2-Apr-2014 • Chris C.
Password strength and security is continually brought up by security professionals, and for good reason. Despite the many warnings that we have all heard and seen in the office or when registering new accounts online, individuals and organizations continue to fall prey to password cracking. Most commonly this comes in the form of a brute-force attack, sometimes referred to as an exhaustive key search, wherein an attacker essentially guesses various password or key combinations until it is guessed correctly. The problem lies in the fact that this style of attack is increasingly becoming more sophisticated while password strength and security is on the decline.
Cracking passwords, especially strong passwords, can be a resource and time intensive pursuit. The simple fact that the computational resources available to hackers today is vastly superior to what was available decades ago, let alone even a few years ago, has increased the threat. In a paper written by Gordon Moore, the co-founder of Intel, Moore predicted in 1965 that computational power would continue to double roughly every two years. Known as Moore’s law, his prediction has generally held true. The cost of constructing a powerful graphics card array, which leverages GPUs for parallel processing, for the purpose of cracking passwords has gone down substantially. Indeed, such arrays can run billions of passwords per second. Further compounding the advances in individual chip technology, cloud computing, which harnesses the power of scale through the use of grid technology, has put the power of entire server farms at the disposal of hackers.
Facing this threat, websites and web apps, with few exceptions are all requiring passwords as more and more of our day-to-day life is networked and moved into the cloud. Simply put, it has become quite difficult for the average person to remember all of the passwords they are required to have. The essence of human memory involves encoding information and uses shortcuts and primers to facilitate recall. Commonly, this is in the form of patterns and repetition. However, in terms of password strength and security, the devices we use to remember our passwords make our passwords inherently weaker.
When faced with remembering yet another password, people tend to reuse passwords. From a security standpoint, this grossly reduces the password security regardless of its strength. If an attacker can attempt to compromise multiple sites instead of just one, they will have a greater chance of success. Where duplication is not used, weak password creation is another way people get around the problem of remembering passwords. Using names (e.g., family members or celebrities), words (e.g., favorite sport, interest, or hobby), dates (e.g., graduation, marriage, divorce, birthday, etc.), and number combinations (e.g., zip-codes, address, phone numbers, social security numbers, etc.) are all shortcuts used to remember passwords. They are also things that an attacker could know about you or easily guess.
Where organizations do enforce strong passwords, many make the mistake of having policies which give a false sense of security and actually undermine their overall security. One such example, which is not entirely inadvisable, is not allowing words from the dictionary in passwords. The problem with this is that many users will then switch to relying more on number sequences that are memorable, as well as shortening or abbreviating words as a work around. Hackers have caught on to this and have compiled their own commonly used short-word lists to use in attacks.
Another common policy is requiring special characters and numbers in passwords. Again, not entirely inadvisable, but more times than not, the user will prefix or postfix their root password to satisfy such rules. Given that fact, hackers can take that knowledge and actually make such rules more harmful than helpful to organizations.
Finally, you see a lot of organizations forcing their users to change their passwords incrementally (e.g., quarterly, annually, etc.). This can be bad for a couple of reasons. First and foremost, such policies become a known window of opportunity for would-be attackers, a luxury in the realm of hacking. Secondly, users run into even more difficulty with remembering passwords, and the harder it is for a user to remember a password the more shortcuts will be taken, or the user may simply write the password down and keep it in an insecure place (e.g., affixed to their computer monitor via a Post-it note).
It is important to also note that a password’s length does not necessarily make it stronger. With password cracking software today taking into account statistical probabilities, using password lists derived from the wild, using biographical information, and leveraging advanced computing environments, a 24 character password that contains non-random common words is less secure than a 16 character password without words that contains numbers and special characters. However, that 16 character password is still not as strong as a randomly generated 8 character password that includes numbers and special characters.
So what should you do to get away from all of the password pitfalls and improve your security? There truly is not an alternative to random passwords as they are the only way to guarantee strength in a password. In the case of randomly generated passwords, the strength goes up exponentially with length. But the issue comes back to memory. Random passwords, by their very nature, do not provide built in memory devices. This leaves most people with the option of writing down their passwords (this is not advisable unless you have a truly secure place to keep your password list, like a safe that requires a combination) or utilizing an encrypted password manager.
The benefit to using a password manager is that you will only have to remember a single password to access your other strong passwords. If you use a randomly generated password (key) of 10 – 16 characters (which you memorize), combine it with 2-factor authentication (e.g., Yubikey), and place all of your passwords within an encrypted manager (e.g., Password Safe), you will make yourself an incredibly difficult target. A second best option, if a randomly generated password of sufficient length proves to be too difficult to memorize, is Diceware.
Diceware is “a method for picking passphrases that uses dice to select words at random from a special list called the Diceware Word List. Each word in the list is preceded by a five digit number. All the digits are between one and six, allowing you to use the outcomes of five dice rolls to select one unique word from the list.” If you then take the results of six randomly generated words and put them together in the order generated, you will have a random password.
But what about dictionary attacks? While not impervious to such an attack, and though it is not a perfect substitute for randomly generated all-character passwords, the random nature of Diceware and the fact that it uses more than just common words, makes it far more secure than user defined whole-word passwords. If you wish to strengthen this method, you can use more words and drop all but the first letter to create a password (e.g., duck, toy, pail, phone, computer, grass, mirror, sweater, frame, zoo = dtppcgmsfz). It is important to note that this is actually less strong than randomly generating a pronounceable password due to the varying number of words beginning with any given letter in the English language (e.g., there are very few words beginning with X in contrast to S which allows for probability to be factored into a cracking program).
Perhaps the easiest method of generating a memorable password which still affords above average strength, is to use the Schneier Scheme. Basically, you take a memorable phrase or sentence and you break it down into something that does not resemble the original string of words, but provides a shortcut for remembering the password. Schneier uses the example, “This little piggy went to market” might become tlpWENT2m.” Despite not being random, unless the attacker knows biographical information about you which could clue them in on what your sentence may be and knows your method of password generation, this is plenty strong as it will not be dictionary breakable.
The bottom line is that no password is impervious to keylogging or phishing schemes where the user unwittingly provides an attacker with their password. Moreover, if the authentication process itself is not secure because passwords are not salted and hashed with a computationally expensive algorithm (i.e., key stretching), but rather are held as-is, in either plaintext or ciphertext in a database, the strength of the password does not really matter. 2-factor authentication is great and should be used, but again, if the authentication platform is not hardened from other means of attack, it may also be in vain. Unauthorized database entry by employees resulting in the theft of account information is also a reality if physical security is not appropriately implemented.
Finally, some food for thought. You may in some instances benefit just as much from strengthening your user ID’s as you will from strengthening your passwords. “While userID is not generally considered secret the fact that obtaining a list of valid userID’s is hard presents a real barrier…In fact he [the hacker] must now search the userID-password space rather than the passwords space alone.” (See: Do Strong Web Passwords Accomplish Anything?)