P@ssW0rd1! How Secure is Your Secure Password?
Security professionals have preached the mantra of using secure passwords
for years, but what constitutes a secure password? People often point to the
minimum password standards employed by companies (at least 8 characters, using
upper- and lower-case letters, numbers, and special characters) as defining a strong
password. Done properly, this can definitely produce a strong password, but
are many of us actually using this standard correctly? If not, the result can
be just as insecure as a password that doesn't meet the minimum
standard at all.
I recently attended a WhiteHat training session on secure
application development that was delivered by secure coding expert Jim Manico. During the training Jim discussed
some very interesting research on passwords that the security provider KoreLogic
had performed. He even told our class
about a $2k machine made up of several gaming processors that can guess an
average of 20 billion passwords a second.
KoreLogic's research revolved mainly around human behavior and password
topologies: the patterns of character classes (upper, lower, digit, special) we fall into when we form our passwords.
Normally a password becomes more difficult to crack as we
add length and complexity. For instance, exhaustively guessing an 11-character password drawn from
upper/lower case letters, numbers, and special characters would take almost 8,900
years at the 20 billion guesses a second quoted above. But as complex password
policies have been enforced around the world, a predictable pattern has
evolved in user passwords. The
result is passwords that technically meet the password standard but
do little to provide security because they are so predictable. For
example, if I create a new password of P@ssw0rd1!, sure, I have met the
requirements of the policy, but my password topology is so common that it is
easily guessed. KoreLogic fed some of these common topologies to a password cracking tool as the patterns to try first
and ran it on one of those $2k machines mentioned above. The result was an 11-character
"strong" password being cracked in about 4 hours as opposed to 8,900
years.
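To make that comparison concrete, here is an added Python example (not code from the post or from KoreLogic) that maps a password to its topology in hashcat-style mask notation, computes the keyspace a topology-driven attack has to search versus a full brute-force search, and counts topologies across a sample the way the research did. The 20 billion guesses a second is the post's figure; the class sizes (26 lower, 26 upper, 10 digits, 33 specials, 95 printable ASCII characters in total) and the sample passwords are this example's own assumptions, and the sample is constructed, not real leaked data.

```python
import math
import string
from collections import Counter

# Assumed character-class sizes for the four hashcat-style classes over
# printable ASCII (?l lower, ?u upper, ?d digit, ?s special): 95 characters total.
CLASS_SIZE = {"?l": 26, "?u": 26, "?d": 10, "?s": 33}
FULL_ALPHABET = 95
GUESSES_PER_SECOND = 20_000_000_000   # the 20 billion/s rig quoted in the post
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def topology(password):
    """Map a password to its topology (hashcat mask): each character becomes
    the class it belongs to, e.g. 'P@ssw0rd1!' -> '?u?s?l?l?l?d?l?l?d?s'."""
    out = []
    for ch in password:
        if ch in string.ascii_lowercase:
            out.append("?l")
        elif ch in string.ascii_uppercase:
            out.append("?u")
        elif ch in string.digits:
            out.append("?d")
        else:
            out.append("?s")
    return "".join(out)


def mask_keyspace(mask):
    """Candidates a mask attack must try: the product of the class sizes."""
    classes = [mask[i:i + 2] for i in range(0, len(mask), 2)]
    return math.prod(CLASS_SIZE[c] for c in classes)


def full_keyspace(length):
    """Candidates for exhaustive search over all printable ASCII."""
    return FULL_ALPHABET ** length


def years_to_exhaust(keyspace, rate=GUESSES_PER_SECOND):
    """Worst-case time to run through a whole keyspace at the given rate."""
    return keyspace / rate / SECONDS_PER_YEAR


def topology_frequencies(passwords):
    """Count how often each topology occurs in a sample: the statistic that
    decides which masks a cracker should run first."""
    return Counter(topology(p) for p in passwords)


# Constructed sample in the style of the post's examples (not real data).
SAMPLE = ["Summer2014", "Autumn2012", "Spring2013", "Winter2013!", "Spring2014!",
          "WeakSauce2014!", "P@ssw0rd1!", "Welcome1!", "Oct0b3r!", "N0v3mb3r!"]

if __name__ == "__main__":
    pw = "P@ssw0rd1!"
    mask = topology(pw)
    seconds = years_to_exhaust(mask_keyspace(mask)) * SECONDS_PER_YEAR
    print(f"{pw} -> {mask}")
    print(f"mask keyspace {mask_keyspace(mask):.3e} ({seconds / 60:.0f} minutes)")
    print(f"full keyspace, 10 chars: {years_to_exhaust(full_keyspace(10)):,.0f} years")
    print(f"full keyspace, 11 chars: {years_to_exhaust(full_keyspace(11)):,.0f} years")
    for mask, count in topology_frequencies(SAMPLE).most_common(3):
        print(f"{count:2d}  {mask}  keyspace {mask_keyspace(mask):.2e}")
```

Run as a script, it shows the gap the post is describing: the mask for P@ssw0rd1! has a keyspace of about 3.4e13, under half an hour at 20 billion guesses a second, while brute-forcing all 10-character strings would take about 95 years and all 11-character strings roughly 9,000 years, in line with the post's 8,900-year figure. The mask time is a worst case; a cracker ordering masks by frequency, as the sample count illustrates, finds most matching passwords well before exhausting the mask.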
KoreLogic's presentation on the topic puts it this
way:
“Complexity rules result in users choosing and placing their uppers,
lowers, numbers, and specials in predictable ways:
● Capitalize the first letter(s) of words (WeakSauce)
● Numbers likely to be at the end, and to be a year (WeakSauce2014)
● Add specials to the end (WeakSauce2014!)
● Predictable character choice - '!' is the most common special
character by a huge margin”
KoreLogic also describes another common mistake that reduces
the overall security of our passwords:
"Password rotation results in users simply modifying their old
passwords in predictable ways:"
● “Oct0b3r!” → “N0v3mb3r!”
● “Winter2013!” → “Spring2014!”
● “qWErt78()” → “wERty89)_”
In short, using a predictable pattern reduces the time it
takes a computer to guess your password. Luckily, I have some advice on how
to create a strong password or passphrase that will keep your account safe:
· Use more than 8 characters, mixing upper- and lower-case letters, numbers, and special characters.
· Avoid using predictable password topologies like the ones above.
· Avoid using plain dictionary words with characters substituted for their common equivalents (for example @ for the letter a, $ for s, 1 or ! for i and l, + for t, 3 for e, and so on); cracking rules undo these substitutions automatically.
· Use a password manager that offers a random password generator. That way you have a strong password that you don't need to remember, because the password manager remembers it for you.
· Use long passphrases with varying character types instead of single words.
These simple tips should help ensure that your strong
password really is strong.
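The tips above can be turned into a checker. The following is an added Python example, not code from the post, that undoes the substitutions listed above before looking for dictionary words, flags the placement habits KoreLogic described (capitals at the start of words, digits and specials only at the end, a trailing year, a trailing '!'), and generates random passwords and passphrases with the `secrets` module that pass its own checks. The two word lists are constructed for the demo, and the thresholds (12 characters minimum, dictionary words tolerated only from 20 characters up) are this example's assumptions, stricter than the post's "more than 8".

```python
import re
import secrets
import string

# Constructed mini-dictionary for the demo; a real check loads a large wordlist.
WORDLIST = ("pass", "word", "password", "weak", "sauce", "welcome", "summer",
            "winter", "spring", "autumn", "october", "november", "secret",
            "dragon", "monkey", "letmein", "qwerty")
# Constructed passphrase list; in practice use a large published list.
PASSPHRASE_WORDS = ("harbor", "velvet", "cactus", "lantern", "orbit", "pepper",
                    "glacier", "walnut", "saddle", "meadow", "copper", "falcon")
# Thresholds are this example's assumptions, not the post's.
MIN_LENGTH = 12          # minimum for a random password
PASSPHRASE_LENGTH = 20   # from here on, dictionary words are expected
# Reverse of the substitutions the post lists (@ a, $ s, 1 and ! for i or l,
# + t, 3 e) plus 0 for o as in P@ssw0rd.
LEET = {"@": "a", "$": "s", "1": "il", "!": "il", "+": "t", "3": "e", "0": "o"}


def deleet_candidates(password, limit=256):
    """Undo leet substitutions. A symbol with two readings ('1' -> 'i' or 'l')
    forks the candidate set; 'limit' keeps that from blowing up."""
    candidates = [""]
    for ch in password.lower():
        candidates = [c + letter for c in candidates
                      for letter in LEET.get(ch, ch)][:limit]
    return set(candidates)


def dictionary_words(password):
    """Dictionary words of four or more letters hidden in the password once
    substitutions are undone; 'P@ssw0rd1!' yields pass, password, word."""
    found = {w for cand in deleet_candidates(password)
             for w in WORDLIST if len(w) >= 4 and w in cand}
    return sorted(found)


def predictable_patterns(password):
    """The placement habits KoreLogic observed, each reported by name."""
    findings = []
    core = password.rstrip(string.digits + string.punctuation)
    if re.fullmatch(r"(?:[A-Z][a-z]+)+", core):
        findings.append("capitals only at the start of words")
    if re.search(r"(?:19|20)\d\d[^A-Za-z0-9]*$", password):
        findings.append("ends with a year")
    if re.fullmatch(r"[A-Za-z]+\d+[^A-Za-z0-9]*", password):
        findings.append("digits only at the end")
    if re.fullmatch(r"[A-Za-z0-9]+[^A-Za-z0-9]+", password):
        findings.append("specials only at the end")
    if password.endswith("!"):
        findings.append("ends with '!', the most common special")
    return findings


def check_password(password):
    """Apply the post's tips; an empty list means nothing was flagged."""
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    classes = (any(c.islower() for c in password), any(c.isupper() for c in password),
               any(c.isdigit() for c in password),
               any(c in string.punctuation for c in password))
    if not all(classes):
        findings.append("missing upper, lower, digit or special characters")
    if len(password) < PASSPHRASE_LENGTH:
        words = dictionary_words(password)
        if words:
            findings.append("built from dictionary words: " + ", ".join(words))
    findings.extend(predictable_patterns(password))
    return findings


def generate_password(length=20):
    """Random password from a CSPRNG; candidates the checker flags are
    discarded, so the result always passes check_password()."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(candidate):
            return candidate


def generate_passphrase(n_words=5):
    """Random words joined by a random separator, one word capitalized and
    two digits appended, so all four character classes appear."""
    words = [secrets.choice(PASSPHRASE_WORDS) for _ in range(n_words)]
    i = secrets.randbelow(n_words)
    words[i] = words[i].capitalize()
    sep = secrets.choice("-_.,;:")
    digits = "".join(secrets.choice(string.digits) for _ in range(2))
    return sep.join(words) + sep + digits


if __name__ == "__main__":
    for pw in ("P@ssw0rd1!", "WeakSauce2014!", "Oct0b3r!", generate_password(), generate_passphrase()):
        print(f"{pw!r}: {check_password(pw) or 'ok'}")
```

P@ssw0rd1! is flagged for length, for the dictionary words behind its substitutions, and for the trailing '!'; WeakSauce2014! satisfies every complexity rule yet trips all five placement patterns plus the dictionary check. The checker is a demonstration of the habits to avoid, not a substitute for checking against real breached-password lists.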