Your Password Habits Are Faulty
Humans, as a general rule, do not cope well with habits that did not emerge in the ancestral environment. Nowhere in the ancient savannah was it necessary to memorize a list of several nonsense alphanumeric phrases for the purpose of protecting things like their home address, credit card, and social security number. In fact, when presented with the complexity of the problem, most people—55% according to a study from the UK—tend to want to solve it as simply as possible, choosing one simple password and using it for most of the services that they use every day. Even as of 2015, the most common password in use is still “123456.”
Choosing a secure password, choosing a different secure password for every service you use, and then memorizing the entire list may seem like a waste of time. Actually, you’d be right. It is extremely possible to choose only one or two secure passwords, use them for every service you own, and avoid exposing your data to the risk of theft. To do this, however, you need to understand some fundamental concepts regarding how passwords are used, stored—and stolen.
What Makes a Password Good?
Have you ever watched a spy movie where the be-suited hero is trying to hack the bad guy’s computer? Even in supposedly “realistic” films, it turns out that the password is some phrase that’s tied to the villain personally. Maybe it’s the name of their first love, a childhood pet, or the codename of their sinister project. Whatever it is, the hero always manages to unlock the computer within three or four guesses, usually just in the nick of time.
I blame this narrative laziness for a lot of the bad passwords that people end up using. People tend to think, “oh, the bad guys will never guess the name of my goldfish from when I was three.”
Spoiler alert: they don’t need to. In order to guess your password, hackers will typically resort to variations on a method known as “brute force.” This is an attack similar to trying to guess every combination of a combination lock in order to open it up. At merely human speeds, even a short password might take forever to guess using this method, but computers can do it fast.
Let’s say that your password is “abcdef.” This password is terrible for many reasons, which I’ll get to, but the primary reason is that is lacks complexity. It is only six characters long, and uses only one case. Let’s say you started trying to guess this password, starting with a combination like “aaaaaa,” going to “aaaaab,” “aaaabb,” and so on. Using this method, there are exactly 321,272,406 possible guesses you could make—that’s every possible combination of six lowercase letters. Now, over three hundred million guesses sounds like a heck of a lot. Here’s the thing though: an average desktop computer, using freely available password-cracking software, can make one hundred million guesses per second (your mileage may vary). A six-letter lowercase password will last all of 3.2 seconds against a barely competent hacker.
Actually, they won’t even need to take that long. Another misconception about hackers is that if they want to crack your password, they’ll go into the login screen of the service they want to breach and start making guesses. This is another reason why people pick simple passwords—they think that even if a password is easy to guess, that the automated login system will lock out a hacker after they’ve made a few tries.
This is sadly not the case. All websites and other applications store passwords on a spreadsheet in their database. If they’re doing their job right, the site won’t store those passwords in plaintext, but rather in a kind of cryptographic cipher called a hash. A hacker probably won’t try to steal your password directly from the login screen (unless they’re using a man-in-the-middle attack, but that’s a different article). Instead, they’re going to steal that list of hashed passwords.
Once that list of hashes has been stolen, anyone who’s chosen a simple password is basically doomed right out of the gate. See, each hash is created by a special algorithm that slices and dices and cuts and cubes a password until it’s not only unrecognizable, but impossible to reverse-engineer. There are only two things that keep a hash from being perfectly secure.
- It is possible to determine which algorithm was used to create a hash.
- The same input will always produce the same hashed output when you use the same algorithm.
- See where this is going?
Hackers know that a lot of people use simple passwords. Since they’re smart, they already know what the output hashes of these simple passwords look like in every major hashing algorithm in use. In what’s known as a “pre-computed dictionary attack,” they’ll have already cooked up the hashes of those simple passwords, so that once they steal a list, they’ll be able to expose not just you, but potentially thousands of other people who haven’t read this article. What’s more, the principles behind this attack mean that…
Even “Complex” Passwords Aren’t Particularly Safe
So, a lot of people are starting to get the message. Maybe instead of “baseball,” a commonly-used insecure password, you’ve decided to use a password that incorporates numbers, both capital and lower-case letters, and some special characters to boot: “1B4seba11!” for example. You may think that the latter password is safer, but, as distinct from baseball itself, the concept of safety is only an illusion.
There are a few strikes against “1B4seba11!” in terms of its security as a password. It seems great though, doesn’t it? Using the set of criteria that it satisfies—over eight characters long, uses both upper and lower case letters, uses numbers, and at least one special character—there are over one quadrillion possible combinations. Our hypothetical desktop password-cracker can make one hundred million guesses per second, so guessing the password would take about ten million seconds, or 116 days. That’s a long time, but not super long. If someone badly wanted whatever your password was protecting—such as the bank account containing all of your retirement savings—four months really isn’t a long time to wait.
There’s more, however. See, we’re assuming that whoever is trying to break your password is using an ordinary desktop computer. If they’re serious, however, it’s not uncommon to find hackers that use custom-built hardware. It’s recently been shown that high-end GPUs (Graphics Processing Units) are better at performing thing kind of password-breaking operation than ordinary CPUs. A high-end GPU costs about $500, and a custom rig might incorporate as many as twenty-five GPUs, all working in parallel. The result, however, is a machine that costs less than a decent used car—and can crack a mind-boggling 350 billion passwords per second. That’s enough to take your complex eight-character password and rip it to shreds in six minutes flat.
