Does Your Password Suck?

Passwords are a constant in our daily lives – at least until something better comes along which likely isn’t going to be anytime soon. They safeguard our money, favourite tunes and generally everything in our lives from intruders down to that snoopy neighbour looking for free WiFi.
Chances are, though, that your passwords are far too weak and easy to guess. Worse, most of us have just one that gets recycled from site to site and card to card. All this leaves a big wide grin on the mugs of cyber criminals and identity thieves, because whoever gets hold of it can essentially run (ruin) your life.
Considering the information our passwords are supposedly protecting, it really is surprising that setting strong and unique passwords for every login is not second nature by now. Nope, not even close.
As more of our lives move into the cloud, we simply must do better at protecting our data and stop leaving it as low-hanging fruit ripe for the plucking. Too many of us have the bad habit of using the same weak password for everything. A single breach of that password means potentially unfettered access to every account that shares it!
We all have an inherent tendency to make patterns, something easy to remember, which lulls us into a false belief about what a “good” password is. Attackers, being human too, are wise to this and exploit it. Depending on how well an attacker knows their target, the first step is the obvious: postal codes, licence plates and dates of birth.
Attacking complete strangers is no harder. Because so many people keep things simple, a list of the ten million most common passwords is freely available, and trying each entry in turn is the “dictionary attack” you read about. Against human-chosen passwords it is far faster than the widely reported “brute force” attack, which tries every conceivable combination, though only brute force is guaranteed to finish.
That list may sound daunting. However, a moderately powerful desktop computer can run through the whole thing in a couple of minutes, provided the attacker is working offline against a copy of stolen password hashes rather than typing guesses into a live login page. Every crack time quoted in this article assumes that offline scenario.
For brute force, that same desktop computer can exhaust every eight-character password in just under 84 days. One would hope a system administrator would notice three months of failed login attempts against a live service, but offline cracking of stolen hashes leaves no such trail, and it is seldom a single computer employed for the task anyway. Ramp up the hardware to a few high-end gaming systems with lots of processing power and a password cracking cluster is born.
One widely reported example used five gaming machines with 25 AMD Radeon graphics cards, all readily available hardware. That configuration made 350 billion guesses per second! That is every possible eight-character Windows password (letters, numbers and symbols) solved in under six hours. Older Windows systems, still common in many enterprises, fall in under six minutes, and any account using a password from those leaked lists opens in mere seconds. Imagine what a nation-state sponsored cluster could accomplish.
Update: Newer, more powerful clusters have cracked complex eight-character passwords in under 39 minutes, and in combination with “rainbow tables” (precomputed lookup tables that trade disk space for cracking time) even complex 12-character passwords are being reported as within reach. Rainbow tables only work where a site stores its password hashes without a per-user salt, which a well-run service should never do, but you cannot tell from the outside which sites got that right. The new standard for a secure password in 2022 should be considered 16 or more characters using numbers, both cases of letters and symbols.
The above example shows exactly why ugly eight-character passwords are no longer enough. The encryption and hashing behind a well-run site offers 128 bits or more of security, which would take clusters trillions of years to crack. Humans undo this by choosing passwords of eight characters or fewer which, given how predictably we pick them, carry only about 18 bits of entropy: the password, not the cryptography, becomes the weak point. It’s like “locking” a bank vault with a wad of bubble gum.
Most experts suggest at least 12 to 16 characters, and most cloud-based services will support upward of 18. Create and use them, and get yourself a password manager like 1Password (Canadian), Dashlane or LastPass, which can generate, store and recall the right password and username combination for each site.
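To make the rainbow-table point concrete, here is an added example (not code from the original post) showing why a precomputed table cracks unsalted hashes instantly yet is useless against salted ones. The wordlist, the user enrolment and the deliberately low PBKDF2 iteration count are constructed for the demonstration; real systems use far more iterations or a memory-hard function.

```python
"""Precomputed tables versus salted password hashes (added example).

The wordlist and the low PBKDF2 iteration count are constructed for the
demonstration; production systems use hundreds of thousands of iterations
(or a memory-hard function such as Argon2).
"""
from __future__ import annotations

import hashlib
import secrets

# Constructed stand-in for the "top ten million" list the article mentions.
WORDLIST = ["password", "123456", "qwerty", "letmein", "iloveyou", "hockey2022"]

DEMO_ITERATIONS = 1_000  # deliberately low so the demo runs instantly


def unsalted_hash(password: str) -> str:
    """The weak scheme: store SHA-256(password). Identical passwords give
    identical hashes on every system, so one table cracks them all."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup_table(words) -> dict[str, str]:
    """Precompute hash -> password once. A real rainbow table compresses this
    into chains to save disk, but the reuse property is what matters here."""
    return {unsalted_hash(w): w for w in words}


def crack_unsalted(stolen_hash: str, table: dict[str, str]):
    """One dictionary lookup; no hashing work at attack time."""
    return table.get(stolen_hash)


def salted_hash(password: str, salt: bytes, iterations: int = DEMO_ITERATIONS) -> bytes:
    """The stronger scheme: a per-user random salt mixed into a slow,
    iterated hash (PBKDF2-HMAC-SHA256 from the standard library)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def enrol(password: str) -> tuple[bytes, bytes]:
    """What the server stores for a new user: (salt, salted hash)."""
    salt = secrets.token_bytes(16)
    return salt, salted_hash(password, salt)


def crack_salted(stolen_salt: bytes, stolen_hash: bytes, words) -> tuple:
    """With a salt, nothing can be precomputed before the breach: every
    candidate must be re-hashed per user. Returns (match, kdf_calls)."""
    calls = 0
    for w in words:
        calls += 1
        if salted_hash(w, stolen_salt) == stolen_hash:
            return w, calls
    return None, calls


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)

    # Unsalted: the stolen hash is already in the table.
    stolen = unsalted_hash("hockey2022")
    print("unsalted ->", crack_unsalted(stolen, table))

    # Salted: two users with the same password store different hashes, and
    # the precomputed table knows neither of them.
    salt_a, hash_a = enrol("hockey2022")
    salt_b, hash_b = enrol("hockey2022")
    print("same password, same stored hash?", hash_a == hash_b)
    print("table hit on salted hash?", crack_unsalted(hash_a.hex(), table))

    # The attacker can still guess, but only by paying the KDF cost per user.
    word, calls = crack_salted(salt_a, hash_a, WORDLIST)
    print(f"salted -> {word} after {calls} KDF calls for this user alone")
```

The salted scheme does not make “hockey2022” a good password; the attacker still finds it by guessing. What it removes is the precomputation: the work has to be repeated for every user, at whatever cost per guess the hashing function imposes, which is exactly the multiplier a long, random password then turns into centuries.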
If you are still going to make your own, these are very weak passwords:
Better, much stronger choices are:
How strong is your password? An online strength checker will give you a rough idea, but never type a password you actually use into one; test a similar pattern instead.
The most secure passwords are long and, for most of us, impossible to remember. That’s actually a good thing and why those above noted password managers exist.
Character strings like k46F%74Ru5E2Wrzbg^BP are excellent because they break the human experience of keeping things simple. Just try entering that before coffee! Our tendency to make things easy to remember (a.k.a “short and sweet”) amps up the risk of making it easy for a hacker to guess too.
The above example is 20 characters long with case-sensitive letters, random mid-line numbers and a few common symbols. On most crackability score tables, it ranks in at 43 quintillion years for a moderately powered desktop computer to crack. That’s 18 zeros (a million cubed) … I won’t wait up.
Update: That same password in 2022 now only takes 500 quadrillion years to crack. I still won’t wait up, but it is also amazing that in the six years since this article was first written the estimate has shed about 42.5 quintillion (4.25e+19) years, roughly 99% of the original figure, as crack speeds have grown.
Our standard CMS admin passwords are now 32 characters, which comes out to a crack time of around two quattuordecillion years. That’s 2e+45 for the nerds in the room.
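The arithmetic behind every crack time in this article (the dictionary list, the eight-character-in-under-six-hours figure, the 18-bit estimate and the 20- and 32-character examples) is the same worst-case model: count the candidates an attacker must try and divide by the guess rate. The following is an added example, not code from the original post. Only the 350 billion guesses per second rate comes from the article; the other rates, the ten-million-entry dictionary size and the sample passwords are assumptions chosen to illustrate the model.

```python
"""Search-space and crack-time arithmetic behind the figures in this
article (added example, not part of the original post).

Only the 350e9 guesses/second rate comes from the article. The other rates,
the 10-million-entry dictionary size and the sample passwords are
assumptions; the model is the worst case of trying every candidate.
"""
import math
import secrets
import string
from typing import Optional

SECONDS_PER_YEAR = 365.25 * 24 * 3600
PRINTABLE = string.ascii_letters + string.digits + string.punctuation + " "  # 95 chars

# Guesses per second. The offline rates assume the attacker holds a copy of
# the password hashes; the online rate assumes a login form that tolerates
# about ten attempts a second before throttling (an assumed figure).
RATES = {
    "online login form (assumed 10/s)": 10.0,
    "desktop, offline (assumed 1e9/s)": 1e9,
    "25-GPU cluster, offline (article: 350e9/s)": 350e9,
}


def charset_size(password: str) -> int:
    """Alphabet a brute-forcer must assume, inferred from the character
    classes present: lower (26), upper (26), digits (10), symbols (32), space (1)."""
    classes = (string.ascii_lowercase, string.ascii_uppercase, string.digits,
               string.punctuation, " ")
    return sum(len(cls) for cls in classes if any(c in cls for c in password))


def bits(space: int) -> float:
    """Entropy of a uniform choice among `space` candidates."""
    return math.log2(space)


def years_to_exhaust(space: int, rate: float) -> float:
    """Worst case: every candidate is tried at `rate` guesses per second."""
    return space / rate / SECONDS_PER_YEAR


def estimate(password: str, *, dictionary_size: Optional[int] = None,
             charset: Optional[int] = None) -> dict:
    """Search space, bits and crack times for one password.

    dictionary_size models a human-picked password as one entry in a list of
    that many common passwords (the attack in the article): its strength is
    then log2(list size) regardless of how long the password is.
    charset overrides the inferred alphabet (e.g. 95 for all printable ASCII).
    """
    alphabet = charset or charset_size(password)
    space = dictionary_size if dictionary_size else alphabet ** len(password)
    return {
        "password": password,
        "length": len(password),
        "charset": alphabet,
        "search_space": space,
        "bits": round(bits(space), 1),
        "years": {name: years_to_exhaust(space, rate) for name, rate in RATES.items()},
    }


def generate(length: int = 20, alphabet: str = PRINTABLE) -> str:
    """Uniformly random password of the kind a password manager produces."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    cluster = "25-GPU cluster, offline (article: 350e9/s)"
    samples = [
        ("hockey2022", {"dictionary_size": 10_000_000}),  # a top-ten-million pick
        ("aB3$eF7!", {"charset": 95}),                    # any 8-char printable password
        ("k46F%74Ru5E2Wrzbg^BP", {}),                      # the article's 20-char example
        (generate(32), {}),                               # manager-generated 32 chars
    ]
    for pw, kwargs in samples:
        r = estimate(pw, **kwargs)
        print(f"{pw!r:36} {r['bits']:6.1f} bits   cluster: {r['years'][cluster]:.3g} years")
```

Two things fall out of running it. A password that appears on a ten-million-entry list is worth about 23 bits no matter how it is spelled, and disappears in a hundredth of a second offline; the eight-character random password reproduces the article’s “under six hours” against the 350 billion guesses per second cluster; and each extra character multiplies the work by the alphabet size, which is why 20 and 32 characters land in the astronomical range the article quotes. The online rate is the reminder that these numbers describe attacks on stolen hashes, not on a login page.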
When it comes to passwords remember: long is strong! Just don’t write it on a sticky note on the front of your monitor 😉