In my last article, I gave you a quick tour of the different methods that the bad guys have to crack all your passwords. If it scared you half to death just a little bit, that means you were paying attention.
So what do you do about it? Panic? Curl up in the foetal position and weep? Unplug everything, move to a mountain cave and correspond only by flag semaphore and ceremonial drumming?
None of these are terrible ideas.
Unless you’ve got a business to run. Then it’s time to put on your grown up gumboots and get serious about strong passwords.
So what makes a password strong?
In the last article, I introduced you to brute force attacks, dictionary attacks, and how they can be used together.
Beating brute force attacks is relatively straightforward: choose a longer password that makes full use of lower case and capital letters, digits and symbols. 12 characters is a good start.
Beating a dictionary attack can also be straightforward: generate this password randomly.
The downside to that is probably obvious. Unless you’re using it all the time, a long, randomly generated password can be incredibly difficult to remember.
Combining uncommon words
If you do need to build your password from words, it helps to use several weird ones together.
That’s because the most common words can be contained in a relatively small dictionary file. And the smaller dictionary, the faster it is to run through all the possible combinations of words inside. Using less common words means the attacker needs a much longer dictionary file.
By itself, an uncommon word is still very crackable. It becomes strong when you have several of them together, with perhaps a few numbers and symbols as well.
To illustrate: a very common word like candy will likely appear in a 5,000 word dictionary file. It can be cracked in no time.
A much less common word like subcutaneous is going to require a much longer dictionary file, perhaps 50,000 words long. By itself, that’s still quite weak, because even a cheap password cracking rig can run through 50,000 combinations in next to no time.
In fact, even if your attacker had to run through a 1,000,000 word dictionary file, this is still “blink and you’ll miss it” stuff.
Now let’s see what happens if we use three words together.
Three very common words can be put together to build a password like iwantcandy. We can crack this with our 5,000 word dictionary file, but we need to run through 5,000 X 5,000 X 5,000 possible passwords, or 125 billion. This is starting to sound like a lot, but it might still take under a minute to crack.
What if we build a phrase from much less common words? Say, subcutaneousorbitalmiasma. If we’re using a 50,000 word dictionary file, that means 50,000 X 50,000 X 50,000 possible passwords, or 125 trillion. They’re going to need to leave the rig running overnight to get this.
We can take this further. By adding and substituting numbers, symbols and unusual capitalisations to such a password, we can push the time required to crack it out to years, decades, or even to a length of time beyond the age of the universe.
Password strength meters can be awful
You know how, when you go to sign up for an account somewhere and you have to pick a password, you often see a little meter that tells you how good your password is? Some of these aren’t too bad.
But others (like this one) measure only how long your password is and how many different kinds of characters you use. That’s useful against brute force attacks, but it tells you nothing about how you’d go against a dictionary attack
You can test this out yourself by typing something like P@55word or Password1. An unsophisticated strength estimator will notice the mix of capital and lower case letters, digits and symbols and then rate it as strong. In truth, it would probably be cracked in under 1000 guesses.
Meanwhile, a password like subcutaneousorbitalmiasma or might be rated as weak, because it contains only lower case letters. And yet, it’s literally billions of times stronger than P@55word.
You can compare this to our password strength estimator, powered by the zxcvbn algorithm developed by Dropbox. This doesn’t just look at the number and variety of characters you use, but the words and patterns you build out of them.
The zxcvbn algorithm isn’t perfect – it’s biased toward the English language, there are certain crackable patterns it isn’t wise to, such as words with missing first letters, and there’s no way for it to know whether you’re reusing a password stored insecurely.
Still, it’s a lot better than a password meter that just counts the number and variety of characters that you use.
Unique passwords that get updated
In the last article I discussed how it’s almost impossible to know for sure how securely your password is being stored by any given service. The only safe way to deal with this is to make them all unique.
Because the encryption on a password file effectively gets weaker against improvements in processor technology, it’s also a good idea to update them every 3 or 4 years.
Password managers are a big help
Ok, I know what you’re thinking. If you actually follow this properly, your passwords are going to be a lot more difficult to remember.
And you’re going to need dozens of them – every password has to be unique. Even if you’re registering an account on a website that you’re not sure you’ll ever log into again, it still has to be unique. And then at some point you’re going to have to change them all over again.
Let’s face it: this is a total pain in the neck. You’ve already got your actual work to do – isn’t that already enough to have to think about?
That’s why it’s nice to let software do it for you. With a password manager, every time you sign up for a website, you can generate a random 16 character string and have the software remember it for you across your devices.
It’s like that bit in The Simpsons where Moe turns one gun into five guns; you’re turning one strong password into as many strong passwords as you need.
I’m using LastPass, but there are a number of popular options. They all do a similar thing, and most of them will work across your devices.
Storing passwords safely
Ok, so now you’ve got super strong, uncrackable passwords. But what if the bad guys don’t need to crack it? What if it’s just lying around somewhere – on your workstation or on a server – where anyone can steal it?
Storing passwords on your computer
Web browsers can remember your login details for you. This is super convenient. Unfortunately, it’s also super insecure. It’s much better to use a password manager.
The passwords to your own network should be stored in an encrypted database, ideally using a modern hashing algorithm. This means that even if the database gets stolen, they’ll have a more difficult time cracking the passwords inside it. Ask your IT guy to set it up for you if you don’t know how.
Requiring passwords from your users
If you run a website, an app, or anything that your customers log into, you probably want to encourage your.
Probably the easiest way to handle this is by using the zxcvbn algorithm I mentioned before. It’s available on an open source licence, it’s super easy for your developer to just download the code and drop it in, and won’t burden your server because it runs in the user’s browser.
This won’t completely guarantee strong passwords. It’s just a damn sight more sophisticated than what most of us could come up with on our own.
Don’t tell me you’re too busy for this
Sure, stronger passwords require an amount of care and attention. But it’s nothing compared to this disruption of having your whole business derailed by a security incident.
And get this: if your turnover is over $3 million, or if you work in health or finance, you’re probably subject to the National Data Breaches scheme. That requires you to disclose when you get hacked – so your brand is at stake too.
The busier you are, the more important it is to get this right.