Passwords you can remember

I’ve spent some time teaching computer security to friends and family, as well as a few communities on the Internet. Password security seems to be a very common weak link for many.

I’ve been musing for a long time on how to sum things up easily, and efficiently. I had an idea that involved Master Lock Wordlock padlocks:

This was a later 5-tumbler variation that had not only letter rings that fit over the tumblers, but a few rings with numbers and special characters on them. I figured I could videotape a demonstration of something tangible to illustrate how many password generation methods work.

Then I stumbled on new information that just made all of that pretty useless. So let me break it down this way.

First, watch this news video that summarizes Steve Gibson’s approach: How safe are your computer passwords?
Or read more at GRC’s Password Haystacks: How Well Hidden Is Your Needle?

(Apologies if you follow the link for the video: there’s an annoying pop-up and a prurient Carl’s Jr. commercial.  I could not get an embed to work.)

“Length matters more than complexity,” Steve Gibson says here. Yes. Remember that.

Okay, here’s Randall Munroe’s take:

Confused yet? I sure hope not. It summarizes Thomas Baekdal’s thoughts in a 2007 article titled The Usability of Passwords pretty well. In fact, I’ll quote Baekdal from a FAQ he wrote in 2011 to complement that article:

The article came to life after yet another discussion with IT, who believed that everyone should be forced to use password[s] with a minimum of eight characters, including two uppercase characters, numbers and at least one special character.

I was absolutely furious for several reasons. First, I knew it was like kicking every employee in the groin every morning they showed up for work, that it would do squat for actual security (it is likely to make it worse), and that it would completely destroy the plans I had for a password-free web application I was working on at the time.

So I wrote this article about how to create passwords that were really easy to use and remember. I wanted to demonstrate that complexity is a sickness of IT, and has nothing to do with actual security.

This guy is good, and I’m going to give him full credit as I summarize more of what he’s written… especially as he also found Steve Gibson and Leo Laporte referring to him on the Security Now! podcast. I’ll also tell you how I’ve seen HARD examples of why he’s right.

Okay, so how do hackers do it? This is what Baekdal listed, as follows:

  1. Asking: Yep, the old confidence game. Sadly, good password policies don’t protect against this. Just don’t share your password.
  2. Guessing: Pay attention to this one. The hacker will look for personal details and guess based on those. But this also applies to password recovery and 2-step authentication that use security questions. I mean questions like “mother’s maiden name” as well as passwords based on personal details (wife’s name, dog’s name, favorite band, etc.)
  3. Brute force attack: Basically this is an attempt to try as many combinations as possible. What slows down a brute force attack is length and complexity; we’ll get back to Baekdal’s and Munroe’s idea of why complexity is less crucial for you as a user.
  4. Common word attack: The hacker tries a list of common words.
  5. Dictionary attack: Like brute force and common word attacks, but with a full dictionary of words.

Brute force, common word, and dictionary attacks are usually automated with a script or program. Asking and guessing, of course, are completely manual, or the hacker may simply download a server database of passwords and pluck from that.

Now, Baekdal rightly pointed out that you can’t do much about a server hack as I described; that’s a server administrator’s job. If you want the full explanation about that (salt and hash), read his Usable Security – Reply to “Security Now” under the “Offline!” section.  The concern is twofold: again, choose a password that is secure enough that it can’t be hacked online, and do not use the same password on different sites, so if a server is hacked, it’s not going to affect the other sites you use.

He does imply that you should avoid using site sign-ins that rely on commonly used services like Facebook, Twitter, and Google. (i.e., “Sign-in with Facebook”, etc.) I’ll admit I’m sometimes guilty of this.

But I have MOST DEFINITELY seen why it’s a bad idea to use the same password over multiple sites. It’s happened to me at Google– my account was compromised. (Ouch!) And I remember a fansite community for a MMORPG I play was hacked multiple times (3, I was told) because users were using the same password there as they did for the game.

Basically, again, he says it’s better to use a password you can remember, with about 3 or more random words. Don’t worry about mixing case type (upper and lower case), as that again defeats the purpose of reducing complexity so you can remember and type it easily. (Some sites will hide what you type in, or show no input at all… that’s hard enough!) The xkcd comic summarizes it well: Randall is using 4 common but randomly chosen words.

Sometimes sites complicate matters and they won’t allow passwords with spaces.  The spaces more or less act as special characters.  Until the server is fixed to allow them, using Gibson’s “password padding” approach works: fill the spaces with a special character.  Then there are a few sites that won’t allow special characters (ugh).  I hope you don’t run into many of these as Baekdal doesn’t mention them.  I guess filling in the spaces with a letter of a different case (uppercase as the method stands) could work.  Or… don’t use that site, I guess.

If you want to test passwords, please, take Baekdal’s advice and avoid the password testers– again, their emphasis is complexity. Try the following:

GRC’s Interactive Brute Force Password “Search Space” Calculator

(Please note the calculator measures brute force attack methods.  Try Randall Munroe’s example if you like, but Munroe’s analysis is based on guessing methods, so the calculator results will be different.)
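To make concrete why the calculator and Munroe’s comic give different numbers, here is an added example (my own code, not GRC’s, Baekdal’s or Munroe’s) that computes both models: the brute-force search space over the character alphabet an attacker has to assume, and the word-guessing space for a passphrase picked from a wordlist. The 33-character symbol class, the eight-word sample list and the use of the comic’s two example strings (with a padded variant of the second, as in the space-filling trick above) are my assumptions.

```python
import math
import secrets
import string

# Character classes the way a GRC-style search-space calculator counts them.
# Assumption (not from the page): the symbol class is the 32 ASCII punctuation
# characters plus the space, 33 in total.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation) | {" "},
}

def alphabet_size(password: str) -> int:
    """Size of the alphabet an attacker must assume, given which classes appear."""
    present = [name for name, chars in CLASSES.items() if any(c in chars for c in password)]
    return sum(len(CLASSES[name]) for name in present)

def search_space(password: str) -> int:
    """Candidates a brute-force attack must try to exhaust every password up to
    this length over the inferred alphabet (summed over all shorter lengths too)."""
    a = alphabet_size(password)
    return sum(a ** k for k in range(1, len(password) + 1))

def passphrase_guesses(num_words: int, wordlist_size: int) -> int:
    """Candidates for a guessing attack that knows the method and the wordlist
    (Munroe's model): every combination of num_words words from the list."""
    return wordlist_size ** num_words

def bits(candidates: int) -> float:
    """Express a candidate count as bits of entropy."""
    return math.log2(candidates)

def make_passphrase(wordlist, num_words: int = 4, sep: str = " ") -> str:
    """Pick num_words words uniformly at random with a CSPRNG, like the xkcd generator."""
    return sep.join(secrets.choice(wordlist) for _ in range(num_words))

if __name__ == "__main__":
    # Constructed sample wordlist; a real generator draws from ~2048 common words.
    words = ["correct", "horse", "battery", "staple", "cloud", "river", "pencil", "orbit"]
    for pw in ("Tr0ub4dor&3", "correcthorsebatterystaple", "correct-horse-battery-staple"):
        print(f"{pw:30} alphabet={alphabet_size(pw):3} brute force={bits(search_space(pw)):6.1f} bits")
    print(f"4 words from a 2048-word list: {bits(passphrase_guesses(4, 2048)):.1f} bits against guessing")
    print("sample passphrase:", make_passphrase(words))
```

The brute-force figure for the long all-lowercase phrase far exceeds the short “complex” one, which is Gibson’s “length matters more than complexity” point; the guessing figure (44 bits for four words from 2048) is the honest number to quote once the attacker knows you used the word method.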

or if you’d like some examples of the Munroe/Baekdal method (please note this generator uses common English words):

xkcd Password Generator

If you are tech-savvy enough that you are actually locking down a local network– say, a server, a router, etc. well, that’s different, and it’s back to complexity. Baekdal recommends GRC’s Ultra High Security Password Generator and so do I.

Lastly, you might look at the LastPass browser extension, or something similar.  You still need a good master password, so all of the previous advice still applies!
