The Ugly: Composition of a Bad Password

 Typically, when I speak to someone about passwords and how to improve them, the follow-up question to the instructional “do this” is inevitably “why?”; so we’re going to start there. Beginning with “why certain passwords are bad”, we’ll follow up in a few weeks with “how to improve your passwords now that you know they’re currently terrible”. This post will attempt to show you the world of passwords I see and the pitfalls many people fall into. I’ve broken these down into 4 main categories: Easy-to-guess, Personal, Reused, and Short.



The first category, and possibly the most well-known, consists of passwords that are easy to guess because of common human usage. These include some of my favorite examples: “password”, “opensesame”, “12345678”, “Spring2021”, etc. In fact, Xato’s article on the Top10k passwords used contains a list of painfully short and simplistic passwords that have been published in data hacks over the years (a link to the article is in the “Sources” below). Included in this first section would be single words that can be found in the dictionary.


If you feel especially smug about getting around IT’s rules for setting passwords at work, you likely fall into this category. These passwords lost their viability about 30 years ago… or roughly when 3.5-inch floppy disk capacity exceeded 1 MB of storage. Passwords here are often cracked with wordlists that an attacker runs through automated scripts; a “dictionary attack” is the same idea using a more structured, pre-built list.


The second category of bad passwords is easy to guess because, with just basic background research, a targeted attack could compromise your password. Using your name, your birthday, home address, kids’ names, Social Security Number (seriously, this happens, and yes, it’s a terrible idea), or pets’ names makes for especially weak passwords. The reason? Many of our accounts on social media haven’t been properly locked down. This means we passively leak intimate data about ourselves to the searchable internet (not just the ominous “Dark Web”). Though we often rely on our relative anonymity for protection, recent data breaches in the news should show us just how accessible our personal information can be to anyone who knows how to use Google.


Still fresh in some of our minds is the data breach of Equifax in 2017 that saw highly intimate personal details (we call this “Personally Identifiable Information”, PII, in the industry) of more than half of all Americans exposed, just out there for anyone to find. And though it feels like old news now, the revelation of how much personal information Cambridge Analytica was harvesting under the auspices of the Facebook platform during the 2016 Presidential election extended beyond the typical DOB, mailing address, and email, into the more nebulous, but no less potent, domain of religious, political and philosophical inclinations.


There is a growing awareness of how our personal information is not as private as we wish it was AND how valuable our habits and preferences are to firms dealing in big data for an emerging tailored-consumerism market. Though there are certainly steps you can take to guard your online privacy, counting on it for protection from a targeted attack is futile. One thing I’ve learned the hard way is that one should never underestimate boredom and, since our world is so interconnected by the web, there is an overwhelming amount of bored curiosity just outside your front door. Pro-Tip: Don’t count on someone else’s preoccupation and inexperience with Google to keep you safe from personalized attacks.


The third category of bad passwords is passwords that are reused. The more a password is reused, the more likely you are to lose track of all the places where you are using it. This leads you to put passive trust in the websites and/or devices that password is used on, expecting them to properly steward your security. Reused passwords are a boon to hackers. Because users employ these compromised passwords across multiple websites, they provide entry points for attack in multiple places.


One recent example of this is the Disney+™ user breach. Shortly after the platform’s launch, thousands of user accounts were reportedly hacked. But, as far as we are aware, this was not the company’s fault. As there was no indication of compromise in Disney’s systems, the account compromise was likely the result of password reuse on other websites that had fallen victim to hacking.


In 2014, Russian hackers targeted specific individuals on Yahoo!™. Hackers easily stole these individuals’ information by accessing account recovery emails that had been saved with weak passwords. Armed with this information, hackers then targeted other internet accounts, both personal and professional, that were also owned by these individuals. By the time Yahoo!™ was acquired by Verizon™, a due diligence period revealed that the company had likely leaked three billion user accounts, including information such as names, phone numbers, e-mail addresses, birth dates, security question answers, and encrypted passwords. 


Large-scale breaches like this also show human patterns in thinking that make passwords predictable. A cybersecurity professional I know will scrape Pastebin[dot]com* for passwords from large data breaches and add them to his master wordlist (think of what I mentioned in #1 on steroids!) because he knows there’s always a good chance a password will be reused somewhere. Don’t trust the next Yahoo! to keep your online bank account password safe.


