First published as an internal Cybersecurity Awareness e-mail, October 3, 2013. If you haven’t changed most of your passwords since Heartbleed, you are not doing your part for Cybersecurity!
Yep, we’re all still using passwords. Until something better comes along, let’s review the basics:
- Longer is better…with roughly 95 characters available on a keyboard, each additional character makes your password about 100 times harder to brute-force.
- Eight-character passwords are trivial to crack; strive for 14 characters or more (for arcane technical reasons). Even if your system only requires 8 or 9 characters, most systems accept 20 or more.
- Mixing up character sets (upper case, lower case, numbers, special characters) is good, but attackers assume you are doing that anyway, so…see rule #1
- Try not to use common strings like your name, the year, dictionary words, or even dictionary words with number substitutions. Keyboard patterns (qwerty) are not so good either.
- Use different passwords for different categories of risk: games, work, banking and sysadmin accounts, for example, need different passwords per category, if not for every individual logon
- Password “vaults” (password managers) can be helpful for managing a bunch of passwords, provided your master password is really strong
- Change your passwords periodically…but every 90 days has some drawbacks, both from a usability perspective and for technical reasons (see below)
OK, here is the rationale behind some of the above advice. Remember, the way password systems work is by taking your individual password, running it through a “one-way” (hash) algorithm, and storing the result locally. When you try to log in, the system runs the same algorithm on what you type and compares the result to the hash stored under your username. If it matches, you’re in; if you’re off by even a single character, the hash is totally different from the stored value and your login fails. So, the first thing hackers try to do is grab that local file with all the hashed passwords, preferably from the company server that has everyone’s password in it. Once they have it, they can work on their own machines in their own time to try to crack some of those hashes: guess a candidate, hash it, compare, repeat, billions of times per second.

A not very clever hacker can buy 3 GPUs (gaming graphics processors) for $2,000 and try EVERY combination of 8 characters and fewer in…48 hours. If your password is 8 characters, they’ve got it. The same setup takes about 6 months to exhaust the 9-character space…see rule #1! Those times assume the kind of fast hash many systems still use; a system that stores a deliberately slow, salted hash forces the attacker to spend far more work per guess, but you rarely get to choose how the systems you log into store your password. And of course, as compute power increases, these cracking times will continue to drop.
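The arithmetic behind the “8 characters in 48 hours, 9 characters in 6 months” claim, plus the hash-and-compare mechanism itself, as an added example (this is illustrative code, not from the original e-mail or any particular system). It assumes a 95-character printable ASCII alphabet, backs out the guess rate the article’s 48-hour figure implies, and contrasts an unsalted fast hash with a salted, iterated one (PBKDF2 here, as an assumed stand-in for whatever slow hash a system might use). The sample passwords are constructed.

```python
import hashlib
import hmac
import os
from typing import Optional

PRINTABLE = 95          # printable ASCII: 26 + 26 + 10 + 33
ARTICLE_SECONDS = 48 * 3600   # the article's "every 8-character combination in 48 hours"


def keyspace(charset_size: int, length: int) -> int:
    """Number of candidate passwords of exactly `length` characters."""
    return charset_size ** length


def keyspace_up_to(charset_size: int, max_length: int) -> int:
    """All candidates of max_length characters or fewer (what a full brute force tries)."""
    return sum(charset_size ** n for n in range(1, max_length + 1))


def implied_guess_rate() -> float:
    """Guesses per second the article's 3-GPU rig must be doing (assumes 95-char alphabet)."""
    return keyspace_up_to(PRINTABLE, 8) / ARTICLE_SECONDS


def months_to_exhaust(length: int, guesses_per_second: Optional[float] = None) -> float:
    """Wall-clock months to try every password of exactly `length` characters."""
    rate = guesses_per_second or implied_guess_rate()
    return keyspace(PRINTABLE, length) / rate / (30 * 86400)


def fast_hash(password: str) -> str:
    """Unsalted single SHA-256: one guess costs one cheap hash, and identical
    passwords collide across users, so a cracked hash unlocks every holder."""
    return hashlib.sha256(password.encode()).hexdigest()


def slow_hash(password: str, salt: Optional[bytes] = None, iterations: int = 600_000) -> str:
    """Salted, iterated hash (PBKDF2-HMAC-SHA256). Each guess now costs the
    attacker `iterations` hashes, and the per-user salt defeats shared tables."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_slow(password: str, stored: str) -> bool:
    """Login check: rehash what the user typed with the stored salt and compare
    in constant time. Off by one character means a completely different digest."""
    _alg, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    print(f"implied rate: {implied_guess_rate():.2e} guesses/s")
    for n in (8, 9, 10, 14):
        print(f"{n} chars: {months_to_exhaust(n):.1f} months")
    stored = slow_hash("Oct2013!")            # constructed sample password
    print(verify_slow("Oct2013!", stored), verify_slow("Oct2013?", stored))
```

Running it reproduces the article’s numbers: the implied rate is about 3.9e10 guesses per second, 9 characters take roughly 6 months, and 14 characters at the same rate take far longer than the hardware will exist. Note that `verify_slow` never stores or compares the plaintext, only the digest, which is exactly why the attacker must guess rather than read.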
Changing your password helps, except for two things. First, in many systems it now means hashes of your last 25 passwords are kept on the system to prevent you from re-using them…providing lots of additional fodder for the hacker. Second, people get lazy…in a recent audit of some Fortune 100 companies, almost 10% of passwords in October 2013 [statistics courtesy of KoreLogic] were of the form Oct2013! or Oct%2013 or Oct.2013!, which means that a hacker can come back this year with a very high probability of guessing those passwords in only a few tries. Worse yet, the patterns people use are very predictable. If your rule is “at least 8 characters and at least one of each of the 4 character types” (upper, lower, number, special), penetration tests have shown that somewhere between 40% and 50% of all compliant passwords actually in use conform to just 5 patterns, and the top 100 patterns predict the passwords of 85% of all users. An attacker who tries only those patterns skips almost the entire keyspace, so that difficult cracking problem just got a whole lot easier.
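What “conform to just 5 patterns” means in practice, as an added example (not from the original e-mail or from KoreLogic’s tooling): each password is reduced to a mask of character classes in the notation password crackers use (?u upper, ?l lower, ?d digit, ?s special), the most common masks across a set of policy-compliant passwords are counted, and the number of guesses needed to cover a mask is compared with the full 8-character keyspace. The password list is a small constructed sample, not audit data.

```python
from collections import Counter
from typing import List, Tuple

# Size of each character class on a US keyboard (33 printable specials incl. space).
CLASS_SIZE = {"?u": 26, "?l": 26, "?d": 10, "?s": 33}


def char_class(c: str) -> str:
    if c.isascii() and c.isupper():
        return "?u"
    if c.isascii() and c.islower():
        return "?l"
    if c.isdigit():
        return "?d"
    return "?s"


def mask(password: str) -> str:
    """'Oct2013!' -> '?u?l?l?d?d?d?d?s'"""
    return "".join(char_class(c) for c in password)


def mask_keyspace(m: str) -> int:
    """Candidates a mask attack must try to cover every password fitting the mask."""
    total = 1
    for i in range(0, len(m), 2):
        total *= CLASS_SIZE[m[i:i + 2]]
    return total


def is_compliant(password: str, min_len: int = 8) -> bool:
    """The article's policy: at least 8 characters and all four character classes."""
    return len(password) >= min_len and {char_class(c) for c in password} == set(CLASS_SIZE)


def top_masks(passwords: List[str], n: int) -> List[Tuple[str, int]]:
    """Most common masks among the compliant passwords, with counts."""
    return Counter(mask(p) for p in passwords if is_compliant(p)).most_common(n)


def coverage(passwords: List[str], n: int) -> float:
    """Fraction of compliant passwords an attacker gets by trying only the top n masks."""
    compliant = [p for p in passwords if is_compliant(p)]
    return sum(c for _, c in top_masks(compliant, n)) / len(compliant)


def mask_attack_cost(passwords: List[str], n: int) -> int:
    """Total guesses to exhaust the top n masks, versus 95**8 for a blind brute force."""
    return sum(mask_keyspace(m) for m, _ in top_masks(passwords, n))


# Constructed sample of passwords collected under the 8+/4-class policy.
SAMPLE = [
    "Oct2013!", "Nov2013!", "Sep2013$", "Oct%2013", "Oct.2013!",
    "Summer13!", "Autumn13!", "Welcome1!", "Monday1!", "Tr0ub4dor&3",
    "qwerty", "correct horse",          # fail the policy, excluded from the stats
]

if __name__ == "__main__":
    for m, count in top_masks(SAMPLE, 3):
        print(f"{m:24} {count:3}  keyspace {mask_keyspace(m):.2e}")
    print(f"top-2 masks cover {coverage(SAMPLE, 2):.0%} of compliant passwords")
    print(f"guesses for top-2 masks: {mask_attack_cost(SAMPLE, 2):.2e} vs 95**8 = {95**8:.2e}")
```

The month-year mask ?u?l?l?d?d?d?d?s has a keyspace of about 5.8e9, roughly a million times smaller than the 6.6e15 candidates of a full 8-character brute force, and on the constructed sample the two most common masks already account for half the compliant passwords. That is the mechanism behind the 40% to 50% figure: the policy shapes the passwords, and the attacker simply tries the shapes first.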
Bottom line: password length is your most important protection, but you have to be smart even then. Avoid predictable patterns, and when you change your password, change the structure as well as the specific characters. A good way to do this and still remember your password is to come up with a 12-20 character phrase you can remember, then mess with it a little by doing some number substitutions or dropping some letters to reduce the number of intact dictionary words. p4zzwrdsrurfrend!