Are Passwords actually Secure?

In my opinion the use of passwords is becoming much more complicated than many years ago. With the amount of security breaches over this past year, password lists posted online for all to see and then great info-graphics being created showing us that we are all really bad at password creation, no wonder there are so many issues. In reality when the top 25 passwords of 2013 are as simple as the list below what hope do we have?

123456
password
12345678
qwerty
abc123
123456789
111111
1234567
iloveyou
adobe123
123123
admin
1234567890
letmein
photoshop
1234
monkey
shadow
sunshine
12345
password1
princess
azerty
trustno1

A standard approach to creating supposedly more secure passwords has been to create an anagram from a sentence or a series of words, using symbols and numbers to make it more complicated. An example could be the following:

Password:
W/>s8Qy}

Password Phrase:
WALMART /> skype 8 QUEEN yelp }

Of course the reason why we don’t do this is the ability we have to remember it, amount of times we have to type it becomes tedious or just that like to use the same password for everything as it is easier. Also using multiple devices makes it very complicated, as well as password expiration policies getting more complicated, no longer just adding another number to the end works.

So what do we do?

There is no magic answer as such. Most security experts are great advocates of using a Password Manager, allowing it to generate new complex passwords. By the fact that they are stored within the password manager and available from any device means we don’t actually have to remember it either. If you don’t want to use a password manager then there has been much publicized about something called “cognitive passwords“. The concept of cognitive passwords is supposed to help you overcome the dilemma of passwords that are either difficult to remember or easily guessed is suggested. Cognitive passwords are based on personal facts, interests, and opinions that are easily recalled by a user. A brief dialogue between a user and a system, where a user provides a system with exact answers to a rotating set of questions. Cognitive passwords are easier to recall than conventional passwords, while being difficult for others, even close friends or associates who would not really know some of the personal details. Thought this is great study, the technology to utilize this is somewhat behind, or is not being adopted. So back to the question in hand, what do we do?

For me I use a password manager to store some passwords, but really I generate complex passwords and just train myself to remember them. I seem to be fairly okay with remembering long passwords after a few times of typing them on the keyboard. Try it, you may surprise yourself how many characters you can remember. An example of my passwords would be:

Password:
8MENM-LV?ne?nstXzd5H

Password Phrase: 8 MUSIC EGG NUT MUSIC – LAPTOP VISA ? nut egg ? nut skype tokyo XBOX zip drip 5 HULU

Does this mean my password is complex enough?

Of course not, it looks secure, and if I run it through this site it will estimate how long it would take to crack it, which in reality is only guessing based on specific technologies.

https://howsecureismypassword.net/

Using my password above I get this response.

Notice it would a LONG LONG time to crack my password on a desktop computer, however it does not say how long it would it take to crack it using cloud services, GPU’s or high powered servers. IF we now try one of the top 25 passwords of 2013 “qwerty” this is what we get.

Interesting, and you thought it was secure!! Nope, you guessed wrong, trying to create passwords using keyboard patterns does not all work as most password crackers, cater for this, looking at patterns of letters, plus using password lists. Even using the more secure “trustno1” password, I know not really secure, but does have letters and numbers, returns the same as the previous password. Thinking about it though, it is not very often that someone has to brute force your password. Most of the time passwords are captured by taking advantage of user knowledge and behavior. Read this taken from the “NIST Document for Passwords for the Enterprise“.

“Passwords may be captured by taking advantage of user knowledge and behavior. When users enter passwords into a computer, the passwords can be captured through non-technical means such as shoulder surfing—simply watching a user type a password. Although this can be somewhat mitigated by having hosts hide the password by displaying asterisks or other symbols as the user types, a trained observer who is monitoring keystrokes can determine most or all of the characters being typed. Users should be made aware of shoulder surfing threats and advised to be aware of their surroundings before and during password entry.

Password entry can also be monitored by attackers through technical means. For example, a keystroke logger, also known as a key logger, is a form of malware that monitors the keyboard for action events, such as a key being pressed, and provides the observed keystrokes to an attacker. An attacker can use a keystroke logger to acquire the usernames and passwords typed into the infected computer. Many Trojan horses and some other forms of malware can also monitor user activity to gather usernames, passwords, and other sensitive pieces of information for attackers. These sorts of threats can be mitigated by securing users’ hosts effectively, including applying patches regularly, using anti malware software (e.g., antivirus software, anti spyware software), and having the user run with user-level privileges, not administrator-level privileges, for daily tasks. Another possible mitigation technique is to avoid typing passwords, such as retrieving them from secure storage or using onscreen simulated keyboards to enter them. Users should also be made aware of common attack vectors for malware threats and how to avoid malware infections, such as not downloading and executing files from unknown sources. Users should also be cautioned not to enter passwords into publicly accessible computers, such as kiosk computers at conferences and hotels, because of the high risk of the passwords being compromised.