The fourth category of bad passwords is those that are short and/or simple. This is where math comes into play. When people find out I work in cybersecurity they sometimes ask, “how long should my passwords be?” Although there are differing opinions on this, I’ll put a stake in the ground at 14 characters for offline systems and 20 characters for services accessible via the internet. It is important to note those numbers assume you are employing the full printable ASCII table (everything you can see on your U.S. English keyboard). Most password requirements include an upper-case letter, a lower-case letter, and a digit. Couple that with a minimum standard eight-character password and you’re left with a password that could be cracked by an ordinary desktop computer, running free software, in about 25 days (estimating the computer is checking 100 million guesses per second) or by a specialized password cracking rig (think of a Bitcoin set-up, costing around $5,000) in 11 minutes. Eleven minutes! How long do you think it would take someone to recoup the cost of that password cracker if they went after your online bank account? Now if you take that same number of characters and add the option of keyboard symbols, you end up with a password that takes 5.75 hours to crack with the same password cracking rig.


[SideNote: it should be mentioned that this calculation is based on a truly randomized 8-character password. If a human came up with the password, a smart attacker would instead employ attacks based on common patterns gleaned from large password breaches, where human psychology can be placed under an incredible microscope: for example, the MySpace phishing attack in 2006 that reaped about 34,000 passwords, of which only 8.3% had a special character. There are plenty of studies out there that have identified patterns in human-generated passwords; several are listed at the end in the “Further Reading” section.]


Increasing complexity and length improves entropy on an exponential scale. This is what the famous “Password Strength” XKCD comic is referencing by recommending that instead of a short and complex password (which is often difficult to remember), users should adopt a simplistic but long password. Though in theory this is correct, since there is a clear pattern to the characters (dictionary words again!), this falls right back into category #1 (though considerably more developed than “qwerty”). But, in defense of xkcd, increasing length beyond 20 characters (and please, don’t let my minimum constrict your aspirations: go all the way to 32 characters!) moves your password out of the crowd of 13-or-fewer-character passwords that most cracking efforts target. At a certain point, attackers (who are looking for a sure thing) who have access to the internals of the network that a password is used on, or to a leaked database, will move on from wordlists to rainbow tables: precomputed hash tables covering a given set of parameters (e.g. 6-13 alphanumeric characters OR 6-10 alphanumeric + special characters). Many of the rainbow tables that I’ve come across (especially the free ones) top out at ~13 characters, which is partly where I derive the 14/20-character password recommendation from.


This list may be exhausting, but it is not exhaustive: there is much more that could be said about password pitfalls, but I’ve covered what I believe to be the most prevalent. If you’re a little bit overwhelmed and, maybe even a little scared, good: that was my intention. Fear precipitates action: hopefully to the point of changing bad habits. We’ll discuss in a few weeks what can be done to fix these habits that produce bad passwords in an easy and approachable way. Until then, Be Secure!


                   ++++++++++++++++++++++++++++++++++++++++++++++

*Note: the replacement of the period before the top-level domain (i.e. .com, .gov, .org, .biz, etc.) with “[dot]” is a habit I have seen and respected on other cybersecurity blogs and write-ups. My alteration of a URL in this way does not denote the URL as harmful per se, but rather is an attempt to protect the reader from accidentally selecting an embedded hyperlink.




Further Reading:

Consumer Password Worst Practices. Imperva Application Defense Center (ADC), 2014. https://www.imperva.com/docs/gated/WP_Consumer_Password_Worst_Practices.pdf.

Hunt, Troy. “';--have i been pwned?” TroyHunt, December 4, 2013. https://haveibeenpwned.com/.

Krebs, Brian. “Don't Give Away Historic Details About Yourself.” KrebsonSecurity, April 2018. https://krebsonsecurity.com/2018/04/dont-give-away-historic-details-about-yourself/.

Mónica, Diogo. “Password Security: Why the Horse Battery Staple Is Not Correct.” Diogo Monica, October 11, 2014. https://diogomonica.com/2014/10/11/password-security-why-the-horse-battery-staple-is-not-correct/.

“NIST SP 800-63 Digital Identity Guidelines.” NIST SP 800-63. Accessed July 30, 2020. https://pages.nist.gov/800-63-3/.

