Passwords - Complexity < Length

I'm revisiting the topic of password security today because it's essential to understand why passwords exist and how having a weak password can bring a world of pain.

Many services that you have signed up for have password complexity requirements. Something to the effect of:

  • At least 8 characters
  • 1 Uppercase
  • 1 Lowercase
  • 1 Numeric
  • 1 Symbol

Why the complexity?

In short, the service is following a password "standard" by not allowing you to create an utterly useless password. However many services aren't doing very complex checks to see if your password is actually secure. Guess what password meets the above requirements: "Password123!" While a computer can generate words very very quickly (we're talking in the order of millions of words per second), a computer with no knowledge of the English language could theoretically take somewhere around 34 thousand years to crack that password.

But wait a minute, theoretically - is that what happens in the real world? Do hackers task computers with computing entire word-spaces for a given set of characters? No.

Length is king, not complexity

Hackers know that people generally don't pick incomprehensible gibberish for passwords. We use words that tend to make sense; maybe they have personal meaning to us or are just random words out of the dictionary. When performing password-cracking, hackers use dictionaries and other recognizable patterns like:
  • adding symbols/numbers to the start/end of a password
  • common substitutions like '3' for 'e' or '0' for 'o'
  • previously breached password lists (other people's passwords)

Password security is about making sure you are not among the "low-hanging fruit" of a breach.

Here's a hypothetical series of events of what a pernicious person with hacking skills may try to do.
  1. Your favorite online marketplace gets breached by an unknown party.
  2. The user database is dumped including your password hash (not your actual password, which is "Summer2017!"; the unsalted SHA-2 hash of this password is 7DF93F9233D7EA3BFA77DEAFDADC51E9D540944158A7727372DC8AF9A95F585B).
  3. Somebody makes that dump available to the public (aka "leaks" it).
  4. Sup4l33th4x0r95 (aka John Doe) finds the dump and decides to try cracking the hashes that were dumped. He is essentially telling a computer to guess passwords until the hash matches yours.
  5. Since he has a seriously beefy password-cracking machine and a basic working knowledge of human behavior, he is able to crack your password in less than a minute since you used a common password pattern - Season+Year+Number/Symbol.
  6. John then uses this password to check other major services that he thinks you're likely to use - Google, Facebook, LinkedIn, and now that he knows you use a seasonal pattern, he can try older years if "Summer2017!" doesn't work.
  7. Once he gains access to your email or other accounts, he can use this as a way to expand the number of victims of his cybercrime. His options are virtually limitless if he can make sure you're unaware of your accounts having been compromised.
Fortunately many services offer two-factor authentication, and additionally will notify you if someone signs in from an "unrecognized" device, however this is still not the case for many well-known services.

The solution (to not being part of the low-hanging fruit)

The best solution is to use a password manager. Generate random passwords that are 15 or 20+ characters in length - the longer the better.

For the few passwords that you must remember, use a passphrase (a more specific type of password that consists of a sentence including spaces). Make that passphrase nice and long! "Cute and cuddly kittens 1!" is actually stronger than "[email protected]&oZ#Ks&Z", and it has the added bonus of being easy to remember. However, recall that reusing the password on another service increases your attack surface. A couple more reminders before you go:
  • Use a different password on every account. 
  • Avoid using personal information or common password topics and patterns (e.g. dates, sports teams, seasons, any semblance of "password").
Thanks for reading. Be safe.


NIST SP 800-63B


photo credit: Tom Simpson 1938 Lone Ranger Butter-Nut Safety Club Card Secret Code via photopin (license) photo credit: Christoph Scholz Hacker mit Einsen und Nullen - Nahaufnahme via photopin (license)


Popular posts from this blog

How someone tried to phish me

Google's "Smart Lock" and Android Autofill

Botnets and DDoS attacks - What are they?