Welcome to the 21st century where the average person has to remember more passwords than family member birthdays. Stop right now and think about just how many passwords you use on a daily basis:
- ATM pin(s)
- Credit card pin(s)
- Work computer(s)
- Home Computer(s)
- Email account(s)
- Online banking account(s)
- Online shopping store account(s)
The list just keeps growing. In the 21st Century we are what these passwords access so we need to choose really “good” ones. So what is a good password? The short answer is no one knows but you. That doesn’t stop everyone and their son, the computer wiz, from expressing their opinion of what a “good” password is; they just happen to be wrong. I know those are fighting words but stick with me and I’ll show you why.
Access logs – your identity’s credit report
To know what a good password is we must first understand how computer systems are designed to protect passwords. One word - logging. The first step of account access is authentication. This is the step where you present your ID and password to the system to gain access and this information is verified. For our purposes the ID is either the physical card you give the machine or a username you provide. The system checks to see if the password is correct and either lets you in or kicks you out. Either way a properly designed system logs access; the better ones even track multiple failures in a row and either alerts someone or locks out access. This is good right? When was the last time you even looked at your computer’s logs if ever … Does your bank or store advertise the fact they do? Do they at all? Logs are only as good as the amount they are reviewed. Think of them as a credit report, unless you take a peek every once in a while, the first time you detect trouble is too late.
I have people come up to me all the time saying they think they are hacked because they think people are accessing their computer. I could ask how they know, what tipped them off, is something missing, etc. I don’t. The first question I ask is did they review their logs. Only they know when they have accessed their computer because only they know the times and types of activity they didn’t do. If they didn’t log onto their computer at 3 AM and their computer says they did; they will catch it - I won’t. Is there a bunch of log-on failures in the logs? Is there a single one and they didn’t do it? Change your passwords now. Change ALL of them and for bytes sake don’t you use the same one everywhere. Believe it or not you will catch most issues this way without the techie house call required. Just remember this golden rule:
If you have a doubt, change your password NOW and reinstall your system from scratch.
It is easier and far cheaper than bringing in an expert to try and fix the problem. Do you really trust anyone getting paid less then $200 an hour to outsmart a hacker? Just because the Retailmart geek can’t find a problem doesn’t mean there isn’t one. The simple act of putting in that Windows or Linux CD and starting over can stop the best hacker in their tracks, or at least put them back at square one.
The computer crowbar
The Hollywood style of breaking into the computer protected system is a guessing game. We have all seen the sneaky thief/spy/hero/scantly clad woman using a special program to rapidly try password after password until the door opens. It is the computer equivalent of using a crowbar to break the window or pry the door open; it’s noisy and messy – but it works. To see why requires us to stop for a moment and think about what a password really is. A password is a string of letters, numbers, letters, etc. This makes the password a numbers game. How many guesses does it take to get to the center of that tootsie pop?
If you set your password to be “Fido,” how hard is it to guess? Let’s see, the password is 4 characters long so the math is N to the forth power where N is the number of possible letters per character. With 26 letters in the English language the formula becomes:
26 letters lower case + 26 letters upper case = 52 letters per character. (N = 52)
52 to the 4th power = 711,616 possible passwords.
Since the Hollywood program can guess a million passwords a second the scantly clad heroine opens the door in under one second. The simple way to make it harder to guess the password is to both increase the number of possible guesses per character and increase the number of characters in the password:
26 lower case letters +
26 upper case letters +
0-9 digits +
~!@#$%^&*()_+ symbols, 13 of them.
That's 26 + 26 + 10 + 13 = 75 combinations per character with an 8 or more character password meaning 1,001,129,150,390,625 combinations; our heroine may need to order lunch while she waits. The point of all this is that it is noisy. Every guess will be logged and the better systems will be paging geeks left and right or locking the account – If someone actually is looking at the logs. Are you?
