In today’s online connected world, there is a HIGH requirement for one to keep a user id and password for just about everything.
Back in the day, you were lucky to have to remember one or two user id’s and passwords.
Currently I’ve got at least 60-70 user id’s and passwords to remember between personal and work (and I’m sure I’m being conservative on the number there).
There’s a few different ways you can do this. You can;
• Use the same user id and password
• Use the same user id and different password
• Use the same password and different user id
• Use different user id’s and passwords
• Use easy user id’s and passwords
• Use complex user id’s and passwords
Let’s take a look at a few of these.
Use the same user id and password:
What can I say about this one? It’s just plain stupid unless you’re looking to lose everything you own and land yourself in jail. This is just plain stupidity. If someone is able to get one of your accounts, they’re most likely going to try and use the same user id and password on every other account you have.
They do this because people are lazy. They don’t want to have to worry about keeping multiple user id’s and/or passwords because it’s too hard, or they just can’t remember them. Well, if they do this, they’re asking for trouble.
Use the same user id and different password:
This one is only slightly better than the last one. Using the same user id across multiple accounts gives someone one part of the puzzle. Granted, it’s the easier portion, but it gives them one less thing they’ve got to try and ‘crack’ to get into your system.
Use the same password and a different user id:
This one is almost as bad as the same user id and password. I’d rather see people using the same user id across accounts as opposed to the same password. Again, it’s one less piece of the puzzle and there’s a good chance that the user name either isn’t encrypted or not to the same level that the password would be. User id’s are also easier to ‘guess’ than passwords.
Use different user id’s and passwords:
This is one of the best ways to handle your accounts. Unfortunately, we sometimes don’t have the option to choose our user id. We are forced to use our e-mail address or worse yet, it’s generated for us. But for those times when you can choose both user id and password, it’s a good idea to choose one you haven’t used yet.
Use easy user id’s and passwords:
Ok, this one is just plain stupid. If you’re name is Joe Simpleton and you use joesimp as your user id, chances are your password is going to be something like jsimpleton. This is almost as bad as not using a password.
Use complex user id’s and passwords:
This is suggested as even if you mix in one number and one special character among the letters, you’re increasing your odds of surviving someone cracking the password.
Now, the last two pieces of the puzzle are in addition to the first four mentions. They are ‘supporting’ members on the team, not just primary members themselves.
There are quite a few ways of obtaining the password to someone’s account. They include but are not limited to:
• key logging
• social engineering
But we won’t be covering that today as they are subjects all in their own.
Let’s take a look at some of the methods to crack passwords:
This is more of a lucky guess type of cracking. They use a dictionary and go through every possible word in the dictionary to crack the password. It also has a ‘dictionary’ of known passwords that are used most frequently.
What are some of the most frequently used passwords you ask? Here they are a few of the top 500 (courtesy of Whats My Pass @ www.whatsmypass.com):
Again, this is only 25 of the top 500 and you can already see a pattern. Some people will use things that pertain to their job for their work related passwords:
There’s just no shortage of easy passwords. There’s dictionary’s out there made just for the purpose of breaking passwords and even a few ‘rainbow’ books to help people with encrypted password hashes. It takes every known possible password and encrypts it, then provides the actual encrypted hash. All you do is match the hash that you have to what’s in the book and bingo, you’ve got the password.
Guessing or Educated Guessing:
Knowing things about the target and using those things to get the password such as child’s name, spouses name, ‘lovers’ name, pet names, favorite teams, locations, etc.
Brute Force Attack:
Basically it’s a last resort attack. It tries every possible password. If there’s no limit to the number of attempts to login, this one will work as long as there’s no limit to the amount of time needed. It’s guaranteed as long as the password doesn’t change, there are no login attempts restricted and there’s limitless time. Again, it’s the last resort for a reason.