Users may also reveal their passwords to attackers because of social engineering. For example, an attacker could pretend to be a help desk agent, call a user, and ask the user to provide a password to assist the agent in troubleshooting a problem. Social engineering can take many forms, some of which involve technical methods, such as phishing emails that direct users to a malicious web site that mimics a legitimate site. The goal behind many phishing attacks is to collect usernames, passwords, and other sensitive information from users. Mitigation of social engineering threats primarily involves user awareness of such threats and how users should handle them, although some technical controls are also available (for example, many web browsers offer anti-phishing capabilities). Social engineering may also target help desk agents, system administrators, and other IT staff with access to privileged accounts, so organizations should ensure that they are aware of how to recognize such attacks and how to respond when an attack is suspected.

Another problem with users revealing passwords is that a malicious insider, such as a disgruntled current or former employee, may know valid passwords and share them with other parties. A malicious insider may also be intimately familiar with authentication processes and protections, particularly their weaknesses. A user might also benignly share passwords with other users, such as to grant a colleague access to a system for which the colleague has not been specifically authorized.”

There are many ways that your password can be guessed or cracked, most of this has to do with sheer luck. The four core ways are:

  1. Brute Force Attack
  2. Dictionary Attack
  3. Hybrid Attack
  4. Guessing Attack

A “Brute Force Attack” tries to figure out the password character by character, until it gets the whole password. This is time and labor intensive but can be very successful. “Dictionary Attacks“, are similar but use pre-existing lists of passwords and characters to get the password. In a “Hybrid” attack both are used together, guessing characters and variations of the password list are used. The “Guessing Attack” can be quite successful, normally within your organization. Simply looking at someone’s desk location, office or surroundings can often lead to figuring out the password. Understanding the individuals can also help, knowing memorable dates and locations can also reveal the password. Too often passwords are set to things that “only we know“, “associated to us” or “important to us“. Too many times passwords are set to birth dates, locations, family member’s names, the current year plus a combination of these. In fact a few years ago Troy Hunt did some research and his chart below explains a lot.

Having strong passwords will help to mitigate guessing and cracking. Password strength is determined by a password’s length and its complexity, which is determined by the unpredictability of its characters. We should be using a complexity policy which should be requiring from at least three of the following four groups be present in every password: “lowercase letters“, “uppercase letters“, “digits“, and “symbols“.

I like to use the following site to get passwords: http://passwordsgenerator.net/

It works great and lets me set how complex I would like the password to be. For example if you want ultra-secure you could choose the “2048” password length and get something like this.

