Easy Technique for Secure, Easy to Type Passwords - Size Matters 4
Updated 10/2015 – just the minimal length suggestion, not the speed or GPU costs.
The ladies have always known that size matters. We need to apply that knowledge to passwords. Password security experts know that
- a longer password is better
- a password drawn from as many different types of characters as possible – call it a large alphabet
- a password that cannot be found through a dictionary attack
- a password that hasn’t been cracked before
These rules seem to be conflicting with the most important things from a user’s perspective. A user wants:
- a memorable password
- an easy to type / enter password
So what’s the solution? A long, but easy to type and easy to remember password. Below is how to get all 6 of these requirements, easily.
Password Cracking Explained
When a professional wants to crack a password, she doesn’t attack it like a normal user typing on a keyboard.
- She uses brains to be as efficient as possible.
- She uses automated software tools to be as efficient as possible.
- She uses the most efficient hardware available for password cracking – usually she has multiple $150 ATI graphics cards performing billions of password attempts every second against an off-line password database. The current cracking systems can try over 30 billion passwords every second.
I saw a professional password cracker speak at a computer security conference. Here’s how a professional cracks passwords:
- Gets a copy of the encrypted password database – doing this is easier than most people know, regardless of platform. Getting the MS-Active Directory user DB seems pretty trivial based on what he said, whether through social engineering, system insecurity, or a combination of the two.
- Sets up the password cracking tools on his $1500 cracking PC – the tools are freely available.
- His tools automatically try capitalized variants of every word.
- His tools automatically swap in l33t sp3ak substitutions and try those as well.
- His tools use rainbow tables when it makes sense. This is less and less useful.
- Builds a dictionary using the common languages spoken in that location + adding all the company and industry specific jargon. He also takes every password that he’s previously cracked in 5 years of cracking passwords and adds them to his dictionary. Every password database that gets published, he grabs a copy and starts cracking. This becomes a pre-built dictionary that he may have spent a month 24/7 running brute force attacks against.
- The first attack is a dictionary attack from the built specialized dictionary, swapping in capital and l33t characters where needed. The English language has about 250,000 distinctive words. His cracking machine can try 30 billion passwords every second, so the entire dictionary attack takes 30 minutes to setup and runs in just a few seconds. For a non-trivial password database, this usually discovers 20% of the passwords for a company when they don’t enforce stronger password length and complexity requirements.
- The 2nd attack is a brute force attack against all passwords from 1 to 7 characters. This attack takes less than 30 minutes and finds between 10 and 20% more of the passwords. 7 character passwords are not long enough regardless of the alphabet used. In the first hour, he’s cracked 30-40% of the passwords.
- The 3rd attack adds 1 or 2 numbers to the beginning and end of each dictionary word. This covers anyone who adds months or years to the beginning or end of their base password. He also adds punctuation characters to the end. Remember, she/he is being as smart as possible. Running this attack takes longer since the complexity has gone up, but not as long as you’d think. Remember, this is still based on the smart dictionary. It takes the rest of the day and uncovers 20% more of the passwords.
At this point, our cracker friend has uncovered 50-60% of all the passwords in the database. To get more of them, only the most difficult type of attack remains: brute force. For brute force attacks, size matters to protect your password, assuming we have already used the largest alphabet possible.
With this knowledge, how do we craft the best password that still meets our end-user needs?
Required – Not in a Dictionary or Generated Dictionary
Now that we know how a password cracker works, we know to avoid:
- dictionary words,
- industry or company jargon,
- word capitalization,
- beginning with numbers,
- ending with numbers, or
- punctuation at the end.
Fantastically11. would be cracked in the first few hours. Do you see the problem? Even though it is 16 characters and uses uppercase, lowercase, numbers and special characters, it is exactly what the normal cracking techniques generate from a dictionary word.
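To make the rule set above concrete, here is an added example (not code from the original post) of a defender-side check that rejects a candidate password when the cracker’s described mangling rules would reach it: a dictionary word, in any capitalization, with l33t substitutions undone, and up to two leading digits, trailing digits, or trailing punctuation characters stripped. The `WORDLIST`, the `UNLEET` map and the `MAX_AFFIX` limit are assumptions standing in for the cracker’s real dictionary and tool settings.

```python
"""Check a candidate password against the cracker's mangling rules.

Added example, not code from the original post. It models the rule set the
post describes (dictionary words, capitalization, l33t substitutions, and
1-2 digits and/or punctuation glued to the front or back of a base word) so
a defender can reject candidates that fall to those rules. WORDLIST is a
constructed stand-in for the cracker's 250,000-word specialized dictionary.
"""
import itertools
import string

# Constructed mini-dictionary (assumption); the real one holds every common
# word plus company jargon and previously cracked passwords.
WORDLIST = {"fantastically", "password", "summer", "acme", "welcome"}

# Reverse l33t map (assumption): each symbol the tools swap in and the
# letter it stands for.
UNLEET = {"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
          "@": "a", "$": "s", "!": "i"}

MAX_AFFIX = 2  # the post: "adds 1 or 2 numbers to the beginning and ending"


def unleet(word):
    """Every plain reading of a l33t word, e.g. 'p@$$w0rd' -> includes 'password'.

    Each mapped character may be itself or its letter, so the readings are the
    cartesian product over the mapped positions.
    """
    choices = [(c, UNLEET[c]) if c in UNLEET else (c,) for c in word]
    return {"".join(combo) for combo in itertools.product(*choices)}


def strip_affixes(word):
    """Yield the word with up to MAX_AFFIX leading digits, trailing punctuation
    and trailing digits removed, in every combination (the post's third attack).
    Trailing punctuation is stripped before trailing digits ('word11.')."""
    n = MAX_AFFIX
    for lead in range(n + 1):
        if lead and not (len(word) > lead and word[:lead].isdigit()):
            break
        body = word[lead:]
        for punct in range(n + 1):
            if punct and not (len(body) > punct
                              and all(c in string.punctuation for c in body[-punct:])):
                break
            rest = body[:len(body) - punct]
            for digs in range(n + 1):
                if digs and not (len(rest) > digs and rest[-digs:].isdigit()):
                    break
                yield rest[:len(rest) - digs]


def cracks_by_rules(candidate, wordlist=WORDLIST):
    """Return the base dictionary word the candidate is derived from, or None
    when none of the modelled rules reach it. Case is ignored because the
    tools try every capitalization variant anyway."""
    for core in strip_affixes(candidate):
        for plain in unleet(core.lower()):
            if plain in wordlist:
                return plain
    return None


if __name__ == "__main__":
    for pw in ("Fantastically11.", "P@$$w0rd", "13acme", "mFaNtaStincally11.z"):
        print(f"{pw!r:25} -> {cracks_by_rules(pw)}")
```

Run against the post’s own examples, `Fantastically11.` resolves to `fantastically` (strip the dot, strip the two digits, lowercase), while `mFaNtaStincally11.z` survives because neither end can be stripped and the remaining core is not a dictionary word. A check like this belongs in a password-change hook; the point is that the rule set, not the raw character count, decides whether a candidate is safe from the first three attacks.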
Required – A Large Alphabet
- We know that using just numbers in our passwords isn’t enough. Just 0-9 characters.
- We know that using just lowercase letters in our passwords isn’t enough. Just a-z characters.
- We know that adding uppercase in the middle of a password adds 26x difficulty for every character. Just A-Z characters.
- We know that adding special characters helps – push shift plus a number to get many of them. `~!@#$%^&*()-_=+[]{}\|;':",.<>/? are those characters. I hope these don’t mess with my blogging software. Regardless, you get the idea. It is 34 more characters – more than the normal alphabet. Don’t forget to use spaces. When I use a space, I never use just 1, and I try to avoid using them between things that look like words. We want to avoid something that looks like a pattern, right?
Doing this makes our alphabet at least 96 characters. That’s pretty good. If you can use Unicode or accented characters (not all password systems accept them), then you can vastly extend your alphabet. For now, those characters are used only when they appear in dictionary words. Sadly, most password systems I’ve seen prevent non-7-bit ASCII characters.
Good to Have – Random or Patterns that aren’t easily recognized
Patterns are dangerous for passwords. This is why we all know to use a different password for every login. If a pattern can be recognized, it can be used for guessing your password. Having access to your other passwords from other systems means a pattern may be uncovered. Avoid using the same pattern across different logins.
Required – Length
Longer passwords are better. This is the granddaddy of all password security, provided a pattern isn’t discovered through some other means like looking over your shoulder or having cracked some other password used elsewhere.
Every extra character added to the length makes the cracking exponentially more difficult.
Suggestion: Use 20 characters or more from
- uppercase
- lowercase
- numbers
- special characters
Once you have used all four character types and filled out the remaining length in some non-trivial, non-pattern, non-dictionary way, you are set.
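The claim that every extra character makes cracking exponentially harder can be worked through with the post’s own figures. The following is an added example, not code from the original post; it assumes the post’s 30 billion guesses per second cracking rig and the alphabet sizes the post lists (10, 26, 52, 62 and 96), and takes the expected crack time as half the keyspace, the “50% theoretical” figure the post mentions later for brute force search order. The function names are my own.

```python
"""Brute-force cost by alphabet size and length, using the post's figures.

Added example, not code from the original post. It assumes the post's
cracking rate (30 billion guesses per second) and its alphabet sizes; the
'expected' time is half the keyspace, the 50% figure the post's search-order
note refers to. Adjust GUESSES_PER_SECOND for faster hardware.
"""
from math import log2

GUESSES_PER_SECOND = 30e9            # the post: "over 30 billion passwords every second"
SECONDS_PER_YEAR = 365.25 * 24 * 3600

ALPHABETS = {                        # alphabet sizes as the post lists them
    "digits only": 10,
    "lowercase only": 26,
    "mixed case": 52,
    "mixed case + digits": 62,
    "full printable (post: 96)": 96,
}


def keyspace(alphabet_size, length):
    """Distinct passwords of exactly this length."""
    return alphabet_size ** length


def keyspace_up_to(alphabet_size, length):
    """Distinct passwords of length 1..length, as a '1 to 7 characters' sweep tries."""
    return sum(alphabet_size ** n for n in range(1, length + 1))


def entropy_bits(alphabet_size, length):
    """Entropy of a uniformly random password; each extra character adds log2(alphabet)."""
    return length * log2(alphabet_size)


def seconds_to_exhaust(alphabet_size, length, rate=GUESSES_PER_SECOND, sweep=True):
    """Worst case: every password up to (sweep=True) or exactly at this length is tried."""
    total = keyspace_up_to(alphabet_size, length) if sweep else keyspace(alphabet_size, length)
    return total / rate


def expected_seconds(alphabet_size, length, rate=GUESSES_PER_SECOND):
    """Average case for a password of exactly this length: half the keyspace."""
    return keyspace(alphabet_size, length) / 2 / rate


def expected_years(alphabet_size, length, rate=GUESSES_PER_SECOND):
    """Average case in years."""
    return expected_seconds(alphabet_size, length, rate) / SECONDS_PER_YEAR


def min_length_for(alphabet_size, target_years, rate=GUESSES_PER_SECOND):
    """Smallest length whose expected crack time is at least target_years."""
    length = 1
    while expected_years(alphabet_size, length, rate) < target_years:
        length += 1
    return length


def human_time(seconds):
    """Render a duration in the largest convenient unit."""
    for unit, size in (("years", SECONDS_PER_YEAR), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            value = seconds / size
            return f"{value:.3g} {unit}" if value >= 1e6 else f"{value:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


if __name__ == "__main__":
    lengths = (6, 7, 8, 12, 16, 20)
    print(f"{'alphabet':28}" + "".join(f"{n:>16}" for n in lengths))
    for name, size in ALPHABETS.items():
        row = "".join(f"{human_time(expected_seconds(size, n)):>16}" for n in lengths)
        print(f"{name:28}{row}")
    print("\nlength needed (96-char alphabet) for an expected crack time of a billion years:",
          min_length_for(96, 1e9))
```

Reading the table down a column shows the alphabet effect, and across a row shows the length effect: each added character multiplies the cost by the alphabet size, so a 20-character password from the 96-character alphabet has an expected crack time on the order of 10^21 years at the post’s rate, while a 7-character one from letters and digits falls in about two minutes. Raising `GUESSES_PER_SECOND` by a few orders of magnitude for newer hardware shifts every cell but does not change the shape of the table.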
Suggestions for Making Memorable Passwords
- Misspell words, if you must use words at all
- Capitalize in strange places, never the first or last characters
- Begin and end with a lowercase letter, not numbers or punctuation. Numbers and special characters need to be in the middle of the password, never at the ends.
- Put 3 unrelated, misspelled, 7-character words together for length, with special characters and numbers separating them.
- Don’t use any names, first, middle, last, nicknames, userids, pets, wives, husbands, etc.
- Don’t use any locations, events, celebrity, websites, charities, company names, or commonly used abbreviations. If it is in pop-culture, it is in the special dictionary.
- Don’t use dates alone. 06011955 is a terrible password. If you are specifically targeted, every important date will be part of the dictionary. Anniversaries, birth dates, graduations, deaths, job start dates, retirement dates … etc.
Actually, don’t use words or patterns in your passwords.
Some Good Long Examples
I’m paranoid, so all my passwords are as long as the system allows. Sometimes this is 8 characters and sometimes this is 100 characters. Today, let’s just use 20 characters as our goal, provided we have a password that isn’t in the dictionary.
- “h$3e- ioioioioioiou”
  - easy to type,
  - large alphabet,
  - not in a dictionary,
  - uses multiple spaces (how many are there?),
  - doesn’t start or end in numbers, uppercase, or punctuation.
- “fDD3!#!#!#!#!@zz”
  - easy to type,
  - large alphabet,
  - not in a dictionary,
  - doesn’t start or end in numbers, uppercase, or punctuation.
- “f!#!#!#!#!@zzDD3”
- “asdf$43asdasdasd0asd” – a pattern, but broken in unexpected ways.
- mFaNtaStincally11.z – based on our initially bad password, but
  - added letters to the beginning and end,
  - misspelled the word,
  - mixed case in an odd way.
Is that clear? Basically, there are 4 characters to remember, then a pattern.
Also, don’t use any of these because they are now known to the password cracking folks and have been added to their cracking dictionaries.
Final Results
Doing all this is getting complex as far as I’m concerned. I will
- continue using my password manager, which generates complex passwords of fairly long lengths for me.
- start using the above techniques for those very few passwords that I need to remember like my main desktop(s) and to access my KeePassX database and for the WPA2 keys to the WiFi router at home (assuming I ever need to change that password).
Assumptions
As most of you will know, security is never as simple as a strong password. If a prepared cracker has physical access to your PC for 10 seconds, that PC can be compromised unless you do many more things. The time to connect a USB/Flash memory and run a script is all that is needed.
We also know that remote password-guessing attacks usually aren’t useful, because after the system sees more than 3 or 10 failed attempts, the IP should be blocked for an hour or a day or forever. Not all systems do this, however.
On TV and in the movies, passwords are shown being solved 1 character at a time. Clearly this isn’t the way it happens in the real world. All that a password cracker knows is either the password worked or it didn’t. They probably know the password complexity rules and length limitations for the system, so they don’t bother with trying any that do not meet those criteria. Still, they only know that the password worked or did not work.
Brute force methods are started by computers and use systematic trial and error methods. Computers like to go from a to b to c to d … z and then A to B to C … to Z. Sometimes computers count backwards, so Z, Y, X, … A are used instead. If I wanted the most difficult password that would take the longest amount of time to brute force, I wouldn’t start my password with A, B, C, D or a, b, c, d or Z, Y, X, or z, y, x characters. I’d pick something from the middle of the alphabet and perhaps slightly towards the higher letters. That would ensure at least the 50% theoretical amount of time to brute force my password would be necessary. When we are using 20 characters, even the 50% theoretical cracking time is thousands of billions of years, so if you don’t do this, don’t worry too much. ;)
Effective security needs to be layered with defenses at many levels. Physical security first, network security next, followed by disk encryption, good passwords and not doing risky activities on the internet.
I find that just using a password manager and having it randomly generate the passwords using as complex and long an alphabet as the login will allow is easier. For example, an old password was:
C+b>%kY `$FOe6%o:~k6L{8v{@LAu;o742O;e!~#7jfUTSW}(ghS8+
Doubt that would ever be cracked by any brute force method. A flaw in the math or implementation would be needed. Plus I never typed it – not once, so how ugly it is doesn’t matter at all.
Very bad advice! Ok – it is true that there are not a lot of people using these kinds of patterns – and because of that, crackers usually don’t check these – but you are using patterns that are very easily programmed into cracking software – and if people start using these kind of passwords (at least 5%) – they will be programmed…
Your pattern – several random characters – some repetitive pattern – maybe broken somewhere – and random characters…
Also – misspelled words are as good as correctly spelled – because they are in the dictionary as well…
If there are just a few passwords you need to remember (and use password managers filled with random passwords for the rest) – it shouldn’t be a problem to remember a few hard passwords… Like “Iwj15,IwiVamS.Sdnm” (I was just 15, I was in Vienna and met Sasha. She didn’t notice me) or just a few words “correct horse battery staple”.
@Stijak Length defeats the programming. It becomes a brute force issue again. How many different patterns and lengths of patterns can be tried for a 25+ character passphrase? Is it 25 characters or 35 or 45?
All the cracker knows (and his software) is
a) yes, I cracked the password or
b) no, I need to guess again.
There are hundreds of thousands of patterns that are easily typed on a keyboard. There are lots of different ways to make it longer … length matters. To the cracker, there is always a desire to get all the passwords in a specific password file, but often they are happy with 60-80%. That is enough to do all the damage they need, and I doubt they will bother looking for 25+ character passwords that aren’t in a dictionary, that have no pattern at the front or the end, and whose length you can’t guess.
Yes, definitely use a password manager with long, random passwords everywhere you can – especially any online accounts – AND MOST ESPECIALLY EMAIL ACCOUNTS. I couldn’t tell you any thing about my gmail account password other than it is really long and random. I have never typed it in. The password manager handles that – even on Android tablets.
We’re talking about the direct login to your desktop and laptop and for the password manager – nothing else.
Still, a stronger password is always better – this is just a way to get more length for the average user, while not doing things that the crackers already look for.
Thanks for the tips!
There is also an excellent article on this subject here: http://www.baekdal.com/tips/password-security-usability
He uses a different method and has some very interesting comments. Worth checking out!
@Lloyd – the issues I have with the linked article are:
- the lack of password length being mentioned at all,
- the lack of mixed case and special characters being emphasized,
- the estimated time to crack a password is woefully incorrect and short.
Any password less than 13 characters shouldn’t be allowed … anywhere – even on a blog for comments.
We aren’t trying to protect our passwords against network-based attacks – after 10 attempts, those attackers should be blocked, though I will admit that some of the software here doesn’t do that. We require a VPN for access for most of our tools anyway.
It is the attacks where the password file is taken to a different location and the cracker has days or months to hack on it. Those are what I’m worried about. If someone gets on any machine on the same subnet as the system with the passwords, I expect that file/db would be taken.
These days, any 6 character password can be brute forced in under 2 hours on a slow PC. Any of them. http://www.lockdown.co.uk/?pg=combi and these numbers do not reflect the hardware that professional crackers have. A single $300 graphics card lets anyone try 500M passwords per second. If you click on that link, I’m talking about a Class E attacker (or better).
The last benchmark that I read had every 8 character password from a 96 character alphabet completely brute forced in 26 hours. This is with just $1000 in PC hardware and free software tools.
Being over secure with your passwords isn’t a major issue, but being under secure – well, there’s the problem.
Chances are that someone else’s password will be cracked on the system anyway, but hopefully those accounts will not have any elevated access to the current or other systems.
If you are an admin anywhere on any box, we need to do it much, much better than average users.