Jason Palmer, CPA, CITP

Cyber Insurance Auditing

You are here: Home / Archives for Common Passwords

Strengthening Common Passwords

By 1 Comment

Raise your hands.  How many of you are still using one of the following as your Password:

First Name Birth Date
Kids Name
Dogs Name
First Name Date of Hire
Password
123456
Yankees
Mets

No Common PasswordsYou get the idea.  A Password so incredibly obvious that you really don’t even need to write it down and stick it to the underside of your keyboard for a co-worker or family member to find it.  (What?  You think you’re the only person in the world who would think to hide their password under their keyboard?)

Since you refuse to make a genuinely strong password as discussed in my article, “Have YOU changed your Password recently?” let’s see if we can take your existing, incredibly obvious password and make it stronger.

Let’s start with the ever popular First Name and Birth Date.  WALT1901  Yes, you do get partial credit for using both Letters and Numbers but fail because these are two pieces of information that many people who might want to get in to your digital accounts already know.  I understand that it is very easy to remember.  We can make is stronger with just a few minor improvements.

Let us combine the First Name with the Birth Date so that we take one letter from the first name then one number from the birth date:  WALT1901 becomes W1A9L0T1 .

We can make this a little stronger still by changing the Letter “L” to a Number “1” so the new password would be W1A910T1 .  Changing a letter to a number in this particular manner is a form of simple letter/number substitution called LEET. (Read more about LEET at Wikipedia here.)

A determined hacker who knows your name and birth date would figure this out fairly quickly as one of the few dozen combinations and possibilities.  However, the simple modification above will keep out most nosey co-workers and family members who try the incredibly obvious first. (A brute force computer program could figure this password out in a matter of minutes because it is just letters and numbers.)

Almost any Password can immediately be strengthened by using LEET – substituting numbers or special characters for letters.  LEET works well as a starting point.

Password becomes P@ssw0rd or P@55w0rd
Yankees becomes Y@nk335
Mets becomes M3t5

Unfortunately, these passwords are still very easy for anyone who knows what Sports Teams you follow to figure out.  LEET substitution patterns are fairly well known.  (I am ignoring for the moment if you are one of the tens of thousands who still use the word “password” as your actual “password” – LEET or not, you deserve to be hacked.)

In order to throw off those who might know that you like Baseball and may use Sports Team names as your password series, we need to add a special character and mix things up a bit.

If we take our LEET version of Yankees – Y@nk335 – and add an Exclamation point – Y@nk!335 – this makes the password extremely strong from a human attack and reasonably strong from an automated attack.

Going one step further:  If we move the numbers to the front:  Y@nk!335 becomes 335Y@nk!  – this password is even stronger and again could most likely only be broken by a brute force automated attack.  (A brute force automated attack is where the computer will keep trying every letter, number, special character combination until it is successful.)

I have demonstrated that you can hang on to your common, weak Password, so you can remember it, and apply a few simple techniques to make it significantly stronger.  At the bare minimum, it is will certainly keep out noisy co-workers and family members.  At best, it will make the brute force hacker’s work extremely hard to break in to your digital accounts.

A few thoughts on the selection of a Password and Strength:

Understand that every password, given enough time, will be found.

As discussed, someone trying to gain entry in to your digital account is going to try the easy, common passwords first.  For example, “123456” is the most common password and “Password’ is the fourth most common password.  A hacker is not going to have to use any fancy brute force attack to break in to an account with either of these two passwords.  In fact, they will be the first and fourth passwords that the hacker tries to use to gain entry in to your account.

The point is that any hacker will have a list of well know common passwords that include Sports Teams, Movies, Celebrities, Comic Book Characters, Seasons, Fictional Characters, Playwrights, Composers, etc.  All of these well know possible passwords will be tried first and in too many cases, will be successful.

Once you start to use Passwords that are not common and have the above techniques applied to them, you will force the hacker to use a “brute force” method of attack which can take an incredible amount of time to succeed.

Thieves like to take the cars with the doors left unlocked and the keys in the ignition.

Make sure to lock your digital accounts with a good quality password.

With a few simple modifications to your Password, you can put up enough of a challenge that most hackers will give up and move on (unless you are a specific target of an attack.)

The sites below have a combination of Password Quality Meters and the theoretical amount of time it would take for a brute force, automated attack to succeed.

NOTE:  There are significant differences in the assumptions used to determine the difficulty level in cracking your Password.

DO NOT RELY SOLELY ON THESE TOOLS FOR GUIDANCE WITHOUT UNDERSTANDING THEIR METHODOLOGIES!

The three sites below take entirely different approaches to determining the quality of a Password.

Password Quality Test Tools

The Password Meter – Traditional Analysis based on Traditional Policy Theory
http://www.passwordmeter.com/

Pass Fault – Patterns Make Passwords Easy to Crack
http://www.passfault.com
Pass Fault – Analysis based on Pattern Theory
https://passfault.appspot.com/password_strength.html

Needle in a Hay Stack Theory by Steve Gibson and Test
https://www.grc.com/haystack.htm