November 27, 2012

Passwords: Trojan Horses of a Different Color

Passwords are dead. Bill Gates said it back in 2004 and many others have echoed that sentiment since then. Sadly, it's probably truer now than ever before, making us all a lot more vulnerable. Consider this:

  • Today, a seven-character password containing only numbers can be cracked almost instantly.
  • Add in upper- and lower-case letters, and that password can be broken in less than 10 hours.
  • Mix in special characters, and the password might survive eight days.
  • Then add a character, and your new eight-character password could hold out for anywhere from 10 seconds to a couple of centuries, depending on its content. (NIST, the National Institute of Standards and Technology, puts its average survival at about 16 minutes.)

These stats apply to hackers' simplest brute-force methods, which test every combination of characters until they hit a password that works. But today's Hackerverse mob has even faster, more persuasive tricks and tools to make passwords spill their guts, including:

  • Automated lists of commonly used (dumb) passwords, like password, 123456, abc123, qwerty, monkey, iloveyou, trustno1, master, admin, mustang and adminpassword.
  • "Dictionary Guesser" programs that throw ordinary words (like football) at login screens in their native languages.
  • "Hybrid Guessers" that append strings like abc, 123, 01 and 02 to dictionary words.
  • Mass theft (and sometimes public release) of tens of millions of active passwords.  We've seen it happen recently with Zappos, Sony, Yahoo, Gmail, Hotmail, AOL, LinkedIn, eHarmony and others.
  • Throwing hacked or stolen passwords at other sites (which works because more than 60% of people unwisely use the same passwords on multiple sites).
  • Networked turbocharged hardware that collaborates to accelerate all of the above.

With these in the game, a nine-character password that at one time might have taken brute-force tools thousands of years to crack could now fall in minutes or hours. So how secure are the five- to eight-character alphanumeric passwords that 70% of us still use?

Strength Necessary, But Not Sufficient

Yes, passwords are dead (or at least dying) simply because they are ASCII strings.  And regardless of their strength, TechRepublic is calling 2012 "The Year of the Password Theft." Hackers are cracking, stealing and sharing passwords so fast that thefts in this year's third quarter are running 300% above 2011's numbers. Looked at another way, a recent survey of 583 U.S. companies found that 90% of respondents' computers were hacked at least once during the past year. This situation will only degrade as hackers grow more creative and their tools increase in power.

So what can you do to protect your passwords and identity? Common wisdom says that passwords:

  • Should be at least 10 characters long (and preferably 12 to 16).
  • Should mix numbers, mixed-case letters and special characters.
  • Shouldn't contain personal data like names, addresses or birthdates, or words that can cave to Dictionary Guessers.
  • Shouldn't be simple variants of passwords you've used before, like mypassword01, mypassword02 and mypassword03 (because if cyber thugs crack one version, they'll try the others).
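One way to enforce the four rules above, including the "simple variant" check, as an added example that is not code from the column or its author; the dictionary and personal-data lists are constructed samples, and the similarity threshold is an assumption.

```python
import difflib
import re
import string

MIN_LENGTH = 10                                   # column: at least 10, preferably 12 to 16
DICTIONARY_WORDS = ["football", "password", "liberty", "monkey"]   # constructed sample
PERSONAL_DATA = ["alice", "smith", "1985", "mainstreet"]            # constructed, per user


def _stem(pw):
    """Lower-case and drop a trailing run of digits/symbols: mypassword01 -> mypassword."""
    return re.sub(r"[\d\W_]+$", "", pw.lower())


def is_simple_variant(new_pw, old_pw):
    """True if new_pw is old_pw with a different suffix, or with only a character or two changed."""
    stem_new, stem_old = _stem(new_pw), _stem(old_pw)
    if stem_new and stem_new == stem_old:
        return True
    # assumption: 80% sequence similarity is close enough to count as a variant
    similarity = difflib.SequenceMatcher(None, new_pw.lower(), old_pw.lower()).ratio()
    return similarity >= 0.8


def check_password(pw, history=()):
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    has = [any(c.isdigit() for c in pw), any(c.islower() for c in pw),
           any(c.isupper() for c in pw), any(c in string.punctuation for c in pw)]
    if not all(has):
        problems.append("must mix digits, lower-case, upper-case and special characters")
    low = pw.lower()
    if any(item in low for item in PERSONAL_DATA):
        problems.append("contains personal data")
    if any(word in low for word in DICTIONARY_WORDS):
        problems.append("contains a dictionary word")
    if any(is_simple_variant(pw, old) for old in history):
        problems.append("simple variant of a previous password")
    return problems
```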

Some suggest that mnemonics may produce the strong passwords of tomorrow.  For example: the phrase "Give me liberty or give me death" would become Gmlogmd.  Passwords like these would be easy to remember and might even slow some of the hackers' fancier tools. But mnemonics are still ASCII strings that would fall to brute-force guessers and outright theft just as rapidly (or slowly) as other passwords of the same length and content. 

So password strength is rapidly becoming a weak barrier.

Users Not Helping

Beyond such tech issues, human factors aren't helping. People still:

  • Use short, weak and even well-known stupid codes like password, 123456, admin and monkey, which are easy to remember and even easier to crack.
  • Use simple variants of one password, which compromises all variants if any of them is guessed or stolen. (Your access-control systems should force users to change their passwords regularly, but simple variants of previous passwords shouldn't be allowed.)
  • Use the same password on multiple accounts including (dangerously) social networks.  (The reported average seems to be 6.5 passwords for every 25 accounts.) This makes it much easier to steal identities and trash people's e-lives when a password is stolen from any one of the user's accounts.
  • Share passwords with others.
  • Respond to phishing emails from "trusted" organizations like Facebook, claiming that the recipient needs to click a link to reset a password. (Users should reset passwords only through their personal account pages, not through emailed requests.)

Some of these factors (like the first two) can be tightened with security technology. But IT managers must also address those that can't (like the last three) with published policies and procedures covering all data devices used in the organization.

Yes, strong passwords remain important.  But Web sites and ecommerce systems still use passwords more than any other type of access control.  So people must continue to use (or start using) very strong ones.

Serious Times

All industries need to pay attention to the password problem. But the Norton Cyber Crime Index has identified four sectors that have recently experienced the most password-based identity theft: computer hardware (31.6% of ID thefts), telecommunications (22.2%), software (17.6%), and government (12.4%).  IT departments in these industries (plus finance, which is always a target) should be especially concerned about how their systems assign and manage passwords.

It'll only get worse. Bill Gates may have warned us before we were ready to hear. But passwords' death knell is sounding even more strongly today. The password controls that make us feel safe now are growing more and more porous. They're becoming Trojan Horses outside (and inside) our walls. Horses of a different color. Horses of our own making.

Next month, we'll discuss some common IT procedures that may be making the situation worse, and some potentially stronger access controls that are being tested. See you then!



Lately, I’ve wondered whether the so-called “strong” passwords (like 71_8+#hjI*6Nb) are any more secure than “weak” ones of the same length (like adminpassword). With hackers using automated guessers like Cain and Abel, ElcomSoft, Hashcat, Hydra and John the Ripper, aren’t all passwords of the same length as statistically secure (or insecure) as each other?

That may be true in a limited mathematical sense. But in your example, a simple brute-force tool that starts its tests with strings beginning with numbers and progresses from them into strings beginning with letters could theoretically catch your first “strong” password sooner than the second “weak” one. However, hackers have other ways to capture, steal or phish passwords away from us more subtly and rapidly than through brute-force methods alone.
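The question above, whether 71_8+#hjI*6Nb and adminpassword are equally secure, can be put in numbers. Below is an added example (not code from the column or its author) that ranks a password by the cheapest of the strategies the column lists: common-password list, dictionary words, hybrid word-plus-suffix guesses, and only then exhaustive brute force. The word lists are constructed samples and the guess rate is an assumption.

```python
import string

# Constructed sample lists, in the order an automated guesser would try them;
# real tools use far longer lists, but the ranking logic is the same.
COMMON_PASSWORDS = ["password", "123456", "abc123", "qwerty", "monkey", "iloveyou",
                    "trustno1", "master", "admin", "mustang", "adminpassword"]
DICTIONARY_WORDS = ["football", "liberty", "monkey", "admin", "password"]
HYBRID_SUFFIXES = ["abc", "123", "01", "02"]
GUESSES_PER_SECOND = 1e9     # assumption: one commodity cracking rig against a fast hash


def charset_size(pw):
    """Smallest standard character set covering pw (digits, lower, upper, symbols)."""
    size = 0
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)          # 32 printable ASCII symbols
    return max(size, 1)


def guesses_to_find(pw):
    """Return (strategy, number of guesses) for the first strategy that hits pw."""
    tried = 0
    if pw in COMMON_PASSWORDS:                       # 1. common-password list
        return "common-list", COMMON_PASSWORDS.index(pw) + 1
    tried += len(COMMON_PASSWORDS)
    if pw in DICTIONARY_WORDS:                       # 2. plain dictionary words
        return "dictionary", tried + DICTIONARY_WORDS.index(pw) + 1
    tried += len(DICTIONARY_WORDS)
    for i, word in enumerate(DICTIONARY_WORDS):      # 3. hybrid: word + short suffix
        for j, suffix in enumerate(HYBRID_SUFFIXES):
            if pw == word + suffix:
                return "hybrid", tried + i * len(HYBRID_SUFFIXES) + j + 1
    # 4. nothing clever works: exhaustive search of the whole keyspace
    return "brute-force", charset_size(pw) ** len(pw)


def seconds_to_crack(pw):
    """Worst-case time for the cheapest strategy at the assumed guess rate."""
    return guesses_to_find(pw)[1] / GUESSES_PER_SECOND
```

Both example passwords are 13 characters long, yet adminpassword falls on the eleventh guess while the random string forces a search of 94^13 combinations.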

First, kudos on an excellent recap of what's wrong with most passwords used today and why. A couple of questions:

You describe the speed of brute-force cracking, but isn't that making an assumption about availability of a password hash to crack? For example, to crack an iPhone passcode, you need physical possession of the phone (or remote access to the phone via SSH).

You mention mnemonics -- "For example the phrase Give me liberty or give me death would become Gmlogmd." What about using the entire phrase (adjusted to deter dictionary attack)? Isn't "Giv me liberty -or- giv me death!" long and complex enough to deter brute force and dictionary attack while being easy enough to remember?

Ultimately, I find the human factors you cited to be an Achilles heel for passwords. As long as credentials are something that can be written down, easily shared, and readily obtained via phishing, these will continue to be extremely difficult weaknesses to mitigate.

In the 40+ years that I have worked with computers I have always believed that "invalid signon" responses should never be sent immediately. The software doing the validation should wait before sending the reject. This would slow down brute force guessing. A human being would not notice a short delay in the day of the 300 baud modem and they would probably not notice it today. With the speed of the internet and the ability to use multiple connections simultaneously, there would also have to be some sophistication to detect and reject connection attempts from the same source during the invalid signon delay.

Hey Thanks Lisa! Yes, those stats are based on brute-force attempts against a traditional PC-based login screen. And mobile devices certainly add a layer of difficulty to hackers' jobs. But the poor Wired writer that I described in my previous column certainly shows that evildoers don't have to possess a mobile device to hack into it. Any centralized Web site that it normally logs into can serve as an access portal.

And your mnemonic example would indeed be stronger, though a bit harder to remember... which was the original point in favor of the mnemonic. "Let's see... Which words did I truncate, and where did those darned dashes go?" But again, it's simply another ASCII string... just longer than the less secure "Gmlogmd". So it too could possibly fall as quickly (or slowly) as any other mixed ASCII string of the same length.

Yes, sadly, the human factor will always be security's greatest weakness!

And thanks again for the great thoughts!

Talk of such cracking speeds generates Fear, Uncertainty, and Doubt! And while such estimates are certainly accurate/reasonable, they also assume that the hacker has access to the encrypted password to compare against. So today, more than ever, the strength of a password also needs to account for the security of the password file itself.

Lest it seem otherwise, I'm not suggesting that passwords are fine for all applications, but they do remain adequate for sites/applications that maintain reasonable levels of overall security... including encrypted password storage. And if they don't maintain such levels, I suspect the sites have bigger issues to deal with.

Thanks so much Elmer... Those are neat suggestions. If anyone would like to test and report back, please post an update here!

Most sites I use lock you out after several incorrect attempts. Then you have to wait 24 hours or have an administrator reset your password. How do your brute force methods overcome even weak passwords given that limitation?

Very good points, Mitch. You are touching on something I'll mention again in my December column. Password files should indeed be encrypted in the system itself to make it tougher for intruders to guess (or grab) them. But this isn't always done. In particular, some Open Source password management systems apparently store user passwords as plain text, which should never be done!
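An added example, not code from the column or the commenters, of what storing passwords other than in plain text looks like in practice: a per-user salted, iterated PBKDF2 hash that can confirm a login but does not reveal the password if the file is stolen. The iteration count is an assumption.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000     # assumption: tune so one verification costs tens of milliseconds


def hash_password(password, salt=None):
    """Return a 'pbkdf2$iterations$salt$hash' record (hex fields) with a fresh 16-byte random salt."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2$%d$%s$%s" % (ITERATIONS, salt.hex(), digest.hex())


def verify_password(password, stored):
    """Recompute the hash with the stored salt and iteration count; compare in constant time."""
    try:
        scheme, iterations, salt_hex, hash_hex = stored.split("$")
    except ValueError:
        return False                       # malformed record (e.g. a plain-text entry): no match
    if scheme != "pbkdf2":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), hash_hex)
```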

Thanks Dave for bringing up still another "best practice" that should be done, because it would help to slow cracking attempts. But it isn't as widespread in my experience. Part of the reason for the "looseness" I've seen at many sites I use may be that the classic Three-Strikes-and-You're-Out protocol is sometimes perceived as a terrible inconvenience for the growing number of users who forget their passwords. So some IT people I know have actually loosened (or even eliminated) this barrier. But as you point out, it's still a good idea!
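An added example (not code from the column or the commenters) of the delayed-reject and three-strikes controls discussed above: each rejection is held for a growing delay, attempts from the same source that arrive during that delay are refused outright, and the third failure locks the account/source pair for 24 hours. The delay is returned rather than slept so the caller can schedule it; the account name and address are constructed.

```python
import time
from collections import defaultdict

MAX_FAILURES = 3             # three strikes and you're out
LOCKOUT_SECONDS = 24 * 3600  # 24-hour lockout, as described in the comment above
BASE_DELAY = 1.0             # seconds to hold the first rejection; doubles on each failure


class LoginThrottle:
    """Per (account, source) failure tracking: delayed rejects, then lockout."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock                       # injectable for testing
        self.failures = defaultdict(int)         # consecutive failures per key
        self.locked_until = {}                   # key -> lockout expiry time
        self.hold_until = {}                     # key -> end of the current reject delay

    def attempt(self, account, source, verify):
        """verify() checks the credential; returns (accepted, seconds to hold the reject)."""
        key = (account, source)
        now = self.clock()
        if self.locked_until.get(key, 0.0) > now:
            return False, 0.0                    # locked: refuse without checking the password
        if self.hold_until.get(key, 0.0) > now:
            return False, 0.0                    # parallel attempt during a pending delay
        if verify():
            self.failures.pop(key, None)         # success clears the strike count
            return True, 0.0
        self.failures[key] += 1
        delay = BASE_DELAY * 2 ** (self.failures[key] - 1)   # 1 s, 2 s, 4 s, ...
        self.hold_until[key] = now + delay
        if self.failures[key] >= MAX_FAILURES:
            self.locked_until[key] = now + LOCKOUT_SECONDS
        return False, delay


def simulate():
    """Constructed run: three bad guesses, each followed by a parallel retry, then the right one."""
    clock = [0.0]
    throttle = LoginThrottle(clock=lambda: clock[0])
    results = []
    for _ in range(3):
        results.append(throttle.attempt("alice", "203.0.113.7", lambda: False))
        clock[0] += 0.5                          # retry arrives while the reject is still held
        results.append(throttle.attempt("alice", "203.0.113.7", lambda: False))
        clock[0] += 10.0
    results.append(throttle.attempt("alice", "203.0.113.7", lambda: True))
    return results
```

In the simulated run the held rejections grow 1 s, 2 s, 4 s, the in-delay retries are refused, and the correct password is refused too because the pair is already locked out.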

Additionally, many places restrict the length of passwords and the characters they can contain, making it difficult to generate really strong passwords. A bank card I have permits only four numbers?!?!?!

I had the very same experience with online access to one of my bank accounts, and switched banks. Their restrictions endangered both me and them. Not wise in this day and age!

I find that many complex passwords are compromised because lazy users refuse to memorize them. Instead, they write them down and place them within reach of the keyboard. As a result, a combination of biometrics (fingerprint scanning) and passwords seems to offer a more secure solution.

See my blog entry from a couple of years back about a very useful password tool you can carry with you or even use online for password tracking. A password reminder to carry with you:

Very true, but sadly, the extra cost of biometric scanners seems to have dissuaded many users. In more than 15 years working closely with a variety of IT departments, I've encountered only one biometric access-control implementation. And it was for the CEO's private notebook. Nobody else in the firm had it!

Fascinating, Troy! This is remarkably similar to the "Book Ciphers" that have been used for centuries. (They're also apparently called "Arnold Ciphers" because Benedict Arnold used Book Ciphers during the Revolutionary War.) In my case, even these cards might have trouble coping with my nightmarish cloud of secure (and different) passwords for my accounts. This good practice boosts my security, but it would also require me to assemble, label, and carry an entire deck of cards! And while these cards would make it easier to remember my passwords, the fact remains that the resulting passwords are still alphanumeric, and just as susceptible to hacking, phishing and theft. See the next installment of this column for more thoughts on that...and thanks for the interesting suggestion, Troy. It just might help others!


Webtorial® is a registered servicemark of Distributed Networking Associates. The Webtorial logo is a servicemark of Distributed Networking Associates. Copyright 1999-2015, Distributed Networking Associates, Inc.