This is part 2 of Strong Passwords in the Security for a New Year series.
Security for a New Year Part I: Strong Passwords – Part 1
In part 1 of strong passwords, I discussed the use of character sets and character spaces and how they impact the overall strength of the password. I primarily discussed how a longer password is significantly harder to brute force than a shorter one, regardless of how many character sets are used. Longer passwords typically expand beyond the use of single words, and as a result they are referred to in many places as passphrases. Personally, since they serve the exact same purpose as far as authentication is concerned, I use the term password to refer to both single and multi-word passwords. The term passphrase, however, may help you expand your view of what a password can consist of. While most people may use a single word as their password, a password can also consist of several related or unrelated words, or even a complete sentence. This can be a great way to significantly increase the length of your password.
I will be covering two primary topics in part 2 of strong passwords. The first topic is how to design a high entropy password that can withstand even the most sophisticated dictionary attacks. The second topic will be how to significantly increase the character space of your password to where a brute force attack would be impossible with the current state and direction of technology.
The thing that must be fully realized to create a high entropy password is that it cannot consist of any actual words. Most people use a password that consists of someone’s name, something they like, or something they think is clever. The problem with using any of these things is that they are typically easy to figure out, or they are readily available in one of the millions of dictionary files available on the Internet. Before I go into any further detail, I would like to provide a list of the top 25 passwords of 2014 according to Gizmodo (a tech site). These passwords were compiled from the many accounts that were stolen and hacked in 2014.
- 123456 (Unchanged)
- password (Unchanged)
- 12345 (Up 17)
- 12345678 (Down 1)
- qwerty (Down 1)
- 123456789 (Unchanged)
- 1234 (Up 9)
- baseball (New)
- dragon (New)
- football (New)
- 1234567 (Down 4)
- monkey (Up 5)
- letmein (Up 1)
- abc123 (Down 9)
- 111111 (Down 8)
- mustang (New)
- access (New)
- shadow (Unchanged)
- master (New)
- michael (New)
- superman (New)
- 696969 (New)
- 123123 (Down 12)
- batman (New)
- trustno1 (Down 1)
I simply cannot stress it enough: if your password for any account is on this list, then you should change it immediately! These passwords are almost guaranteed to be the first ones attempted when breaking into accounts.
Some individuals who are multilingual may use words from a language other than English as their password. The problem with this is that, while it may decrease the chances of your password being compromised, if they are real words then there is guaranteed to be a dictionary file on the Internet containing them. Again we arrive at the same conclusion: it cannot consist of actual words.
Many individuals may think that using something clever such as ‘to be or not to be’ (minus the quotes) as a password would be a strong enough password. While the character space of this password is significantly long, there are also dictionary files containing massive lists of popular quotations and phrases available, and as a result, this could still easily be cracked. Furthermore, the use of symbol and number substitution for letters (commonly referred to as 1337) does not provide any greater security, as there are lists available containing common uses of these as well.
This does not mean that a password cannot be based off of actual words, it just should not contain any. When choosing the words to base your password on, you should consider how easily these words could be connected to you. For example, your spouse and children’s names should never be used, as these can easily be connected to you. Additionally, this excludes your favorite sports team, your religion, favorite television shows, favorite brand of clothing, pet’s name, favorite make or model of vehicle, or even your brand of coffee. The list goes on and on. Likewise, you should not base it on anything you blatantly dislike either. For example, if you are a die-hard Chevy person, basing your password off of Ford is not a good idea either. With the advent of social media, anything that can relate to you in any way is not a good basis for a password, because this information is likely easily attainable. What is even worse is that there are scripts and programs that easily enable an attacker to compile their own dictionary file of passwords you may use, based on the information they obtain about you.
Before I continue any further, I would like to share one of many wonderful comics from XKCD regarding security. XKCD is a web comic which focuses on many geek and science related topics.
While this may seem like a very easy solution, there are also issues with this approach, but I will cover that in further depth later.
So to start our design for a high entropy password we need two unrelated words that cannot be connected to you in any way. For our example we will use a sport that you feel completely indifferent about. The sport we have chosen is tennis. Now we need something completely unrelated to tennis, and not connected to you, to combine this with. For this example we will use a type of animal, a camel. So currently our password consists of tenniscamel. Well, aside from being two unrelated words, they are entirely lower-case. So let’s randomly pick a couple of letters to capitalize. We now have TeNNiscAmeL. The next issue we encounter is that there are no numbers in this password. So let’s pick two random numbers that you feel completely indifferent about. For our example I am choosing 7 and 2. The typical response to adding numbers to a password is to add them at the beginning, in between words, or at the end. We want to do something out of the ordinary, so we will do this: Te2NNiscA7meL. In addition to adding numbers in this way, we did not do substitution, and we also succeeded in converting both words from actual words into nonsense. To add an additional layer of security we should add some symbols. We should add these at random and use at least two of them. Our password after this step looks like this: Te2N?NiscA(m)eL, and I actually used three symbols in total.
Brackets can be a great way to add symbols to a password, and at the same time make it easier to remember. You can use them to easily separate parts of words at the syllable level, or even based on an odd character, such as a vowel or repeating letters. So now we have a password that is almost guaranteed not to be in a dictionary file, especially one designed specifically for you. Additionally, we also have a relatively high character space of fifteen. The only real issue with a password like this is that it may be hard to remember.
The password in the previous example, if used frequently over time, could be remembered, but it would likely need to be written down some place until then. While I will go into further discussion of password documentation in part 3, there is nothing wrong with writing a password down and carrying it in your wallet or purse, or even better, keeping it in a safe. The important thing to note if you do this is not to have the password anywhere on your desk, or have other information such as the username or website on the same piece of paper.
Remember, this was just one example; you could make it easier to remember by applying the previous methods differently. The important thing is that your password, when finished, meets all of the following:
- It uses both upper-case and lower-case letters, and the upper-case letters are not solely the first letter of each word
- It uses numbers, but not just by using them for letter substitution
- It uses at least one symbol, preferably more
- The numbers and symbols are scattered and not just at the beginning or end of the password
- The base word or words are not remotely close to their original form
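The checklist above can be turned into a mechanical check. The script below is an added example, not code from the original post: given a candidate password and the real words it was built from, it tests each of the five criteria and reports which ones fail. The "1337" reverse map is a small constructed table (real cracking rule sets are far larger); everything else follows directly from the checklist. Run against the stages of the tenniscamel walkthrough, it fails everything up to Te2NNiscA7meL (no symbol yet) and passes Te2N?NiscA(m)eL.

```python
import string

# Reverse map for common "1337" substitutions, so a word like t3nn1s is still
# recognised as tennis. Constructed for this example; real rule sets are larger.
LEET_REVERSE = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
})


def contains_base_word(pw, base_words):
    """True if any base word survives as a contiguous, case-insensitive run,
    either as typed or after undoing 1337 substitutions."""
    lowered = pw.lower()
    for candidate in (lowered, lowered.translate(LEET_REVERSE)):
        if any(w in candidate for w in base_words):
            return True
    return False


def check_password(pw, base_words):
    """Evaluate pw against the five criteria from the article. base_words are
    the real words the password was built from (e.g. tennis and camel).
    Returns a dict of criterion -> bool."""
    base_words = [w.lower() for w in base_words]
    letters = [c for c in pw if c.isalpha()]
    norm = "".join(letters).lower()          # letters only, lower-case

    # 1. Mixed case, with at least one capital that is neither the first
    #    letter of the password nor the first letter of a base word.
    has_upper = any(c.isupper() for c in letters)
    has_lower = any(c.islower() for c in letters)
    odd_capital = any(
        c.isupper() and k > 0 and not any(norm.startswith(w, k) for w in base_words)
        for k, c in enumerate(letters)
    )
    mixed_case = has_upper and has_lower and odd_capital

    # 2. Digits present, and undoing digit substitutions does not expose a base word.
    has_digit = any(c.isdigit() for c in pw)
    digits_ok = has_digit and not any(
        w in pw.lower().translate(LEET_REVERSE) for w in base_words)

    # 3. At least one symbol (anything that is not a letter or digit).
    symbols_ok = any(not c.isalnum() for c in pw)

    # 4. Scattered: some digit or symbol sits strictly between two letters,
    #    rather than only at the start or end.
    letter_idx = [i for i, c in enumerate(pw) if c.isalpha()]
    scattered = bool(letter_idx) and any(
        not c.isalpha() for c in pw[letter_idx[0] + 1:letter_idx[-1]])

    # 5. No base word is recoverable as a contiguous run.
    mangled = not contains_base_word(pw, base_words)

    return {
        "mixed case, capitals not just word-initial": mixed_case,
        "digits, not just letter substitution": digits_ok,
        "at least one symbol": symbols_ok,
        "digits and symbols scattered": scattered,
        "base words no longer recognisable": mangled,
    }


def passes_all(pw, base_words):
    return all(check_password(pw, base_words).values())


if __name__ == "__main__":
    # The stages from the article, plus two weak variants for contrast (constructed).
    for candidate in ["tenniscamel", "TeNNiscAmeL", "Te2NNiscA7meL",
                      "Te2N?NiscA(m)eL", "t3nn1scam3l", "tenniscamel72!"]:
        report = check_password(candidate, ["tennis", "camel"])
        print(f"{candidate:18} {'PASS' if all(report.values()) else 'FAIL'}")
        for criterion, ok in report.items():
            if not ok:
                print(f"    missing: {criterion}")
```

Note that the check deliberately takes the base words as input: a checker that does not know what you started from can only guess at criterion 5, while one that does can see immediately whether a substitution-only change such as t3nn1scam3l still leaks the original words.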
With time and practice you will easily be able to do this to all of your passwords. Remember the primary goal of entropy in passwords is to defeat the use of dictionary attacks. You also want to make a password that if someone knew everything about you, they still would not be able to guess the password. Ultimately, you want to leave the attacker with no other choice than to use a brute force attack.
This leads us into our second topic in part 2 of strong passwords. The easiest way to create a large character space in our passwords is a method called haystacking. This method was conceived by the Gibson Research Corporation. They refer to your password as a needle hidden in a haystack, and their haystacking method consists of padding your password with a single type of character to add to its overall length. This method is very simple, and as a result I will not go very in depth over its use. For more detailed information I recommend clicking the link and reading their entire article, but keep in mind their primary focus is on brute force defense.
To use haystacking on the password we created earlier, we need to choose a symbol. For this example, I will use the same symbol used in Gibson’s article, a period. Our password has a current character length of fifteen, and if we want to increase that to twenty-four we need to add nine characters to it. Our password now looks like this: Te2N?Nis.........cA(m)eL
I chose to simply add the padding in the middle, and while we have added nine identical characters to our password, it still meets all of the entropy requirements. I would like to add that you should probably not use the period. It is highly likely that this method will start ending up in dictionary files and you should create your own system for padding passwords.
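To put numbers on what the padding buys, here is an added example (not Gibson Research Corporation's calculator, though it counts character classes the same way: 26 lower, 26 upper, 10 digits, 33 symbols). It pads the article's password as described, computes the exhaustive search space before and after, and also shows the much smaller gain if the attacker already knows that the padding is a single repeated character, which is the concern raised above about the method ending up in dictionary files. The 1e11 guesses per second rate and the 20-character maximum padding length are assumptions for the comparison.

```python
import string

# Character classes counted the way haystack-style calculators count them: an
# attacker who sees (or assumes) a class is in use must include the whole class.
LOWER = set(string.ascii_lowercase)            # 26
UPPER = set(string.ascii_uppercase)            # 26
DIGITS = set(string.digits)                    # 10
SYMBOLS = set(string.punctuation) | {" "}      # 32 punctuation marks + space = 33


def alphabet_size(pw):
    """Size of the alphabet an exhaustive search must cover for pw."""
    chars = set(pw)
    size = 0
    if chars & LOWER:
        size += 26
    if chars & UPPER:
        size += 26
    if chars & DIGITS:
        size += 10
    if chars & SYMBOLS:
        size += 33
    return size


def search_space(pw):
    """Candidates an exhaustive search tries before it is certain to hit pw:
    every string of length 1..len(pw) over the alphabet."""
    a = alphabet_size(pw)
    return sum(a ** n for n in range(1, len(pw) + 1))


def haystack(core, pad_char, pad_len, position):
    """Pad core with pad_len copies of pad_char inserted at position."""
    return core[:position] + pad_char * pad_len + core[position:]


def seconds_to_exhaust(pw, guesses_per_second):
    return search_space(pw) / guesses_per_second


def known_scheme_multiplier(core_len, alphabet, max_pad_len):
    """Extra work for an attacker who already knows the padding scheme
    (one repeated character of unknown identity, length and position):
    alphabet choices x max_pad_len lengths x (core_len + 1) insertion points."""
    return alphabet * max_pad_len * (core_len + 1)


if __name__ == "__main__":
    core = "Te2N?NiscA(m)eL"
    padded = haystack(core, ".", 9, 8)          # Te2N?Nis.........cA(m)eL
    rate = 1e11                                  # assumed guesses/second
    for label, pw in (("core", core), ("padded", padded)):
        print(f"{label:7} len={len(pw):2} alphabet={alphabet_size(pw)} "
              f"search space~2^{search_space(pw).bit_length() - 1} "
              f"years@{rate:.0e}/s={seconds_to_exhaust(pw, rate) / 31_557_600:.3g}")
    print("gain if the attacker is blind to the padding: ~%d x"
          % (search_space(padded) // search_space(core)))
    print("gain if the attacker knows the one-character padding scheme: %d x"
          % known_scheme_multiplier(len(core), alphabet_size(core), 20))
```

The two "gain" lines are the whole point: against a blind brute force the nine padding characters multiply the work by roughly 95^9, but an attacker who knows the scheme only has to try every pad character, length and position around the core, a multiplier in the tens of thousands. The padding is therefore a cheap bonus on top of a high entropy core, not a substitute for one, which is why the core was built first.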
YOU should invent your own **personal padding policy**. You could put some padding in front, and/or interspersed through the phrase, and/or add some more to the end. You could put some characters at the beginning, padding in the middle, and more characters at the end. And also mix-up the padding characters by using simple memorable character pictures like “<->” or “[*]” or “^-^” . . . but do invent your own!
— Gibson Research Corporation
Earlier, when I shared the comic from XKCD, I mentioned that while very creative, and potentially quite effective, this practice was likely still a bad idea. The reason for this is that the words are still in their original form. While, as a whole, the password is virtually impenetrable to brute force attacks unless the attacker knows that you strictly used lower-case letters, this method for password creation is susceptible to dictionary attacks. Since this comic was published, it is likely that there have been extremely large dictionary files composed of random words strung together in strings of two to five words. However, courtesy of Bart Busschots, there is a wonderful little tool out now that combines the character space of Randall Munroe’s (the creator of XKCD) method for long passwords with the Gibson haystacking method. The tool can be found at https://xkpasswd.net/s/. I have only recently discovered it, and while I have not investigated the code behind it to ensure the passwords it generates do not match a simple pattern, it appears to generate some extremely strong passwords. While these are somewhat harder to remember than correcthorsebatterystaple, it is still more feasible than remembering a truly randomly generated password. As an example, below are three passwords I just generated from there.
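To show what such a combination looks like and how its strength should be judged, here is an added example in the same spirit; it is not Bart Busschots's xkpasswd code and does not reproduce its exact format. It picks random words, randomises their case, joins them with a random separator and wraps the result in random digits and symbol padding. The twelve-word list is constructed for the demo (a real generator ships thousands of words), so the entropy estimate takes the list size as a parameter. The estimate assumes the attacker knows the scheme and the word list, which is the right assumption once a generator is public: only the random choices count, not the character length.

```python
import math
import secrets
import string

# Constructed stand-in for a real word list; the entropy figures take the
# list size as a parameter so a realistic list can be plugged in.
DEMO_WORDS = ["tennis", "camel", "lantern", "river", "copper", "violin",
              "meadow", "glacier", "pepper", "walnut", "orbit", "saddle"]
SEPARATORS = "-+=.*_|~"
PADDING = "!@$%^&*?"


def generate(words=DEMO_WORDS, n_words=4, n_digits=2, n_pad=2, rng=secrets):
    """Passphrase of n_words random words, each randomly UPPER or lower, joined
    by one random separator, with n_digits random digits on each side and
    n_pad copies of one random symbol on each end. rng needs only .choice()."""
    def digit_run():
        return "".join(rng.choice(string.digits) for _ in range(n_digits))

    chosen = [rng.choice(words) for _ in range(n_words)]
    cased = [w.upper() if rng.choice("UL") == "U" else w.lower() for w in chosen]
    sep = rng.choice(SEPARATORS)
    pad = rng.choice(PADDING) * n_pad
    return pad + digit_run() + sep + sep.join(cased) + sep + digit_run() + pad


def scheme_entropy_bits(list_size, n_words, n_digits=2,
                        n_seps=len(SEPARATORS), n_pads=len(PADDING)):
    """Entropy against an attacker who knows the scheme and the word list:
    word choices x per-word case x separator x digits (both sides) x pad symbol."""
    choices = (list_size ** n_words) * (2 ** n_words) * n_seps \
        * (10 ** (2 * n_digits)) * n_pads
    return math.log2(choices)


def naive_bits(pw, alphabet=95):
    """What a per-character brute-force count would claim for the same string."""
    return len(pw) * math.log2(alphabet)


if __name__ == "__main__":
    for _ in range(3):
        pw = generate()
        print(f"{pw:45} naive brute-force bits={naive_bits(pw):5.1f}")
    print(f"known-scheme entropy, 12-word demo list: "
          f"{scheme_entropy_bits(len(DEMO_WORDS), 4):.1f} bits")
    print(f"known-scheme entropy, 7776-word list:    "
          f"{scheme_entropy_bits(7776, 4):.1f} bits")
```

With the toy list the known-scheme entropy is only about 37 bits however long the output looks, while a 7776-word list lifts it to roughly 75 bits. That gap is the quantitative version of the point made about the comic: the string's length impresses a blind brute force, but what actually limits a dictionary-style attacker is how many choices the scheme really made.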
In part 3 of strong passwords I will go into detail about documenting your passwords, using password generation software, and maintaining a list of high entropy and high character space passwords.
In closing, I hope that the methods described here help you create passwords that are both long and seemingly random. The goal is to protect your accounts, and hopefully I have provided you with a means to do just that. Again, I look forward to any comments regarding this.
This topic was originally posted on 1-14-2013, but was expanded and refreshed to still be valid in 2015.