For Password Security the Advice Remains the Same
Passwords are what allow access to computers and systems; they are pretty much a necessary irritant for every user. They are the first line of defense in protecting systems and users, and they are half of what are called credentials: the first half is user identification, followed by authentication, the password. How to construct a good password is a matter of discussion, and in this case the best way to define a good password is to define what it is not.
A good example of what is not a good password is a common word, advice we have all heard, like “password.” Even combining your company name with a few digits is not a good idea: Solarwinds123 was the password associated with the hack into SolarWinds, which affected many thousands of Federal Government systems. SolarWinds has since determined that the password was for a third-party vendor application, not for access to the SolarWinds IT systems, and that it had nothing to do with the attack or breach of the company’s IT systems; it was still a weak password.
Nevertheless, whether humans construct passwords themselves or use a password manager, the discussions center on what makes a good password, how long to keep one, how many you need, and so on. Even a password manager must have standards. A good way to approach this is to examine passwords that have been used before, which is easy because so many passwords have been stolen and published.
In password construction, the top 20 or 50 always seem to be the same, even across nationalities. They include password, 123456, abc123, QWERTY, Admin, and so on. As most of us know, these not-so-clever variations have been around for a long time. The question is why people still use them; most likely it is because they are easy and, most importantly, because there are no system administration password standards that force stronger passwords. This is a management issue. In addition to the common list of lame passwords, there is the issue of password overload: the number of passwords people need keeps increasing, so to keep it simple, people reuse the same password for many functions, the same one for online banking and Amazon.
Another interesting fact is that passwords tend to be specific to user culture. English speakers use English letters, numbers, and common special characters, while Spanish speakers use Spanish letters with accents, numbers, and so on. Each group is slightly different, with a defined character set of 72-100 characters. The Hive password cracking study used a 650-character set to establish its timelines to crack a password. That means your password will take much less time to crack than those timelines suggest if you are not taking advantage of all 650 characters, including Cyrillic, symbols, and Latin extensions. People also use common names; a mild generalization is that men tend to use sports teams and athletes in their passwords, while women tend to use the names of children, grandchildren, and pets. How could someone guess which words to try? Those names are usually on the user's Facebook page. Age is also a factor in password construction: people older than 60 tend to use the same password for many functions.
The summary is obvious: do not use the expected list of well-known passwords; use a unique password for every account; and use multifactor authentication (MFA) for every account you can.
For Google, fewer than 20% of users use MFA, meaning you will be more secure by turning on MFA than the other 80%. Last is complexity: the more complex, the better, and the longer, the better. There are limits to complexity, since complexity is constrained by culture and knowledge. For example, it is unlikely that readers of this will begin adding Cyrillic characters to their passwords.
As mentioned, the Hive study is a deep dive into how password length and complexity affect password cracking time. The analysis assumes a hacker has managed to steal a list of user identifications and their associated hashed passwords. The hacker has the user ID, but the passwords are hashed, a standard means of protecting the confidentiality of the password. The MD5 hash takes the plain text (letters and numbers) password and generates a hash of 32 hexadecimal digits. To log in, the hacker needs the user ID and the plain text password that generated the hash. Since the hacker cannot undo the stolen hash, the challenge is finding the combination of plain text characters and numbers that, when entered as the password, hashes to the same value stored in the database. Of course, there are many software applications dedicated to this process. The first thing that will happen is that the hacker will compare the stolen hashes against the hashes of known or previously compromised passwords to see if there is a match; if the user has used the same password before, this increases the chances of success. Another factor is that the guessing can be targeted to the user based on culture, gender, and other factors, taking advantage of the words, characters, and special characters that user is most likely to have used.
Essentially, increasing password complexity and length is a defense because it increases the time it takes to match the stolen hash value. One observation in the study is that the time to crack a password decreases as processing power increases, both in individual systems and in the cloud. The argument is that at some point the advances in computing power will make traditional passwords obsolete. At the same time, however, new hashing algorithms, salts, and other technology used to protect passwords will keep passwords tough to crack for a long time. For now, the advice is the same as it has been: use long passwords drawn from a complex character set, use MFA, and use a different password for each account.
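As an added example (not code from the article or from the Hive study), the following Python shows the two halves of what this section describes from the defender's side: an audit that flags accounts whose stored unsalted MD5 hash matches one of the common passwords listed above, and the salted, deliberately slow hashing that makes such a shared lookup table useless. The sample user table, carol's password, and the PBKDF2 iteration count are constructed assumptions.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Constructed sample wordlist: the common passwords the article lists.
COMMON_PASSWORDS: List[str] = ["password", "123456", "abc123", "QWERTY", "Admin"]

def md5_hex(password: str) -> str:
    """Unsalted MD5 as the article describes: 32 hexadecimal digits."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()

# Constructed "stolen" table of user IDs and unsalted MD5 hashes.
# carol's entry comes from a made-up password that is not in the wordlist.
STOLEN_TABLE: Dict[str, str] = {
    "alice": "5f4dcc3b5aa765d61d8327deb882cf99",  # md5("password")
    "bob": "e10adc3949ba59abbe56e057f20f883e",    # md5("123456")
    "carol": md5_hex("correct-horse-9F!x"),
}

def audit_unsalted_md5(stored: Dict[str, str], wordlist: List[str]) -> Dict[str, str]:
    """Defender-side check: hash each wordlist entry once, then flag every
    account whose stored hash appears in that table. With an unsalted fast
    hash one table serves all users, which is why these matches are instant."""
    table = {md5_hex(word): word for word in wordlist}
    return {user: table[h] for user, h in stored.items() if h in table}

def store_pbkdf2(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Hardened storage: a random 16-byte salt per user plus a deliberately
    slow key derivation (PBKDF2-HMAC-SHA256). The iteration count is an
    illustrative assumption; tune it to your hardware."""
    salt = salt if salt is not None else os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return salt, key

def verify_pbkdf2(password: str, salt: bytes, key: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = store_pbkdf2(password, salt)
    return hmac.compare_digest(candidate, key)

def salt_defeats_shared_table(password: str) -> bool:
    """Two users with the same password get different stored keys, so a
    precomputed table like the one audit_unsalted_md5 builds cannot be reused."""
    (_, key1), (_, key2) = store_pbkdf2(password), store_pbkdf2(password)
    return key1 != key2

if __name__ == "__main__":
    print(audit_unsalted_md5(STOLEN_TABLE, COMMON_PASSWORDS))  # alice and bob flagged
    print(salt_defeats_shared_table("password"))  # True
```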