F$pgKr%LR2ezQswT%M%SrbGMf7YXbZg8wL8F%VftuC8rf%QMvjXsw6f=T6pVRW8=g8%zN!=M-dpXzF*RxG?j+#yv#McEXNdQ4rY#M?bJf+rswDfg&Ba^CjYpJ26GMu8R#nQnarFvMCHZ5K34FBhT6xyNWNsyuB5SdJN%HQ79zfCsBWeF3S6N6gYUSu96XN_FWmp@bTMLD#rh+ymRkrn?5$Qx9W-L5&RT^pP!QC*DL%h4D6@jTcv_6eCgpLuU@YQVzZM2GMyvhcNJeX#4QBDC@Zd5WWVbPL8mxb9c#s^7jGM9jw5@wmUfex-g%qbF85QzL5EbYMCqysG#Aa7FY^_kdhMm?Fr%uW7nHeCwBD^ZhgraM5T%Z=!uqH_mGxD**e$eXXW+at2aH+w&_XbwV@n_vJuCZtaMBNmfqLF4zWzt_Gr^P#2^mb#@ncy4JzDRpf3VeN#qR4*!Brh?b&G*yvFpGUDD$+7PaSau?PTALREUX9m$uZ2c=T99^DvSFvMNmbp-qnmn&b9HscK!wSBAnt7_dT$ZU8QGKxzu_y*ebWh#5#w+4L4Vz*@mNp*NzhkKxgtz9XZ52a-$EajrMX3$_5^tx4r_=4$=$hnCkT5mrmdBJESp5yJWzg!SnF+#z52gZFbgJsQ&7ANMdEeu=$cdW_SWZT=3A=7MUu6=E9uVkg2BmK=3EdDTvrxvMs?TE@9HX*@6uqgbFA8&%h#7^34KWNmm7-EuH?s3C955X&wYveNj=bx^%B&jQe*F@&5nbtCJJj+MM&aGr+d5THS7*Hn=%hHQ7HkN2J_VLDvLvrYarrpRH=!C+MByrd$UGUpS45+t^CBVzGMZVB#Y%jv$G$++pTHWq-au@x_u3xqn8MyDuhYME^bMWxKmUrwwbSQ–pJNvAP*A%M_4JgD2j7MKt5ak&28S*sKuxy?$tpHR6D&hWGnzT@3m_x@hbAgQ6W4C4aewtU_y$4Y7uBqtVg45x_yS6xxd22*BpL4Fy+gJdKAN?TPm+CCmrC22zGzE#=Jc+FfQR!*#X*M-@%DE+LrBeN#x&m#eBcvJPT!z+qFGT5*?yd9=R!FZ#^L2ytz_wh4#PN3V7cTx+h&q$+2VPrW&U4b%7Vg4aJ8*%VC?PTpUtPckrgY3G2%TX+r?zxc&SGBv?Tr@NR!c3G$4FEcBa67sPWgG2cdQ%eR-SCK!WcKqh*k8mSDc#6raWQqUK42T#evvGqXf&e%EnmH8B4pw@N&8VpD35ZrB&Xp9buPLU-wGzH#&w?J@EN+JG%rBve^CKXr%#EC@hG92We+n+=!X=s9LFX#CnUmss@+4ZpD7E!UZ^3hxJjPGg%F&79%74XT7cdE@EnJgxGUMRftrF!h5KrGgrq4dKsaRX?H@4FnXXkC&Q5xpL5$Xs9$Y=pnVMYDHEw2#Fx=!aSspjmFmg9*u$z*R32=2grVRk2wAZLN3w_V*Uhtu&aBGpxfrGK%pJbMLNHZF#w#7=f8q=qHSV$94Z-UNY2cc^D6VNw4Rkf5KnmU=E8JvCV-U_u-sZ5E3BsR+fT=#_rHvSZ4VU_T87BH+UVPSPwG@A4mZr4f4y?*&%*__WfuH3YFJcxtjTSr!KC6@jWc2r5H3-2_JNdPskgRn=Bz%kcT*uk649#!U9#_Yk=aq_K=#tQ_g3$sNza9$A@eY2y&TJ=cb_6jgDSK=5gn@wqDvz&ksyH$g5n4mkBs66ATu*T-5R*f&e%DN#A@Cz$ChQa4Heqf_V#LX@BB#2M3putp$cWaa6yvs^_@h&Q=@3bKS*eh=ktDZ9E#!uUm$LxmX&93D-vny6fgEKXW@v%TsQhUt_+#Xe+?y5Z?$rQYeeN77kxSjdB9F?f3ApxksAykgLM-E%bWJkY9wLtegyNSPgDwFe_!p&sFBE7zXaSv?85#s&bJu^v#9&a4WNDcQDunx8EMpYKKGhHw8TKR7ubRzHRbbXEJHQQmT@ZZm#4@625jxn@+#xu?v?DDE29Qn?NPCAP2j37LEn&5ag7yw-FJBD6t=e=jzFadA+^#gHBDN#6g#X&7wYeHH*DyP3VqJMSJp$+-$7XCf4Gt

If we run this one through the testing site we get this!!

So lesson learned here, is to use “2048” characters in your password from now on. So in wrapping up, get better at more complex passwords, reset the password more often and of course don’t use the same password for all accounts. Outside of this, look at the services you use and opt in for “Multi-Factor” services if they provide this.

If you think you may have had your account compromised then head over to this site: https://haveibeenpwned.com/ ran by Troy Hunt. At the moment the site is able to check the following breaches.

Good luck with setting more complex passwords and protecting yourself as you travel the internet highways.

As I got reminded, I forgot to share the standard approach to passwords in the great graphic from “XKCD

Password Strength

Liam Cleary

I work as an Associate Director for Protiviti in Virginia. My main focus is to ensure that SharePoint can either natively or with minimal customization meet the business requirement securely. I am currently a SharePoint MVP focused on Architecture but also cross the boundary into Development and Security. I am often found at user groups, conferences speaking, offering advice, spending time in the community, teaching my kids how to code, raspberry PI programming, hacking the planet and sometimes building Lego robots.

You may also like...

  • slingeronline

    Surprised you didn’t mention this… http://xkcd.com/936/

    • helloitsliam

      Had thought about showing that one again, but assumed everyone has already seen that a million times. Good point though, will add the link to it again at the bottom, Thanks for the reminder 🙂