There’s one last reason that short complex passwords are pretty much gone the way of the dodo in terms of security. Let’s go back to the previous examples of password-cracking hardware. This is the part, by the way, where I have to admit I lied to you a little.
See, that estimate of 100 million guesses per minute for a desktop, and 350 billion for custom hardware, only holds true if your password happens to be hashed with an older algorithm. Don’t get any ideas that you’re safe now—it’s quite common for companies to use hashing algorithms like MD5 or SHA-1, which have both been obsolete since the early 2000’s. An ordinary modern desktop will eat MD5 for breakfast. If hackers try to brute-force a modern algorithm such as SHA-512, however, even the most advanced machine will be slowed down to less than half a million guesses per second. That’s enough to keep your password safe for years, in theory.
In practice, however, your password is going to get caught out a lot sooner than that. Why? It all comes back around to the dictionary method.
See, humans are sadly predictable. Let’s go back to the example of 1B4seba11! Even with the complexity added by the extra cases, numbers, and special characters, this is going to be an easy password for a computer to guess. First of all, the password is laid out in a predictable manner, if you’re a human. For most people, it makes sense to put special characters at the end of a word, so a password-cracker will prioritize testing combinations that have special characters in that location. Second of all, substituting the number four for the letter a, and replacing I’s and L’s with the number one is a pretty common practice, so the cracking program is going to look for combinations with a lot of ones and fours in them. The factor that damns this password completely, however, is that it is based on a real word from the dictionary. Not only is it a real word from the dictionary, it’s based on a real word that people use for their passwords quite often, using extremely common modulations. Any well-designed password cracker probably has the exact phrase “1B4seba11!” as one of the first few million guesses that it makes—and the same goes for any dictionary word.
Now the “Complex” Passwords Don’t Work, What Else is Left?
Using a simple password may as well be pointless, and even really complicated passwords are kind of a mess. This stems from the fact that humans are fairly predictable—we use passwords that involve words that are in the dictionary, follow rules of grammar and spelling, and contain predictable patterns of letters and numbers. What do we do about this? Do we give up and let the hackers win?
No! I promised at the beginning of this article that you’d be able to secure all of your data by remembering just one or two passwords, and by golly I’m not a liar.
Here’s the trick: Your passwords have to include randomness.
If your password is over 20 characters long, and contains no predictable alphanumeric sequences or phrasing, even something like a supercomputing supercluster will take centuries to guess it.
Here’s an example. I went to the GRC website, and took a 22-character selection (that’s all you need) from a randomly-generated 256-bit string. This string right here: Q7PkgND6amgQ2nrx2Ej8vV
Then, I went to my favorite password checker, zxcvbn, which estimates how long it would take for various password-breakers to break your password.
As you can see, anyone trying to break that password, even using a very fast computer, would have to be prepared to wait a very, very long time.
Of course, there’s a big obvious problem with that password: any passphrase that is impossible for a computer to break is also impossible for a human to remember. I mean, if it is possible for you to remember multiple high-entropy passwords like Q7PkgND6amgQ2nrx2Ej8vV for every service you use, stop reading this article right now. You win at passwords, and at life.
For the rest of us, there’s a cheat. Find a password manager such as LastPass. LastPass will automatically remember and retrieve long, difficult-to-remember passwords like Q7PkgND6amgQ2nrx2Ej8vV, and all you’ll have to worry about is remembering a single master password, plus probably a similar password for your email. Every time you need to choose a new password, go to GRC, highlight 22 characters from the 256-bit strings they generate, and put those in LastPass as the password you’re using for the service. Simple, right?
There’s one last thing. LastPass still requires a master password, and you want that to be something that’s as complicated as Q7PkgND6amgQ2nrx2Ej8vV, but something that a human can actually memorize.
The solution to this problem is a system called DiceWare. This is actually very simple, and it works on the theory that you can use a long string of non-gibberish English words to generate a password—as long as those words aren’t in any sensible order. For example, if I asked you to pick out a random phrase, you might think of, “TheQuickBrownFoxJumpsOverTheLazyDog.” The problem with this is that it’s a well-known phrase in an order that makes sense, and a computer will probably nab that pretty fast. DiceWare, however, requires users to roll dice (like the name says) in order to generate a five-digit number that corresponds with a random word in the English dictionary. Do this a few times, and you’ll have a comprehensible phrase that’s still unsolvable with big computers. You can do this manually, or online. Using the online DiceWare generator here, I generated the passphrase “satyr wacke enrico igloo delia,” which is relatively easy to remember but will still take centuries for even the fastest computer to break.
So, there you have it. Use LastPass to remember your passwords, use snippets of 256-bit keys for your LastPass passwords, and use a DiceWare password as the only secure password that you have to actually keep in your head. Using this method, your password should be secure against most modern computers—but just remember that computers are only going to get faster.
Zxcvbn Password Checker: https://dl.dropboxusercontent.com/u/209/zxcvbn/test/index.html
GRC Password Generator: https://www.grc.com/passwords.htm
DiceWare Password Generator: http://rumkin.com/tools/password/diceware.php
Bruce Schneier on Password Security: https://www.schneier.com/blog/archives/2014/03/choosing_secure_1.html