Jason Palmer, CPA, CITP

Cyber Insurance Auditing

You are here: Home / Archives for Strong Passwords

A Complex Password may not be a Strong Password

By 2 Comments

Keyboard PatternJust because your password meets complexity requirements does not necessarily make it a strong password.  It is a given that many sites require you to have a password of a minimum length of at least six or eight characters.  Some go so far as to require the addition of a number and at least one upper case letter.  At first glance, this gives the appearance of a complex password that, in theory, should be harder to crack.  If we consider a blind brute force attack that starts at six characters with “000000” and cycles through every combination of upper and lower case letters and numbers through “zzzzzz”, this is essentially true.

The problem is that automated password attacks have become intelligent in the sense that hackers have added “Pattern Matching” and LEET algorithms. (LEET refers to the substitution of a character in a word with a corresponding number or special character.  Read more about LEET in Wikipedia here.)

In my article, “Strengthening Common Passwords”, I discuss that Hackers will look first to the most common passwords.  For example, “123456” is first and “Password” is fourth on the list of common passwords.  This fact reduces the need to even begin a brute force attack on your Password until thousands of common words, phrases, and numbers such as Sports Teams, Birth Years in the 1900’s, Popular Baby Names, Movie Titles, and Fictional Characters have been tried first through a pattern match attack.

This is just the tip of the iceberg in breaking a password that appears to be complex.

If we start with a common password, “yankees” and modify it to meet complexity requirements, it might become “Yankees1” which is not necessarily any more secure than if it were all lower case without the addition of the number.  Applying “Pattern Matching”, what would be the most obvious “Pattern” modification to any common word (password) to meet complexity requirements?  Answer:  The capitalization of the first letter, which follows standard English Grammar rules and the addition of the number 1 or even 12.  Even adding LEET so the password becomes “Y@nK33s1” is not really a significant improvement because the next “pattern” applied in the attack to the well-known password list will be LEET substitutions.

How many of you just realized that your own password that properly met complexity requirements is not nearly as strong as you thought is was sixty seconds ago?

A pattern match attack program will first try making common pattern modifications to its’ list of well-known passwords before it starts a brute force sequential search.  This will significantly increase the chances of success with minimal increase in the time required to crack your password.

Some of you are thinking, my password is really strong, it’s “1234qwerUIOP”.  “No one could possibly guess that password, right?  Again, on a pure sequential, brute force attack, to break a twelve character, non-dictionary password is a very long time.  If we look closely at this password we see that it is three groups of four sequential characters from a standard computer keyboard:  “1234” are the first four numbers of the numeral row, “qwer” are the first four characters of the top row, and “UIOP” are the last four letters of the top row.  In short, a common pattern used for a password.

In order for a Password to be strong, it needs to be more than complex.  It needs to be sufficiently long and suitably random to be truly effective.

Before you decide to abandon all on-line banking and social media activity for fear that almost no password you could create could ever be strong enough to protect your digital accounts, keep in mind a few key issues:  The above discussion applies to a hacker making a concerted specific effort to crack your password to gain access to one of your digital accounts.  The likelihood that you will be a specific “high value” target is minimal.  Again, I go back to my analogy that car thieves look for unlocked cars with the keys in the ignition.

The key take away is to make it as difficult as possible so that the hacker gives up after trying obvious well-known Passwords with or without Pattern Matching algorithms applied and moves on to someone else.

Follow best practices by trying to make your passwords sufficiently long with at least eight characters, use upper and lower case letters (if recognized as different by your particular web site account), always include a few numbers either as substitutions for letters (LEET) or as additional characters added at random places in the Password (do not just put at the beginning or end), and where permitted, try to do the same with special characters such as @ $ %! # by placing them at random locations in the Password.

As a closing example looking back to “yankees”, we can even make it reasonably strong by applying all of the techniques so that it becomes “y@!nk3#3s”.  (Note that it uses LEET and adds in two special characters in random locations.)  Even though we start with a very common password, “yankees”, a pattern match attack will most likely fail and the only option for the hacker will be to use a brute force sequential search.

Finally, you can also use “Patterns” to your advantage.  (The Patterns which just capitalize the first letter, add a number 1 at the end or only use LEET on a well-known common password or dictionary word should not be used.)

In an effort to be able to remember your passwords you can create a non-obvious pattern to strengthen your common passwords:  Perhaps you always add a # after the third letter and an ! before the last letter or instead of using a U in your spelling, you always use a V.

