With millions of password hashes stolen from LinkedIn, eHarmony and Lastfm.com in the past few weeks, it is a good time to re-think your password strategy.  The breaches make one thing clear: re-using one password, or even a handful of them, across many web sites is dangerous.  But creating and remembering a distinct password for every site in the ever-growing collection that makes up our digital lives can be daunting.  What should you do?

How Are Passwords Stored?

First, a little background on passwords and how they’re typically stored…

Most web sites do not store your password itself; they store a “hash” of it.  Hashing is not encryption: a hash function transforms the password through a one-way mathematical algorithm, and there is no key that turns the result back into the password.  After you’ve created an account and you log in, the password you enter is transformed in the same way and compared with what is stored.  If they match, you’re granted access.  The transformation should not be so cheap that an attacker who steals the stored hashes can generate enormous numbers of comparisons and work back to the passwords (this is called password cracking).  With automated cracking tools and a gaming graphics card you can pick up at Best Buy, an attacker can test, say, a million passwords per second against a fast hash, and far more than that on dedicated hardware.  They can also use password dictionaries, collections of common passwords and their pre-calculated hash values, and, if they need to try every possible combination, “rainbow tables”, a compact time-memory trade-off that covers every character combination up to a certain length; some tables cover as many as 50 billion hash values.  Precomputed dictionaries and rainbow tables only work when the site hashes the bare password: adding a random per-user “salt” before hashing makes every stored hash unique and forces the attacker to start from scratch for each account.

The web site operator has a couple of weapons against this, but the most important is to store passwords with a hashing algorithm built for the purpose (bcrypt, scrypt or PBKDF2, with a per-user salt and a tunable work factor) rather than a general-purpose hash such as SHA-1 or SHA-256, which is designed to be fast.  If each hash takes 10 or 100 times longer to compute, the attacker’s cracking run takes 10 or 100 times longer too, and days can become months or years, giving you time to change your password.  LinkedIn stored unsalted SHA-1 hashes, and most of the stolen passwords were cracked within a couple of days.
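The difference between weak and strong storage, as an added example that is not from the original article: a fast, unsalted SHA-1 hash falls to a precomputed dictionary lookup, while a salted, iterated PBKDF2 hash (standing in for bcrypt or scrypt) makes the attacker pay the full cost of the slow function for every guess on every account.  The password list is constructed for the example and is not data from any breach; the iteration count is an assumed work factor.

```python
import hashlib
import hmac
import os
import time

# Constructed list of common passwords standing in for an attacker's
# dictionary (not data from any real breach).
COMMON_PASSWORDS = ["123456", "password", "linkedin", "qwerty", "letmein", "abc123"]


def fast_unsalted_hash(password: str) -> str:
    """How a weak site stores a password: one SHA-1 over the bare password,
    no salt.  Every user with the same password gets the same hash."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def build_lookup_table(wordlist):
    """Attacker's precomputed dictionary: hash -> password.  Built once and
    reused against every stolen hash, which unsalted storage permits."""
    return {fast_unsalted_hash(w): w for w in wordlist}


def crack_unsalted(stored_hashes, table):
    """Cracking unsalted hashes is a dictionary lookup per account: no
    hashing work at all at attack time."""
    return {h: table[h] for h in stored_hashes if h in table}


# Stronger scheme: per-user random salt plus a deliberately slow, iterated
# hash (PBKDF2-HMAC-SHA256 from the standard library).  The iteration count
# is an assumed work factor; raise it as hardware gets faster.
DEFAULT_ITERATIONS = 200_000


def store_password(password: str, iterations: int = DEFAULT_ITERATIONS) -> dict:
    """Return the record a site would keep: salt, work factor and derived key."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": dk}


def verify_password(password: str, record: dict) -> bool:
    """Recompute with the stored salt and work factor; constant-time compare."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             record["salt"], record["iterations"])
    return hmac.compare_digest(dk, record["hash"])


def crack_salted(record: dict, wordlist):
    """With a salt the precomputed table is useless: the attacker must run
    the slow KDF once per candidate, per account.  Returns the password or None."""
    for candidate in wordlist:
        if verify_password(candidate, record):
            return candidate
    return None


def relative_cost(candidate: str = "password", iterations: int = DEFAULT_ITERATIONS) -> float:
    """How many times slower one PBKDF2 verification is than one SHA-1.
    That ratio is what multiplies the attacker's cracking time."""
    record = store_password(candidate, iterations)
    n_fast, n_slow = 20_000, 5
    t0 = time.perf_counter()
    for _ in range(n_fast):
        fast_unsalted_hash(candidate)
    per_fast = (time.perf_counter() - t0) / n_fast
    t0 = time.perf_counter()
    for _ in range(n_slow):
        verify_password(candidate, record)
    per_slow = (time.perf_counter() - t0) / n_slow
    return per_slow / per_fast


if __name__ == "__main__":
    # Unsalted: everything in the dictionary falls to a lookup.
    table = build_lookup_table(COMMON_PASSWORDS)
    stolen = [fast_unsalted_hash(p) for p in ["letmein", "correct horse battery staple"]]
    print("cracked from unsalted SHA-1:", crack_unsalted(stolen, table))
    # Salted and slow: the same dictionary still finds a weak password, but
    # only by paying the full KDF cost for every guess on every account.
    record = store_password("linkedin")
    print("cracked from salted PBKDF2:", crack_salted(record, COMMON_PASSWORDS))
    print(f"one PBKDF2 check costs ~{relative_cost():.0f}x one SHA-1")
```

Note that the slow hash does not rescue a password that is in the attacker’s dictionary; it only makes each guess expensive.  The salt removes the shortcut of precomputation, and the work factor makes the remaining brute force slow.  A strong, unique password is still what keeps you out of the dictionary in the first place.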

For individuals, the best weapon is a better password, and we don’t typically create good ones!

How Do Humans Create Passwords?

In 1956, George Miller published a paper in the Psychological Review in which he argued that human short-term memory holds at most seven, plus or minus two, chunks of information.  If we chose truly random passwords, each character would be one chunk, and a random nine-character password would sit at the edge of what we can hold.  But we do not choose randomly!  In fact, of the 76 easily-typed symbols (for English, this includes upper- and lowercase letters, digits and punctuation), research shows that 80% of the symbols used in passwords are drawn from only 32 of them, and 10% of passwords are composed solely of those 32 symbols.  For the curious, those 32 symbols, in order of occurrence, are:


The bottom line is that although a truly random nine-character password is very difficult to crack, our passwords are usually far from random and therefore much weaker.  Given how much information is protected by passwords, many have argued that we should abandon them in favor of passphrases, which are easier to remember and, being longer, can be stronger than short random passwords.

Enterprises keep piling more value onto a single password: the same one opens e-mail, file shares and many other systems.  For remote access, multi-factor authentication is clearly best practice.  Without it, that single password is also the “lock on the front door.”  Fortunately, enterprises typically enforce password complexity rules that require several character classes, usually three of the following four: upper-case letters, lower-case letters, digits, and special symbols.  Most also require a password length of at least eight characters.  Despite all of this, passwords remain a common attack vector, and weak password storage (fast, unsalted hashes) can expose hashed passwords that are often cracked.  How to solve this problem?

  1. Digital certificates
  2. Better passwords

In the long run, authenticating with digital certificates instead of passwords may be the best approach for enterprises, but the certificate infrastructure is not inexpensive to establish, nor is it practical for individuals.

Better Passwords

You are strongly encouraged to use a passphrase.  A simple but effective way to create a good one is to start from a short sentence or phrase that can end with different words.  When you are asked to change it, you substitute a different ending and/or punctuation.  For example, start with “My dog and I ” and then add “are owned.”, “shop!”, “eat pizza?”, and so on.  Introducing misspellings adds further strength.  Bear in mind that the strength comes from how unpredictable the phrase is to an attacker, not from its length alone; a famous quotation or song lyric is already in every cracking dictionary.  If you’re not a good typist, try using words that alternate between the right and left hands on the keyboard, e.g. “the proficient turkey” (look online for lists of such words).  If instead you want a conventional complex password, a good strategy is to take one letter from each word of a phrase or sentence and then add a number or symbol.

But why create our own passwords at all?  Instead, I’m convinced that the best approach is to let a computer generate long, complex, random passwords for you.  But how will you ever remember them, or type them accurately, you’re asking?  You don’t have to!  If you use a good password safe, it will generate your passwords and enter them for you.  Let it generate passwords that are as long as the site allows, drawn at random from every character the site accepts.  Which password safe?  If you like slick, consider 1Password.  If you like free, consider KeePass.  There are others.  The point is that you need one really, really good master password (and, if you want the added security of a second factor, a key file kept alongside it) to open your password safe.  You let your password safe enter your other credentials for you.
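The arithmetic behind the last three sections, as an added example that is not from the original article: it generates a random password from the full printable character set and a random passphrase from a word list using the operating system’s CSPRNG (`secrets`, never `random`), and works out the entropy and expected crack time at the article’s one-million-guesses-per-second rate for a nine-character password drawn from 76 symbols, for one drawn from the 32 common symbols, and for a five-word passphrase.  The 64-word list is constructed for the example; the 7776-word figure assumes a standard Diceware list.  The entropy formula applies only to secrets chosen uniformly at random, which is exactly why human-chosen passwords fall short of it.

```python
import math
import secrets
import string

# Figures taken from the article: a 76-symbol typeable set, the 32 symbols
# most passwords actually use, and a cracking rate of one million guesses/s.
ARTICLE_SYMBOLS = 76
COMMON_SYMBOLS = 32
GUESSES_PER_SECOND = 1_000_000

# Everything a site is likely to allow: the 94 printable ASCII characters.
FULL_CHARSET = string.ascii_letters + string.digits + string.punctuation

# Constructed toy word list (64 words, 6 bits each) so the block runs offline;
# a real Diceware list has 7776 words (about 12.9 bits each).
WORDLIST = """
apple basket candle dragon eagle forest garden harbor island jacket kettle
ladder magnet needle orange pepper quartz ribbon saddle tunnel umbrella velvet
walnut yellow zipper anchor bridge castle dinner engine falcon glacier hammer
iceberg jungle kitten lantern marble nickel oyster pillow quiver rocket silver
timber unicorn violin window yogurt zephyr acorn button cactus desert ember
fossil gravel helmet ivory jelly kernel lemon meadow nectar
""".split()
DICEWARE_SIZE = 7776


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a secret whose every element is chosen uniformly at random
    from alphabet_size choices.  Valid only for truly random choice."""
    return length * math.log2(alphabet_size)


def expected_crack_seconds(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """On average the attacker finds the secret after searching half the keyspace."""
    return (2 ** bits / 2) / rate


def generate_password(length: int = 20, alphabet: str = FULL_CHARSET) -> str:
    """Random password from the OS CSPRNG; each character is an independent
    uniform draw, so entropy_bits(len(alphabet), length) actually applies."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(words: int = 5, wordlist=WORDLIST, sep: str = " ") -> str:
    """Diceware-style passphrase: each word is a uniform draw from the list."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def comparison_table() -> dict:
    """Return {label: (entropy bits, expected crack time in years)} for the
    cases the article discusses, at the article's guess rate."""
    cases = {
        "9 chars from 76 symbols (random)": (ARTICLE_SYMBOLS, 9),
        "9 chars from the 32 common symbols": (COMMON_SYMBOLS, 9),
        "5 words from a 7776-word list": (DICEWARE_SIZE, 5),
        "20 chars from 94 symbols (password safe)": (len(FULL_CHARSET), 20),
    }
    year = 365 * 24 * 3600
    table = {}
    for label, (n, k) in cases.items():
        bits = entropy_bits(n, k)
        table[label] = (bits, expected_crack_seconds(bits) / year)
    return table


if __name__ == "__main__":
    for label, (bits, years) in comparison_table().items():
        print(f"{label:42s} {bits:6.1f} bits  ~{years:.3g} years at 1M guesses/s")
    print("generated password  :", generate_password())
    print("generated passphrase:", generate_passphrase())
```

Two things stand out from the table.  Restricting nine characters to the 32 common symbols drops the expected crack time from centuries to months at the article’s modest rate, and a GPU against an unsalted fast hash runs thousands of times faster than that.  A 20-character password from a safe, by contrast, is out of reach for any attacker, which is the case for letting the safe generate it.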

Of the 6.5 million password hashes stolen from LinkedIn, over 1.3 million were cracked within a few hours.  The statistics from that sample are very revealing about the kinds of passwords most people use.

Why Bother?

If the events of the past few weeks have taught us anything, it should have been:

  1. Never re-use a password on multiple web sites.  If one site is compromised, every other site where you used that password is exposed, and you have to change all of them quickly.
  2. Use really long, complex, random passwords.  If a web site is compromised and your hashed password is stolen, a long random password is the one thing that makes it impractical to crack.

We’re now told that the average person has 25 online accounts but only 6.5 distinct passwords, and that 66% of U.S. consumers use just one or two passwords across ALL their sites!  No one wants to manage a unique password for every site, because creating and remembering all of them is too difficult.  Stop trying, and let a password safe do it for you.