Mum's the Password

thursday, 21 september '23 @ 18:12 in Technology, Cybersecurity (last updated: sunday, 20 october '24 @ 12:06)

In my last post I explored the technology behind password security. I spoke about how, in a well-designed system, measures are taken that make it harder for hackers to get hold of people's passwords. The engineering that goes into a well-protected database is pretty great. But that doesn't mean it's impermeable - much of the time, the weak point is still the way people pick passwords. In this post I'll talk about how hackers exploit our human habits, and about the practices that help you avoid getting caught out.

Usually, password attacks begin with a hacker gaining access to password hashes through some kind of data breach. At this point, their ability to crack those hashes depends on two things: power and efficiency. Power is simply the speed at which they can test guesses. Efficiency is their ability to rule out unlikely guesses without ever computing them. Even with all the measures described in my last post, the fact remains that humans are predictable. Hackers can massively boost their efficiency by taking advantage of the things we do when we think we're being clever.

How people create 'variations' of passwords

Most passwords consist of a root and an appendage. About 90% of the time the appendage is a suffix; 10% of the time it's a prefix. Many people choose a word as the root, with substitutions like "@" for "a", "!" for "i", and so on. Then, many people come up with a general 'root password' that they use everywhere, with slight modifications depending on the site or application. Password crackers have been onto these tricks for decades.

The types of password attack

  • Simply guessing. Why-oh-why anyone would use a password that appears on a list like this one is simply beyond me. Without any other details, a hacker will often just try common passwords and variations thereof. The sad thing is that, against a big database of password hashes, they're still probably going to get loads of hits.

  • Credential stuffing (aka 'password spray' attack). A hacker might know one of your passwords from another data breach. They can create variations of it and guess all of those too.

  • Dictionary attacks. Here, hackers take real words (perhaps Star Wars-related) and combine them to guess passwords. The words can be your partner's birthday, your dog's name or your favourite football team. Or they could be combinations/variations of random words.

  • Brute force. The hacker's pre-existing knowledge might not yield results, leaving them stuck guessing every possible combination. It bears emphasis that we want the hacker to get stuck with this option.

Picking secure passwords

The most secure password is probably one that you can't remember. Here are some tips:

  • They should be completely random characters without entire words.

  • They should be 20 or more characters long. Longer is better; size definitely matters here.

  • They should be completely unique for every service you need a password for.

Of course, these are going to get tricky to memorise. Which is why most security experts I know recommend using a password manager. They can simply generate huge, completely random passwords for you and remember them. They also have the convenience of auto-filling log-in forms in most browsers and on mobile devices. They are a rare combination of both security and convenience. Though even with a password manager, there are two passwords you'll need to memorise, because you can't rely on the password manager for them...

  1. Your password manager itself - your master password

  2. Your email address, in case you ever lose access to your password manager

For these, I recommend the Schneier scheme. And since there are only two of them, make sure they're absolutely killer (and obviously unique).

But I don't trust password managers.

I do understand. It's especially difficult to look at what's been happening to LastPass over the last few years and think it's a foolproof solution. I'd still argue it's safer than the alternative. If you are able to come up with extremely secure passwords for every site you visit and remember them without a password manager, then that's great. But having a unique, random password for every site you ever visit quickly becomes impractical, and a password manager becomes the superior choice. Having the password manager be your single point of failure is a safer bet than spreading the risk around the internet. Just make sure you pick a good one.

Writing passwords down is fine, as long as they're not simply stuck to your monitor at work.

What about the xkcd scheme?

I often read about the xkcd method of coming up with passwords. All in all, whilst password length is a bigger factor in security than complexity, I'm not a fan. Once again, crackers are onto this trick: they can combine dictionary attacks with so-called combinator attacks, which try combinations of dictionary words. The attacker is going to figure this one out long before they need to resort to brute force.
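To put numbers on 'length matters more than complexity' and on the xkcd question, here is a small example added to this page (it is not code from the original post or from any password manager): it generates passwords from the operating system's CSPRNG the way a manager does, and works out the entropy in bits of each scheme. The 94-character alphabet, the 7776-word Diceware list size and the 10^11 guesses-per-second cracking rate are assumptions picked for the comparison.

```python
import math
import secrets
import string

# Alphabet a password manager would draw from: 52 letters, 10 digits and
# 32 punctuation characters (94 in total). Assumed for this comparison.
ALPHABET = string.ascii_letters + string.digits + string.punctuation
# Size of the standard Diceware word list (6^5), the kind of list an
# xkcd-style passphrase is drawn from. Assumed for this comparison.
DICEWARE_WORDS = 7776
# Assumed cracking rate for a well-equipped GPU rig against a fast hash.
GUESSES_PER_SECOND = 1e11


def entropy_bits(alphabet_size: int, symbols: int) -> float:
    """Entropy of a password made of `symbols` symbols, each drawn uniformly
    at random from `alphabet_size` choices. A 'symbol' is one character for
    a random string and one whole word for a passphrase. This is the best
    case: it assumes a genuinely random pick, which a password manager
    makes and a human choosing 'memorable' words does not."""
    return symbols * math.log2(alphabet_size)


def years_to_exhaust(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Years needed to try every possibility at `rate` guesses per second."""
    return 2 ** bits / rate / (365 * 24 * 3600)


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Random password from the OS CSPRNG, as a password manager generates
    one. `secrets`, not `random`: the latter is predictable."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def compare_schemes() -> dict:
    """Entropy in bits for the password styles discussed in the post."""
    return {
        "8 random characters (94-char alphabet)": entropy_bits(len(ALPHABET), 8),
        "4 random Diceware words (xkcd scheme)": entropy_bits(DICEWARE_WORDS, 4),
        "6 random Diceware words": entropy_bits(DICEWARE_WORDS, 6),
        "20 random characters (94-char alphabet)": entropy_bits(len(ALPHABET), 20),
    }


if __name__ == "__main__":
    for name, bits in compare_schemes().items():
        print(f"{name:42s} {bits:6.1f} bits  ~{years_to_exhaust(bits):.3g} years to exhaust")
    print("example 20-character password:", generate_password())
```

Four genuinely random words come to roughly 52 bits, about the same as eight random characters, which is why a combinator attack enumerating word combinations gets through them in hours at the assumed rate; twenty random characters come to about 131 bits and are out of reach of exhaustive search. And that 52-bit figure already assumes the words were picked at random rather than because they were memorable.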

It's ok! I have a system!

Please take this from me: you are not smarter than these password crackers. These people have been at it for years, often professionally. Yet, even self-professed script kiddies report terrifyingly high success rates. Let me be perfectly clear: you have not thought of anything that these password crackers have not. Do not make the mistake of thinking you can stay a step ahead of them.

Take a look at this article from a decade ago about how, even back then, seemingly complex passwords were cracked using combinator attacks. Take note of what is being said at the end of this paragraph. Is your system going to hold up against modern password-cracking technologies?

What was remarkable about all three cracking sessions were the types of plains that got revealed. They included passcodes such as "k1araj0hns0n," "Sh1a-labe0uf," "Apr!l221973," "Qbesancon321," "DG091101%," "@Yourmom69," "ilovetofunot," "windermere2313," "tmdmmj17," and "BandGeek2014." Also included in the list: "all of the lights" (yes, spaces are allowed on many sites), "i hate hackers," "allineedislove," "ilovemySister31," "iloveyousomuch," "Philippians4:13," "Philippians4:6-7," and "qeadzcwrsfxv1331." "gonefishing1125" was another password Steube saw appear on his computer screen. Seconds after it was cracked, he noted, "You won't ever find it using brute force."

Multi-factor Authentication

Where possible, especially for accounts that are very important, enable multi-factor authentication. If a password is compromised, the account has another layer of defence.

Remember that you'll need to save recovery codes or QR codes in case you also lose access to your second factor (or if you change devices). Be aware that these also need to be kept secure, because they add another potential point of failure. Recovery codes can go in a password manager; QR codes can be printed.

Some practices to avoid...

Beyond password re-use or picking lousy passwords, here are some things to avoid, even though they often start from good intentions.

Mandating regular password changes. I'd suggest this doesn't really improve security in any meaningful way. What it does do is incentivise users to pick more memorable passwords, and through this security is actually reduced. Besides, 'enforced password changes' tends to mean an easy password and an ever-incrementing suffix, which does nothing to overcome the problem of easily-guessable passwords (go on, admit it, we all know you do it too).

Arbitrary password complexity. Requiring at least 1 number, 1 upper and 1 lower case character, and such, is - in my view - unnecessary. Length is a better defence against brute force. Even then, these rules don't offer much extra security, since users tend to just make the '@' for 'a'-type substitutions I've already covered. Much better is to enforce a minimum password length, to block reuse, and to check whether a new password already appears in existing data breaches.

Password sharing, or using a password for anything other than authentication. It doesn't matter if it's someone you trust (perhaps you wanted to see how secure your password is). Once it's out of your control, you can't tell what's happening with it.

Using REAL personal information as the answer to secret questions. This one is adjacent to the main topic here. A super-secure password is great, but it won't help if someone who knows the name of your first goldfish can bypass it using the site's 'forgotten password' feature. The secret answers can just be random strings stored in your password manager.

So when should I change my password?

There are three reasons to change your password.

  1. If your password is weak or might fall prey to any of the attacks listed above, then change it.

  2. If your password has been re-used, then change it.

  3. If you have any reason to believe that a password has been compromised or leaked, then definitely change it.

If none of the above is true, there's no need.

In conclusion...use a password manager

So I hope I've impressed upon you the importance of creating long, random passwords without any theming. And you need to come up with a unique one for every website you use. All thousand of them. Then either memorise them all, or come up with some kind of filing system for all the post-it notes. Or use a password manager.

So in conclusion, use a password manager. 😁

-tommy

Thanks for reading! If you enjoyed reading this post and/or learned something, please get in touch and let me know. Better yet, if you've found any errata in my blog posts, please do make me aware. I'm always looking for opportunities to improve my writing!
