from the point

Are Your Passwords Good Enough?

WEB POSTED: December 14, 2016

Passwords. Now a constant in our daily lives – safeguarding our money, favourite tunes and generally our online lives from intruders and snoopy neighbours.

Chances are though, your passwords are weak and probably identical. That would leave a wide grin on any cyber criminal’s mug. Considering the information they are protecting, it’s surprising that setting strong passwords isn’t second nature by now. Nope, not so much.

Yet as more of our lives move into the clouds, we must strive to keep our feet and passwords anchored on solid ground. Failing to do that leaves your vital information ripe for the plucking.  Worse is that most of us have a very dangerous habit of using the same password on every service and site.  A single breach of that password means potentially unabated access to all your information!

Why are we so bad at this and why are threats of lost finances, messed-up credit ratings and legal problems not enough to motivate us?  Imagine your day starting like this all because of a few letters and numbers!

The Problem With Passwords

Fact: people are terrible at creating a password complex enough to even offer fair security. We all have an inherent nature to make patterns, something easy to remember, lulling us into a false belief of what we think a ‘good’ password is. Attackers, also being human, are wise to this and can easily exploit this weakness. Depending on how well an attacker knows their target, the first step is to start with the obvious – postal codes, license plates and dates of birth.

Attacks on complete strangers is no harder. That flaw of keeping things simple results in an easily attainable list of the top ten million most common passwords.  These “dictionary attacks” are faster and more reliable than the widely reported “brute force” attacks which tries every conceivable combination.

That list may seem daunting. However,  a standard desktop computer can process a billion passwords per second, so going through those ten million common passwords is short and sweet.

Password Cracking Clusters

In terms of a brute force attacks, that same desktop computer can solve an eight character password in just under 84 days. A period in which a system administrator somewhere should be noticing the vast number of failed login attempts on a service.  Ramp up the hardware to a few high-end gaming rigs and a password cracking cluster is born.

One recent example of this used five gaming machines with 25 AMD Radeon graphic cards – all readily available hardware. That configuration can make 350 billion guesses per second! That’s every possible eight character Windows password solved in under six hours.  Older windows systems which are common in many enterprises will fall in under six minutes and any using passwords on those lists – mere seconds.  Imagine what nation-state sponsored clusters can do.

Need for Long Complex Passwords

The above example shows exactly why ugly eight-character passwords are no longer enough. Secure data sites offer at least 128 bit security on accounts which would take trillions of years for clusters to crack. Humans screw this up by using eight characters or less in their passwords and reducing the security to just 18 bits. It’s like locking a bank vault with a wad of bubble gum.

Most experts suggest at least 12 character hashes and most cloud-based services will support upward of 18, 20 or even 24 characters.  Create and use them and get yourself a password storage solution like 1Password (Canadian), Dashlane or LastPass which can help you generate, store and recall the right password and username combinations.

If you are still going to make your own, these are very weak passwords:

  • dictionary words;
  • dictionary word with a number appended ( i.e. “5alive” );
  • simple obfuscation ( numbers as vowels like “sm1l3yface” );
  • repeating words ( i.e. powpow, tweet tweet );
  • obvious keyboard patterns ( i.e. 123456, fred, qwerty );
  • common numeric sequences ( i.e. 911, 2567, pi (314159) );
  • usernames, birthdays or personal identifiers ( i.e. jenny87, bsmith );
  • license plates, phone numbers, your SIN, address, kids, pet or nick names;
  • keeping the default password on any device (like “admin”, “password”, “master”);

Sleep better. For much stronger passwords do this:

  • at least 12 characters; over 16 is needed to be considered ‘secure’;
  • mix uppercase and lowercase letters properly (i.e. rAeIoU, not RAEiou);
  • use numbers randomly or where it makes sense, never just at the start or end;
  • toss in some punctuation, an exclamation point goes a long way;
  • have different passwords for each site;
  • avoid common words, repeating characters and keyboard patterns;
  • rethink the use of personal info (i.e. your birth date);
  • don’t use information a colleague may know;
  • be mindful of generated passwords – trust the machine generating them;
  • change them often and ask services to remind you if they can (90 days is a good);
  • use two-factor verification if available and while a pain is a best practice.

How strong is your password? Check it out here.

You Want Me to Remember What?

The most secure passwords are long and, for most of us, impossible to remember.  Character strings or hashes like k46F%74Ru5E2Wrzbg^BP are good because they go against human nature of keeping things simple. (Try entering that before coffee.) However, if too short the risk of making it easy for a computer to guess presents itself. 

The above example is 20 characters long with case-sensitive letters, numbers and common symbols. On the strength meter it rates at 43 Quintillion years for that desktop computer to guess this.  That’s 18 zeros (one million to the power of five) … I won’t wait up.

When it comes to passwords remember: long is strong! Just don’t write it on a sticky note on the front of your monitor!