Password Encyclopedia: How it works, how can you make it usable and Secure
Companies spend millions of dollars on their security, with high end Security System, Firewalls, etc, but they still get hacked, the reason lies in the password of the high authority users in the company.
How to hack a password
The work involved in hacking passwords is very simple. There are 5 proven ways to do so:
- Asking: Amazingly the most common way to gain access to someone’s password is simply to ask for it (often in relation with something else). People often tell their passwords to colleagues, friends and family. Having a complex password policy isn’t going to change this.
- Guessing: This is the second most common method to access a person’s account. It turns out that most people choose a password that is easy to remember, and the easiest ones are those that are related to you as a person. Passwords like: your last name, your wife’s name, the name of your cat, the date of birth, your favorite flower etc. are all pretty common. This problem can only be solved by choosing a password with no relation to you as a person.
- Brute force attack: Very simple to do. A hacker simply attempts to sign-in using different passwords one at the time. If you password is “sun”, he will attempt to sign-in using “aaa, aab, aac, aad … sul, sum, sun (MATCH)“. The only thing that stops a brute force attack is higher complexity and longer passwords (which is why IT people want you to use just that).
- Common word attacks: A simple form of brute-force attacks, where the hacker attempt to sign-in using a list of common words. Instead of trying different combination of letters, the hacker tries different words e.g. “sum, summer, summit, sump, sun (MATCH)“.
- Dictionary attacks: Same concept as common word attacks – the only difference is that the hacker now uses the full dictionary of words (there are about 500,000 words in the English language).
When is a password secure?
- Brute-force: 3 minutes
- Common Word: 3 minutes
- Dictionary: 1 hour 20 minutes
- a password that can be hacked in 1 minute is far too risky
- 10 minutes – still risky
- 1 hour – still not good enough
- 1 day – Now we are speaking!. The probability that a person will have a program running just to hack your account for an entire day is very little. Still, it is plausible.
- 1 month – this is something that only a dedicated attacker would do.
- 1 year – now we are moving from practical risk to theoretical risk. If you are NASA or CIA then it is unacceptable. For the rest of us, well – you do not have that kind of enemies, nor is your company data that interesting.
- 10 years – Now we are talking purely theoretical.
- A lifetime: 100 years – this is really the limit for most people. Who cares about their password being hacked after they have died? Still it is nice to know that you use a password that is “secure for life”
Making usable and secure passwords
Nope, it just means that a 6 character password isn’t going to work. None can remember a password like “J4fS<2″, which evidently mean that it will be written on a post-it note.
- 1,163,859 years using a brute-force method
- 2,537 years using a common word attack
- 39,637,240 years using a dictionary attack
- Add a time-delay between sign-in attempts. Instead of allowing people to sign-in again and again and again. Add a 5 second delay between each attempt.It is short enough to not be noticeable (it takes longer than 5 seconds to realize that you have tried a wrong password, and to type in a new one). And, it forces the hacker to only be able make sign-in requests 1 every 5 seconds (instead of 100 times per second).
- Add a penalty period if a person has typed a wrong password more than – say – 10 times – of something like 1 hour. Again, this seriously disrupts the hacking script from working effectively.
See I told you Passwords can be makde usable and secure at the same time
Some FAQ’s here, few of them are a Bit technical via baekdal
Q: What about the problem that many sites store people’s passwords in clear text?
A: What about it? It has nothing to do with this. How a password is stored in a database is a server problem, something that must be solved a server level. No level of complexity by the user can solve this problem.
Every server admin has the responsibility to store people’s passwords in a secure and encrypted way.
Q: Most password can be cracked using rainbow tables (or similar), will a higher complexity not solve that?
A: Yes and no.
Let me briefly explain what this is. The way hackers hack passwords today is to look it up in password tables. This was how people’s password was hacked in the Gawker incident.
Basically, the hacker will take the encrypted password like this one: 4d5257e5acc7fcac2f5dcd66c4e78f9a and simply go to this site (among many) and paste it in. The site will then return the actual password (which in this case is “mickey”). They are simply looking it up in a database.
