Tuesday, July 28, 2015

Your password isn't as strong as you think

Your password may not be as strong as you think it is

How strong is your password?

You've heard the recommendations: mix uppercase and lowercase letters, add in a number or two, and if you're really on the ball, add a "special character." Something like 16F^umQcb makes use of all four categories and is suitably random; as 9-character passwords go, it's pretty strong.

Guess what?

Austin15! uses all four categories too. So do Fall2015$ and IL0veTX<3. If a website shows a "password strength meter" when you create or change a password, more than likely it will deem these passwords pretty good despite the obvious patterns.

Unlike my random example earlier though, these examples follow a predictable pattern: a word from the dictionary, possibly changing a letter or two, with a couple of digits and punctuation marks thrown in for good measure. We humans are pretty predictable: we tend to use the same patterns.

A 9-character password randomly selected and using all four categories (upper, lower, digit, special) takes some work to crack. Exactly how much work depends on how many special characters a particular site allows, but just for argument sake let's say a site allows the following: ! @ # $ % ^ & * ( ) + = and .

With those characters, there are approximately 75 quadrillion possible unique passwords (that's 75 with 15 zeros, or 75 million billion). That's a big number.

Computers can test many passwords per second, but still it takes time to test that many passwords.

Password cracking specialist Rick Redman gave a talk to the professional organization ISSA in Austin (full disclosure: I am a board member for the Capital of Texas chapter of ISSA) in which he talked about real-life examples of breaking into user accounts for Fortune 50 companies (with permission, of course!). While that talk was not recorded, he covered much of the same material in a talk at the DerbyCon security conference a few years ago. That 45-minute talk is available on Youtube.

Rick's research shows that a 9-character truly random password stored in Windows might take about 9 weeks to crack. That metric is about 2 years old, so newer and faster computers might cut that in half, but still we are talking about over a month to crack a single password. Unless you personally are a highly valued target, few crooks are going to invest that kind of time breaking into your account. They'll move on to someone else pretty quickly.

But that is only true for truly random passwords. Humans are terrible at randomness. By focusing on the top patterns people follow, Rick showed that he could crack a majority of actual 9-character passwords - in a security-conscious company - in just a few hours. At some businesses, he could break half of passwords in less than 20 minutes, all using a basic run-of-the-mill computer.

Humans are far too predictable.

That's why I don't trust myself to make up my own passwords.

Here are some recommendations:

  1. Use a unique password for every web site. By using different passwords for each site you ensure one lost passwords means one site compromised instead of every site compromised. At a minimum, use unique passwords for sites that are important to you (sites you would be disappointed to have stolen), but keep in mind that a determined criminal might piece together details about you from a combination of "throwaway" accounts. If you follow the next two recommendations as well, there really is no reason not to use unique strong passwords for everything.
  2. Remembering dozens if not hundreds of unique passwords is an exercise in futility. So don't even try. Let a computer do it for you - use a password manager or password vault - a computer program that securely stores all your passwords, and automatically brings up the right password when you want to log in to a website.

    Password managers fall into two basic categories - cloud-based solutions where your password vault is stored on a web server and thus easy to share among multiple devices; and offline solutions where the vault is stored on your local computer. Each has its own pros and cons; I discuss a few of the most popular ones in a previous post.
  3. Let the password manager make up passwords for you. Human nature is human nature: we all have patterns we like to use, whether consciously or subconsciously. Those patterns can be predicted. A password generator will come up with truly random passwords, eliminating any chance of subconscious patterns.

    Since you are letting the computer make up and remember passwords for you, you might as well let it create the strongest password that a website will allow. It is no more difficult to create and store 25 character passwords than it is to create 8-character passwords (assuming of course that the website allows a long password!) Every password manager that I know of has a built-in password generator.
  4. While not directly related to password strength, a fourth recommendation pertains to the overall protection against a criminal gaining unauthorized access to your accounts. Where possible, enable two-factor or two-step authentication. 2FA involves both something you know (your password) and either something you have (commonly your phone) or something you are (such as a fingerprint). A previous post talks more in depth about two-factor authentication, but suffice to say that it makes it exponentially harder for a crook to break into your account.
A few simple habits can make a world of difference in protection yourself from the most common password mistakes!

If you found this post to be helpful, why not share it with a friend?

Brief update: most security experts recommend password managers, but a few websites foolishly block pasting passwords into the login fields, making it inconvenient to use a good password. WIRED has a great story explaining to website developers why that is a bad move.

Another update: SANS trainer Lenny Zeltser wrote an article on password managers for the October 2015 edition of the Securing The Human "Ouch" newsletter. The link above is to the English language edition (downloadable PDF file); other languages are available at https://www.securingthehuman.org/resources/newsletters/ouch/2015

Do you have something to add? A question you'd like answered? Think I'm out of my mind? Join the conversation below, reach out by email at david (at) securityforrealpeople.com, or hit me up on Twitter at @dnlongen