Would you give your password to an unknown web site? Many
people have probably done exactly that at www.passwordmeter.com.
It takes your password and checks its strength using a variety of criteria.
These criteria are supposedly related to the algorithmic complexity required
for a hacker to figure out your password. What people are losing track of,
though, is the flow of information.
I’ve thought a lot over the years about passwords, and I’ve
read various articles, such as this, this and
this.
I figure it’s about time to write a little bit and put my knowledge and
thinking on the matter out there. :-)
There are two things a password must do in order to be
useful. It has to stay in your head, so that you can easily recall it when
needed, and it has to stay out of everybody else’s head. A password typically gets
into someone else’s head in one of three ways:
1)
Someone tells them the password. That someone
could be you, or it could be the support representative they’re talking to at
Amazon Inc.
2)
They obtain an obfuscated version of your
password and figure out the original. This is the area that most attempts to
improve password security focus upon.
3)
They obtain access to a server to which you’re
sending your password and intercept it.
The first point is largely outside of your control. You can
only exert a sort of “meta-control” over it; if everyone makes sure that the
people around them are savvy enough not to be fooled by the social engineering
tricks of a hacker, then the “zeitgeist” will shift, and social engineering
will get harder overall. This is a statistical change, and there might in fact
be no change at all with respect to the safety of your password in particular.
If you’re lucky, though, that Amazon rep might figure out that the person
calling them actually isn’t really you.
The second point has to do with password cracking. This
largely falls into two bins: online attacks and offline attacks. The concept of
an online attack is quite simple: the attacker makes a small computer program
that pretends to be you and tries to log in, over and over, with a different
password each time. Most systems today will detect this sort of attack and make
it more difficult for the attacker, typically restricting their network identity
so that, as a rough gauge, the more times it fails, the longer it has to wait
between attempts. There are some that won’t, but ultimately, online attacks are
greatly limited by the number requests that can be handled per second. You won’t
find many sites that will obligingly test thousands of potential passwords per
second for you; you’d be lucky to get 100 attempts per second, a rate at which
only very short passwords and straight up dictionary words would be at any
risk.
An offline attack is one where the attacker has obtained a
version of your password that they can’t decrypt, but they can take possible
guesses and encrypt them the same way. The results of the encryption can then
be compared; if their guess was right, it’ll have the same encrypted version as
your password. Because they don’t have to go over the network to do this sort
of attack, the limitations to speed are removed. This is where things start
when it comes to deciding on password complexity. Intercepting hashed or
encrypted passwords is the easiest form of information gathering related to
your password (unless the attacker is an accomplished social engineer).
This touches, then, on what exactly a password is. Sure, it’s a sequence of characters
such as letters, numbers and punctuation that only you know, but what does that
mean, mathematically? Well, an
attacker can make some guesses as to the format of your password, but what it
comes down to is that it’s a number.
Any number can be divided into parts. Take the number 1701:
|
1
|
7
|
0
|
1
|
|
(part 1)
|
(part 2)
|
(part 3)
|
(part 4)
|
Each one of these parts can be any
digit from 0 to 9 – ten different possibilities. With four different boxes to
fill, the number of possible 4-digit numbers is ten x ten x ten x ten – 104,
or 10,000. We can see this easily in the numbers, which range from 0 to 9,999.
When we think of 1701 as a quantity, we think of part 1 as
being the “thousands’ place”, part 2 as the “hundreds’ place”, and so on, but a
password doesn’t carry this type of meaning. Still, it can also be divided into
parts and treated numerically in much the same way:
|
E
|
w
|
8
|
#
|
X
|
|
(part 1)
|
(part 2)
|
(part 3)
|
(part 4)
|
(part 5)
|
Each part, in this case, can be
any digit from 0 to 9, or any letter,
or any punctuation. There are more
than ten possibilities, but it’s still a fixed number of possibilities. The
actual number is in the vicinity of 95 – you could think of it as being a
number used by an alien whose hands had a sum total of 95 fingers instead of 10
fingers. That alien would need 95 different symbols to write out the possible counts
before they ran out of fingers and had to have another digit. In fact, here
they are:
|
|
!