The way to solve this is to make the password so complex that it is unlikely to be in any database. More complexity = better encryption security.
However, this is not a user problem!!!
You do not ask the user to create a more complex password. You make the password more complex on the server.
Here is a simple example.
Let’s say that the user decides to use the password “mickey”, which is completely insecure.
You then add a one-way complexity algorithm to it, effectively turning it into:
Which you then encrypt, and run trough another one-way complexity algorithm – ending up with this:
This is then what you store in your database on the server. The user can choose whatever password they like. It is your job as a server admin to make sure that it is encrypted correctly.
Q: Many websites do not allow spaces in password, what then?
A: True, but again that is a server problem, not a user problem. Fix the damn server!
Q: If I cannot write “this is fun” because of the spaces, can I not just write “thisisfun”?
A: Absolutely not! The reason why “this is fun” is 10 times more secure, is simply because it is much longer (11 characters). By removing the spaces, you reduce the length and the complexity substantially. The spaces are effectively special characters, which in itself makes the password much more secure.
Use “this-is-fun” instead.
Q: If “this is fun” is 10 times more secure, wouldn’t it increase security to write it as “Thi3-Is-5un”? … That would be just as easy to remember.
A: You are kidding right?
Yes it would be much more secure, but the whole point of this is to reduce complexity. People do not like being kicked in the groin every morning.
There is absolutely no reason for adding that complexity in the first place. It takes 2,537 years to hack “this is fun”
Q: But modern computers can hack password much faster than they used to…
A: Yes and no. You need direct access to the database file or the server to hack something faster. If you got that level of access, you do not actually need the password. You can just look up the data directly.
What I am talking about in the article is hacking into remote systems (like web apps). I tested this with Google and I was not able to send more than 25 password request per second to their servers.
And even if you could hack it faster, “this is fun” is still more secure. Just because something is faster doesn’t mean the math behind it changes.
Q: Even so, a BOT net could do it, right?
A: Read that part about adding delays in the article.
Q: “Well, I still prefer long and complex passwords. My previous one, for example, had mixed case letters, numbers, symbols, and spaces, and were 32 characters long. But I still could remember it easily, by using the name and ID number of an obscure science-fiction character from an uncommon book combined with a made up language.”
A: Please, go away…
Q: When I test “this is fun” it shows up as weak in most password testers.
A: Yes, this is simply because most password testing tools are completely useless. They measure complexity, not security.
One example. If you head over to The Password Meter, they will tell you that “this is fun” only scores 19% = very weak, while “J4fS<2″ scores 60% = strong.
But, this has nothing to do with security. They specifically look for the presence of uppercase letters, numbers and symbols, which they then give a rank using a completely insane algorithm.
These guys are only measuring complexity. It is an utterly useless tool.
Mathematically, “this is fun” is 10 times more secure.
This is one of the big reasons why I hate when IT people talk about password security. They favor complexity over actual security.
Q: A 3 word password could be hacked a lot faster with a smaller dictionary
A: Yes, it could. But how would the hacker know what words to put in the smaller dictionary? How would what words people use? Take “this is fun” – and let instead use a dictionary with only the 500 top english words. It wouldn’t work. “this” and “is” are in it, but not “fun”.
It wouldn’t match.
But then people go on to suggest this…
Q: But a hacker could hack the two first words using a 500 word dictionary, and the last word using the common word dictionary.
A: You are kidding, right?
I think you have been watching too many Hollywood movies. In Hollywood, passwords are hacked one digit at the time. Meaning the system would return true or false information based on partial matches.
This is not how the real world works. You cannot match a password based on a partial matches. “This * *” is not the same as “this is fun”. It would return it as FALSE. You have to match all three words, all at once.
Q: So, are you saying we should use “this is fun” as our password?
A: No, I’m saying that you should use a 3+ word pass phrase as your password. Something that isn’t linked directly to you or your immediate interests. So don’t choose the names of your three kids.
Choose something like “green is wicked”, “summer hammocks are fun” or “floppily floors flop”