Anything you can do to be non-standard and appear random in creating your Password will afford you a reasonably high degree of protection from hackers who use common, pattern match and brute force password attacks.

 

Technical Note:  The ability of a brute force sequential attack to succeed in cracking your Password depends largely on who is behind the attack and the amount of computer power brought to the task.  A Hacker with a single computer may take months or centuries to crack your sufficiently long complex random password.  A Hacker who has tens of thousands of zombie PC’s coordinating an attack will take significantly less time to be successful.  If a Government Security Agency is behind the attack, with that amount of computer power, it might be a matter of hours or days to crack your password.

As scary as this all sounds, the provider of your digital account can go a long way to slow these attacks to a crawl.  Many web sites will not allow another login attempt for a certain period of time after three to five login failures or will lock the account completely after five or ten login attempts.  No automated attack can proceed if the web site will not allow a login due to failed attempts – human or automated.

Strengthening Common Passwords

By 1 Comment

Raise your hands.  How many of you are still using one of the following as your Password:

First Name Birth Date
Kids Name
Dogs Name
First Name Date of Hire
Password
123456
Yankees
Mets

No Common PasswordsYou get the idea.  A Password so incredibly obvious that you really don’t even need to write it down and stick it to the underside of your keyboard for a co-worker or family member to find it.  (What?  You think you’re the only person in the world who would think to hide their password under their keyboard?)

Since you refuse to make a genuinely strong password as discussed in my article, “Have YOU changed your Password recently?” let’s see if we can take your existing, incredibly obvious password and make it stronger.

Let’s start with the ever popular First Name and Birth Date.  WALT1901  Yes, you do get partial credit for using both Letters and Numbers but fail because these are two pieces of information that many people who might want to get in to your digital accounts already know.  I understand that it is very easy to remember.  We can make is stronger with just a few minor improvements.

Let us combine the First Name with the Birth Date so that we take one letter from the first name then one number from the birth date:  WALT1901 becomes W1A9L0T1 .

We can make this a little stronger still by changing the Letter “L” to a Number “1” so the new password would be W1A910T1 .  Changing a letter to a number in this particular manner is a form of simple letter/number substitution called LEET. (Read more about LEET at Wikipedia here.)

A determined hacker who knows your name and birth date would figure this out fairly quickly as one of the few dozen combinations and possibilities.  However, the simple modification above will keep out most nosey co-workers and family members who try the incredibly obvious first. (A brute force computer program could figure this password out in a matter of minutes because it is just letters and numbers.)

Almost any Password can immediately be strengthened by using LEET – substituting numbers or special characters for letters.  LEET works well as a starting point.

Password becomes P@ssw0rd or P@55w0rd
Yankees becomes Y@nk335
Mets becomes M3t5

Unfortunately, these passwords are still very easy for anyone who knows what Sports Teams you follow to figure out.  LEET substitution patterns are fairly well known.  (I am ignoring for the moment if you are one of the tens of thousands who still use the word “password” as your actual “password” – LEET or not, you deserve to be hacked.)

In order to throw off those who might know that you like Baseball and may use Sports Team names as your password series, we need to add a special character and mix things up a bit.

If we take our LEET version of Yankees – Y@nk335 – and add an Exclamation point – Y@nk!335 – this makes the password extremely strong from a human attack and reasonably strong from an automated attack.

Going one step further:  If we move the numbers to the front:  Y@nk!335 becomes 335Y@nk!  – this password is even stronger and again could most likely only be broken by a brute force automated attack.  (A brute force automated attack is where the computer will keep trying every letter, number, special character combination until it is successful.)

I have demonstrated that you can hang on to your common, weak Password, so you can remember it, and apply a few simple techniques to make it significantly stronger.  At the bare minimum, it is will certainly keep out noisy co-workers and family members.  At best, it will make the brute force hacker’s work extremely hard to break in to your digital accounts.

A few thoughts on the selection of a Password and Strength:

Understand that every password, given enough time, will be found.

As discussed, someone trying to gain entry in to your digital account is going to try the easy, common passwords first.  For example, “123456” is the most common password and “Password’ is the fourth most common password.  A hacker is not going to have to use any fancy brute force attack to break in to an account with either of these two passwords.  In fact, they will be the first and fourth passwords that the hacker tries to use to gain entry in to your account.

