The Truth About Passwords

It’s often said that for passwords to be secure they must be “complex”. The reality is that a password is a single point of protection between a bad guy and your sensitive information, so there’s no doubting its importance, but how strong is a password? IT security expert Jay Abbott reveals some astonishing facts.

A long time ago, a single “pass-word” was perfectly adequate protection for sensitive data, but that is no longer true. Why? “Moore’s Law” is the answer. Essentially, Moore’s Law states that every two years the power of computing hardware doubles. Whilst I, a human, can’t reasonably guess a “pass-word” in any sensible amount of time, Moore’s Law has allowed the computer to be used as an attack tool against the humble “pass-word” and, as we know, computers do things a little bit quicker than us. To put this in perspective, a humble dictionary-based “pass-word” can be guessed by your average desktop computer in minutes or less. That’s any word in the English dictionary.

To tackle this, IT specialists decided to complicate words with additional characters, forcing bad guys to do it the hard way, by “brute-force cracking”. This approach requires the brute-force application of trial and error, in which every possible combination of letters, numbers and special characters has to be tried to guess your password. The number of combinations grows with both the quantity of characters in the password (length) and the pool of characters each one could have been chosen from (character set): it is the size of the character set raised to the power of the length.

In the case of an all lower-case password, the character set is only 26. However, if you use upper and lower case, you get 52. Add in numbers 0-9 and that makes it 62, then for additional super complexity – and the average IT person’s requirements – add the complete extended special character set from a standard PC (33 or more), and you get a pretty big character space to work with. Typically, those IT requirements are a minimum of eight characters, using upper and lower case, at least one number, and one special character. Something like this:


On face value, this additional complexity seems to be the right solution, as it makes potential brute-force attacks on a password harder to perform and therefore the passwords more secure. The big problem is that humans are not computers, and our ability to remember obscure combinations of letters, numbers, cases and special characters is limited. As a result, the added complexity only serves to frustrate, annoy and cause us humans to do what we do best – work around the system! A great example of an insecure, secure password is this:


It meets the complexity requirements, but is easily guessable. Other good examples of this tend to involve number plates, family names and pet names, all using common character substitutions based on similarity of shape.

But let’s test the theory. Below is the time needed to brute-force a password based on a typical desktop PC:

Password      Time to Crack
Hello         0.002970344 seconds
T4$cwPQs      3 days
Pa$$word1     275 days

Notice that the password used as an insecure example is actually more secure than the one that was hard to remember. That’s simply because it was one character longer. Yes, just one more character made that kind of impact.

This is the revelation often overlooked by IT specialists. Length is much more important than character set in the context of a password. As long as you’re dealing with at least 26 characters, i.e. all lowercase, or even better, upper case too, you can get some pretty astonishing results just by switching from a “pass-word” to a longer “pass-phrase”.

Let’s look at what that does to our table:

Password                    Time to Crack
Hello                       0.002970344 seconds
T4$cwPQs                    3 days
Pa$$word1                   275 days
helloworld                  9 hours
HelloWorld                  1 year
HiMyNameIsJay               161 thousand years
todayisabrightsunnyday      106 trillion years
TodayisaBrightSunnyDay      447 quintillion years

Now, I am no rocket scientist, but that’s the first time I have ever seen the word “quintillion” and am pretty sure it’s going to keep my sensitive data safe!
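The two tables above come from an unnamed cracking-time estimator, so the figures cannot be reproduced exactly. The following script is an added example, not part of the original article, that makes the underlying arithmetic explicit: it works out the character set an attacker would have to search for each password, raises that to the power of the length to get the keyspace, and divides by an assumed guessing rate. The rate of 2.6e10 guesses per second is an assumption chosen for this example (it is roughly what the article’s “3 days” for an 8-character full-alphabet password implies); the function names and the 33-symbol count (32 ASCII punctuation marks plus space) are likewise this example’s own choices.

```python
import string

# Character classes an attacker widens the alphabet to cover, sized as the
# article counts them: 26 lower, 26 upper, 10 digits, 33 symbols (incl. space).
LOWER = set(string.ascii_lowercase)
UPPER = set(string.ascii_uppercase)
DIGITS = set(string.digits)
SYMBOLS = set(string.punctuation) | {" "}

# Assumed attacker throughput (constructed for this example, not from the article).
DEFAULT_RATE = 2.6e10


def charset_size(password: str) -> int:
    """Size of the smallest standard alphabet that covers every character used."""
    chars = set(password)
    unknown = chars - LOWER - UPPER - DIGITS - SYMBOLS
    if unknown:
        raise ValueError(f"characters outside printable ASCII: {sorted(unknown)!r}")
    size = 0
    for cls in (LOWER, UPPER, DIGITS, SYMBOLS):
        if chars & cls:
            size += len(cls)
    return size


def keyspace(password: str) -> int:
    """Candidates an exhaustive search must cover: charset ** length."""
    return charset_size(password) ** len(password)


def seconds_to_crack(password: str, guesses_per_second: float = DEFAULT_RATE) -> float:
    """Worst-case time to exhaust the keyspace at the given guessing rate."""
    return keyspace(password) / guesses_per_second


def humanize(seconds: float) -> str:
    """Render a duration in the largest unit that fits, three significant figures."""
    for name, size in (("years", 365.25 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.3g} {name}"
    return f"{seconds:.3g} seconds"


def compare(passwords, guesses_per_second: float = DEFAULT_RATE):
    """Rows of (password, charset, length, keyspace, seconds), weakest first."""
    rows = [(p, charset_size(p), len(p), keyspace(p),
             seconds_to_crack(p, guesses_per_second)) for p in passwords]
    return sorted(rows, key=lambda r: r[4])


if __name__ == "__main__":
    # The article's own sample passwords, in the order the tables list them.
    samples = ["Hello", "T4$cwPQs", "Pa$$word1", "helloworld", "HelloWorld",
               "HiMyNameIsJay", "todayisabrightsunnyday", "TodayisaBrightSunnyDay"]
    print(f"{'Password':<24}{'Set':>4}{'Len':>5}{'Keyspace':>12}  Time to crack")
    for pw, cs, ln, ks, secs in compare(samples):
        print(f"{pw:<24}{cs:>4}{ln:>5}{ks:>12.2e}  {humanize(secs)}")
```

Run as a script it prints the same ordering the article’s second table shows: the 9-character “Pa$$word1” outlasts the 8-character “T4$cwPQs” purely because of the extra character, and the all-lowercase 22-character phrase dwarfs both even though its alphabet is only 26 symbols. Changing the assumed rate scales every row by the same factor, so the ordering, which is the article’s point, does not depend on it.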

Before we all change our passwords to pass-phrases, there are some gotchas to consider. Firstly, a number of attacks exist that surpass brute forcing approaches, such as hybrid attacks (which combine multiple attack methods) and the dreaded “Rainbow Tables”.

A Rainbow Table is a file that contains every possible brute force combination already written down, so all you have to do is search through it for your password hash to find a match. This is much quicker. So much so, that it can do any combination of upper, lower, number and special character passwords up to 14 characters long in a matter of minutes. Again, we come back to length – go for a longer pass-phrase to be safe.

The final gotcha is that most IT experts haven’t got their heads around this concept yet, and many will force you to have a counter-intuitive, easy to crack “complex password”. My advice is to use a phrase whenever you can; and where you can’t, make it as long and as easy to remember as you can!

Jay Abbott is the Founder and Director of Advanced Security Consulting Limited (JustASC), a specialist business offering consulting and managed services, focused on improving the SME and mid-tier sectors’ ability to understand, and ultimately withstand, inevitable cyber-attack – Contact: 08456 437 406
