What you should know about passwords

Whenever I give a presentation on forensics and e-discovery I always include a couple of slides on security, and one of those slides will be on passwords.  In any audience there will invariably be some embarrassed throat clearing and shifting of seats when I explain that a password should never be blank, your first name, your last name, or the words “password” or “1234”.

We all know that we shouldn’t use these kinds of passwords, but sometimes we still do.  Human nature being what it is, our judgement occasionally lapses and we take the easy choice – we think we’ll change the password to something secure later but don’t get round to doing so, or we think that in a given situation it doesn’t matter.  Hey, it happens to the best of us; I’ve been guilty of breaking my own rules too.

So, let me repeat, don’t use a simple password.

But now let’s reverse this and ask what makes a good password?

Passwords can be broken in a number of ways: via social engineering, via brute force computation, or by a combination of the two.  In this post I will look at brute force methods and how to make passwords more resistant to them.

Brute force cracking means trying every conceivable combination of characters until you hit the correct password.  A three letter password using lower case letters will have 26 x 26 x 26 = 17576 possible combinations.  If we have a password of 10 lower case letters then the number of possible combinations jumps to 26^10 = 141,167,095,653,376.  That looks pretty impressive, and maybe 10 years ago we might have heard the phrase, “It will take 1000 years to break this password”.

My, how things change.  In the intervening 10 years, processing power has increased tenfold, so that it now only takes 100 years.  And instead of using the computer’s engine, the CPU, we use the computer’s gaming engine, the graphics card.  A graphics card has thousands of small engines that are great at doing simple repetitive tasks like cracking a password.  Now we are down to 2 weeks to break that password.  And a dedicated password cracker will spend the money to put a rack of 10 graphics cards together, so that the invulnerable password from 10 years ago is broken in a day.

A password like “qxozyfrpwp” is both easy to crack, and hard to remember!  Neither is good.

How can we improve the strength of a password?  The easiest way is to increase the size of the character set, that is, use both UPPER and lower case characters.  Doubling the number of available characters means that a 10 letter password has 2^10 = 1024 times as many combinations.  And you only have to change 1 letter to upper case to benefit, because an attacker who cannot rule out upper case has to search the larger set at every position.  So “qxozyFrpwp” is 1024 times harder to crack than “qxozyfrpwp”.

But even this isn’t enough.  It is normal practice now to include the numbers 0 through 9 and the 32 special characters: !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~

Now we have 94 characters to use (26 lower case, 26 upper case, 10 digits and 32 specials), and “qxozyF5>wp” is 381,000 times harder to break than “qxozyfrpwp”.  That’s much better and you can sleep a little easier at night.
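As an added example (mine, not from the post), here is the keyspace arithmetic behind the figures above in Python: it works out how large an alphabet an attacker has to search for each of the example passwords and how many times harder each is to exhaust than the lower-case-only one.  The guess rate in expected_seconds is an assumed parameter; the post gives no concrete rate.

```python
import string

# The four character classes the post builds its 94-character set from.
# string.punctuation is exactly the 32 specials listed in the post.
CLASSES = {
    "lower": string.ascii_lowercase,   # 26
    "upper": string.ascii_uppercase,   # 26
    "digit": string.digits,            # 10
    "special": string.punctuation,     # 32
}


def charset_size(password: str) -> int:
    """Alphabet an attacker must search once they have to allow for every
    class the password actually uses: the union of those classes.
    (Characters outside the four classes, e.g. space, are ignored here.)"""
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))


def keyspace(alphabet: int, length: int) -> int:
    """Number of candidate passwords of the given length over the alphabet."""
    return alphabet ** length


def password_keyspace(password: str) -> int:
    return keyspace(charset_size(password), len(password))


def hardness_ratio(password: str, baseline: str) -> float:
    """How many times larger the search space of `password` is than `baseline`'s."""
    return password_keyspace(password) / password_keyspace(baseline)


def expected_seconds(password: str, guesses_per_second: float) -> float:
    """Mean time to hit the password by exhaustive search: half the keyspace
    at a constant guess rate.  The rate is an assumed input, not a post figure."""
    return password_keyspace(password) / 2 / guesses_per_second


if __name__ == "__main__":
    for pw in ("qxozyfrpwp", "qxozyFrpwp", "qxozyF5>wp", "SIcttasd?%9"):
        print(f"{pw:12} alphabet={charset_size(pw):3} "
              f"keyspace={password_keyspace(pw):.3g} "
              f"x{hardness_ratio(pw, 'qxozyfrpwp'):,.0f} vs lower-case only")
```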

The only thing left to consider is how to make it easy to remember.  Here’s one method I use.  I create an acronym based on a few lines from a poem and add a number and special character.  How about a line from Shakespeare? “Shall I compare thee to a summer’s day?”  turns into “SIcttasd?%9”.  Easy to remember, reasonably hard to crack.

Finally, please, please make sure your WiFi router password is of this type, as routers are particularly vulnerable to opportunistic hackers!  So make it at least 10 characters long, preferably 15 characters.