As a regular reader of this blog, you’ll know we’re sticklers for good passwords. And if this is your first visit, welcome to the show!
To be completely honest, a username and password is actually not an ideal way to secure a system. Usernames are almost always easily guessable, and passwords usually are too. But, for a lot of systems, that is what we have, so it’s important to pick good strong passwords to protect your information.
Before we dive into good password rules, I’d like to look at how passwords get compromised in the first place, so you’ll know what we’re up against.
Generally speaking, there are 4 ways that your super secret password becomes, well, not so secret:
- Your password is really easy to guess
- One of the websites you use experiences a breach (and you use that password everywhere!)
- Someone is able to use a “Forgot My Password” function to reset your password
- You get tricked into telling someone your password
Easy to Guess?
Just about everyone knows that your password shouldn’t be obvious. Hilariously bad examples exist like “password”, “123456”, and “password1” (you know, to make it complex). I know I sound like the stuffy old security guy when I say that, but it’s not just something I think; I know that those passwords are used all the time. How could I possibly know, you ask? Well, lots and lots of websites suffer breaches every year, and lots of those websites do a really crummy job of taking care of your password, and then the attacker usually ends up posting them for everyone to see, so security nuts like me get to chart these things. In 2013, “123456” was the MOST POPULAR password in use, followed by “password”. Not kidding.
You also shouldn’t use your username as your password. It sounds silly, but it happens. Not too long ago we were performing a security audit on a web application, and one of the concerns the client had was over their ability to detect password guessing activity. We scripted up some automated login actions, fed it a list of 2000 common usernames, and tried logging in with either “password” or the exact same word as the username. To the client’s surprise (not ours) about 130 of the accounts used the same word for their username and their password. Another 35 or so used “password”. It took us about 30 minutes. Seriously. Don’t use your username as your password.
One of your favorite websites is breached! (Gasp!)
OK, so let’s say you’ve figured out a super awesome password. It has numbers, capital letters, special characters, the works. It’s 15 characters long, and no one would ever guess it. Awesome, nice job.
So you take your super awesome password, and register on a site that sends you coupons for things like spray tans and dog spas (hey, no judgement here).
Turns out that the oddly orange, dog-loving entrepreneurs aren’t good at securing their website, and someone steals the user database and posts it for the world to see. The usernames and the passwords are stored in cleartext, which means they look just like you type them. It has your email address, and your password, right there, plain as day. Your super awesome password is no longer secret, super, or awesome. If you used this password on everything (Facebook, LinkedIn, your email account, your bank), it’s just a matter of time before someone bothers to try it.
Now let’s say that a few months later, another website you use suffers a breach, only they do something called hashing. A hash is a one-way math function that takes in your password and spits out a stream of numbers and letters. Think of it like a meat grinder. You put a steak in one end, and ground beef comes out the other side.
In this case, the “grinder” always spits out the same hash value when you enter the same password, so instead of storing your actual password, they compare the hashed results of the password you just entered, and the hashed results they have on file. And just like a meat grinder, there is no way to reverse the process. (How many times have you seen someone put a steak together from ground beef? Exactly.)
Attackers know this, and so have built these enormous tables called Rainbow Tables, where they take huge lists of potential passwords, run them through the same hash function, then use those tables to look up the hash values they just stole from the website. There are some things that you can do to make that harder, but lots of websites just get to the hashing part and go no further.
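As an added illustration (not from the original post), here is a small Python sketch of the hash-and-compare flow and the precomputed-table lookup described above, in the simplified lookup-table form rather than true rainbow chains. It assumes SHA-256 as the site’s hash and uses a tiny constructed wordlist, and it finishes with the per-user random salt that is one of the “things you can do to make that harder”.

```python
import hashlib
import hmac
import os

# Constructed wordlist standing in for the huge candidate lists attackers hash up front.
CANDIDATES = ["123456", "password", "password1", "qwerty", "letmein", "dogspa2013"]


def hash_password(password: str) -> str:
    """Unsalted SHA-256: the 'meat grinder'. Same input, same output, no way back."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_lookup_table(candidates) -> dict:
    """Precompute hash -> plaintext for every candidate (a simplified rainbow table)."""
    return {hash_password(p): p for p in candidates}


def lookup(table: dict, leaked_hash: str):
    """Compare a stolen hash against the table; returns the password or None."""
    return table.get(leaked_hash)


def table_entries(charset_size: int, length: int) -> int:
    """Candidates a complete table must cover for a given password policy."""
    return charset_size ** length


def hash_password_salted(password: str, salt: bytes) -> str:
    """Hash a per-user random salt together with the password, so the same
    password yields a different hash for every user and a table built in
    advance no longer matches anything."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def verify_salted(password: str, salt: bytes, stored_hash: str) -> bool:
    """What the site does at login: re-hash with the stored salt and compare."""
    return hmac.compare_digest(hash_password_salted(password, salt), stored_hash)


if __name__ == "__main__":
    table = build_lookup_table(CANDIDATES)
    # Constructed "breached" record: a user who chose "password1", stored unsalted.
    print("unsalted hit:", lookup(table, hash_password("password1")))
    salt = os.urandom(16)
    print("salted hit:", lookup(table, hash_password_salted("password1", salt)))
    print("10 chars, 70-symbol alphabet:", table_entries(70, 10))
```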
So the moral of this story is to use different passwords for different sites. That way, if the above scenario unfolds, you only have one site to worry about, instead of your entire online identity.
Forgot your password?
You see these same questions every time you register on a site. Mother’s maiden name? City you were born in? Maid of Honor at your wedding? These are the questions you get asked when you want to reset your password. And this is useful: since you are now using separate passwords for all of your sites (right?), it’s possible that from time to time you’ll need help getting into one of them.
Some sites handle the password reset issue well, some not so much. Most sites will ask you a question, then send a temporary code to your registered email address, which is good. Even if someone guesses the answer, they still need access to your email. Other sites will ask a security question, then let you reset the password right there if you get the right answer. Those are dangerous, so you need to make sure the answers to those questions can’t be discovered in 2 minutes of looking at your Facebook profile.
OK, let’s pick a good password!
Now that we’ve seen the different ways that passwords can be compromised, let’s look at what makes a good password.
We know it shouldn’t be easy to guess, so regular words are out. And since the attackers can use those Rainbow Tables to compare possible passwords, we need to use a password that is pretty long and has lots of different characters in it.
Some rules to use:
- Make sure your password is at least 10 characters long
- Use capital and lower case letters
- Use a number (or several)
- Use some punctuation (!@#$%^&*)
If you follow the above rules, an attacker would need a rainbow table of roughly 100 petabytes to ensure they have your password hash in their table. If you drop one of those rules, though, it shrinks fast. Let’s say you only use letters and numbers. That drops the rainbow table to 13 petabytes. Still huge, but not nearly as huge as before. Let’s say you use a shorter password, like 7 characters. Even if you follow the other rules, we’re down to about 250 gigabytes, much more manageable. Let’s not make it manageable. Every additional character you put in your password makes it exponentially harder for the attacker.