[ISN] Passwords: The Good, the Bad and the Ugly

From: InfoSec News (alerts@private)
Date: Tue Jan 09 2007 - 22:11:27 PST


http://www.builderau.com.au/strategy/architecture/soa/Passwords_The_Good_the_Bad_and_the_Ugly/0,339028264,339272929,00.htm

By Nick Gibson
Builder AU 
2007/01/09

Pick anyone in the world who uses a computer now and then and chances 
are they've had to think up a password somewhere along the line. Regular 
computer users will have stacked up quite a few: your work PC, Web mail,
online banking, blogs, etc. It's no wonder that a lot of people get 
overwhelmed by the sheer weight of things to remember and forget why 
they've got the passwords in the first place.

It's not uncommon to see a Post-it note with a password written on it 
stuck to the top of the computer that it accesses, and when that happens 
it's easy to see that something has gone wrong somewhere down the line. 
For users, it's important to remember why passwords exist in the first 
place, and for administrators setting a password policy, who tend to err 
on the side of paranoia, it's important to remember that sometimes too 
much security is just as bad as none at all. To understand what makes a 
good password, we need to first look into how passwords get broken.

People trying to break your password will generally fall into one of two 
categories. The first will be professional cyber criminals, 
indiscriminately trying to gain access to accounts for their own gain. 
Maybe it's access to your bank account and your funds, maybe it's 
control of your computer so they can add it to their botnet, maybe it's 
an attempt to gain access to your work account for the purposes of 
industrial espionage, or maybe it's just some bored kid looking for 
something to vandalise.

Whatever the situation, the common factor is that they're not 
necessarily singling you out and you haven't necessarily done anything 
to draw their attention. You may just be one of a thousand hit, or one 
of a hundred thousand chosen at random on the Internet, and the only 
thing protecting you is the strength of your password.

The second group are people who have chosen to target you; either they 
know you or they have the means to find out. They may have chosen you 
for any of the reasons above, or through curiosity or spite. Many people 
choose passwords that relate to personal information, such as birthdays, 
addresses or family names -- thinking that either nobody knows these 
little facts, or that those who would know would never try to use them.

Most people aren't aware how much information ends up being available 
about them on the Internet, one way or another -- and with search 
engines getting better all the time, it's getting easier to find out 
more about people.


How are passwords broken?

There are a number of different ways in which passwords are broken. The
oldest and least sophisticated method is called the brute force attack.
An attacker runs through every possible sequence in the set of possible
passwords until they find the right one. While it's not clever, the
advantage of the brute force attack is that given enough time it will
always work. The key factor here is time, but to understand this, let's
take an example: cracking a four-digit PIN number.

Now in this case, there are four characters and each character has 10
different options -- meaning that there are 10 ^ 4, or 10,000, possible
combinations. It takes 10,000 attempts to generate every possible
password in the set, but since on average you only need to go through
half the set to find a given password, a cracker will need only 5000
attempts per password, which a computer can run through in a matter of
seconds.

That was a simplistic example, but let's take something a little more
commonplace: a six-character password, letters only and not case
sensitive. This means that there are 26 options for each character,
giving us 26 ^ 6 or 308,915,776 different options. Now clearly this is
going to take a lot longer, but it's still not going to be enough to
discourage an attacker.

At the 2005 Ontario Universities Computing Conference, Johnathan Graham 
claimed an optimised copy of a password cracker running on a 2.7GHz G5
Mac had managed to generate 900,000 encrypted passwords per second; a 
six letter password space could be entirely generated in only five 
minutes (presentation notes). An eight character password, using the 
full printable ASCII character set, including uppercase, lowercase, 
digits and punctuation, would take 200 years of constant computation to 
crack at this rate.

The second method is the dictionary attack. In this kind of attack the 
attacker has a big list of possible passwords, so that rather than 
having to try every possible combination of letters and numbers, they 
need only try combinations that are likely to be someone's password,
somewhere. Don't be fooled by the name into thinking that this list 
contains only words found in a common dictionary, although that will 
certainly be part of it.

Your typical password cracker will have several dictionaries, ranging 
from a short list of only the most common passwords, up to a 
comprehensive dictionary containing obscure words, names, places, 
phrases and common misspellings. Oftentimes a cracker will use this 
dictionary with itself to generate a list of concatenated words, 
including the addition of digits and punctuation. A password cracker's 
largest dictionary may run into the 10s of gigabytes, and may run for 
days.

The last method is the simplest -- trying passwords manually is the sort
of attempt your little brother might try. Normally this is a negligible
threat -- few attackers have the patience to sit and type out 10
thousand different passwords. The danger here is when the attacker
already has the password: even sticking to low-tech approaches, there
are plenty of ways an attacker can get the password of a careless user.
The easiest is to just read the password, either on the traditional
Post-it note, or on the list of usernames and passwords to company
accounts stuck to the side of the secretary's desk -- if you put your
password in plain sight then you're trusting everyone who steps into
your office to respect your privacy.

Another common trick to look out for is the fake e-mail asking you to 
"verify" your account by sending your username and password through 
e-mail -- in fact delivering it right to the attacker who's trying to 
compromise your account. The success of this scam has led many online 
sites that use password verification to place warnings to inform users 
that they will never request a password through e-mail.


How do you create a good password?

Now that we've identified the who and the how, we can start to think 
about what makes a good password. Clearly the best password is the one 
that provides the most defence against password attacks. For brute force 
attacks, the key factor is the size of the key space, that is, the 
number of passwords that are possible. The more characters that make up
a password, the better, and the more characters that a password can be 
made up of, the better.

For a dictionary attack, the important thing is that the password is as 
random as possible, so that it is unlikely to turn up in any generated 
dictionary of likely passwords -- avoid passwords that contain 
dictionary words, names, places and even dates. For the last type of
attack it's important to make the password memorable enough so that
you're not tempted to write it down anywhere. This is the big problem
with passwords: keeping them memorable enough so that you can keep them
in your brain, but complex and random enough to not be easily generated
by an attacker.

One popular method is generating an acronym: pick some phrase you'll
remember and take the first letter of each word, throw in some
punctuation and you've got something that's easy for you to remember,
but looks completely random to someone who doesn't know how the password
was created. For example, say you're a Bob Dylan fan, you're terrible at
remembering passwords, but you know all the words to Highway 61
Revisited -- you take the first letter of each word in the first line
("God said to Abraham: 'Kill me a son'"), add the name of the song and
end up with a password that looks like GstAKmash61r.

That's a 12-character password with lower and upper case letters, as
well as digits, that looks pretty indistinguishable from any other
string of characters to anyone who doesn't know where it came from. This
makes the
method you used your effective password, since it's all you need to 
regenerate the password. Even if you don't happen to know all the lyrics 
to your song, you can stick them to your cubicle wall and no one will 
think anything of it.

Tips:


The Good
    
* The more possible things your password can be, the harder it is to 
  brute force -- so be creative: use a mix of letters, numbers and 
  punctuation.
    
* Change your password from time to time. While this doesn't make any 
  single password more secure, it can decrease the damage done should 
  someone get a hold of it and means that old password information gives 
  an attacker nothing.
    
* Use memory tricks such as acronyms or mnemonics to help you remember a 
  complicated password.
    
* Use different passwords for different accounts. You wouldn't use your 
  PIN number as your video store password, would you? So avoid having 
  the same password for Web mail and Internet banking.
    
* Break your password up into sections and have a different rule for
  each; this will help make a more random-looking password.


The Bad
    
* Don't assume that because you've done nothing to draw the eye of a 
  password cracker you're safe; most password cracking attempts are made 
  by people who neither know nor care anything about you.
    
* Don't use words that exist in any dictionary in any language anywhere 
  in the world.
    
* Don't use names, even if they're uncommon.
    
* Common misspellings, or replacing letters with numbers that look
  similar, e.g. 1 for L or 0 for O, give you a negligible increase in
  password strength.
    
* Don't leave your password as the default; lists of default passwords
  for a whole range of systems are commonly available on the Internet.
    
* Don't use sequences of characters that appear in a run on the 
  keyboard, such as qwerty or asdf.


The Ugly

The top 10 passwords found in a UK study, as published on the blog
Modern Life Is Rubbish, are as follows. If you see your password here,
or something similar, you might want to think about a change:

   1. 123
   2. password
   3. liverpool
   4. letmein
   5. 123456
   6. qwerty
   7. charlie
   8. monkey
   9. arsenal
  10. thomas
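
As an added example (not part of the original article), this Python
sketch applies the article's brute-force arithmetic and several of its
"Bad" rules to a candidate password, the way a password-policy check
might. The function names, the sample inputs and the look-alike pairs
beyond 1/L and 0/O are assumptions.

```python
import string

GUESSES_PER_SECOND = 900_000  # rate quoted in the article (2.7GHz G5, 2005)
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# The article's top-10 list and its two keyboard-run examples.
COMMON = {"123", "password", "liverpool", "letmein", "123456",
          "qwerty", "charlie", "monkey", "arsenal", "thomas"}
KEYBOARD_RUNS = ("qwerty", "asdf")

# "1" for L and "0" for O are the article's pairs; the others are assumed extras.
LOOKALIKES = str.maketrans({"1": "l", "0": "o", "3": "e", "4": "a",
                            "5": "s", "@": "a", "$": "s"})

CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation + " ")


def keyspace(password):
    """Brute-force search space implied by the character classes in use."""
    alphabet = sum(len(c) for c in CLASSES if any(ch in c for ch in password))
    return alphabet ** len(password)


def average_crack_years(password, rate=GUESSES_PER_SECOND):
    """On average an attacker searches half the space before a hit."""
    return keyspace(password) / 2 / rate / SECONDS_PER_YEAR


def findings(password):
    """Which of the article's 'Bad' rules the password breaks."""
    lowered = password.lower()
    problems = []
    if lowered in COMMON:
        problems.append("on the top-10 list")
    elif lowered.translate(LOOKALIKES) in COMMON:
        problems.append("top-10 password with look-alike substitutions")
    if any(run in lowered for run in KEYBOARD_RUNS):
        problems.append("contains a keyboard run")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs, including the article's own example password.
    for pw in ("4821", "abcdef", "p4ssw0rd", "zxasdf99", "GstAKmash61r"):
        print(f"{pw:14} keyspace={keyspace(pw):.3e} "
              f"avg={average_crack_years(pw):.3e} years  {findings(pw)}")
```

The keyspace figure is an upper bound that only holds against brute
force; a password flagged by findings() falls to a dictionary attack
long before that bound matters.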

Copyright 2007 CNET Networks, Inc. All rights reserved.

