By Andy Kemshall
Houston, we have a problem. There is no such thing as an un-crackable password. In 1995, the US Computer Emergency Response Team (CERT) reported that approximately 80 percent of the security incidents they received were related to poorly chosen passwords. Seventeen years later and little has changed – and the problem might even be worse.
The issue for the majority of us is that passwords are the only ‘block’ between a criminal and our personal information – and they are used almost everywhere. Email? Password. Online shopping? Password. Is it the same as the one you use for your email? What about the other ten or twenty or fifty sites you have visited online this year?
While I strongly advocate that the commercial world needs to take more responsibility for protecting its customers, while we’re waiting there’s a lot that we can do to prevent our virtual identities being abused. So, draw closer and let me tell you how.
Before I tell you how to create a virtually un-crackable password, it is important to understand how passwords can be broken.
How is a Password Cracked?
One method is the dedicated individual who trawls through a person’s life to glean snippets about them, all too often published on social network sites. Using things like a pet’s name, first school or maiden name, they try to ‘guess’ what a password could be. A targeted attack like this is limited in scale and, if I’m honest, really hard to prevent. However, I would advocate that you put as little personal information as possible online and, if you have used your pet’s or children’s names in a password, change that password immediately and don’t do it again.
The more likely scenario is a widespread automated guessing attack. Criminals use a program that submits guesses for them, either at a site’s login page or, far faster, against a database of password hashes stolen from the site, where nothing limits how quickly guesses can be checked.
Password crackers use two common techniques. In a dictionary attack the program works through the most common words in major languages, usually with variations such as capital letters and appended digits or years; a brute force attack goes through every possible character combination, which is exhaustive but slow.
Crackers also make use of lists of the most common passwords, harvested from earlier breaches. Since many users rely on the same few passwords (“123456”, “qwerty”, “abc123” and, of course, “password”), these weak words or phrases are no match for cracker programs.
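The three guessing strategies just described, run offline against a small set of password hashes. This is an added example, not code from the original article or from SecurEnvoy: the “leaked” accounts, the common-password list and the word list are all constructed here for the demonstration, and SHA-256 stands in for whatever fast unsalted hash a real breach turns out to contain.

```python
"""Common-list, dictionary and brute-force guessing against constructed
SHA-256 hashes. Added example, not from the original article; the
accounts, lists and words below are made up for the demonstration."""
import hashlib
import itertools
from typing import Dict, Iterable, Iterator


def sha256_hex(password: str) -> str:
    """Unsalted SHA-256 hex digest: fast to compute, and the same hash for
    every user who chose the same password."""
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed "leaked" database: username -> unsalted hash.
LEAKED: Dict[str, str] = {
    "alice": sha256_hex("password"),        # on every common-password list
    "bob":   sha256_hex("Summer2012"),      # dictionary word + year
    "carol": sha256_hex("dragon!"),         # dictionary word + symbol
    "dave":  sha256_hex("q7z"),             # short enough for exhaustive search
    "erin":  sha256_hex("D8*alookingfab"),  # long and matched by no rule below
}

COMMON = ["123456", "password", "qwerty", "abc123", "letmein", "111111"]
WORDS = ["summer", "winter", "dragon", "monkey", "football", "shadow"]
CHARSET = "abcdefghijklmnopqrstuvwxyz0123456789"


def common_list_guesses() -> Iterator[str]:
    """Cheapest pass: the handful of passwords a large share of users pick."""
    yield from COMMON


def dictionary_guesses(words: Iterable[str] = WORDS) -> Iterator[str]:
    """Dictionary attack with the mangling rules real crackers apply:
    case variants, then appended numbers, years and symbols."""
    for word in words:
        for base in (word, word.capitalize(), word.upper()):
            yield base
            suffixes = itertools.chain(
                (str(n) for n in range(100)),
                (str(year) for year in range(1990, 2013)),
                "!@#$%&*?",
            )
            for suffix in suffixes:
                yield base + suffix


def brute_force_guesses(charset: str = CHARSET, max_len: int = 3) -> Iterator[str]:
    """Every combination of charset up to max_len: complete, but the count
    grows as len(charset) ** n, which is why it is kept short here."""
    for n in range(1, max_len + 1):
        for combo in itertools.product(charset, repeat=n):
            yield "".join(combo)


def crack(hashes: Dict[str, str], guesses: Iterable[str]) -> Dict[str, str]:
    """Hash each guess once and look it up against every account at the
    same time; unsalted hashes make this one-to-many comparison free."""
    by_hash = {h: user for user, h in hashes.items()}
    found: Dict[str, str] = {}
    for guess in guesses:
        user = by_hash.get(sha256_hex(guess))
        if user is not None and user not in found:
            found[user] = guess
            if len(found) == len(hashes):
                break
    return found


def run_all() -> Dict[str, Dict[str, str]]:
    """Apply the three strategies in order of cost; returns what each found."""
    return {
        "common": crack(LEAKED, common_list_guesses()),
        "dictionary": crack(LEAKED, dictionary_guesses()),
        "brute_force": crack(LEAKED, brute_force_guesses()),
    }


if __name__ == "__main__":
    for strategy, hits in run_all().items():
        print(f"{strategy:12s} cracked {len(hits)}/{len(LEAKED)}: {hits}")
```

Four of the five constructed accounts fall, and the one that survives is the only one that is both long and free of dictionary structure. Note that the brute-force pass here stops at three characters: each extra character multiplies its cost by 36, which is the point the next section’s table makes.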
What is a strong password?
A fictitious word or phrase will take longer to crack than a real one, and adding numbers and symbols helps, but only if the result does not follow a pattern the cracker’s rules also try: a real word with a year or an exclamation mark on the end is still a dictionary guess. That said, and just to really focus your mind, here is how long an exhaustive search at 100 million checks per second (achievable with automation) would take to try every possible truly random password, assuming a 64-character alphabet of upper- and lower-case letters, digits and two symbols:

Password length   Tries per second   Time to break
4                 100 million        0.16 seconds
6                 100 million        11.4 minutes
8                 100 million        32 days
10                100 million        365 years

Bear in mind that 100 million per second is a conservative rate. Against a stolen database of fast, unsalted hashes a single graphics card manages far more, whereas a site that stores passwords with a deliberately slow hash cuts the attacker’s rate by orders of magnitude; the length you need depends on which of those the site has done, and you usually cannot tell.
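The arithmetic behind the table, as an added example rather than anything from the original article or SecurEnvoy. The 64-symbol alphabet is the size that reproduces the article’s rows (64 to the power of the length, at 100 million guesses per second; the article rounds its figures down). The block then contrasts those rows with the much smaller search space of a dictionary word with digits appended, and with the same 10-character random password at two other guess rates. Those two rates are illustrative assumptions, not benchmarks.

```python
"""Time-to-exhaust arithmetic for random passwords versus word-plus-digits
passwords. Added example, not from the original article; the alphabet
size is inferred from the article's table and the RATES values other
than the article's own are assumptions."""
import math

ARTICLE_RATE = 100_000_000   # guesses per second, as in the article
ALPHABET = 26 + 26 + 10 + 2  # 64 symbols: a-z, A-Z, 0-9 and two symbols (assumed)


def keyspace(alphabet_size: int, length: int) -> int:
    """Candidates an exhaustive search must try for a truly random
    password of exactly this length (the worst case for the attacker)."""
    return alphabet_size ** length


def seconds_to_exhaust(candidates: int, rate: float = ARTICLE_RATE) -> float:
    return candidates / rate


def human(seconds: float) -> str:
    """Format a duration in the largest of the units the table uses."""
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.2f} seconds"


def time_to_break(length: int, rate: float = ARTICLE_RATE,
                  alphabet_size: int = ALPHABET) -> str:
    """One row of the table for a given length and guess rate."""
    return human(seconds_to_exhaust(keyspace(alphabet_size, length), rate))


def word_plus_digits_candidates(dictionary_words: int = 100_000,
                                max_digits: int = 3) -> int:
    """A real word followed by up to max_digits digits: the cracker tries
    each word with every short numeric suffix, so the space is
    words x (1 + 10 + 100 + ...) rather than 64 ** length."""
    suffixes = sum(10 ** n for n in range(max_digits + 1))
    return dictionary_words * suffixes


def equivalent_random_length(candidates: int, alphabet_size: int = ALPHABET) -> float:
    """How many truly random characters give the same number of candidates."""
    return math.log(candidates, alphabet_size)


# Illustrative guess rates for the same random password (assumptions, not benchmarks).
RATES = {
    "article figure (1e8/s)": ARTICLE_RATE,
    "fast unsalted hash on one GPU (assumed 1e10/s)": 1e10,
    "deliberately slow hash such as bcrypt (assumed 1e4/s)": 1e4,
}


if __name__ == "__main__":
    print("length  time to exhaust at 1e8/s")
    for n in (4, 6, 8, 10):
        print(f"{n:>6}  {time_to_break(n)}")
    c = word_plus_digits_candidates()
    print(f"\nword + up to 3 digits: {c:,} candidates, "
          f"{human(seconds_to_exhaust(c))}, "
          f"equivalent to {equivalent_random_length(c):.1f} random characters")
    print("\n10 random characters at other rates:")
    for label, rate in RATES.items():
        print(f"  {label}: {time_to_break(10, rate)}")
```

A 100,000-word dictionary with up to three digits appended gives about 111 million candidates, roughly a second’s work at the article’s rate and worth about four and a half truly random characters, however long the resulting password looks.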
So, the answer is simple: create a truly random, complex password of 10 characters or more for each of your online identities. Don’t forget that they must all be different, because if you use the same password everywhere, then crack one and you’ve cracked them all. And of course you’d have to remember them all, as we all know you mustn’t write passwords down!
Okay, perhaps simple is a bit of an overstatement. Research confirms that most people can remember four characters of a complex password very easily. The problem is, when this is extended to five and over, it dramatically falls off. Unfortunately hardly anyone is able to remember a complex password of six characters or more.
Should I give up?
While it might seem like a hopeless struggle, all is not lost. I have a cunning solution to your password dilemmas!
Before you start punching the air, I’m not going to let you off the hook and say just create a four character password. Instead I’m going to insist that it is 10 characters or longer: a mix of letters and numbers and, if the site allows, some symbols for good measure. Letters should include both upper and lower case, numbers should be more than just 1s and 0s, and symbols can be anything, as they’re tricky little devils for a cracking program.
Now, take your head out of your hands as here’s the clever bit.
Break your password down into two or more sections, as this will make it easier to remember. It’s loosely analogous to two factor authentication, something you know and something you keep a record of, although strictly both halves are still things you know; a genuine second factor, such as a code sent to your phone, arrives by a separate channel.
One part remains static, by which I mean it doesn’t change, for each and every account you have. I suggest this is the bit where you add the cleverness: symbols, numbers, upper- and lower-case letters, for example D8*a. As this part of your password is only four characters it should be easy to remember. This is what I like to think of as ‘something I know’.
The second part should be relevant to the site you are creating the password for. So, for example, if it were for an online catalogue company you could add the phrase ‘lookingfab’ to the static element, for an auction site you could add ‘lucky7’, and so on, as long as it is something different for each site and not something a stranger could derive from the site’s own name. It wouldn’t hurt to make a note of these elements, perhaps in the notes app on your phone, provided the phone is locked, the note is somewhere only you know about, and it never records the static part alongside them. This part is the ‘something I own’, be it a message in my notepad or stored elsewhere.
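A worked version of the two-part scheme, as an added example that is not the author’s or SecurEnvoy’s code. It composes the article’s static part D8*a with a per-site part, checks each result against the rules set out above (ten characters or more, upper and lower case, a digit other than 0 or 1, a symbol where permitted, and a different password for every site), and adds the check the text implies: a site part that echoes the site’s own name is rejected. The site names and parts are constructed.

```python
"""The static-part plus site-part password scheme, with the article's
rules enforced as checks. Added example, not the author's code; the
sites and site parts used are constructed."""
import re
import secrets
import string
from typing import Dict, List

STATIC = "D8*a"  # the article's own example of the static, complex part


def compose(static: str, site_part: str) -> str:
    """The finished password for one site."""
    return static + site_part


def check_policy(password: str, symbols_allowed: bool = True) -> List[str]:
    """Return the list of rule violations; an empty list means it passes."""
    problems = []
    if len(password) < 10:
        problems.append("shorter than 10 characters")
    if not re.search(r"[a-z]", password):
        problems.append("no lower-case letter")
    if not re.search(r"[A-Z]", password):
        problems.append("no upper-case letter")
    if not re.search(r"[2-9]", password):
        problems.append("no digit other than 0 or 1")
    if symbols_allowed and not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no symbol")
    return problems


def site_part_echoes_site(site: str, site_part: str) -> bool:
    """A site part a stranger could derive from the site's name (the first
    label of its hostname here) adds nothing an attacker would not try."""
    host = site.lower().split(".")[0]
    part = site_part.lower()
    return host in part or part in host


def passwords_for(sites: Dict[str, str]) -> Dict[str, str]:
    """Build one password per site, rejecting any that fails the policy,
    repeats another site's password or echoes the site name."""
    out: Dict[str, str] = {}
    for site, part in sites.items():
        password = compose(STATIC, part)
        problems = check_policy(password)
        if site_part_echoes_site(site, part):
            problems.append("site part echoes the site name")
        if password in out.values():
            problems.append("same password as another site")
        if problems:
            raise ValueError(f"{site}: {', '.join(problems)}")
        out[site] = password
    return out


def random_site_part(length: int = 8) -> str:
    """If the site parts are going to live in a note anyway, they may as
    well be random rather than a word a dictionary attack would try."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    # Constructed sites using the article's two example site parts.
    plan = {"catalogue.example.com": "lookingfab", "auction.example.com": "lucky7"}
    for site, password in passwords_for(plan).items():
        print(f"{site:24s} {password}")
    print("random site part for a new site:", random_site_part())
```

Running it with the article’s two examples passes both; change the auction site’s part to ‘auction1’ and the echo check rejects it, and giving two sites the same part trips the uniqueness check.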
If you still need help with your password management, there are some clever programs that can help. These allow you to register the first element of your password (the static, complex element) and they create and send you the second part, via SMS, periodically, i.e. when it needs to change. By saving the message you have a constant reminder, although that message then carries half of your password, so keep the phone itself locked.
While we’re waiting for the commercial world to wake up and start making it harder for criminals to steal our online credentials, in a way that doesn’t make it impossible for us to continue to interact with them, we have to take up the slack and protect ourselves. Applying this simple methodology to password creation means that an exhaustive search at the rates above will take a ‘cracking’ program at least a year to break our passwords, provided the site-specific part is not itself a plain dictionary word that a rule-based attack would try early, and we’ll always remember them. And, just in case an undesirable does try to break the code, by changing one of the elements periodically we can stay one step ahead of the fraudsters and their software. One caveat: if a site you use is breached and your password for it leaks, change the static element as well as that site’s part, since the leaked password reveals both. Now, doesn’t that make you feel empowered?
About the author
Andrew Kemshall is the Co-founder and Technical Director of SecurEnvoy. Before setting up SecurEnvoy, which specialises in tokenless two factor authentication, he worked for RSA as one of their original technical experts in Europe, clocking up over 15 years’ experience in user authentication. His particular specialty is two factor authentication in the fields of architecture, design and development of next generation authentication software.
About the company
SecurEnvoy is the trusted global leader of Tokenless® two-factor authentication. SecurEnvoy leads the way as a pioneer of mobile phone based Tokenless® authentication. Their innovative approach to the Tokenless® market now sees thousands of users benefitting from their solutions all over the world. With users deployed across five continents, their customers benefit from significantly reduced time to deploy, and a zero footprint approach means there is no remote software deployment, while administrators enjoy management tools allowing them to rapidly deploy up to 20,000 users per hour.