Password Strategies – Part One

19. March 2013 Security 12

Allow me to introduce Bob Williams, he is 49 years of age born in 1964, lives in New York but was born in France and he is a Taurus.
Two dogs named Hank and Frank, he uses a Mac Pro, loves orange juice and of course he loves his wife Shannon.

Just a few random facts, which are completely made up by the way, which we’ll use as a standard. Bob Williams will most likely use passwords such as:
• bob1964 – for his Mac
• hankandfrank – for his Facebook
• france2newyork – for his office computer
• OJforlife – for his email
• iloveshannon – for his online banking

After reading about all these hackers lately and malware being on the rise he went in and changed his password to make them much more difficult to guess:
•B0bWilli4ms64
• Hank&Frank
• Fr4nce2NewY0rk
• OJ4Life!
• i<3Shannon

If anyone is to figure this out it will take them billions of guesses, many many years of trying and unlimited access to my computer. This will never happen so i’m safe!
Sorry Bob, you’re wrong.

Like Bob, many people pick passwords that are easy to remember and therefore have specific personal information in them. Pet names, dates, locations, spouses etc.
Of course! Passwords are useless if you can’t remember them so they need this information in them. Lately online services have been asking their users to incorporate other things into their passwords. You’ll have stumbled upon something like this at least once: “Your passwords needs at least 6 characters, one capital letter and one number”.
While this used to make passwords more secure this is not necessarily the case anymore. Why? Because most people are implementing these new requirements in the same way.

At least 10 (or more) characters:
Most people will use the information above and add a number to it. If Bob had to have picked a 6 character password he would have chosen “BobW64”. As most people, he would have just picked the first 4 characters of his name, wife’s or dog’s name and slap a number behind it. A lot of people follow this pattern and patterns, if enough people do it, are a cracker’s aid to deciphering your password.

Capital letter:
Most people will always put the capital letter first and/or at the beginning of every word (BobWilliams64). The fact that most people do this will make guessing the password easier, if a capital letter is required it is almost always the first character.

A Number:
The required number in a password is almost always at the very end for most folks. You’d be surprised how many people still use “password1” as their main password. Combine this pattern with user information like birth year, apartment number, wedding year etc and a cracker is well on his way to narrowing the search for your password.

These are just samples that are very simplified but i hope you get the gist of it, people use different passwords but almost all of them follow the same patterns. Now you might be thinking that even with this information there are still millions of possible letter, number and symbol combinations and you are correct. Here’s the thing though, that password cracker is not a guy hiding in a dark basement with a stack of dictionaries and a notepad. It is someone with a very powerful computer that, when used properly, can perform billions of guesses per second. Yes you read it right. Billions.

By using enormous word lists containing almost every dictionary on the planet and combining those with lists of known passwords (you may have read about facebook and twitter being hacked, those hacked passwords were all published online), most crackers don’t even need to use brute force (crunch all possible number, letter and symbol combinations), they can just compare your password key against those word files until a match is found. If you are one of the people that uses “Password1” as a password, it would take the average computer less than half a second to find it.

I can not give you the ultimate key to a crack-free password, there is no such thing. But you can most certainly make it very hard or near impossible for someone to crack yours.
Some guidelines:
• No names, at all.
• No dates or years.
• None of the above spelled backwards.
• Don’t use common substitutes where the o becomes a zero, the a becomes a 4 etc.
• At least eight (preferably ten) characters. Complexity is good but length is also very important.
• Put capital letters and numbers at ranDom places, not just the beginning.

I’m sure there are more good tips but this is a good start. If your password do not currently meet any of these requirements please stop reading now and go fix it. Don’t worry, this post is not going anywhere, it’ll still be here when you come back.

Now that you have changed your passwords you are most likely left with sticky notes containing all your new passwords (don’t ever write your passwords down please) because if you used the above mentioned guidelines, your passwords contain a lot of random stuff that is not easy to remember. This is where you might want to research a good password manager. I use 1Password for both my phone and my Mac but there are many of them out there, do some research and pick a good one if you need it.

Like i said, there is no password that can’t be cracked given enough time and resources. That’s why it is important to change your password regularly. Not every day but i’d say at least once a month, more often for passwords that protect really important stuff such as your online banking or your computer. This way, even once your password is cracked, by the time a hacker tries to use it, you will have moved on to another password.
Try to not recycle password or develop patterns. It will be tricky but it will keep you much safer if done properly.

There is plenty more to say on this subject that’s why i named this Part One. Until i write a follow-up post, get started on changing your passwords 🙂

I got around to writing a follow-up a lot faster than i thought i would, here it is.


12 thoughts on “Password Strategies – Part One”

Leave a Reply

Your email address will not be published. Required fields are marked *

*