On password security

Note: this post is basically a rewrite of a post I ran across a few weeks ago but don’t remember where. If I find it then I’ll give the original author full credit in an update.

I wonder whether you can spot the true significance of the following stories?

October 2011: WineHQ hacked, no damage done to website, but entire username/password database stolen.

September 2011: Linux Foundation hacked, all usernames and passwords considered compromised.

February 2012: India Microsoft Store hacked, entire username/password database stolen.

June 2012: Linked-In hacked, 6 million passwords stolen and published online.

August 2012: Blizzard’s verifier database stolen, majority of World of Warcraft users’ passwords probably broken. Note in this story the casual mention of a well-known “Top 1 Million Passwords” list: “From the database they stole, the attacker can likely test at least 100 billion passwords per day, and they will successfully crack at least every password which can be found in a ‘Top 1 Million Passwords’ list.”

Now the point to all of this is not that you need to change your Linked-In password. The point, once it sinks in, is much more serious:

The world’s hackers have accumulated massive databases of usernames and passwords that they can use to figure out how most people create pseudo-strong passwords.

What this means, in turn, is that the advice you get from your company’s IT department about “strong” passwords is terribly, terribly wrong. You will be told to create a password that mixes upper- and lower-case letters, and that includes numbers and possibly underscores. You’ll be told to make it at least eight characters long. You’ll be told to use a different password for every user account you have in your life. You’ll be told to change your password every so often. You’ll be told never to write your password down. And behind all of this advice is a calculation of the “strength” of a password that is based on the assumption that the password is being attacked by brute force (63 possible characters, 8 characters long, makes 250,000,000,000,000 possible passwords, give or take a few quadrillion). But that calculation is in turn predicated on a demonstrably false implicit belief: the belief that people are capable of remembering random, meaningless sequences of characters.

But we are not capable of it. And so we cheat. We all cheat. We reuse passwords, or we come up with an algorithm (coworker’s name in reverse order plus _1) that we can use to generate different passwords while only having to remember one simple thing per account (I used Clarissa for Hotmail = assiralC_1, Matthew for Linked-In = wehttaM_1, and Sherry for corporate login = yrrehS_1), or we keep all our passwords in a note on our iPhone, or maybe all three.

The trouble is that hackers now have at their fingertips massive databases full of these pseudo-random passwords. They’ve had “Most Common Password” lists for a long time (if you’re using “qwerty” or “ihavenopass” or “mypc123” or my personal favorite “incorrect” as a password, you can kiss your identity goodbye). But now they can do a much higher level of meta-analysis — they can figure out the “Most Common Password Algorithms”.

Now I don’t know what yours is, but there’s a good chance that, whatever it is, other people among the 3 billion or so people in the world who have computer passwords have hit upon the same method. If you’re lucky, you’ve picked one that only a few other people have used, and so your algorithm comes in at number 1,000,001 on the “Top 1 Million Passwords” list, and other people will get hacked instead of you. But if you’ve happened to hit on one of the Top 10,000 — well, you better just pray you’re not a target.

The only way to get back to a really secure password is to restore true randomness. So our real challenge is to come up with something that is (a) truly random, (b) long enough for the randomness to render brute force methods unusable, and (c) easy to remember. It would also be very nice if the resulting passwords were (d) easy to type.

A few weeks ago I happened across an article on the web that presented a solution, though I don’t remember where. The solution is simply this: your password should be four randomly chosen medium-length words strung together. The reasoning seems to me to be thoroughly sound:

  • What defeats brute force is, overwhelmingly, the length of the password. A 24-letter password typed entirely in lower-case English is 37,000,000,000,000,000,000 times stronger than the “strong” 8-character password mentioned above. You’re vastly better off with a longer password that uses only lower-case letters than with a shorter password that uses mixed alphanumerics.
  • Words are much easier to remember than are any other long strings of characters, because words can be visualized. (So can numbers, if you’re a memory wonk who uses a Jerry Lucas-style system; but few people can turn “918595219200291” into “A beautiful blonde bounces on a bed.”)
  • A string of four words is much easier to remember than a string of four characters, because, again, words can be visualized.
  • Even if the hacker realizes you’re using words, there are more than 100,000 usable words in English, making a brute-force attack on a four-word password require something like 100,000,000,000,000,000,000 attempts.
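
The arithmetic behind these bullets, together with a generator that draws the four words from the operating system's CSPRNG, as an added example (not from the original post or the article it paraphrases). `SAMPLE_WORDS` is a constructed 16-word list and every function name here is an assumption made for illustration.

```python
import math
import secrets

# Constructed sample list, for illustration only. The post assumes a pool of
# about 100,000 usable English words; 16 words is far too few for real use.
SAMPLE_WORDS = [
    "bell", "keeper", "happiness", "believe", "garden", "window", "copper",
    "lantern", "harbor", "meadow", "puzzle", "thunder", "velvet", "orchard",
    "compass", "ribbon",
]


def keyspace(symbols: int, length: int) -> int:
    """Candidates an exhaustive search must cover: symbols ** length."""
    return symbols ** length


def bits(candidates: int) -> float:
    """The same quantity expressed as bits of entropy."""
    return math.log2(candidates)


def passphrase_keyspace(words, count: int = 4) -> int:
    """Search space when the attacker knows the word list and the scheme."""
    return keyspace(len(set(words)), count)


def generate_passphrase(words, count: int = 4, sep: str = "") -> str:
    """Draw `count` words uniformly with the OS CSPRNG (never random.choice)."""
    pool = sorted(set(words))
    if len(pool) < 2:
        raise ValueError("word list needs at least two distinct words")
    return sep.join(secrets.choice(pool) for _ in range(count))


if __name__ == "__main__":
    eight_mixed = keyspace(63, 8)        # the "strong" 8-character password
    lower_24 = keyspace(26, 24)          # 24 lower-case letters
    four_words = keyspace(100_000, 4)    # four words from 100,000
    print(f"63^8       = {eight_mixed:.2e} ({bits(eight_mixed):.1f} bits)")
    print(f"26^24      = {lower_24:.2e}, {lower_24 // eight_mixed:.2e}x larger")
    print(f"100000^4   = {four_words:.2e} ({bits(four_words):.1f} bits)")
    print(f"16 words^4 = {passphrase_keyspace(SAMPLE_WORDS)} candidates")
    print("sample:", generate_passphrase(SAMPLE_WORDS, sep="-"))
```

Against an attacker who knows the scheme, four words are worth pool-size-to-the-fourth guesses no matter how many letters they contain, which is why the 16-word sample list yields only 65,536 candidates. The words also have to come from the generator rather than from your own head, or the result is one more guessable algorithm.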

And if that’s not enough for you, then consider that many of us are multilingual — I’m an extreme case in being able to make each of four words in the password be in a different language, but let’s say that you live in Texas and know Spanish. So let’s say your random word string is “bell” + “keeper” + “happiness” + “believe”. The password “Bell1keeperhappinessbelieve” would be hard enough to guess. But “Bell1keeperfelicidadcreer” is going to defeat anybody — and it’s not even particularly hard to type. Meanwhile you can imagine the guardian of your Hotmail account telling you proudly, “That bell is a keeper, I have the happiness to believe,” or something along those lines, and that is vastly easier to remember than “My Hotmail password is x3kr9z_2.”

The thing is, if your password is truly random, then only brute force can break it; and the brute force guys will leave you alone and go after the users of pseudorandomness. But if you can’t remember truly random passwords, then you’ll cheat, and open the door to smart hacks. This approach, it seems to me, gives you what you need: memorable randomness.