|
"
|
#
|
$
|
%
|
&
|
'
|
(
|
)
|
*
|
+
|
,
|
-
|
.
|
/
|
|
0
|
1
|
2
|
3
|
4
|
5
|
6
|
7
|
8
|
9
|
:
|
;
|
<
|
=
|
>
|
?
|
|
@
|
A
|
B
|
C
|
D
|
E
|
F
|
G
|
H
|
I
|
J
|
K
|
L
|
M
|
N
|
O
|
|
P
|
Q
|
R
|
S
|
T
|
U
|
V
|
W
|
X
|
Y
|
Z
|
[
|
\
|
]
|
^
|
_
|
|
`
|
a
|
b
|
c
|
d
|
e
|
f
|
g
|
h
|
i
|
j
|
k
|
l
|
m
|
n
|
o
|
|
p
|
q
|
r
|
s
|
t
|
u
|
v
|
w
|
x
|
y
|
Z
|
{
|
|
|
}
|
~
|
|
(that first box with nothing in it
has what you get when you press the spacebar)
These aliens, then, instead of writing out “55” as two separate
digits like we do without thinking might simply scratch out “W”.
So, if a password is a number in this wacky “base 95”, we
can start to see how big that number can get with only a few digits:
|
1 digit
|
95 possibilities
|
95
|
|
2 digits
|
95x95 possibilities
|
9,025
|
|
3 digits
|
95x95x95 possibilities
|
857,375
|
|
4 digits
|
95x95x95x95 possibilities
|
81,450,625
|
|
5 digits
|
95x95x95x95x95 possibilities
|
7,737,809,375
|
This rapidly-growing series
illustrates quite clearly why your IT administrator wants you to use a long
password: the longer it is, the more possibilities an attacker has to go
through if they want to exhaustively check every possible sequence. Obviously,
if you use just a plain word (which has only 52 possibilities for each
character, 26 if it’s all lower-case), the guesswork gets that much easier. So,
the solution is to use the greatest possible diversity of characters, and as
many of them as possible, right?
Wrong!
Most administrators will tell you to use a password that is at
least 8 characters long. In practice, for the vast majority of people, this
means “exactly 8 characters long”. With the full character set, you’re
producing a great deal of possible candidates for them to have to hash through
(6,634,204,312,890,625, to be exact), but a modern computer can actually crunch
through that many relatively quickly. Sure, your home PC might not be able to
do more than few tens of million per second – that would still take hundreds of
millions of seconds to exhaust the list. But for only a few dollars, I can buy
time in the cloud – huge farms of servers with many, many nodes. I can send the
work out to a thousand computers for under $100, and all of a sudden hundreds
of millions of seconds becomes a hundred thousand seconds, which is just over a
day. I might not pony up the Benjamin if I was after your account alone, but if
I got a file with password hashes for half of the registered accounts at
Amazon.com and I could check them all in parallel, well, you get the picture.
So, even at 8 digits, the password isn’t really secure,
though it would take a concerted effort to crack it. You are allowed to feel a
little bit secure at this point. However, you now need to memorize the
following and type it many times every day:
1%,d>n`0f
If that were all you had to memorize, you could probably do
it. But we all know you should use a different password on every web site,
right (more on that later)? So, what you really need to memorize is:
|
E-mail:
|
Xidbuh7.
|
|
Office:
|
];"W#hRA
|
|
Bank 1:
|
)Niw^RV6
|
|
Bank 2:
|
=Hmtxbhb
|
|
Credit Card:
|
t70Sg7U`
|
|
Tax Bureau:
|
hD)w$#7/
|
|
Library:
|
`XIV^No>
|
|
That fast food place you like:
|
\<cYg&B/
|
Okay, this is getting ridiculous.
The inside of your brain is starting to look like a One Time Pad used by army
intelligence in the 1940s.
Let’s look at a different approach. Take a list of common
words, say a good 5,000 candidates – everything from “architecture” to “porridge”
to “zoologist”. Words that you know, you’re confident in spelling. Pretend that
the whole word is a number – the first
one in the list is 0, the second one is 1, the third one is 2, and so on.
