Passwords - Complexity < Length



I'm revisiting the topic of password security today because it's essential to understand why passwords exist and how having a weak password can bring a world of pain.

Many services that you have signed up for have password complexity requirements. Something to the effect of:

  • At least 8 characters
  • 1 Uppercase
  • 1 Lowercase
  • 1 Numeric
  • 1 Symbol

Why the complexity?

In short, the service is following a password "standard" by not allowing you to create an utterly useless password. However many services aren't doing very complex checks to see if your password is actually secure. Guess what password meets the above requirements: "Password123!" While a computer can generate words very very quickly (we're talking in the order of millions of words per second), a computer with no knowledge of the English language could theoretically take somewhere around 34 thousand years to crack that password.

But wait a minute, theoretically - is that what happens in the real world? Do hackers task computers with computing entire word-spaces for a given set of characters? No.

Length is king, not complexity

Hackers know that people generally don't pick incomprehensible gibberish for passwords. We use words that tend to make sense; maybe they have personal meaning to us or are just random words out of the dictionary. When performing password-cracking, hackers use dictionaries and other recognizable patterns like:
  • adding symbols/numbers to the start/end of a password
  • common substitutions like '3' for 'e' or '0' for 'o'
  • previously breached password lists (other people's passwords)

Password security is about making sure you are not among the "low-hanging fruit" of a breach.

Here's a hypothetical series of events of what a pernicious person with hacking skills may try to do.
  1. Your favorite online marketplace Etsy.com gets breached by an unknown party.
  2. The user database is dumped including your password hash (not your actual password, which is "Summer2017!"; the unsalted SHA-2 hash of this password is 7DF93F9233D7EA3BFA77DEAFDADC51E9D540944158A7727372DC8AF9A95F585B).
  3. Somebody makes that dump available to the public (aka "leaks" it).
  4. Sup4l33th4x0r95 (aka John Doe) finds the dump and decides to try cracking the hashes that were dumped. He is essentially telling a computer to guess passwords until the hash matches yours.
  5. Since he has a seriously beefy password-cracking machine and a basic working knowledge of human behavior, he is able to crack your password in less than a minute since you used a common password pattern - Season+Year+Number/Symbol.
  6. John then uses this password to check other major services that he thinks you're likely to use - Google, Facebook, LinkedIn, and now that he knows you use a seasonal pattern, he can try older years if "Summer2017!" doesn't work.
  7. Once he gains access to your email or other accounts, he can use this as a way to expand the number of victims of his cybercrime. His options are virtually limitless if he can make sure you're unaware of your accounts having been compromised.
Fortunately many services offer two-factor authentication, and additionally will notify you if someone signs in from an "unrecognized" device, however this is still not the case for many well-known services.

The solution (to not being part of the low-hanging fruit)

The best solution is to use a password manager. Generate random passwords that are 15 or 20+ characters in length - the longer the better.

For the few passwords that you must remember, use a passphrase (a more specific type of password that consists of a sentence including spaces). Make that passphrase nice and long! "Cute and cuddly kittens 1!" is actually stronger than "kh@&oZ#Ks&Z", and it has the added bonus of being easy to remember. However, recall that reusing the password on another service increases your attack surface. A couple more reminders before you go:
  • Use a different password on every account. 
  • Avoid using personal information or common password topics and patterns (e.g. dates, sports teams, seasons, any semblance of "password").
Thanks for reading. Be safe.

References

NIST SP 800-63B


Credits

photo credit: Tom Simpson 1938 Lone Ranger Butter-Nut Safety Club Card Secret Code via photopin (license) photo credit: Christoph Scholz Hacker mit Einsen und Nullen - Nahaufnahme via photopin (license)

Comments

Post a Comment

Popular posts from this blog

Cloud Services - Friend or Foe?

Image
The question has arisen many times in my profession, and my friends and family have even asked me:  "Is it safe to store this information in the cloud?"  To answer this question, we need to understand what the cloud is. Then we need to determine what kind of information you intend to store, and how important it is that the information remain private. The "cloud" - what does this nebulous term mean? Understanding the cloud Let's make sure we understand what the cloud is not . You're reading this article on a device such as a smartphone, personal computer, or tablet. Your device is not part of the cloud, but it is a client of a server that is part of the cloud. A word on client vs server Suppose you go to your neighbor's house and knock on the door, but no one answers. Your neighbor wasn't expecting anyone, and they don't let strangers in. On the other hand if you visit a restaurant, usually a host or hostess will greet you and
Read more

How someone tried to phish me

Image
A couple of weeks ago I received an email that looked like this. This email went straight to my spam folder which I check occasionally to make sure I don't miss anything important. This particular email appeared to have come from one of my relatives. Let's see what's inside the email. I have obfuscated the actual email address because it is the first and last name of a relative. So the email came from someone[at]kkfi[.]org. I don't recognize that domain, but a quick lookup tells me it belongs to a radio station. Checking the hyperlink in the email body, I found that only one Antivirus vendor has the link categorized as phishing. But one bad verdict was enough for me to not visit the link. You can see the verdict  here . So why did someone at a radio station try to phish me? Well, actually it's likely that it wasn't an individual at the radio station but someone else who abused their domain and/or mail server. Let's dig so
Read more

Google's "Smart Lock" and Android Autofill

Image
Have you ever heard of Google's " Smart Lock "? When I first discovered Smart Lock, it was just a feature of Android that allowed your device to remain unlocked as long as certain conditions were met - such as being at a specific location (say, at home), the front camera recognizing your face (you mean "Face ID" has been around for a long time? yes, and it never worked well and still doesn't work well, even on iPhone), your phone being on your body, or connected to a trusted device. Recently Google has added another piece of functionality to Smart Lock called Smart Lock for Passwords. I first noticed this inside the Netflix application probably one or two years ago when I was offered to automatically sign in because my login info at the time was saved in my Google Chrome password manager, but no other apps that I used regularly seemed to have this new functionality. Looking at the developer page for this feature, it makes sense as to why since it ap
Read more