Steinberg, Joseph. “New Technology Cracks 'Strong' Passwords -- What You Need To Know.” Forbes. Forbes Magazine, April 22, 2015. https://www.forbes.com/sites/josephsteinberg/2015/04/21/new-technology-cracks-long-complex-passwords-what-you-need-to-know/.

“Unmasked.” An Analysis of 10 Million Passwords. Accessed July 30, 2020. https://wpengine.com/unmasked/.





Sources:

Barrett, Brian. “The Likely Reason Disney+ Accounts Are Getting 'Hacked'.” Wired. Conde Nast, November 20, 2019. https://www.wired.com/story/disney-plus-hacks-credential-stuffing/.

“Brute-Force Attack.” Wikipedia. Wikimedia Foundation, July 21, 2020. https://en.wikipedia.org/wiki/Brute-force_attack.

Burnett, Mark. “10,000 Top Passwords.” Medium. XATO: Information Security by Mark Burnett, July 11, 2016. https://xato.net/10-000-top-passwords-6d6380716fe0.

Crawley, Kim. “Was Your New Disney Plus Account Stolen?” ThreatVector, March 5, 2020. https://threatvector.cylance.com/en_us/home/was-your-new-disney-plus-account-stolen.html

Cubrilovic, Nik. “RockYou Hack: From Bad To Worse.” TechCrunch. TechCrunch, December 15, 2009. https://techcrunch.com/2009/12/14/rockyou-hack-security-myspace-facebook-passwords/.

Goodin, Dan. “Yahoo Says Half a Billion Accounts Breached by Nation-Sponsored Hackers.” Ars Technica, September 22, 2016. https://arstechnica.com/information-technology/2016/09/yahoo-says-half-a-billion-accounts-breached-by-nation-sponsored-hackers/.

“How Many Words Are There in the Engli...” Lexico Dictionaries | English. Accessed July 30, 2020. https://en.oxforddictionaries.com/explore/how-many-words-are-there-in-the-english-language.

Ickler, Kent R. “How to Build a Password Cracker with NVidia GTX 1080TI & GTX 1070.” Black Hills Information Security, May 27, 2020. https://www.blackhillsinfosec.com/build-password-cracker-nvidia-gtx-1080ti-gtx-1070/.

Leyden, John. “RockYou Hack Reveals Easy-to-Crack Passwords.” The Register, January 21, 2010. https://www.theregister.co.uk/2010/01/21/lame_passwords_exposed_by_rockyou_hack/.

List of Rainbow Tables, 2017. http://project-rainbowcrack.com/table.htm.

Munroe, Randall. “Password Reuse.” xkcd, September 13, 2010. https://xkcd.com/792/.

Munroe, Randall. “Password Strength.” xkcd, August 10, 2011. https://xkcd.com/936/.

Newman, Lily Hay. “Yahoo's 2013 Email Hack Actually Compromised Three Billion Accounts.” Wired. Conde Nast, October 22, 2017. https://www.wired.com/story/yahoo-breach-three-billion-accounts/.

“Password Cracking.” Wikipedia. Wikimedia Foundation, July 22, 2020. https://en.wikipedia.org/wiki/Password_cracking.

“Password Strength.” Wikipedia. Wikimedia Foundation, July 2, 2020. https://en.wikipedia.org/wiki/Password_strength.

Schneier, Bruce. “MySpace Passwords Aren't So Dumb.” Wired. Conde Nast, December 14, 2006. https://www.wired.com/2006/12/myspace-passwords-arent-so-dumb/?currentPage=all.

Sheppard, Simon. “Password Security and a Comparison of Password Managers.” Password Managers - SS64.com, 2016. https://ss64.com/docs/security.html.

Stempel, Jonathan. “Yahoo Says All Three Billion Accounts Hacked in 2013 Data Theft.” Reuters. Thomson Reuters, October 4, 2017. https://www.reuters.com/article/us-yahoo-cyber/yahoo-says-all-three-billion-accounts-hacked-in-2013-data-theft-idUSKCN1C82O1.

“Yahoo Security Notice December 14, 2016 | Account Help - SLN27925.” Yahoo! Yahoo!, 2016. https://help.yahoo.com/kb/account/SLN27925.html?guccounter=1.
