“I needed a password eight characters long so I picked Snow White and the Seven Dwarves.”
Password security and the need for strong passwords (as required by the University Password Policy) is being promoted at the moment, for a variety of reasons. Not least is that a number of security incidents relating to weak passwords have come to light over the last few months. Passwords are tedious to generate, difficult to remember, and not even a particularly good solution to the problem of authentication, but unfortunately we are somewhat stuck with them. And despite the best efforts of those trying to provide single sign-on solutions, the number of passwords we have seems to be increasing. Whilst we are concerned mainly with the security of University accounts, these tips also apply to your own private account passwords. Everyone keeps banging on about the need for strong passwords, but why?
Why Strong Passwords?
The short answer is that weak passwords can be “guessed” by people whose business is compromising accounts. Not by actually guessing what a password is but by using automated tools for cracking passwords. There are two ways of “guessing” passwords with automated tools.
- By obtaining a “password hash”, an attacker can run through a list of candidate passwords, hash each one, and compare the generated hash with the one they obtained. If a candidate password generates a hash that matches the password hash, then the password is known. Password hashes can often be obtained by capturing network packets containing a login between a user and an application with weak security (and there are lots).
- By running through a list of candidate passwords and attempting to use an authenticated service, an attacker may be able to determine which are valid passwords.
When people hear about this, they often assume that the list of candidate passwords is quite small, because they imagine how hard it would be to run through a long list by hand. Actually it is surprisingly easy, and relatively fast, especially considering how poor many passwords are. Attackers also operate with unusual dictionaries specially tuned for finding words used in passwords. Whilst it is possible that the word in your password is not in an attacker’s dictionary, it is unwise to assume that it is not there. Having seen some attackers’ dictionaries, I can tell you that you will be quite surprised just how many words (and in languages other than English) appear in such dictionaries. In addition, many of the simple transformations that have historically been used to make words less obvious – such as changing vowels for digits (“p3ssw0rd”) – are well known to the attackers, and password cracking software usually makes some attempt to try those transformations. In summary, almost any simple password based around a word (whatever kind of word!) can be counted as a weak password that an attacker can obtain relatively easily. Strong passwords are essential.
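The point above is that “p3ssw0rd” is no stronger than “password”, because the substitutions are part of the cracker’s routine. A password checker used at password-set time should therefore undo those transformations before looking the result up in a wordlist, rather than accepting anything that merely contains a digit. The following is an added illustration, not code from this blog or from any University system; the tiny wordlist and the substitution table are constructed for the example (a real checker would load a large, multi-language list).

```python
import itertools
import re

# Constructed toy wordlist standing in for an attacker's tuned dictionary.
SAMPLE_DICTIONARY = {
    "password", "welcome", "letmein", "dragon", "monkey",
    "sommer", "qwerty", "bellow",
}

# Substitutions that cracking tools routinely try: each digit or symbol maps to
# the letter(s) it commonly stands in for ("1" is ambiguous between i and l).
LEET_ALTERNATIVES = {
    "0": "o", "1": "il", "3": "e", "4": "a", "5": "s",
    "7": "t", "@": "a", "$": "s", "!": "i",
}


def undo_substitutions(candidate: str, limit: int = 256):
    """Yield the lower-cased candidate and every plausible de-leeted spelling.

    Each substitutable character is tried both unchanged and as each letter it
    may stand for; `limit` bounds the expansion for very long inputs.
    """
    options = [
        c + LEET_ALTERNATIVES[c] if c in LEET_ALTERNATIVES else c
        for c in candidate.lower()
    ]
    for combo in itertools.islice(itertools.product(*options), limit):
        yield "".join(combo)


def dictionary_stem(candidate: str, dictionary=SAMPLE_DICTIONARY):
    """Return the wordlist entry the candidate is built on, or None.

    Leading and trailing digits/punctuation ("dragon2012", "p4ssw0rd!") are
    stripped, since appending them is another well-known transformation.
    """
    for spelling in undo_substitutions(candidate):
        stem = re.sub(r"^[^a-z]+|[^a-z]+$", "", spelling)
        if stem in dictionary:
            return stem
    return None


def is_weak(candidate: str) -> bool:
    """A password is weak if it is short or reduces to a single wordlist entry."""
    return len(candidate) < 8 or dictionary_stem(candidate) is not None


if __name__ == "__main__":
    for pw in ["p4ssw0rd!", "Dragon2012", "L3tm31n!!", "kift-bellow-bonE"]:
        print(f"{pw!r}: weak={is_weak(pw)} stem={dictionary_stem(pw)}")
```

Note that the multi-word example “kift-bellow-bonE” passes even though “bellow” is in the wordlist: the checker looks for a password that *is* a transformed word, which is exactly the class the paragraph describes as easy to crack.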
How To Remember Passwords
The standard advice for passwords is to remember them and not write them down. Generating strong and memorable passwords is a bit of an art (but certainly possible), but remembering dozens of even memorable strong passwords is not something that comes easily to many people. Not even me! Writing down passwords can be done safely if it is done properly. The classic mistake of writing down a password on a Post-it note and sticking it to the underside of your keyboard is not the right method. The right method is to use an application (such as KeePass) which records passwords in a strongly encrypted file.
Don’t Share Passwords
This phrase has two meanings … Firstly, account passwords should not be shared with other people. This includes but is not limited to :-
- Don’t email them when you are asked to.
- Don’t fill in a web form asking for your password if you received the link in an email (no matter how legitimate it looks).
- Don’t tell people what your password is when asked. No matter who asks.
- Avoid entering your password where people may be overlooking you. This may seem excessively paranoid when you are entering your password in your office, but it is not so paranoid when you are entering your password in a crowded cyber café.
Secondly, it is also inadvisable to share your passwords across multiple different systems. Your banking passwords should not be the same as your social networking passwords, which in turn should not be the same as your work password. This limits the amount of damage that can be caused by one password being compromised.
So How Do I Generate A Strong Password?
There are many, many different pages suggesting how you might generate a strong password. There are even cartoons on the subject (Source: XKCD). Whatever method you use, you need a method that works for you. However, our suggestion is a variation on the method in that cartoon :-
- Pick three to four words of at least three letters in length.
- Capitalise one of the letters in some of the words … and the first letter is not a good choice.
- String the words together with a random punctuation symbol (“-“, “=”, “+”, “@”, “#”, etc.). There is no need to use different symbols; just pick a favourite symbol.
This leads to the kind of password that meets policy criteria (which more usually encourages passwords such as “zup12#$$9zz”), is easier to remember, and most importantly of all is strong. Some examples of the kind of password this generates include :-
- kift-bellow-bonE
- quick#purple#trumpeT
- optionS%Bullet%tree%gum
- kiN*Boggle*zap*Bug
These all look long and difficult to type; however in practice they are much easier than they look, and can be surprisingly quick to type.