your password, but rather the fact that by doing so you are exposing all the places you log into to the lowest common denominator of the website of company with the weakest security for their PassWord Database.

This is a risk, I personally am unwilling to take. If point of fact I would argue that this is basically a guarantee that your PassWord will end up in common hacker databases of known passwords. If the companies that you are logging into do not properly encrypt, maintain encrypted their password databases using encryption that is sufficiently secure.

You are basically betting all your security on the least secure company or website you log into.


Posted by:

MikeW
23 Nov 2019

I was shown Password Corrall many years ago, and I've used it ever since. An excellent tool. Yes, like all software, there are risks in using it, but a bit of common sense and a regular back-up of the encrypted associated file mitigates that to an accetable level. And it is far better than relying on memory or mnemonics! Oh, and it's free.


Posted by:

Joel
24 Nov 2019

If the organizations that require passwords, and who doesn't any more, would give you three tries and then lock your account for a minute or two, hacking passwords wouldn't be a problem. It would take way too long.

EDITOR'S NOTE: As I mentioned in my article, that's not how they crack passwords. See the link I provided on that.


Posted by:

Therrito
25 Nov 2019

I went to the Password Strength Checker you had mentioned and it would take 3 million years to crack my weakest password. I think that my passwords are, for the time being, safe from h@ckers. :-)


There's more reader feedback... See all 23 comments for this article.

Post your Comments, Questions or Suggestions

*     *     (* = Required field)

    (Your email address will not be published)
(you may use HTML tags for style)

YES... spelling, punctuation, grammar and proper use of UPPER/lower case are important! Comments of a political nature are discouraged. Please limit your remarks to 3-4 paragraphs. If you want to see your comment posted, pay attention to these items.

All comments are reviewed, and may be edited or removed at the discretion of the moderator.

NOTE: Please, post comments on this article ONLY.
If you want to ask a question click here.


Free Tech Support -- Ask Bob Rankin
Subscribe to AskBobRankin Updates: Free Newsletter

Copyright © 2005 - Bob Rankin - All Rights Reserved
Privacy Policy     RSS/XML


Article information: AskBobRankin -- How Hackable is Your Password? (Posted: 22 Nov 2019)
Source: https://askbobrankin.com/how_hackable_is_your_password.html
Copyright © 2005 - Bob Rankin - All Rights Reserved