The computer lockpick
Of course the above example really only happens in Hollywood. The smart money is to realize that the password is only as good as the owner. People make passwords that they can remember and they tend to use the same one everywhere. For the next example we are going to need a volunteer from the audience. (the sound of crickets chirping) Let’s try again, for the next example we are going to create a fictitious computer user to pick on:
Name: Protagonist Simpleton
Address: 1234 Main Street, Anytown, Ohio, Flyover County.
College: MBA from Ohio State. He is a college football fan to the point of body paint.
Family: Wife Jane, son Billy, and dog Fido.
So this person’s native language is probably English, he likes football and tracks his collage’s team, and he is a family man. A good bet on this person’s password would be words and phrases dealing with these likes, dates of his wife or children, phone numbers, addresses etc. With a little work Googling this person we can build a pretty good list of password possibilities. Don’t forget his mom’s maiden name this nugget is golden – password resets will be a breeze. “I lost my VISA card and I’ve moved can I get you to send me a new one? Sure! What’s your mother’s maiden name?” The point is we have reduced the trillions of guesses down to a few hundred thousand. Jeeze, running the entire English dictionary of words takes less than a second on a modern computer.
The computer pickpocket
By now it should be very obvious why log reviews are important. This next break-in example doesn’t leave any traces … For you to use the password the computer system must know it. That is pretty obvious right? Well, if the system knows your password it must be storing it somewhere and that means that the bad guys can just steal it. A good system will store the password in a form that is not usable in and of itself and it will protect this store of passwords; however, it still makes for a very tempting target. What this does is make your password only as good as the password and controls of the outsourced system administrator or call center employee making $5 a day in India, China, or other 3rd world hell hole. It’s a good thing you use a unique password on every account.
If you are using the Internet to access your account then that password just was sent out for all to see and capture. Hope the system was good enough to secure that transmission. If not the most likely case is the bad guy still has to do the crowbar or lockpick trick on the stolen passwords. The difference is that since they already have the file of encrypted or password hashes I.e. passwords in unusable form they can guess against this file and not leave any log entries to see. The first time they use your password is when they have guessed it correctly in the file.
The savvy citizen
How do you protect against this? Beyond only doing business with companies who have a clue and don’t outsource their security beyond the reach of your countries laws to follow; make your password hard enough to take awhile to guess. The game we all play is the rabbit and the tortoise and we are the rabbit. Each time we change our password we are sprinting ahead of the tortoise with the distance being how hard we made our password. Like the rabbit in the fable, we are resting on the side of the race course while the tortoise keeps on plodding along. The bad guys are guessing away all day and night slowly creeping up on the right password. Using our above example of 8 characters and 1 million guesses per second; it will take AT MOST 31 years to get the password. It isn’t IF the tortoise will catch up – it’s a matter of WHEN. In real life using publicly available programs an 8 character password is guaranteed to be guessed in less than 2 months. So like the rabbit we will loose the race unless we wake up and sprint ahead some more.
As the rabbit, our goal is to stay ahead of the tortoise. We can do that by controlling two things; the distance we sprint each time and how often we sprint. If a public tool can guess the password in 2 months the bad guys can do it in a month. If we use an 8 character password with numbers, letters, capitalization, AND symbols; then we need to sprint ahead by making a new one every month for every account! That’s a lot of sprinting and I’m getting tired of remembering that many new passwords every month. If you look at the math above and plot it the result is an exponential curve with each additional character making the password exponentially harder. I’m not going to graph this myself because the guesses per second are based on the bad guy’s tool and only they know what they are using. Just remember the general principle of longer passwords allow for longer duration between changes.
Does this mean everyone needs to remember dozens of constantly changing hard to remember gobbly gook that isn’t a word? No. The dictionary is made up of a list of single words, by putting words together into a single sentence then you have a very long easy to remember passphrase. The passphrase “Jane Simpleton is the love of my life!” is IMHO easier to remember and much harder to guess than “!h3r32D4y.” Both passwords are completely worthless if they are never changed.
So what is a good password?
A good password is one that you can remember without writing down. A good password is one that you change as often as your current one requires – The longer the password the longer between changes. A good password is one you trust – when in doubt change it!