Time to Change Your Passwords This month starts my sixth year writing this column. Each year I have written at least one column on creating secure passwords. I often try to do this in January. This year we revisit the topic as a part of my privacy series with an eye toward explaining how passwords are cracked and why creating strong passwords and changing them periodically is important.
First let's review the rules I wrote way back in March of 2015: 1. Passwords should be 13 characters or longer 2. Passwords should be a mix of numbers, upper- and lowercase letters, and symbols or special characters 3. Passwords should be unique to each place they are used 4. Passwords should be changed regularly 5. Passwords must be easily remembered The number 13 in rule 1 has been revised from the original 12 to reflect speed improvements in hardware and software used to crack passwords over the past 5 years.
Hashes and Hacking The security of your passwords depends on both what you do and the security of the site where the password is stored. Passwords should always be stored as a slow hash. A hash is a mathematical formula that creates a number, called a hash value or hash, from a stream of data. The formula is designed so the hash is unlikely to match a hash that might be created from another stream of data. It is not possible to recreate the original data from the hash making hashes useful for identifying data without revealing the original data. For example, if a stored hash matches the hash created using a specific formula, user ID, and password, then credentials are a confirmed match. The best way to create a hash for passwords is to use a slow hash algorithm designed to take a lot of time on a computer. The hashing process is slowed down by iteratively rehashing the hash result many times. This rehashing is commonly repeated 20,000 to 50,000 times. These large numbers are needed because graphic processing units (GPUs) in modern computers and modern hashing techniques are getting faster. Typically, the iterations are increased every few years to keep the process slow. Longer passwords and the mix of numbers, upper- and lowercase letters, and special characters also increase the time required to guess the correct password.
But that is not the end of the story. Unfortunately, not every site uses a slow hash of the passwords/credentials. Some choose to use fast hashing formulas (typically out of ignorance) or encryption. Because these are not designed to be slow, modern computers can brute force these passwords and do it very quickly. Also, keys used for encryption can be compromised. There have even been a few sites that have been caught not protecting passwords at all.
Cracking The brute force approach to cracking password is to try hashing every possible combination of letters, numbers, and special characters until a hash matches the hash of a password. Most password crackers don't start by using brute force; instead they start with lists of passwords that people have already cracked. Typically, the first list is a fairly short list of the most commonly used passwords. The cracker may eventually use a master list of over 10 million previously hacked passwords. They also use word dictionaries and then try numbers and/or symbols in front of and behind the words and try common substitutions of characters like zero for the letter “O” or 3 for the letter “E.” This is all done before brute force is even attempted and often results in cracking more than 60% of the passwords in a large password database within hours or days.
Don't Repeat So let's say you use a single password for every site on the web and one of the sites doesn't store passwords securely. The hacker will try to use the same login ID and password on other sites like Gmail or Facebook to see if the same credentials work there. This is why rule 3 requires different passwords for each and every site. So you have a different good secure password for each site, but a site is hacked. The site owner may not even know they were hacked. Your password isn't cracked for the many months because it is a good one, but eventually it is cracked. This is why passwords should be changed periodically and the need for rule 4. I suggest passwords should all be changed at least once a year. Finally, rule 5; "easily remembered." If you can't remember your password then you must go through password recovery, which is often the weakest link in a credential system. You may decide to use a password management system, but I always find that I can't access them just when I need them most.
Creating Strong Passwords The technique I use to create good passwords is to create rules for generating the passwords. Your rules should be different than the ones I use here, but this is a good example; • Pick a phrase you will remember—I will use "I'd like to be, under the sea" from the Beatles song “Octopus’s Garden.” • Create a rule to pick letters from this phrase—Rule: Pick the first letter of each word, or "iltbuts" • Create a rule to upper case letters—Rule: Upper case every third letter—"ilTbuTs • Pick a number at least 2 digits long that changes each year—Rule: Years since the attack on Pearl Harbor: 2020-1941 = 79 • Rule: Append the $ as the special character if allowed—ilTbuTs79$ • Rule: Use the first 2 and the last 2 characters of the website name and capitalize the first letter of the site name—so for amazon.com then use "Amon" • Combine these to make your new password: ilTbuTs79$Amon
Of course, you can mix, match, and reorder the rules as you please to make sure your passwords are unique. Next month we will have more discussion on protecting your information.