Let's Start Taking Passwords Seriously
By Thom McGrath on
To get this entry rolling, you owe it to yourself to read this XKCD comic: Password Strength. If you're any kind of computer geek, you'll have read this a long time ago. And there's a good chance you've done nothing with what you've learned.
Back when the internet was new, users were instructed to create passwords for their stuff with absolutely no guidance. The result was a whole boatload of people using "password" as their new password for everything. So websites began to suggest not to use dictionary words, and people began to use "pa$$word" instead. This was a good defense for about 6 months, because the hackers were only guessing A-Z (either upper or lower case) and not guessing symbols. So the hackers update their methods, and websites start applying rules like "must have 1 uppercase letter and 1 number" assuming that would help.
It didn't. Rules like that are completely pointless. I'd even argue they assist the hackers. Why is that?
Most hacking of user accounts is entirely brute-force. This is the act of simply guessing passwords rapidly until you find a match. But it's not random, it's not even aaaa-aaab-aaac etc. Brute force software is very sophisticated, and will actually start with a list of the most common passwords in the world. If that doesn't work, they move onto dictionary words. But not just plain dictionary words, they'll use words that meet length criteria, and every possible combination of letter swapping. Sure, it is a very large list, but it is still faster than guessing in sequence. If the dictionary trick fails, then it's onto sequencing.
Because passwords have become slightly more sophisticated, sequence attacks now include nearly every typeable character. There are 94 by my count. Because of this, requiring passwords to contain an uppercase letter and number is completely pointless, every character will be guessed wether you include it or not! The hackers cannot know wether or not you included a 7 in your password, that's the point of a password. By making rules such as this, hackers can adjust their software to not make a guess unless it meets the criteria, thus reducing the number of guesses.
The math for determining the maximum number of guesses to break a password is 94^length. Since most passwords require a minimum length of 6 characters, you must also subtract 94^5 guesses. That means a 6 character password would require up to 682,530,740,832 guesses. At 100,000 guesses per second, all guesses could be made in 78 days, regardless of the contents of a password. An 8 character password would require 6,095,682,046,370,590 guesses, or 1,932 years.
See what makes a password stronger? Length, not contents, unless the contents are stupid such as common passwords, or the username. What really bothers me is when websites have a maximum password length. Who does that help? Hackers. It lets them know when to stop guessing, rather than letting them decide on their own.
Then there is the issue of password reuse. This is the act of using the same password for your Facebook account as your account at Jim's Drugs. You can trust Facebook to take care of your password, but what about Jim's Drugs? Jim's website gets hacked, his user's passwords are stolen, and the hackers then try to use those passwords on Facebook and presto. Facebook did everything they could, but reusing that password made all their efforts worthless.
You could swap Facebook for Twitter and Jim's Drugs for Sony. It doesn't really matter, the point is password reuse is risky. So don't do it. Invest in a good password manager, such as 1Password. I use it myself, it is fantastic. Available on nearly every platform and nearly every browser, it is very easy to use. Combine it with Dropbox sync, and your passwords can be available on every computer and device you own. Although Mac OS has the keychain, it doesn't help you easily generate and store new passwords, only store passwords you created yourself.
Now, I fully understand my little blog post isn't going to change the world. But hopefully I can influence just a couple minds.