If your password is just one word from the list, then, its
strength is “1 in 5,000”. Why 5,000? That’s how many possibilities it was
picked from. Now take any two words from the list. The strength has catapulted
up to “1 in 25,000,000”. The following table tracks the growth in complexity as
you add words to your passphrase:
|
1 word
|
5,000
|
5,000
|
|
2 words
|
5,000x5,000
|
25,000,000
|
|
3 words
|
5,000x5,000x5,000
|
125,000,000,000
|
|
4 words
|
5,000x5,000x5,000x5,000
|
625,000,000,000,000
|
|
5 words
|
5,000x5,000x5,000x5,000x5,000
|
3,125,000,000,000,000,000
|
At 4 words, your password is in
the same order of magnitude as 8 letters of gobbledigook, and 5 words is a
thousand times stronger – and that’s if the attacker knows how you put your
passphrase together. If they don’t know what your dictionary looked like, they’ll
have to try more than 5,000 possibilities, and if they don’t know that you’re
using a passphrase, they’re stuck doing it character-by-character. If all they can
see is the encrypted form of your password, then they have no way of knowing if
it looks like this:
“buckets envelope gray walking”
..or like this:
“&-Ke+>{N[xv*@p_(j&lH].*FSfsQ:”
(In fact, with many types of encryption, they don’t even
know how long your password was to begin with.)
What this means is that your 4-word password is ridiculously secure compared to the
8-letter password. It’s a lot more than 8 letters, to be sure, but words are
much, much easier to type than random sequences of characters.
What is it that makes these secure, though? The words have
to be randomly selected. Those crazy 8-character
passwords are considered secure because
there isn’t any pattern to their characters. If you pick an easy pattern, like “12345678”
or “ABCDE”, then an attacker will very easily guess it. Perhaps “6046948038”
looks pretty secure – until the attacker finds out you work for iQmetrix. Similarly, the following
passphrases are almost certainly near the top of any competent attacker’s
dictionary – sequences that their cracking software will try first, before it
starts trying for random permutations:
“it is a good day to die”
“roses are red”
“to be or not to be”
You only get the benefit of all those possibilities if they were in fact possibilities. You can’t
pick the phrase yourself; the words must be randomly-selected.
So, you put all that together and you’ve got a pretty good
toolkit for creating a password that could actually be relatively easy to
remember, but there is still a very important thing to keep in mind: If an attacker
finds out your password in one place, they’re going to try that same password
in other places! News articles on prominent cases of identity theft, time and
time again, make a point of mentioning that it was possible in large part
because the victim used the same password everywhere.
Suppose you use your secure password for online banking and
for browsing a forum with pictures of kittens. Your bank probably has decent
security on their server (though I am actually somewhat skeptical of it), but
the kitten server may be very easy for an attacker to take over. They may not
even bother to encrypt your password. Having obtained your password from the
kitten server, a savvy attacker can now proceed to your online banking and
transfer your savings to their offshore account. These attackers play for
keeps, too; in a recent case, a tech blogger who uses Apple products found his
hard drives erased. The attacker had logged into his iCloud account and
triggered a remote wipe of all his devices. Why? Simply to slow him down. It wasn’t related to the objective of the
hack. In your case, you might find changes made to your online banking profile
that make it take an extra day or two for the bank to sort things out and give
you back access – long enough for the transfer out of the country to be completed
and your money to disappear without a trace. If you’re lucky, they’ll stop at
your money...
The last paragraph is somewhat alarmist. Don’t be too
worried; you probably won’t ever be the target of an artist with these sorts of
skills. However, in that unlikely event that you are, you can bet there will be
no holds barred. Don’t skimp on your security: Use a different password in each
place, and don’t pick it yourself. A randomly-picked sequence of words can be
easily remembered with the aid of mnemonics. Use a different one for each
service, without exception. :-)
As a final closing note, let me also mention that if a given
server on which you have an account gets compromised, the data that that
account controls is effectively no longer restricted by your password. With
administrative access to the server, an attacker can go directly to the data
and bypass the logic that would normally check your identity and access
permissions. Something to keep in mind when you’re putting information into web
sites and other online systems.