The point is that any hacker will have a list of well know common passwords that include Sports Teams, Movies, Celebrities, Comic Book Characters, Seasons, Fictional Characters, Playwrights, Composers, etc.  All of these well know possible passwords will be tried first and in too many cases, will be successful.

Once you start to use Passwords that are not common and have the above techniques applied to them, you will force the hacker to use a “brute force” method of attack which can take an incredible amount of time to succeed.

Thieves like to take the cars with the doors left unlocked and the keys in the ignition.

Make sure to lock your digital accounts with a good quality password.

With a few simple modifications to your Password, you can put up enough of a challenge that most hackers will give up and move on (unless you are a specific target of an attack.)

The sites below have a combination of Password Quality Meters and the theoretical amount of time it would take for a brute force, automated attack to succeed.

NOTE:  There are significant differences in the assumptions used to determine the difficulty level in cracking your Password.

DO NOT RELY SOLELY ON THESE TOOLS FOR GUIDANCE WITHOUT UNDERSTANDING THEIR METHODOLOGIES!

The three sites below take entirely different approaches to determining the quality of a Password.

Password Quality Test Tools

The Password Meter – Traditional Analysis based on Traditional Policy Theory
http://www.passwordmeter.com/

Pass Fault – Patterns Make Passwords Easy to Crack
http://www.passfault.com
Pass Fault – Analysis based on Pattern Theory
https://passfault.appspot.com/password_strength.html

Needle in a Hay Stack Theory by Steve Gibson and Test
https://www.grc.com/haystack.htm

Have YOU changed your Password recently?

By Leave a Comment

Password Expiration 67Account Security is not like the Weather.  You can do something about it.  Almost weekly, someone reports that a Social Media Site, Content Provider, or Financial Institution has had a breach and that customer account information “may” have been compromised.

 

The absolute best defense against this insane level of carelessness is a good offense.

CHANGE YOUR PASSWORDS EARLY AND OFTEN.

This is an aspect of digital account security that is completely within your control.

The sites that care most about the security of your data force you to change your password on a periodic basis of no less than ninety days.  If they do not force a periodic password change, take it upon yourself to change your password at least monthly.  If they really care, they force you to use a “strong” password which generally means it is more than eight alphanumeric characters, must include at least one letter, one number, one special character, and is case sensitive.

Unfortunately, most sites feel that forcing you to change your password, even if for your own protection, is too invasive and not very customer service friendly.

Be honest.  How many of you have NEVER changed your password on your email account?  Facebook?  Gmail?  AOL?  AIM?  AppleID?  Your bank account?  Seriously? Never?  Need I go on?

Stop reading this right now and GO CHANGE YOUR PASSWORDS.  I will wait…  Hmmm… still reading?  Well then the least I can do is to give you some advice on creating a strong password.

As amazing as it seems, some Banks do not allow special characters as part of the password.  (Special characters are punctuation marks like # @ $ ! % * .  – anything that is not a letter or number.)  Even without special characters, you can still make a strong password that will be difficult to guess and withstand a good number of basic hacking techniques.

Let us start by creating a password not from a word but from a phrase.  Take the first letter from each word in the title of this article as a starting point.  “Have You Changed Your Password Recently” would translate to HYCYPR.  This is absolutely not a word in any dictionary which eliminates the possibility of a dictionary based hacking attempt.  To anyone who is not you, the password looks like complete gibberish.  (A dictionary attack uses an English Dictionary or a list of common words and tries thousands of them until it succeeds.)

Now, let us make it even stronger.  We are going to substitute the some of the letters with their numeric position in the Alphabet.  HYCYPR is going to become 8Y3YPR.  H is the eighth letter and C is the third letter of the Alphabet.  To keep with my own statement that a strong password should be at least eight characters, I will pad this with some extra numbers.  The final password will be “ 8Y3YPR42 ”  (Ignore the quote marks.)  This password is now virtually impossible to guess and it is definitely impervious to a dictionary attack.  By the way, I chose 42 as that is the answer to “Life, the Universe, and Everything” from “Hitch Hikers Guide to the Universe.”

Which bring up another point:  Try to use a sentence, phrase or quote that is not common or attributable to your personality, likes, or habits.  If someone knows you like Douglas Adams (Author of the Hitch Hikers Series) and has figured out how you assemble your passwords, this gives that person a starting point if you are being specifically targeted.

Now that you know how to make strong passwords, GO DO IT NOW for all of your accounts.

Take this opportunity to get one giant step ahead of the hackers.