Passwords You Say?
Passwords. The bastion of authentication. Defenders of data. Bane of those shadowy figures wearing hoods and ski masks in darkened basements whilst attacking your servers. Passwords protect your secrets, but how effective are they really?
Plenty of articles have been written on the short-comings of passwords — mainly around complexity, reuse, expiry, and how these additional “controls” may not truly solve the problems inherent to passwords. I will touch on these, but in the spirit of education I felt a duty to provide context and to answer the inevitable question one hears when they enact some new policy or control in the security world: “Why?”
I will start by saying that, in my humble opinion, passwords are here to stay — in one form or another. “What about biometrics?” you may ask — to which I will reply with another question: “What happens when your fingerprint is stolen?”. You can easily change a password. You can’t (easily) change your fingerprints. What about the tokens used in two-factor authentication? Couldn’t we simply just use those instead? Yes we could, but they can be lost or stolen, and can be expensive relative to a password. Economically speaking, we would have to see executives, as a whole, start taking security a lot more seriously if that is to happen.
So, for now, let us say that passwords will be with us for the foreseeable future. Maybe I’m wrong and some new technology will supplant passwords as the de facto standard — but for now they are here and we have to deal with them.
Now, Let us take a look at the current “state of the art” of passwords.
Password policy varies from organization to organization, but in general they seem to follow the lines of NIST SP-800 53’s example. Don’t know what NIST SP-800-53 is? Not to worry, it’s the US Federal Government’s catalogue of controls for “information systems” (aka: software systems, etc.).
In other words, it’s a list of things you need to do security-wise if you want to play ball with the US Feds. It’s good practice to do much of this if you are in the private industry as it’s a crazy world out there with crazy-hooded-masked-basement-dwellers around every corner.
So what does NIST SP… bla bla bla … say? It’s quite simple actually. It wants your passwords to:
- Have a mix of upper-case letters, lower-case letters, numbers, and/or special characters (symbols and such) (Usually 3 of the 4)
- Have a minimum password length (Usually 8+)
- Not be the same as your last password (Some say “can’t be one of your last 10 passwords” or so)
- Expire after some period of time (Usually 60 or 90 days)
NOTE: There are a few other requirements, but they don’t directly relate to password complexity so I’m leaving them out. If you really want to check it out, here’s the NIST SP 800-53 standard (pdf). It’s on page 253.
So what passwords fit this criteria?
Why is this important? Because adding complexity makes it hard to guess — in a way. What it actually does is make it hard to do what is called “brute-force”. That simply means to check every possible combination of values.
Time for some math. I promise it won’t be too much.
Let’s look at our criteria again:
- Upper, lower, number, symbol
- There are 26 upper-case letters (English alphabet)
- There are 26 lower-case letters (English)
- 10 numbers (0, 1, 2, 3 ,4, 5, 6, 7, 8, 9)
- 16 symbols (~!@#$%^&*()_+,.?) (Yes I know there can be more but I had to choose)
- TOTAL = 26 + 26 + 10 + 16 = 78 possible “characters” for each position in the password
- Minimum password length
- Assume this is 8 (can be longer, set by policy)
- Not the same as your last password(s)
- Doesn’t affect complexity
- Expires after 60 or 90 days
- Will affect how long we have to crack the code!
With all this, we can calculate how many possibilities there are in this 8-character password:
78 x 78 x 78 x 78 x 78 x 78 x 78 x 78 = 78^8 = 1,370,114,370,683,136 possible passwords
That’s a lot! Even with some decent-powered computers this would take a long time to go through. But a hacker is smarter than that. They know that it’s not worth trying every combination — especially on a live system where an increase in traffic might get noticed.
So they think about how people choose their passwords instead.
A Hacker’s Approach to Passwords
Hackers aren’t going to brute-force the passwords. There are just too many possibilities. They are going to use their brains. They’re going to think about how you choose your passwords. They see the standards too! They know you have to change them. They know the complexity requirements. But they also know that it is hard to remember lots of passwords. They take advantage of this by:
- Looking at “Common Password Lists” that are occasionally published
- Looking at common themes:
- 60-90 day password changes are around the time of Fall, Winter, Summer, and Spring
- Fun Fact: ‘Fall’, ‘Winter’, ‘Spring’, and ‘Summer’ come up in passwords
- Use of a year range — usually at the end of a word. For example: Winter2018
- Or, if they know it, your birth year or date in different formats
- Common substitutions of numbers for letters. For example: W1nter2018
- General words with numbers at the end. For example: Test1234
- Noticing that most passwords start with a capital letter and end with one or more numbers
- Noticing that people use the same or similar passwords for other accounts
- If another account get hacked, they will look for published password dumps and try those
These are a lot of rules, but let’s take a look at just the “common password list” one.
