Passwords: Bad "best practices"

So, you think that your password is secure? Let’s see: does it contain a mixture of uppercase/lowercase letters, punctuation marks and digits? Yes? Well, even in this case, your password might still be completely insecure. Read on to find out why…

To understand the problem, we first need a little rehash of the basic password cracking techniques. The simplest algorithm would be to (1) enumerate all English words and names from a given dictionary and (2) check whether each word matches your password.

You might say: but in this context we are talking about other characters, like punctuation marks and digits, that are part of the password. What would an attacker do in this case? Simple: use a little psychology.

The problem is that most people feel that adding digits and other characters is just a burden. When the “password will expire today” dialog appears, they will be in a hurry to get a new password, maybe an easy-to-remember word, and then alter it in a few ways:
1) First, the password needs to have a capital letter. Most people will naturally choose the first letter of the English word to be capitalized. So, a word like “flowers” becomes “Flowers”.
2) Second, the password needs to contain some digits. The password looks nicer (and is easier to remember) when these digits are appended to the word. Even more, people are usually unimaginative here, and just append one digit, or in more complex cases, digit sequences like “123” or “01”, or possibly their birthdate.
3) Third, we need some non-alphanumeric characters. Well, let’s see. If we replace an “s” with “$”, an “a” with “@” or an “o” with a zero, then we get what we want, right? It is hard to resist the temptation to replace at least an “s” with “$” (rather than, say, an “a” with “$”), which gives a false sense of security. In some cases people also use delimiter characters like “!” or “#” to separate the word from the digit sequence.

So, with the example above, the altered forms of the word “flowers” might be: “Fl0wer$” or “Flower$01” or “Fl0wers#123” and so on and so forth.

The problem with these alteration rules is that they are so predictable. All the attacker has to do is take the same list of English words and apply the rules above. The resulting list is longer by, say, a factor of 10-100, which is not that much.
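As an added example (not code from the original post), here is a Python sketch that encodes the three rules above in both directions: `mangled_forms` enumerates what they produce from one word, to show how small the expansion really is, and `looks_like_mangled_word` undoes them so a password-policy check can reject such passwords when they are set. The toy dictionary, the suffix list and the delimiter set are assumptions; the exact expansion factor depends on how many digit suffixes you enumerate.

```python
import itertools
import re

# Constructed toy dictionary; a real check would load the same English
# word list an attacker would start from.
DICTIONARY = {"flowers", "sunshine", "password", "monkey", "hello"}

# The post's rules: capitalise the first letter, swap s/$ a/@ o/0, append a
# short digit sequence, optionally behind a "!" or "#" delimiter (assumed set).
LEET = {"s": "$", "a": "@", "o": "0"}
UNLEET = str.maketrans({v: k for k, v in LEET.items()})
SUFFIXES = [""] + [str(d) for d in range(10)] + ["01", "123"]
DELIMS = ["", "!", "#"]
SUFFIX_RE = re.compile(r"[!#]?\d{0,8}$")


def mangled_forms(word: str) -> set[str]:
    """Every password the three rules can produce from one lowercase word.
    Used here only to measure how little the rules enlarge the search space."""
    forms = set()
    toggles = list(itertools.product((False, True), repeat=len(LEET)))
    for caps, subs, delim, suffix in itertools.product(
            (False, True), toggles, DELIMS, SUFFIXES):
        w = word.capitalize() if caps else word
        for (plain, leet), on in zip(LEET.items(), subs):
            if on:
                w = w.replace(plain, leet)
        if suffix or not delim:  # a delimiter with no digits after it is pointless
            forms.add(w + delim + suffix)
    return forms


def looks_like_mangled_word(password: str, dictionary=DICTIONARY) -> bool:
    """Policy check at set-password time: undo the predictable rules and look
    the result up. The suffix-stripped and unstripped cores are both tried so a
    trailing '0' that came from an 'o' (as in 'Hell0') is not thrown away."""
    stripped = SUFFIX_RE.sub("", password, count=1)
    for core in (password, stripped):
        if core.translate(UNLEET).lower() in dictionary:
            return True
    return False


if __name__ == "__main__":
    forms = mangled_forms("flowers")
    print(f"{len(forms)} variants of 'flowers', all caught:",
          all(looks_like_mangled_word(f) for f in forms))
    for pw in ("Fl0wer$01", "Flower$", "Fl0wers#123", "Bob is the greatest!"):
        print(f"{pw!r}: {'weak' if looks_like_mangled_word(pw) else 'ok'}")
```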

In conclusion, it’s not that hard to get into the minds of regular people, nor into the minds of attackers. So, if you used any of the rules above, stop using them. Instead, here are some rules to create strong passwords.

P.S. As for me? I just use uuidgen.exe to create a random sequence of digits.

Comments (11)

  1. Hehe says:

    uuidgen is a great idea. But the problem is that most uuidgen users have their passwords written on a paper note and clipped to their displays = even less security.

    The only reasonable answer to the password problem I have encountered in my career is passphrases.

  2. mikeb says:

    The problem with using something like uuidgen is that it becomes near impossible to remember the password. At least for someone as feeble-minded as me.

    Writing the password down is not necessarily a bad thing to do. As long as it’s physically secured well enough – an attacker can’t get to a written password remotely over the network (read Jesper Johannson’s thoughts on this:

    However, I don’t want the password that I use day-to-day from several locations to be one that I need to rely on a piece of paper to be able to enter.

  3. Bob says:

    I am all about passphrases as well. Remembering something like ‘Bob is the greatest!’ is pretty easy and would be difficult to dictionary hack unless they were specifically looking for passphrases, and the number of attempts would still be much greater than single words and ‘rules’ applied.

  4. AdiOltean says:

    Writing down on a piece of paper might be a good thing, but only for a very short time. For example, some would argue that a good practice (when you change your password) would be to

    1) write it first on a piece of paper

    2) After you think that this is a good password, change the old one with the new password

    3) Keep the piece of paper in a secure place for a few days until you memorize the password

    4) After you memorized the password, destroy the piece of paper

    The downside is that the password is written down for some time, which is a vulnerability.

  5. Franz Wong says:

    I just use one of my bookmarked URLs as a password. For instance, I take the 3rd character after each ‘/’ and then combine them into a password.