
Friday, 10 Apr , 2015

UPDATED: Passwords – Long? Strong? Keep Getting It Wrong?


Passwords are back in the news thanks to Ed Snowden and a certain French media outlet. As the 2014 Worst Password List shows, length really does matter. Why not have a read.

At the time I wrote this passwords were in the news thanks to Mr Edward Snowden and a certain French media outlet. Ed cautions us to assume the big bad guys can make at least 1 Trillion guesses per second and even went as far as suggesting a secure example:

As for the French…there are a few folk suggesting the reported ISIS takedown of TV5Monde may have been helped by videos. Not just any videos. Ones broadcast by the TV channel featuring passwords on post-it notes in the background.

Unbelievably they’re not the only ones to have done that. This ITGovernance article highlights 3 other embarrassing password reveals…less said about that the better me thinks.

Then there’s the overwhelming evidence that people just make poor password choices:

In this report on worst passwords of 2018, the #1 and #2 spots were STILL “123456” and “password” (yes REALLY!). The list was put together from the millions leaked last year: passwords that get posted on hacker sites to inform development of cracking tools.

But just today that got Trumped – pun ENTIRELY intended – as you saw from the tweet at the top. But never fear, lots of help is here, so you don’t get caught with your password pants down (also very topical for October 2020 as it transpires). 


The graphic is from Stanford’s IT Service department, giving user friendly advice on creating a passphrase. Some folk (like Snowden) will suggest including numbers, special characters and upper case letters, but that’s down to what you are setting a password for.

The same goes for businesses. They have to work out their user recall/complexity/support overhead equation – e.g. if no-one remembers them, that racks up one heck of a lot of lost productivity and helpdesk effort.

Whether you go Snowden or Stanford this represents a far better place to be (thanks to Al Berg – @alberg – and his Paranoid Prose blog for finding it).

Why does doing LOTS better make sense?

Because there’s an ever increasing amount of processing power available to crack passwords. Even complex ones (if they’re short) are vulnerable. We’re not just talking about pure brute force attacks, e.g. trying all available characters in every possible combination. There are shed loads of shortcuts that tools can leverage, even if you’re trying quite hard to be safe. Things like:

  • Dictionary attacks – not quite as obvious as it sounds, but it is a digital list of words and other common character strings folk like to use. If in any doubt about how simple some people’s passwords are, do check out that SplashData list. You’d also be amazed how similarly people think when it comes to making up passwords (as this Psychology Today article shows). Unlike a pure brute force attack this focuses on the guesses most likely to get a result and will probably include stuff like:
  • Common substitutions – did you think p@55w0rd was good enough? Nope. If it’s an easy substitution of a special character or number for you to remember, then it’s programmed into a cracking tool somewhere (just between you and me, the wireless password for a world famous institution was a very simple substitution password, but pointing that out didn’t prove very popular).
  • Progression patterns – got a favourite password you recycle by adding 1 then 2 then 3 to the end of it when you have to change it? Not recommended. If anyone harvested that password from anywhere they’re probably wise to that trick.
  • Keyboard patterns – here’s an Imgur video of the 20 most common keyboard patterns used as passwords. This info was harvested from 10 million that were leaked. A really simple thing for a password cracker to add to their dictionary.
  • Common ways around basic complexity rules – these are fairly standard (e.g. one uppercase, one numeric, one special character). Something else cracking systems are aware of and can use to cut down the effort required to work passwords out.
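The shortcuts above are exactly what a sensible password policy check should look for before accepting a password. The following is an added example (not code from the original post) of such a check: it undoes common substitutions, strips a trailing “add 1, then 2, then 3” suffix, spots keyboard-row runs and flags token compliance with one-upper-one-digit-one-special rules. The word list and substitution table are small constructed stand-ins for the breach-derived lists a real tool would load.

```python
import re

# Constructed mini "dictionary" standing in for a SplashData-style list of
# common passwords; a real checker would load a breach-derived wordlist.
COMMON_WORDS = {"password", "letmein", "welcome", "football", "monkey", "qwerty", "123456"}

# Substitutions that cracking rule sets already know about (illustrative subset;
# "1" is mapped to "i" here, though it is also used for "l").
SUBSTITUTIONS = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                               "0": "o", "5": "s", "$": "s", "7": "t"})

# Keyboard rows: any run of 4+ characters along a row, in either direction,
# counts as a keyboard pattern.
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]


def has_keyboard_pattern(pw: str, run: int = 4) -> bool:
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - run + 1):
            chunk = row[i:i + run]
            if chunk in low or chunk[::-1] in low:
                return True
    return False


def weaknesses(pw: str) -> list:
    """Return the shortcut categories from the article that this password falls into."""
    found = []
    low = pw.lower()
    # Strip trailing digits/punctuation: the "password1, password2, ..." progression trick.
    core = re.sub(r"[\d!?.]+$", "", low)
    if core != low and core:
        found.append("progression suffix")
    # Undo p@55w0rd-style substitutions before the dictionary lookup.
    normalised = core.translate(SUBSTITUTIONS)
    if normalised in COMMON_WORDS or low in COMMON_WORDS:
        found.append("dictionary word" if core == normalised else "common substitution")
    if has_keyboard_pattern(low):
        found.append("keyboard pattern")
    # Capital letter, lowercase word, one or two digits, optional special: the
    # minimum that satisfies typical complexity rules, and the first thing tried.
    if re.fullmatch(r"[A-Z][a-z]+\d{1,2}[!@#$%]?", pw):
        found.append("minimal complexity-rule dodge")
    return found


if __name__ == "__main__":
    for candidate in ["p@55w0rd", "Monkey3!", "qwerty123", "correct horse battery staple"]:
        print(f"{candidate!r}: {weaknesses(candidate) or 'no shortcut found'}")
```

An empty result only means none of these shortcuts applies; it says nothing about length, which the entropy section below covers.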

How long is strong enough?


This is a password testing app where you can fire in whatever you think MIGHT make a good password to see how long it might take to crack. Take it with a pinch of salt, because it makes a fair few assumptions about available processing power and, unlike social engineers, it hasn’t got to know you, but it goes a fair way to underlining the point at the top. Maybe test a password or two similar to (BUT NOT THE SAME AS) yours. Also remember that all bets are off if your password gets stolen, unless you put something like 2 factor authentication in place (more about that below).

Going On The Offensive – You can always resort to abject smut to make your password more memorable. No-one should know, so what the heck. The only pitfall, if you’re an unconscious password mumbler, is the potential to get fired.

…and in case you were wondering, that Margaret Thatcher-o-phile password from Snowden stacks up like this

It would take a computer about 8 nonillion years to crack your password


And this is Trump’s:

16 hours


16 hours to brute force, or 5 tries to guess if you know something about Trump (according to the guy who “hacked” it).

The maths behind all this

For those in the trade, this article by Johannes Weber (@webernetz) unpicks the maths foundations of the well known xkcd password cartoon: Password-Entropy.
He convincingly recommends aiming for 80 bits of entropy (he also shows the best ways to up the number without pushing password limits too far). So we just have to keep everyone updated as the entropy/easy to access processing power equation evolves.
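To make the entropy figures concrete, here is an added example (my own, not from the linked article or the password testing app above) that computes entropy for uniformly chosen passwords and passphrases, the expected time to crack them at Snowden’s assumed 1 trillion guesses per second, and how many words or characters the 80-bit target needs. It assumes the xkcd cartoon’s 2048-word list (11 bits per word) and a 7776-word Diceware-style list; the crack-time figure is a pure brute-force estimate, so it is an upper bound that ignores every shortcut listed earlier.

```python
import math

GUESSES_PER_SECOND = 1e12          # "at least 1 trillion guesses per second" (from the article)
SECONDS_PER_YEAR = 365.25 * 24 * 3600
PRINTABLE_ASCII = 95               # characters a typical keyboard password can draw on


def entropy_bits(pool_size: int, length: int) -> float:
    """Entropy of a secret made of `length` symbols each chosen uniformly from `pool_size`."""
    return length * math.log2(pool_size)


def years_to_crack(bits: float, guesses_per_second: float = GUESSES_PER_SECOND) -> float:
    """Expected years to find the secret: on average half the keyspace must be searched."""
    expected_guesses = 2 ** bits / 2
    return expected_guesses / guesses_per_second / SECONDS_PER_YEAR


def symbols_needed(target_bits: float, pool_size: int) -> int:
    """Smallest number of words/characters from a pool that reaches target_bits."""
    return math.ceil(target_bits / math.log2(pool_size))


def summary() -> dict:
    """Worked figures: the xkcd 4-word passphrase versus the 80-bit recommendation."""
    xkcd_bits = entropy_bits(2048, 4)                     # the cartoon's ~44 bits
    return {
        "xkcd_4_words_bits": xkcd_bits,
        "xkcd_4_words_years": years_to_crack(xkcd_bits),  # seconds, at 1e12 guesses/s
        "80_bit_years": years_to_crack(80),
        "xkcd_words_for_80_bits": symbols_needed(80, 2048),
        "diceware_words_for_80_bits": symbols_needed(80, 7776),
        "random_chars_for_80_bits": symbols_needed(80, PRINTABLE_ASCII),
    }


if __name__ == "__main__":
    for name, value in summary().items():
        print(f"{name}: {value:,.6g}" if isinstance(value, float) else f"{name}: {value}")
```

At a trillion guesses per second the cartoon’s 44-bit passphrase falls in seconds, which is why the article’s 80-bit target (roughly 8 xkcd words, 7 Diceware words or 13 random printable characters) is the figure worth remembering.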

Do chuck in a comment if you have better/more to add.

Sensible choices and keeping passwords safe

Back to the de-geekified advice. It’s not all about choosing good passwords; I also recommend:

  1. Changing them – Ooooh this kicked off a debate on Twitter. A good friend of mine called out why changing them regularly is not always (or mostly) necessary. I recommend signing up for haveIbeenpwned.com. The site will email you if the address you use ever turns up on the internet, with a compromised password, as part of a breach.
  2. Maybe Changing them – If your password is older, shorter and/or dumber than your kids…CHANGE IT! Stumped for a good long random passphrase? XKCD has a great passphrase generator (plump for as long a one as you can remember, or really go for it if you’ve got a password safe to remember it for you). Then change it again if you ever see news of a breach at a company you use, anything suspicious happens with your accounts, or (if like me you think it’s better to be super-safe than sorry) do it every now and then anyway.
  3. Using different ones for different sites/applications and remembering them – Try a password safe. One BIG password to protect all the others and a way to conjure up a new secure password and automatically store it when needed. Worried that puts all your eggs in one basket? Don’t be. If you follow rule 4 it’s far safer than re-using passwords on multiple websites or never changing them. Techradar has some reviews with links to buy and/or download.
  4. Taking advantage of 2 factor authentication (2fa) where available – Good guide on setting up backup logon checks, e.g. via an authenticator app (ideal) or via a text message (2nd best, but still worth it), for commonly used sites. This protects you if someone hijacks an account, then tries to lock you out of it by changing your password for you. It won’t work unless they’ve nicked your phone too (you’ll get an alert or verification code to check it’s you making the changes).
  5. Not sharing them – Bleeding obvious? I know, but you’d be amazed how often folk do.  Especially, if tales I’ve heard from some techies are true, directors with their PAs.  I’m not going to say don’t write them down. Just treat any written or digital mention of a password like a sex tape that could cost you your career, marriage and/or custody of your kids if it was ever shared. Nuff said?
  6. Try not to get scammed – Even the most savvy internet user can get caught out by a determined conman, so do educate yourself about the latest email and telephone tricks being used to get you to share your password or information. It doesn’t take long for cyber criminals to piece together enough info to quickly guess (instead of taking the more effort intensive step of stealing or cracking) your password. There’s more on that in this post: ‘Phishers’ Delight’.

But what about biometrics?

Folk are saying passwords are dying (or dead) – aren’t biometrics taking over? There’s definitely some fun stuff happening on that front. Smart phones are already out there with fingerprint and retinal scanners. But how about your pulse as your password? Had a chuckle thinking about that – one passionate kiss on the doorstep and the door won’t open (that’s the PG version anyway 🙂 ).

This article looks at 5 biometric alternatives to passwords that might become more or less common, including your pulse, your ear shape and even your sense of humour. But even biometric tools are far from perfect. Remember the movies where someone gets their hand chopped off to get through a door with a scanner? Well, no need for such brutality when a 3D printer can produce an exact copy of a hand complete with unique fingerprints. To guard against that (and severed limbs/ownerless eyeballs) folk are having to put “liveness” tests in place (find out more in this Secure ID News article).

That’s ignoring any possible security holes in systems where master copies of biometric scans are stored. That’s down to us (security, IT and our company directors) to build systems securely, test them well and if they’ve got serious holes, fix them.

Regardless of what the future holds, passwords will be around for a long time, either by themselves or together with other ways to prove you are who you say you are.

Right now it does make sense to change any old, short or reused passwords. Here’s a good calm look at Heartbleed and its implications for your online security. Yes, that all kicked off a long while ago, but some firms are still vulnerable. Advice in that first article is very user friendly and will be good to remember when the next theft of passwords hits the news.

So…if you do now head off to do some updating, have another look at that advice here. It really is workable.

When you’re not ALLOWED to set a good password

That’s sorted then! Unfortunately not quite. Due to old software design habits and inherent application/operating system limitations, you might not be allowed to set a good strong password. That password choosing frustration is pretty explicitly vented here (VERY NSFW): http://weknowmemes.com/wp-content/uploads/2014/01/creating-a-password-cabbage.jpg

If somewhere has daft password rules you’re not completely powerless – call it out. Perhaps add #DaftPword to the tweet or post, or tell me and I’ll shout about it for you.  The tech community hate password laxness so you won’t be alone.
