How to Pick a Good Password

2014-04-21 - General, Security

It is important to select a good password.


How many online accounts do you have? 10? 20? Most of us have at least the following: email account, Facebook, Twitter, LinkedIn, online banking, credit card, iTunes, cellphone, internet provider, electric bill, Netflix, online gaming... you get the idea. For each account, we need a password. A good password that is. So how do you pick a good password?

Why You Care about Password Security

Most of us think that criminals are not interested in our data, that our lives are boring (to others) and that there is nothing to gain from our accounts. However, think about what it would mean to you if you suddenly could not access your email anymore. You probably use some kind of online email provider like Gmail or Yahoo Mail. All your email contacts are stored in there and you probably do not have a backup on your computer. In addition, your entire email history, including those software licenses and tax-deductible bills, is stored in there and you probably do not have a local backup of that either. Losing access to all that would most likely be a disaster for you.

So why would a criminal want to take that from you? They are often not interested in your emails or your past. They are much more interested in your friends. To illegally make money online, you need to get people to click on specially prepared links. Those links might install a Trojan horse or launch a phishing attack. The details of that are not important. What is important is that you are much more likely to click a link that was sent to you by a friend than a link sent to you by a stranger. Therefore, the real currency they are after is trust, the trust your friends and acquaintances have in you.

Many hackers immediately change the email account password. With that, they prevent you from letting all your contacts know that something bad happened. It often takes weeks to get access back to an account that was compromised this way. The hackers also often delete the entire history and all contacts after they are done, again in an attempt to make it harder to see the real damage and to inform the people that were contacted by the hacker.

I just today got a very unsuspicious-looking email containing a link from a friend. The only way I knew something was up was that I happened to catch a past business associate's email address in the recipient list. They had separated on unfriendly terms years ago, so he would never send an email to both that associate and me. The email otherwise was in a style that might have come from my friend, so I probably would have clicked the link…

So, why do you care? Because it is a lot of hassle to get a hacked email account back. More importantly, however, your account being hacked could mean serious trouble for your friends.

OK, I get Email Accounts. But my Online Gaming Account?

Surely there is nothing to gain there? If you have followed the media over the last few years, you are aware that, with frightening regularity, one of the bigger web sites is hacked. Sony, LinkedIn and Target are just a few of the ones that got large media attention, but there were many more. Each time the recommendation is to change your password everywhere, not only on the hacked site. Why exactly is that the case?

The Problem of Reused Passwords

Most of us do not have a hard drive implanted and therefore have trouble remembering multiple passwords. Therefore, most of us reuse passwords. However, a web site needs to store your password in its database in some form to be able to verify, the next time you come around, that you are who you claim to be. For this authentication, the site asks you to produce an account identifier such as your user name or your email address together with the password. If the password matches the one stored in the database for that account, access is granted.

There are basically three ways to store a password:

  • in plain text
  • encrypted
  • hashed

When a hacker attacks a server, they do not go after a single account on that server. Instead, they figure out a way to gain direct access to the database, for example through SQL injection. Once they have gained access to the database, they can download the list of user names, email addresses and associated passwords to their own computer.

If the passwords were stored as plain text, they do not need to do anything else at this point. If the passwords were stored encrypted, there must be a key somewhere on the server, and it is often not hard for a hacker to locate that key. Therefore, an encrypted password is often not a significant hurdle for a hacker.

The third method of storing passwords is to use a hash function. A hash function turns a password into a number that looks random. However, every time the same password is hashed, the same number is produced, while different passwords lead to substantially different hash values. A (cryptographic) hash function is designed to make it practically impossible to reverse the process and calculate the password if you know only the hash value. However, for the authentication process you do not need to know the password: as the same password always yields the same hash value, you can just hash the provided password and compare that hash value with the one stored in the database.

Many web sites still store the password un-hashed. If you ever come across a site that forbids specific characters in the password or that restricts the maximum length of the password, you are most likely dealing with a site that does not hash the password. The same is true for sites that email you your old password during the password reset process. In fact, a 2010 study found that about 40% of the sites showed those telltale signs.

However, even if the passwords were stored hashed, we still might have a problem. There are sophisticated password-cracking programs with apt names like John the Ripper or HashCat that can chew through a list of user names and their hashed passwords in no time. HashCat, for example, claims on its web site to be able to try 1 billion possible passwords against a SHA-256 hash every second on fairly modest hardware.
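The hash-and-compare scheme described above, as an added example (not code from the original post): the site stores a salted, iterated hash (PBKDF2 with SHA-256) and checks a login by re-hashing the offered password. The iteration count and salt size are assumed values; `fast_hash` is the single bare SHA-256 per password that makes the 1-billion-guesses-per-second rate quoted above achievable.

```python
import hashlib
import hmac
import os
from typing import Optional

# Work factor and salt size are assumed values for this example, not figures from the text.
ITERATIONS = 200_000
SALT_BYTES = 16

def fast_hash(password: str) -> str:
    """The scheme the text warns about: one bare SHA-256, identical on every site and account."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def make_record(password: str, salt: Optional[bytes] = None, iterations: int = ITERATIONS) -> str:
    """Build the string a site stores instead of the password.

    Layout: pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>. A fresh random salt per
    account means the same password yields a different record everywhere, so a table of
    precomputed hashes (rainbow table) cannot be reused, and the iteration count makes
    every guess cost thousands of hash computations instead of one.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def verify(password: str, record: str) -> bool:
    """Re-hash the offered password with the stored salt and parameters, then compare."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:          # malformed record: never accept
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison: response timing must not reveal how many bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

if __name__ == "__main__":
    record = make_record("troubadour")
    print("stored:", record)
    print("correct password accepted:", verify("troubadour", record))
    print("wrong password rejected:  ", not verify("Troubadour", record))
    print("bare SHA-256 identical for two users with the same password:",
          fast_hash("troubadour") == fast_hash("troubadour"))
```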

Some Password Math

If you have a password of eight random letters, there are about 200 billion possible passwords. If the program had to try them all, it would be done in about 200 seconds. If you add mixed casing and digits into the mix, you increase the number of possible passwords to about 200000 billion. HashCat would need about 200000 seconds, or roughly 2.5 days, to crack that password. Just by increasing the length to 12 characters we can catapult the number of possibilities to about 4 sextillion, which would take HashCat an estimated 150000 years to work through.

However, this does not take the human factor into account. We need to be able to remember the password, so we often start with some real word like "troubadour" and then alter it with common substitutions to make it fit the password rules imposed on us by the web site we are signing up with. Password crackers are aware of that. In fact, there are extensive lists of common password terms available on the internet, sorted by popularity. The cracking program then just has to try those words and their common alterations.

There are also additional techniques available, like so-called rainbow tables, that speed up the cracking attempt even more. What that leads to is that sophisticated hackers can figure out 90% of the passwords in a 16000-entry list of hashed passwords in just a few hours. And that list contained passwords like "momof3g8kids", which you probably considered "good" until now.

There are two ways to generate a memorable password that beats the word-list game. You can use a site like to assemble a password for you using multiple random words from a word list with some additional filler characters. If we assume their word list has 100000 entries, using five random words will give you about 10 septillion possibilities, which is more than the 12-random-character password we talked about a few paragraphs ago. The additional filler characters will add even more possibilities. However, as the password-cracking programs have caught on to this, do not use fewer than five words and make sure the words are selected truly at random.

The other option is to memorize a paragraph from your favorite book and then use the first letter of each word as your password. In this model, you should aim for at least 15 characters. Again, you might want to add some special characters to the mix to increase the complexity.
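The password math from a few paragraphs up and the random-word passphrase, carried through in code as an added example (not the author's): the keyspace and worst-case search time at the 1-billion-per-second rate quoted in the text, for both random-character passwords and word-list passphrases, plus a generator that draws words with the operating system's random source. The word list is a tiny constructed one so the block runs offline; the 100000-entry list is the text's assumption, and the computed figures are exact where the text rounds.

```python
import math
import secrets

# Rate quoted in the text for HashCat against SHA-256: one billion guesses per second.
GUESSES_PER_SECOND = 1_000_000_000
SECONDS_PER_YEAR = 365 * 24 * 3600

def keyspace_chars(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of `length` characters drawn at random from an alphabet."""
    return alphabet_size ** length

def keyspace_words(wordlist_size: int, word_count: int) -> int:
    """Number of distinct passphrases of `word_count` words drawn at random from a word list."""
    return wordlist_size ** word_count

def entropy_bits(keyspace: int) -> float:
    """Strength in bits: how many yes/no guesses an exhaustive search amounts to."""
    return math.log2(keyspace)

def seconds_to_exhaust(keyspace: int, rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate at the given guessing rate."""
    return keyspace / rate

# Constructed sample list so the generator runs offline; a real list (the text assumes
# 100000 entries) is what gives a five-word passphrase its strength.
SAMPLE_WORDS = ["troubadour", "lantern", "quartz", "meadow", "saddle", "orbit",
                "pepper", "violin", "canyon", "thimble", "glacier", "harbor"]

def random_passphrase(words: list, count: int = 5, sep: str = "-") -> str:
    """Pick `count` words using secrets (OS randomness), never the predictable random module."""
    if count < 5:
        raise ValueError("the text recommends no fewer than five words")
    return sep.join(secrets.choice(words) for _ in range(count))

if __name__ == "__main__":
    for label, space in [
        ("8 lowercase letters", keyspace_chars(26, 8)),
        ("8 mixed-case letters and digits", keyspace_chars(62, 8)),
        ("12 mixed-case letters and digits", keyspace_chars(62, 12)),
        ("5 words from a 100000-word list", keyspace_words(100_000, 5)),
    ]:
        years = seconds_to_exhaust(space) / SECONDS_PER_YEAR
        print(f"{label:34} {space:.2e} candidates, {entropy_bits(space):5.1f} bits, {years:.3g} years")
    print("example passphrase:", random_passphrase(SAMPLE_WORDS))
```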

But what about Sites that store my Password Unencrypted?

When you sign up with a web site, you cannot know whether they will handle your password with care. That means you have to assume that your password is stored in plain text, right next to your user name and email address. If a hacker gets access to that site's list, they will be able to use that information to log on to your email, at least if you used the same password there.

The important part here, however, is that it does not matter whether the passwords were stored unhashed or the hacker was able to crack a large portion of them anyway. Once a hacker has that list, two things will happen. The original hacker will try to log on to other services like email using all accounts in that list. This is a fully automated process. That means, if your password was in that list, it will be used to log on to your email provider eventually. Besides that, the original hacker will sell that list to other hackers, who will then do their thing with it.

What that means is that you really cannot reuse the password of any important account, like your email or your online banking, anywhere else on the internet. In fact, you really do not want to reuse a single password. But who can memorize that many different passwords? You could use a base password and add a different prefix to it based on the current site. That would give you a head start on many other people, but as random-character prefixing (and suffixing) is already part of the attacks executed by HashCat and the like, this will probably not last long.

The Last Password Ever

Most of us already use the browser's ability to remember passwords. If you do not need to memorize a password at all anymore, you can use a random, long and, most importantly, unique password for each account you work with. However, I would not trust the built-in functionality of your browser. Instead, use a program that was developed by security experts and that specializes in keeping your passwords secure while still being simple to use.

Those programs store the passwords in an encrypted file and require you to open that file with a master password. The file itself, as it is encrypted, can be safely stored online, e.g. in your Dropbox account. From there you can even use it on all your machines.

My current favorite among these programs is 1Password, but there are other good ones too, like LastPass, KeePass and Passpack. While most of them are not free, it is a small investment to protect your online life. And remember, we are not only talking about you, as an attack against your accounts can easily affect all of your friends too.