These are only a few of the ways that passwords can be cracked. There’s also several applications out there that assist in cracking the passwords once you have an encrypted password. Some of those are:
• Cain and Abel
• John the Ripper
I have used several of these successfully as well as several of them unsuccessful. It all depends on the strength and amount of time that is available.
Now, let’s take a look at how long it takes to crack a few passwords.
For ease of reference, I am re-producing the information found at Lockdown (www.lockdown.co.uk):
They use 6 ‘Classes’
A – 10,000 – typical recovery of MS Office on a Pentium 100
B – 100,000 – Typical recovery of Windows password cache on a Pentium 100
C – 1,000,000 – typical recovery of .ZIP or .ZRJ passwords on a Pentium 100
D – 10,000,000 – fast pc, dual processor
E – 100,000,000 – workstation or multiple pc’s working together (distributed computing)
F – 1,000,000,000 – medium to large scan distributed computing or supercomputers
Sample Passowrds Class of Attack (s=Seconds, H=Hours, D=Days, Y=Years)
Class A Class B Class C Class D Class E Class F
darren 8.5 H 51.5 M 5 M 30 S 3 S Instant
Land3rz 11 Y 1 Y 41 D 4 D 10 H 58 M
B33r&Mug 22,875 Y 2,287 Y 229 Y 23 Y 2.5 Y 83.5 D
As you can see, the more complex the password, the longer it takes. Even with 8 characters, upper and lower case letters and special characters, it could still be beaten in less than 100 days. With the availability of computing power today? It’s not surprising that kids sitting in their mom’s basement can crack passwords at the drop of a hat.
So what can you do? Well, you can do one of several things.
Do nothing. You’re bound to get hacked eventually, why wait, make it easy for them (sarcasm here)
Follow these simple rules for passwords:
Minimum 10 characters (or less if the individual application won’t allow ten)
Minimum 2 upper case letters
Minimum 2 lower case letters
Minimum 2 numbers
Minimum 2 special characters
No recognizable words
No PII (personal identifiable information)
No phone numbers
No pet names
No spouse names
Change the password every 30-45 days minimum
Never share passwords
Never give your password to anyone no matter what the situation
Never write down your password no matter what
I’ve given you an example of easy passwords now let’s see an example of how using the above listed guidelines will give you a good password:
Yes, all of these passwords will meet most complexity requirements down to and including the Fed Gov requirements.
Yes, all of these passwords are hard as hell to remember. Yes, it’s more likely that someone will get your password via a backdoor program or keystroke logging than to be able to crack the password. But isn’t a little peace of mind worth it?
Now, you ask, how do I remember the passwords if they’re 15 characters and all jumbled like that?
Easy; give yourself a system. Either it is a rhythm, a song, an anagram, a keyboard algorithm, something. Yes, I know it’s a pain in the butt, but would you rather have to worry about something like this than having to go and reset ALL of your 60 passwords every time someone hacks your Facebook account?
There ARE other ways to remember them. Writing them down is one. Yes, I know, I said never write them down. Well, there are exceptions to every rule. You can write them down in a specific location (small notepad) and keep it in a secure location (safe, lockbox, etc). You can use a password keeper application on your computer, phone, etc. Something like that.
I won’t be going over these applications here as this is already going to be a lengthy article, but I can put a few links in the companion post on the forum for you till I do a proper write up of some of the ones out there.
In the mean time, try and think of how many user id’s and passwords you actually have. Do you use any of the methods I discuss here? Do you have the remember feature turned on in your browser or on your phone? How about writing them down? Is your password on a sticky note under your keyboard, mouse, chair or on your monitor?
Just a few things to think about.
As always, thanks for your time, and let me know if this was beneficial to you – Thanks again.
Information Security Correspondent
Norm W. is an information security engineer currently employed as a CONUS civilian contractor. He has worked in the computer industry for the past 20 years and holds several security and non-security related IT certifications. Norm has worked with multiple agencies in the private and public sector as well as foreign companies and agencies to resolve information security issues.