If the list has 100,000 of the most used passwords, the hacker is expecting to have decent luck and will only have to try 100,000 times per user. That’s far better than the 1,370,114,370,683,136 possible passwords per user we calculated earlier.
Sadly, in many cases this is as far as the hacker has to go to get into a system. Common passwords are published as “common” for a reason. They are out there in numbers.
Let’s take a look at another few rules.
“Starts with a capital, ends with a number” (Ex: Testing1)
The hacker can brute-force using this rule to reduce the possibilities, but brute-forcing will always be their slowest option. They are more likely to use a pre-existing dictionary of words and apply this rule to those words. For example, let’s say that the hacker obtained a dictionary of the top 100,000 words in the English language that are 7 characters or more in length. Then they apply their rule to it:
“abashed” becomes Abashed1, Abashed2, Abashed3, Abashed4, Abashed5, Abashed6, Abashed7, Abashed8, Abashed9, Abashed0 and so on.
We add 10 words for every one word in the dictionary since we are adding a number to the end. If there are 100,000 words in the dictionary, this rule will have 1,000,000 possibilities.
This is a very effective method to guess passwords when a hacker has no other information to go by.
Seasons or Trends
Similar to the “dictionary” method above, except our list of words consist of only Winter, Fall, Summer, and Spring (Or some other noticed trend). The hacker may try a variety of date ranges on the end to try and find old passwords too. For example:
Winter2015, Winter2016, Winter2017, Winter2018, Winter2019
This is quick and dirty, but sometimes works. This is an attack that may even be done manually (no scripts or automation). If a hacker sees a username and password portal, they may try these out (along with username:password combinations such as admin:admin, admin:<blank>, root:admin, etc.)
Fun fact: After the Equifax breach it was found that one of their servers had the admin:admin username and password combo. It works because it is still used. Hackers know.
NOTE: Hackers will also think about who they think you are. If your email is email@example.com, they might just passively try semperfi as the password (US Marine’s motto). Or batman. For some reason the password batman is always in password dumps. Odd. Or awesome. Not awesome. Choose better passwords.
Ultimately, the hacker is going to try and think of ways that people try and remember passwords — because those methods also make it easier to guess. So if the only good password is one that is hard to guess and it seems that our techniques to remember them are making things worse, what do we do?
I’m glad you asked.
How Can We Make Better Passwords
The examples above are guessable because they aren’t random. If you had a truly random password there would be no patterns and it would be hard to guess. The problem with this is that it would also be hard to remember. Enter the password manager.
The password manager … wait for it … manages passwords! Now you only have to remember one strong password and it will deal with the rest — better yet, add two-factor authentication for that added kick. +1 to awesome!
In addition to storing and managing your passwords securely, some password managers also give you the ability to auto-generate strong random passwords for you, enter them when needed, and update them when your password expires. Very nice indeed!
Don’t Use Predictable Patterns
If you can’t (or don’t want to) go down the password manager route, you can always just up your password-making game, but know this:
- Common substitutions are almost as easy to guess as if they were just the normal character/letter
- Don’t follow a predictable pattern such as a single word that starts with a capital letter, then followed by some numbers. You’re better than that.
- Never use the seasons as part of your password — They are one of the first few passwords guessed
- Know what the top passwords used are (they get published from password breaches) and make sure your passwords don’t follow any of those patterns
- If your password expires, don’t make the new password the same as your old password just with a capital or number or other slight change
- Where possible, use two-factor authentication (AKA: 2FA)
NOTE: Adding 2-factor authentication is good, but the solutions aren’t all equal: Getting a text is the weakest 2-factor authentication you can have. It is better than nothing, but not by much. You can buy a physical token but this has an added cost. It’s ultimately about economics… and how tinfoil-hatty you are.
There has been some discussion that points towards passphrases as a way forward. A passphrase is an entire phrase (as in multiple words) as opposed to a simple password (which is a single word). A passphrase will be longer and include multiple words that make simple dictionary methods fail. They will also be easier to remember.
It is my hope that in this journey through the darkened minds of hooded deviants you are able to think a little like them when you choose your next password. Don the tinfoil hat with pride. And know that your data is just a little bit safer because of it.