2 October 2019

Philosophizing about passwords

  • By Loïc Calvez
  • POSTED IN Technology
  • With 0 COMMENTS

There has been a lot of discussion lately in the cybersecurity community around passwords. How long should they be? How often should you change them? Are dictionary words that bad if I use a couple of them? We wanted to provide a bit of insight about where things stand and help you make some good decisions.

First, let’s look at it from the side of the attacker. Let’s forget about hacking and all that and go straight to password cracking. To help understand scale, let’s use as a reference a server with eight GPUs (Graphics Processing Units, which are faster than CPUs for floating point calculations); it can compute around 500,000,000,000 (5x10^11) password hashes per second. Depending on who is trying to get in, that may or may not be that expensive (some vendors we know use cracking rigs with 60 GPUs to benchmark password strength…). So, an 8-character password with uppercase, lowercase, numbers and specials (let’s call this 112 possible characters) has in theory 24,759,631,762,948,100 (2x10^16) combinations, which translates into 14 hours on our “medium” cracking rig (hence why 8-character passwords are not that good anymore). 12 characters? Well, that would be 90 million days. Safe? Maybe.

“Unfortunately”, we are dealing with humans, so most do not use all 112 characters in their passwords. They also do not use special characters in all positions (many people will just add an exclamation mark at the end). They also do not use uppercase letters in all positions, usually only the first letter of a word. So what would have passed for a strong password a couple of years ago (WordWord1!) is actually a fairly weak password in today's world. It becomes a game of statistics: which passwords does an attacker try first in order to minimize crack time?
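
As an added example (not the post's own code), here is the arithmetic behind the figures above carried through in Python, plus a second estimate for the WordWord1! pattern; the 100,000-word dictionary and the 10 trailing specials used for that pattern are assumptions, not figures from the post.

```python
import math

# Hash rate of the eight-GPU rig used as the reference in the post:
# 5x10^11 password hashes per second.
RIG_RATE = 5e11

def keyspace(alphabet_size: int, length: int) -> int:
    """Candidates for a uniformly random password of this length."""
    return alphabet_size ** length

def pattern_keyspace(slot_choices: list[int]) -> int:
    """Candidates when the attacker guesses the structure of the password
    and only has to try the choices for each slot (word, word, digit...)."""
    return math.prod(slot_choices)

def crack_seconds(space: int, rate: float = RIG_RATE) -> float:
    """Worst-case time to exhaust a keyspace at the given hash rate."""
    return space / rate

def entropy_bits(space: int) -> float:
    """Keyspace expressed as bits of guessing entropy."""
    return math.log2(space)

def human_time(seconds: float) -> str:
    """Seconds, hours or days, matching the units the post uses."""
    if seconds < 60:
        return f"{seconds:.1f} seconds"
    if seconds < 2 * 86400:
        return f"{seconds / 3600:.1f} hours"
    return f"{seconds / 86400:,.0f} days"

if __name__ == "__main__":
    # Constructed assumption for the WordWord1! pattern: a 100,000-word
    # dictionary tried capitalised, one trailing digit, 10 common specials.
    cases = {
        "random, 112 chars, len 8": keyspace(112, 8),
        "random, 112 chars, len 10": keyspace(112, 10),
        "random, 112 chars, len 12": keyspace(112, 12),
        "WordWord1! pattern": pattern_keyspace([100_000, 100_000, 10, 10]),
    }
    for label, space in cases.items():
        secs = crack_seconds(space)
        print(f"{label:26} {entropy_bits(space):5.1f} bits  {human_time(secs)}")
```

The 8-character random password comes out at roughly 14 hours and the 12-character one at roughly 90 million days, while the 10-character WordWord1! pattern falls in about two seconds under these assumptions.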

So here is a classic bad actor’s approach to cracking passwords:

  1. Start with a list of all known passwords (you know when you see the headline “x million passwords were leaked”? Well, people have been assembling lists of all of those since forever)
  2. Create a list of all dictionary words (including all Latin languages and slang)
  3. Add the classic substitutions for specials (@ for a, 3 for E …)
  4. Add the words with the first letter uppercased (word and Word)
  5. Add some classic keyboard walk “words” (qwerty, asd …)
  6. Now you have a fairly complete dictionary and you can try the most common combinations (word!, wordword!)
  7. And as the attacker learns about the list they are cracking, they can add some refinements (if you know the policy states a minimum of 10 characters, you don’t test passwords with less than 9!)

And with all of those things, you can crack the weak passwords in a reasonable amount of time.

So, how does one not create a weak password?

  • First, the non-answer: don’t just use naked passwords! Use Multi-Factor Authentication (MFA): whether it’s a push to an app or a number token that changes often, this will make it impossible for someone to crack that password since it changes all the time
  • But if you must use a naked password:
    • Use a password manager that will generate random strong ones and remember them for you (great for home, may not work for all businesses (businesses have other options))
    • Never re-use an old password (see #1 above)
    • Make it long; we would recommend at least 16 characters
    • Use special characters everywhere, not just at the end
    • Don’t just use the easy substitutions for specials (@a, 3E); be creative
    • Use the fun specials [,],{,},_,-,%,,.;: not just the boring ones [email protected]#
    • Use made-up words, e.g. IaaNap (I am a nerd about passwords)
    • Sprinkle caps in illogical places (just the N in the example above)
    • Use at least 3 made-up words!
    • Change at least some portions of that password for each system (never, ever use the same password in different systems)
    • A variation on the password manager above is to use randomized passwords but save them in something encrypted (I like MS Excel spreadsheets, they encrypt with AES256 which is great for today’s standards).

Does that sound complicated? A little, but it is better than getting your bank information stolen…

The first time you create a new strong password it will be hard, but as you get used to it, it becomes easier (and passwords must be different in all systems, but that does not necessarily mean an entirely new password, just a different one).