Before you can understand what a secure, or even an insecure, password looks like, you need to understand how a password works. The basic notion of it being a “secret” word that, when entered into a login box, is compared against your username in a database of plain text system login passwords is flawed. Not least because a password stored in plain text is about as secure as an unlocked door bearing a big sign saying “rob me”.
The question isn’t whether a password file is encrypted – it’s how it’s encrypted. Some systems still rely on basic encryption using a reversible algorithm, so that when you log in, the password associated with your username is decrypted and access is authorised. This is dangerously insecure, because a hacker who receives access to the encrypted database file can attempt to reverse-engineer the encryption algorithm, and thus gain access to the full password list. That’s why the majority of today’s passwords are converted into a hash – a one-way mathematical function – and that hash value is stored in the database instead of the actual password itself.
A hashed password is encrypted using a one-way algorithm that, in effect, turns it into a long number. This means it can be readily decrypted to find the original value of the password in question. However, as the hashing process effectively destroys the password data itself, it’s all but impossible to reconstruct a password from that encrypted hash. So you type your password into the system and it then compares your hash value against the hash value stored in the user list – if they match, you’re in. A hacker gaining access to that database of hash values is still none the wiser as to users’ passwords.
Not that a hashed password is totally secure: two identical passwords would share the same hash value, as the algorithm creates them using the original character string as the base. If a hacker gained access to the database, they could identify user groups with matching hash values as likely to be using a dictionary word, and launch a dictionary attack on those to uncover it. Also, the most dedicated of hackers – such as those working for nation states and organised crime syndicates – will likely use something called a rainbow table to attack a hashed password list.
A rainbow table is a pre-computed list of cryptographic hashes for every possible password of a certain length from a specified character set. Rainbow tables can stretch into terabyte territory and so require serious computing resources to process, but can very quickly crack password hashes for those with the necessary hardware. Which is where a salted hash comes in. By introducing a random value (or salt) into the password before encryption, even multiple users sharing the same password would have entirely different and unique hashes. It’s possible to compile a salted rainbow hash table, but the sheer size of the task makes it all but unfeasible.
When a hosting company tested passwords hashed using the industry-standard MD5 algorithm using the fire-power of a GPU-enabled brute-force cracker, it successfully cracked a seven-character non-complex (standard lower case and digits) password in only seven seconds. Make that a seven-character complex password (any letter, number or symbol), and the time increases to 1hr 40mins when encrypted with MD5, and 12hrs 53mins when hashed using the stronger SHA256 algorithm.
In terms of complexity versus time to crack, Andrey Dulkin from Cyber-Ark Software provided the following maths: “if the password is a four-digit number, then there are only 104=10,000 possible variations (four digits with ten options for each). If the attacker can check 100 variations per second, it will take ten seconds at most to find a password that works. However, if the password is ten characters long and involves capital and regular letters, special characters and digits, there are about 7010 variations, which for the same 100 variations per second will take the attacker up to 28,247,524,900,000,000 seconds (or 89.5 billion years!) to try them all.”
Don’t let those numbers give you a false sense of security, however, since those billions will drop to millions when the number of variations checked per second goes up to 1000 (throwing more processing power at the problem), and the millions will drop to thousands or hundreds of hours given enough machines to spread the processing load across. When you consider zombie networks and other distributed computing methodologies, cracking timescales start falling from eons into something that could be cracked in a coffee break.
Now you may think this doesn’t matter, because most sites and services will simply block attempts to log in after you get it wrong three times. That might be true, were it not for the simple fact that most password hacking takes place offline, using a set of hashes in a password file that’s been “obtained” from a compromised system. Often the system is compromised courtesy of a hack on a third party, which provides access to the system servers and those all-important password hash files. The password cracker can then take as long as needed to crack the code without alerting the target system or individual user. The methodology of password crackers varies considerably, but a combination of dictionary and brute-force attacks are the most common, using software to try a whole dictionary of words and variations including numbers and special keyboard characters to automate the hacking process.
A password such as “P455w0rd” or “p@$$w0rd” might have been clever enough to fool the criminals 20 years ago, but it most certainly isn’t anymore. The kind of brute-forcing tool that every self-respecting hacker will have to hand can combine dictionary and hybrid dictionary lookups to crack your “P455w0rd” in minutes. Which begs the question: if non-dictionary words don’t make a password secure, what does?
Alas, there’s no such thing as an uncrackable password. If someone has enough money and hardware to throw at the task, any password can be beaten. A secure password, therefore, is one that is complex enough to make cracking it uneconomical, given the data it’s protecting.
Length and complexity are the two keywords bandied about when it comes to secure password creation. Your password should be more than eight characters long, preferably over ten characters and ideally over 12, then you’re in the right ballpark for frustrating the would-be cracker. Everyone has a different method for creating complex passwords, all of which start with the same basic premise that the password string itself should consist of upper- and lower-case letters, numbers, and ideally special characters or symbols. Some advise taking a phrase that is memorable to you, such as “Pitch, Lottie and Mix are the names of my cats” and then using the first letters of each word as the first phase of password construction to give you “PLaMatnomc”.
To beef this up you’d then change the o to a zero, plus the “and” to an ampersand, to give “PL&Matn0mc”. This can be top-and-tailed with the $ sign – which is overlooked by many
For the best possible security, however, you need passwords that are truly random, which is where a password-generator application comes in. These come either as standalone applications or built into password vault software, and ask the user to select the number of characters and whether they want to use special characters as well as alphanumerics.
These are much less likely to fall victim to the multitude of standard crack attacks. But unless your name is Marvo the Amazing Memory Man, you’re unlikely to remember one of these maximum security passwords, let alone more.
You might, therefore, be tempted to let your web browser remember your passwords for you. This would be a big mistake. The number of keyloggers, screen-scrapers and form-grabbers built into malware is phenomenal, and most malware will attempt to access the browser client password files by default. If this isn’t bad enough, there are dedicated Windows Password Recovery tools that will readily extract password data from browsers. Which is why the real saviours of password security are dedicated vaults.
Vaults: friend or foe?
Password vaults sound like a security incident waiting to happen, because you’re literally putting all your eggs into a single basket. There’s no doubting they’re a very attractive target for thieves, but to the best of our knowledge the “big four” password vaults haven’t yet suffered a successful breach of their databases. Even the much publicised possible breach at LastPass in May 2011 was dealt with efficiently.
If you want the ultimate in password-vault security then it’s probably best to avoid those that store your data in the cloud, as a centralised store is going to be more of a target
for hackers than the local stash on your laptop.
What these vaults do offer, however, isn’t only the opportunity to automatically generate truly random and complex passwords, but to do so without the user having to remember what they are, because they fill entry fields for you. If you don’t know what a password is, you can’t give it away.
What you can give away is the all-important master password that’s used to secure access to the vault itself. By definition this needs to be a highly secure and complex password.
Passwords here to stay?
Are insecure, crackable, old-fashioned passwords here to stay? Despite their inherent problems, passwords remain irreplaceable, according to Amichai Shulman, CTO and co-founder of Imperva, because “their knowledge is protected inside the user, yet they can be replaced if compromised in some form” – factors no other security measure that has been devised to date can match. So if you’re stuck with them, better make sure they’re rather strong ones.