
Weak passwords and open doors

Author: Peter Abraham; Published: Mar 21, 2012; Category: Customer Support, Managed Hosting, PCI Compliance, Security, WordPress; 9 Comments

If you are reading this article, you've probably had your share of headaches over how to create a password for a given application that is easy to remember and, at the same time, hard for attackers to crack or otherwise use to break in.


Prior to today, my recommendation for creating secure passwords was to browse https://www.random.org/passwords/?num=20&len=12&format=html&rnd=new and pick one of the random passwords it generates.

The problem with this method is that it forces you either to memorize something completely foreign to you, or to have some method of helping you remember the password.


If you are a security nut, then you might already be using a secure, encrypted method to track passwords per application or device.

But what about others who do care about security, but are experts in other areas (just not security)? Paper notes here and there, sticky notes here and there... a disaster for internal security (a disgruntled fellow employee, the cleaning person, etc.) waiting to happen.

I would like to share a thought process recently shared in the WordPress LinkedIn group concerning security.  Dan Knauss was kind enough to share https://xkcd.com/936/ (see the screen shot below).

[Screen shot of XKCD 936, "Password Strength": Using four random common words combined for a password is easy to remember, and hard to break]

The concept is that you take four random common words, combine them, and use the result as your password: the phrase is easy to remember, and because of its length it is hard to brute-force. Note the word "random" in the comic: the words should be drawn at random, not picked because they mean something to you, or the strength estimate no longer holds.

Now, the caution points I would share from a security expert's point of view are as follows:

The combination should be at least 12 characters wide (i.e. the letters of all the words combined add up to at least 12 characters).
Since social engineering (the process of an attacker getting to know you personally, directly or indirectly, which today can be as simple as reading your LinkedIn profile, Facebook page, and so on) is still widely used, the four words you pick should not be words that someone who reads what you publish or hears what you say could easily guess.

For example, I know someone who makes it very well known that their favorite color is purple and that they love horses. While most attacks today are untargeted (making everyone a potential target), if someone were to purposely target my friend, they already have two words, purple and horse(s), to try first when breaking in.

Use an application like SplashID, Password Keeper, or the like, which can securely store and encrypt your passwords. Be careful about where the actual data is stored.
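The caution points above, as an added example that is not part of the original post: a small Python script that draws the four words with a CSPRNG, enforces the 12-letter minimum, and screens out words an attacker could lift from a public profile. The word list, the "purple"/"horses" profile terms, and the 7776-word list size used in the entropy comparison are constructed assumptions, not data from the post. Two caveats the numbers make visible: the entropy figures hold only when a random generator, not the user, picks the words, and a four-word phrase from a large list comes in well below a random 12-character password, so it trades some strength for memorability rather than beating the random.org approach outright.

```python
# Added example, not part of the original post. It turns the post's two caution
# points into checks and generates an XKCD-936-style passphrase with a CSPRNG.
# The word list and the "personal terms" below are constructed for
# illustration; a real deployment would load a large published list such as
# the EFF long word list (assumed size 7776 in the entropy comparison).
import math
import secrets

# Constructed sample list. Real lists have thousands of entries; this one is
# only large enough to exercise the checks.
SAMPLE_WORDS = [
    "correct", "horse", "battery", "staple", "maple", "lantern",
    "river", "pillow", "cobalt", "meadow", "tundra", "quartz",
    "purple", "anchor", "velvet", "harbor", "copper", "signal",
]

WORD_COUNT = 4      # the comic's four words
MIN_LETTERS = 12    # caution point 1: combined letters at least 12 wide


def entropy_bits(choices_per_symbol, symbols):
    """Bits of entropy for `symbols` picks made uniformly at random from
    `choices_per_symbol` options each (words from a list, or characters
    from an alphabet). Valid only when a RNG makes the picks: words a
    person chooses are far less uniform than this assumes."""
    return symbols * math.log2(choices_per_symbol)


def _stem(word):
    """Crude normalisation so 'horses' matches 'horse' (assumption: trailing
    's' plural only; good enough for the screening in caution point 2)."""
    w = word.lower()
    return w[:-1] if len(w) > 3 and w.endswith("s") else w


def personal_words(words, personal_terms):
    """Caution point 2: words an attacker could lift from your public
    profile (favourite colour, pets, hobbies) get no credit as secrets."""
    stems = {_stem(t) for t in personal_terms}
    return [w for w in words if _stem(w) in stems]


def check_passphrase(words, personal_terms=(), min_letters=MIN_LETTERS):
    """Return a list of problems (an empty list means the phrase passes)."""
    problems = []
    letters = sum(len(w) for w in words)
    if letters < min_letters:
        problems.append(f"only {letters} letters, need at least {min_letters}")
    for w in personal_words(words, personal_terms):
        problems.append(f"'{w}' is guessable from your public profile")
    return problems


def generate_passphrase(word_list=SAMPLE_WORDS, personal_terms=(),
                        word_count=WORD_COUNT, min_letters=MIN_LETTERS,
                        separator=" ", max_tries=1000):
    """Draw words with secrets.choice (CSPRNG) and resample until both
    caution points hold. Rejection sampling keeps the draw uniform over
    the phrases that pass; excluding some phrases costs a little entropy."""
    for _ in range(max_tries):
        words = [secrets.choice(word_list) for _ in range(word_count)]
        if not check_passphrase(words, personal_terms, min_letters):
            return separator.join(words)
    raise ValueError("word list too small for the requested constraints")


def compare_strengths(list_size=7776, alphabet=94, password_length=12):
    """Entropy of a four-word phrase from `list_size` words versus a
    `password_length`-character password over an `alphabet` of printable
    ASCII (assumed 94). Returns (phrase_bits, password_bits)."""
    return (entropy_bits(list_size, WORD_COUNT),
            entropy_bits(alphabet, password_length))


if __name__ == "__main__":
    profile = ("purple", "horses")   # constructed: what a friend posts publicly
    print(generate_passphrase(personal_terms=profile))
    print(check_passphrase(["purple", "horse", "cat", "dog"], profile))
    print("bits: 4 words from 7776 = %.1f, 12 random chars = %.1f"
          % compare_strengths())
```

With the comic's 2048-word list the four-word phrase comes to exactly 44 bits, as the comic states; with a 7776-word list it reaches about 52 bits, against about 79 bits for 12 random printable characters. The profile screen is deliberately crude (plural stripping only); treat it as a reminder to exclude anything you publish, not as a complete filter.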

Contact us if you have any questions.

Peter Abraham
Former CEO of Dynamic Net, Inc. Will be transitioning to a new career in the near future.

9 Responses to “Weak passwords and open doors”

  1. Great post, and something I would’ve never thought of. I like that you took into account the human element – the need to be able to remember it. That’s often overlooked in advice from security experts.

  2. Ken Dawes says:

    Thanks for the password thought process! Good stuff!

    Of course it does get a little more complicated with many places requiring at least one capital and one lowercase letter, at least one digit and at least one character like ^(!><, etc…

    But easy enough if you can make it something that can stick in your mind!

  3. I’ve blogged in the aftermath of XKCD 936, which created quite a stir in the world of password research:
    http://securitynirvana.blogspot.com/2011/08/xkcd-936-discussion-continues.html

    Entropy calculations alone should really not be used for measuring password strength. I've got 24 characters in my full name, including a special character found only in the Norwegian/Swedish languages. Add spaces to that, and the entropy looks good. But it is still my name used as my password, and that shouldn't really be considered a wise choice of password, should it?

    My own research from corporate environments shows that 1-2% of us actually use our personal first or last name as whole or part of our password at work. And that’s just for starters.

    As for your recommendations on password managers, I will STRONGLY advise you to read the press release + whitepaper (see link in press release) from Elcomsoft available here:
    http://www.elcomsoft.com/news/498.html

    Best regards,
    Per Thorsheim

  4. Giorgi says:

    I used a similar strategy for a time, but with a more coarse-grained password selection (sites which had my credit card vs. sites which didn't). I've recently moved to a more complete solution:

    Have a salt password, e.g. 4fxb43fg. For each website, create a new password combining the salt with the domain name, e.g. 4fxb43fggmail, 4fxb43fgfacebook.

    This makes it easy to recall/generate, while ensuring a unique password for each site. In the case of password change requirements, I just add an incrementing integer to the end.

  5. Giorgi, thank you for sharing your approach. Do you try to have a minimum width (i.e. x wide)?

  6. http://i-sight.com/corporate-security/cracking-the-code-on-password-protection/ covers some interesting statistics on cracking passwords.

    Time it takes a hacker’s computer to randomly guess your password:

    Length: 6 characters – Lowercase only: 10 minutes,
    Lowercase and Uppercase: 10 hours,
    Lowercase, Uppercase, Nos. & Symbols: 18 days

    Length: 7 characters – Lowercase: 4 hours,
    Lowercase and Uppercase: 23 days,
    Lowercase, Uppercase, Nos. & Symbols: 4 years

    Length: 8 characters – Lowercase: 4 days,
    Lowercase and Uppercase: 3 years,
    Lowercase, Uppercase, Nos. & Symbols: 463 years

    Length: 9 characters – Lowercase: 4 months,
    Lowercase and Uppercase: 178 years,
    Lowercase, Uppercase, Nos. & Symbols: 44,530 years

  7. Mark Vang says:

    I remember reading this when it came out and I disagree. This method is great when you are only talking about one password but most of us manage multiple passwords. I think this method might encourage some folks to come up with a single password for multi-account use which is an extremely bad idea.

    Would you really find it “easy to remember” when you have a different one for 20-30+ websites? Or would you become hopelessly confused about which passphrase went to what site/account?

    Use a password manager like KeePass. It is multi-platform (use KeePassX for Linux), easy to use, easy to back up, and the database is encrypted.

    I suggest that you use your simple passphrase to secure KeePass, then let it generate complex passwords for every site you access.

  8. First and foremost, Thank you for your reply. I appreciate your thoughtful insights and point of view.

    I agree with you that any target (device, application, etc.) should have a unique password.

    I also agree with you that it is possible for someone to think to themselves that, through the 3 to 5 common word method, they might use the same password on 2 to many targets.

    Yet, the same can be said if you used https://www.random.org/passwords/?num=25&len=12&format=html&rnd=new and just picked one and used the one you picked on 2 to many targets.

    Would I be correct we both want to educate users to do the right thing?

    Would you agree that if a person is stuck in their ways, it is easier to move them 1 degree than 180?

    What I found fascinating about the password thought process of using three to four common, often dictionary-based, words was that you do have people who have problems remembering passwords.

    The analysis done by Sucuri Security and others showed the most common passwords were password, password123, abc, abc123, and so on.

    Would security not be improved, at least beyond a single percentage point, if we could educate the people who have that thought process to use the method described in this article?

    Then by your comments and other educational means get them to be aware of one password (key) per target?

    As always, Mark, thank you for your input (I don’t view it as arguing; but as sharing a valid point of view).

    Thank you.

  9. Mark Vang says:

    Peter,

    I agree with everything you’ve put out and this comment in particular:

    “Would you agree that if a person is stuck in their ways, it is easier to move them 1 degree than 180?”

    At the end of the day… even if the user were applying the same high-entropy passphrase to many accounts, as long as that kept them from using pass123 for everything that would be a net gain in security.

    I think that the original article did establish a reference point that a sysadmin could use to approach users to suggest better security practices for their user accounts on a specific system. (Put something in comic form instead of a memo and more folks will go along with it.)

    In my own experience I use a high-entropy passphrase to secure my password vault, which uses complex passwords generated by the utility built into the software. I am more likely to lose an account to a social engineering attack on the service provider rather than a brute force hack.

    In one humorous incident, I encrypted a memory stick with a passphrase that “I would never forget” and then forgot it two days later. So there is some inherent danger in relying on mental tricks to remember passwords, since our brains are the ultimate tricksters!

    A previous client of mine argued that his (short and easy to guess) multi-site passphrase was secure because one word was in German. I guess he didn’t realize that there are German hackers too and that a dictionary attack wouldn’t just be limited to English words. Maybe I should have shown him the XKCD post instead?

    I always enjoy the informative blog posts, keep up the good work!

    – Mark
