INFO SECURITY: Password Complexity – How to Keep Your Crap Safe

In today’s connected world, you need a user ID and password for just about everything.

Back in the day, you were lucky to have to remember one or two user IDs and passwords.

Currently I’ve got at least 60-70 user IDs and passwords to remember between personal and work (and I’m sure I’m being conservative on the number there).

There are a few different ways you can handle this.  You can:

•    Use the same user ID and password
•    Use the same user ID and a different password
•    Use the same password and a different user ID
•    Use different user IDs and passwords
•    Use easy user IDs and passwords
•    Use complex user IDs and passwords

Let’s take a look at a few of these.

Use the same user ID and password:

What can I say about this one?  It’s just plain stupid unless you’re looking to lose everything you own and land yourself in jail.  If someone gets hold of one of your accounts, they’re most likely going to try the same user ID and password on every other account you have.

People do this because they’re lazy.  They don’t want the bother of keeping track of multiple user IDs and/or passwords, because it’s too hard or they just can’t remember them.  Well, if they do this, they’re asking for trouble.

Use the same user ID and a different password:

This one is only slightly better than the last.  Using the same user ID across multiple accounts hands someone one piece of the puzzle.  Granted, it’s the easier piece, but it’s one less thing they have to ‘crack’ to get into your accounts.

Use the same password and a different user ID:

This one is almost as bad as using the same user ID and password.  I’d rather see people reuse a user ID across accounts than reuse a password.  Again, it’s one less piece of the puzzle, and there’s a good chance the user name is either stored in the clear or not protected to the same level the password is.  User IDs are also easier to ‘guess’ than passwords.

Use different user IDs and passwords:

This is one of the best ways to handle your accounts.  Unfortunately, we don’t always get to choose our user ID: we’re forced to use our e-mail address or, worse yet, one is generated for us.  But when you can choose both user ID and password, pick ones you haven’t used before.

Use easy user IDs and passwords:

Ok, this one is just plain stupid.  If your name is Joe Simpleton and you use joesimp as your user ID, chances are your password is going to be something like jsimpleton.  This is almost as bad as not using a password at all.

Use complex user IDs and passwords:

This is the recommended approach: even mixing one number and one special character in among the letters improves your odds of surviving an attempt to crack the password.

Now, the last two options are not alternatives to the first four; they apply on top of them.  They are ‘supporting’ members of the team, not starters in their own right.

There are quite a few ways of obtaining the password to someone’s account.  They include, but are not limited to:

•    wiretapping
•    phishing
•    key logging
•    social engineering
•    vulnerabilities

But we won’t be covering those today, as each is a subject in its own right.

Let’s take a look at some of the methods used to crack passwords:

Dictionary:

This is more of a lucky-guess style of cracking.  The attacker runs through every word in a dictionary, trying each one as the password.  The ‘dictionary’ also includes a list of the known passwords that are used most frequently.

What are some of the most frequently used passwords, you ask?  Here are a few of the top 500 (courtesy of Whats My Pass at www.whatsmypass.com):

•    123456
•    god
•    12345678
•    1234
•    diamond
•    12345
•    dragon
•    qwerty
•    696969
•    mustang
•    letmein
•    baseball
•    master
•    michael
•    shadow
•    football
•    monkey
•    abc123
•    pass
•    tigers
•    6969
•    jordan
•    harley
•    ranger
•    iwantu

Again, this is only 25 of the top 500, and you can already see a pattern. Some people will use things that pertain to their job for their work-related passwords:

•    admin
•    email
•    login
•    password

There’s just no shortage of easy passwords.  There are dictionaries out there built just for the purpose of breaking passwords, and even a few ‘rainbow’ tables to help people with encrypted (hashed) passwords.  A rainbow table takes every known or likely password, runs it through the hash, and stores the resulting hash.  All you do is match the hash you have to an entry in the table and bingo, you’ve got the password.

Guessing or Educated Guessing:

This means knowing things about the target and using them to guess the password: a child’s name, spouse’s name, ‘lover’s’ name, pet names, favorite teams, locations, etc.

Brute Force Attack:

Basically, it’s a last-resort attack.  It tries every possible password.  If there’s no limit on the number of login attempts, it will work as long as there’s no limit on the time available.  It’s guaranteed as long as the password doesn’t change, login attempts aren’t restricted and there’s unlimited time.  Again, it’s the last resort for a reason.

These are only a few of the ways passwords can be cracked.  There are also several applications out there that assist in cracking passwords once you have the encrypted (hashed) password.  Some of those are:

•    Cain and Abel
•    John the Ripper
•    Hydra
•    ElcomSoft
•    LastBit
•    Crack
•    L0phtCrack
•    Ophcrack
•    RainbowCrack
•    SAMInside
•    DSniff

I have used several of these successfully, and several of them unsuccessfully.  It all depends on the strength of the password and the amount of time available.

Now, let’s take a look at how long it takes to crack a few passwords.

For ease of reference, I am reproducing the information found at Lockdown (www.lockdown.co.uk):

They use six ‘classes’ of attack, rated by passwords tried per second:

A – 10,000 – typical recovery of MS Office passwords on a Pentium 100
B – 100,000 – typical recovery of Windows password cache on a Pentium 100
C – 1,000,000 – typical recovery of .ZIP or .ARJ passwords on a Pentium 100
D – 10,000,000 – fast PC, dual processor
E – 100,000,000 – workstation, or multiple PCs working together (distributed computing)
F – 1,000,000,000 – medium to large scale distributed computing or supercomputers

Sample passwords by class of attack (S = seconds, M = minutes, H = hours, D = days, Y = years):

Password      Class A     Class B     Class C     Class D     Class E     Class F
darren        8.5 H       51.5 M      5 M         30 S        3 S         Instant
Land3rz       11 Y        1 Y         41 D        4 D         10 H        58 M
B33r&Mug      22,875 Y    2,287 Y     229 Y       23 Y        2.5 Y       83.5 D

As you can see, the more complex the password, the longer it takes. Even with 8 characters mixing upper and lower case letters, numbers and special characters, it could still be beaten in less than 100 days.  With the computing power available today, it’s not surprising that kids sitting in their mom’s basement can crack passwords at the drop of a hat.
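As an added example (not from the article or from Lockdown), the script below rebuilds the table above from first principles: count the alphabet the password draws on, raise it to the password length, and divide by each class’s guess rate. The alphabet sizes (26 lower, 26 upper, 10 digits, 34 symbols, 96 in total) and 365-day years are my assumptions, chosen because they reproduce Lockdown’s published figures; the long passphrase from comment 8 is included to show how much length matters.

```python
# Guesses per second for the six attack classes listed in the article.
CLASSES = {"A": 10_000, "B": 100_000, "C": 1_000_000,
           "D": 10_000_000, "E": 100_000_000, "F": 1_000_000_000}

# Assumed alphabet sizes (not stated on the page): 26 lower, 26 upper,
# 10 digits, 34 symbols. Their sum, 96, is what makes Lockdown's
# "B33r&Mug" figures come out exactly.
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 34

def alphabet_size(password: str) -> int:
    """Smallest standard character set containing every character used."""
    size = 0
    if any(c.islower() for c in password):
        size += LOWER
    if any(c.isupper() for c in password):
        size += UPPER
    if any(c.isdigit() for c in password):
        size += DIGITS
    if any(not c.isalnum() for c in password):
        size += SYMBOLS
    return size

def keyspace(password: str) -> int:
    """Candidates an exhaustive search must cover: alphabet ** length."""
    return alphabet_size(password) ** len(password)

def seconds_to_crack(password: str, attack_class: str) -> float:
    """Worst case for pure brute force: every candidate tried once.
    A dictionary or 'educated guess' attack ignores this bound entirely,
    so a word like 'darren' falls far sooner than the number suggests."""
    return keyspace(password) / CLASSES[attack_class]

def humanize(seconds: float) -> str:
    """Format like the article: S, M, H, D or Y, using 365-day years.
    Small differences from the printed table are rounding."""
    if seconds < 1:
        return "Instant"
    for unit, size in (("Y", 365 * 86400), ("D", 86400), ("H", 3600), ("M", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.0f} S"

def crack_table(passwords):
    """Return {password: {class: human-readable time}} for all six classes."""
    return {p: {c: humanize(seconds_to_crack(p, c)) for c in CLASSES}
            for p in passwords}

if __name__ == "__main__":
    samples = ["darren", "Land3rz", "B33r&Mug",                        # article
               "Longer passwords are a lot better than 8 Short * ones"]  # comment 8
    print(f"{'Password':<24}" + "".join(f"{c:>12}" for c in CLASSES))
    for pw, row in crack_table(samples).items():
        print(f"{pw[:22]:<24}" + "".join(f"{row[c]:>12}" for c in CLASSES))
```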

So what can you do?  Well, you can do one of several things.

Do nothing.  You’re bound to get hacked eventually, so why wait?  Make it easy for them (sarcasm here).

Follow these simple rules for passwords:

•    Minimum 10 characters (or fewer if the individual application won’t allow ten)
•    Minimum 2 upper case letters
•    Minimum 2 lower case letters
•    Minimum 2 numbers
•    Minimum 2 special characters
•    No recognizable words
•    No PII (personally identifiable information)
•    No phone numbers
•    No addresses
•    No pet names
•    No spouse names
•    Change the password every 30-45 days minimum
•    Never share passwords
•    Never give your password to anyone, no matter what the situation
•    Never write down your password, no matter what

I’ve given you examples of easy passwords; now let’s see how using the guidelines above gives you a good password:

G%5tgH^6yhJ&7ujK*8ik
Z#z3X$x4C%c5V^v6
1qaz@WSX3edc$RFV

Yes, all of these passwords will meet most complexity requirements down to and including the Fed Gov requirements.

Yes, all of these passwords are hard as hell to remember.  Yes, it’s more likely that someone will get your password via a backdoor program or keystroke logging than to be able to crack the password.  But isn’t a little peace of mind worth it?

Now, you ask, how do I remember passwords that are 15 characters long and all jumbled like that?

Easy: give yourself a system.  It could be a rhythm, a song, an anagram, a keyboard pattern, anything.  Yes, I know it’s a pain in the butt, but would you rather deal with that, or have to go and reset ALL 60 of your passwords every time someone hacks your Facebook account?

There ARE other ways to remember them.  Writing them down is one.  Yes, I know, I said never write them down.  Well, there are exceptions to every rule.  You can write them down in one specific place (a small notepad) and keep it somewhere secure (a safe, lockbox, etc.).  Or you can use a password keeper application on your computer, phone, etc.

I won’t be going over those applications here, as this is already going to be a lengthy article, but I can put a few links in the companion post on the forum until I do a proper write-up of some of the ones out there.

In the meantime, try to think of how many user IDs and passwords you actually have.  Do you use any of the methods I discussed here?  Do you have the ‘remember me’ feature turned on in your browser or on your phone?  How about writing them down?  Is your password on a sticky note under your keyboard, mouse or chair, or on your monitor?

Just a few things to think about.

As always, thanks for your time, and let me know if this was beneficial to you – Thanks again.

—————————————————————————————

~Norm W.
Information Security Correspondent

Norm W. is an information security engineer currently employed as a CONUS civilian contractor. He has worked in the computer industry for the past 20 years and holds several security and non-security related IT certifications. Norm has worked with multiple agencies in the private and public sector as well as foreign companies and agencies to resolve information security issues.


10 thoughts on “INFO SECURITY: Password Complexity – How to Keep Your Crap Safe”

  1. I appreciate the bit about using your keyboard as a map – hadn’t thought of that before. Thanks!


  2. Great article Norm. That was some great info that you passed on to us. I just used a few of your tips being that it is around the time I change all my passwords. Which for me is every 3 months on the dot. The map is a good idea never thought of that. For me and remembering them I generally use an anagram mixed in with numbers and symbols that has something to do with the site that I am accessing.

    Generally, 10 to 12 characters has worked for me with remembering them. For secure sites and work emails and even my phone (loving the complex password entry for OS4 on the iPhone) it is usually 15 characters of random characters; the map system that you told of will certainly help with those.

    Also, for sites that require answers to particular questions, I tend to use slang terms or even the answers mixed with symbols. How about yourself, any tips for those? Since there are some sites that require those or use those as backups if you forget your password. The person trying to hack that particular site you use might not be able to figure out the password, but may be able to figure out the answer to the backup question.

    Thanks again for the article Norm, keep em coming.


  3. Hi,

    I like the article a lot, but would like to throw my .02 in, since this a subject that is near and dear to me. :)

    When dictionary attacks fail, I will switch to dictionary augmentation before dealing with brute force. In a sense, you are brute forcing through the dictionary lists anyway. Using special characters to replace letters, alternating the capitals and appending digits to the end. Slow, but much faster than brute force.

    Sniffing and keylogging are two major vulnerabilities where the unfamiliar are likely to lose their creds. Hardware and software firewall combinations are something that really need to be considered. So is having an encrypted and switched network. Just having a switched network isn’t enough to prevent sniffing. Cain and Abel makes short work of switches. Network encryption keys need to stand up hard against attacks and should be as complex and annoying as possible! And for the sake of your infosec, DON’T USE WEP!


  4. Personally I think password managers are the way to go. You can make ridiculously complex passwords, and only have to remember one, that can be even more ridiculously complex. Even using a “system” like with the keyboard is prone to attack, because if anyone finds out what your system is, the keyspace is severely impacted for a brute force attempt.

    My favourite password manager is PasswordSafe. Open Source so there is transparency on how things are stored, versions for all the major OSs, and can be run from a separate USB stick (easy on ‘nix, and there is a portable apps version for Windows), so your key file never needs to live on a system where someone can copy it to brute force it. Plus newer versions have a built in virtual keyboard, making keystroke logging much harder.


  5. Also, for sites that require answers to particular questions, I tend to use slang terms or even the answers mixed with symbols. How about yourself, any tips for those?

    I tend to use alternate answers to those or ‘code words’ for those. That way, even if people know the answers, they won’t be able to guess my code words. And yes, I do use the alternate letters/numbers thing. ‘g33k sp3@k’ if you will. :)

    And for the sake of your infosec, DON’T USE WEP!  

    I can’t stress this part enough, WEP has been hacked easily and any script kiddie could do it. WPA is hackable but it’s not worth the trouble any more since there’s so many other open/wep sites out there. Good point.

    Personally I think password managers are the way to go.

    I’ve never really used them enough to get comfortable with them. Plus, I don’t like the idea personally of the “all your eggs thing”, but for some, it might be the way to go.


  6. Norm – great article, I too hadn’t thought of the keyboard “maps” which could be as complex as anything one wants to remember. I just cannot remember even easy, dumb passwords like my name, so I went the other way and will literally slowly type in random characters in as passwords, but this means I have to have them all written down, then that little book is hidden – and even when writing them, I’ll swap the characters in a pattern I do remember. Paranoid? Maybe, but I had zero experience at passwords and had to get into a “document” one time. Got the password in about 10 seconds from some free online site. Scared me. I am an idiot with technology and if I can do that, anybody can. Oh, on the questions like “what’s your pet’s name” – I make up those answers at random, too. Resets are about every other time I use whatever (or every month on daily use items). Yes, it’s a pain but like you said, I don’t want to lose stuff and end up in jail!
    Thanks again — please keep this stuff coming.


  7. Another vote for PasswordSafe here. In my work we have about 9 passwords that we use regularly, and each one has different rules – some of them get changed every 90 days, some 60, some require 6+ characters, some require 9+, it’s a pain. Having a good system to remember them all is key.


  8. Think of the 50 people who know you best, now ask each of them to write down the 50 passwords they think you are most likely to use. If any one of them could guess one of your passwords, don’t use it. (note: this is a thought experiment, you don’t actually have to ask them..)

    Same goes for your password recovery questions. If the question is something like: what was your first pet’s name? Give an answer like the square root of 77. No one, no matter how well they know you, will ever guess that.

    Longer passwords are a lot better than short ones, so “Longer passwords are a lot better than 8 Short * ones” is a good password, and easy to remember.


  9. My partner and I absolutely love your blog and find many of your postings to be thoroughly researched.

    Would you offer the option for guest contributors to submit blog posts for your website? I would love the chance to post on subjects related to the content that you publish here.

    More to read on my web site Home Page

