Your Passwords Suck

So do mine.  What can you say?  Maybe I should write that, p@5SW0rdz?  It doesn’t matter.  We all use passwords.  It’s the simplest and most popular method systems and sites have to authenticate us.  

But let’s face it, passwords suck.  There are lots of problems with how we use passwords, and my aim today is to help sort some of those out. The main thing you need to know about passwords is that they are typically not used well enough to secure much of anything, because humans have certain mental patterns that are difficult to break out of.  One is that we will tend to choose, as “secret words” that we know we need to remember, things that have a particular meaning to us.  A child’s name, a wedding anniversary, a favorite sports team.  The advantage is that these things don’t change, so we can reliably remember them.  But that is also a huge disadvantage, especially since we make it easy for anyone to learn these things about us, via social media.

The most basic way to attack a password is brute force: try candidate passwords one after another until one matches.  Against a long random password that is hopeless, but once an attacker knows your kids’ names, your milestone dates and your favorite teams or bands (all of which you have probably posted), the list of plausible candidates shrinks dramatically, and the match comes a lot faster.  

Almost as easy for an attacker is a password that isn’t based on your life but is still a real word.  That calls for a refinement of brute force, the “dictionary attack”: instead of every possible string, the attacker tries every word in a list of common words and previously leaked passwords.  On modern hardware that takes seconds rather than hours or days.  And it works even if you take your favorite fruit, say “pineapple”, and cleverly change it to “p1N3Appl3”.  Cracking tools apply “mangling rules” to every word on the list: swapping letters for look-alike digits and symbols, changing case, appending digits and years.  Those rules generate every variation you are likely to think of, and they slow the attack down by only a few heartbeats.
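To make the mangling-rule point concrete, here is a small dictionary attack in Python.  It is an added example, not code from the original post or from any real cracking tool: the word list, the substitution table and the suffix list are constructed for the demo, and the target is an unsalted SHA-256 hash standing in for whatever a breached site stored.

```python
import hashlib
import itertools

# Constructed mini word list for the demo; real cracking lists run to millions
# of words and leaked passwords.
WORDLIST = ["summer", "dragon", "pineapple", "password"]

# Per-character substitutions of the kind found in cracking rule sets
# (assumed, illustrative; real rule sets are far larger).
LEET = {"a": "4@", "e": "3", "i": "1!", "l": "1", "o": "0", "s": "5$", "t": "7"}

# Common suffixes: nothing, a digit or two, a symbol, or a recent year.
SUFFIXES = ["", "1", "12", "123", "!", "!!"] + [str(y) for y in range(2000, 2025)]


def sha256_hex(text: str) -> str:
    """Unsalted SHA-256, standing in for whatever the breached site stored."""
    return hashlib.sha256(text.encode()).hexdigest()


def mangle(word: str):
    """Yield every per-character case/leet variant of word, each with every suffix."""
    per_char = [[c, c.upper()] + list(LEET.get(c, "")) for c in word.lower()]
    for combo in itertools.product(*per_char):
        base = "".join(combo)
        for suffix in SUFFIXES:
            yield base + suffix


def dictionary_attack(target_hash: str, wordlist=WORDLIST):
    """Hash mangled dictionary words until one matches target_hash.

    Returns (plaintext, guesses_tried), or (None, guesses_tried) when the
    whole list is exhausted without a hit.
    """
    guesses = 0
    for word in wordlist:
        for candidate in mangle(word):
            guesses += 1
            if sha256_hex(candidate) == target_hash:
                return candidate, guesses
    return None, guesses


def brute_force_keyspace(length: int, alphabet_size: int = 94) -> int:
    """Number of strings of the given length over the 94 printable ASCII symbols."""
    return alphabet_size ** length


if __name__ == "__main__":
    target = sha256_hex("p1N3Appl3")  # the "clever" fruit from the text
    plaintext, guesses = dictionary_attack(target)
    print(f"recovered {plaintext!r} after {guesses:,} guesses")
    print(f"exhaustive search of 9 printable chars: {brute_force_keyspace(9):,} guesses")
    miss, guesses = dictionary_attack(sha256_hex("Kg52k$hm^YG@yuR%WD"))
    print(f"random password: {miss} after {guesses:,} guesses (whole list exhausted)")
```

The mangled fruit falls out in a few hundred thousand guesses, against roughly 5.7 × 10^17 for an exhaustive search of nine printable characters; the random password survives the whole list.  Note that the hash is not what saves it: a real site should store passwords with a salted, deliberately slow hash (bcrypt, scrypt or Argon2), which multiplies the attacker’s cost per guess but does nothing about a tiny candidate space.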

There’s another habit we have as humans that makes life easier for criminals: we reuse passwords.  Typing a given password more often makes it likelier we’ll remember it, doesn’t it?  Well, all that means to a criminal is that once they have it for one site, they have it everywhere we go; that is why the first thing done with a password leaked from one site is to try it on every other site (the trade calls this “credential stuffing”).  Now, even as hard as it is to remember a single good password, here’s that mean old Safer Computing blogger telling you to make up a new and different one for every site.  This is ridiculous!  You can’t do this!  Heck, Safer Computing can’t!  Nobody can…. Nor should they.  

No, the human brain is not up to making or remembering good passwords.  p@5SW0rd is a pretty lousy one, and so is p1N3Appl3.  A good password looks like Kg52k$hm^YG@yuR%WD: long, random, and meaning nothing to anyone.  But I don’t want to type that, and I don’t want to have to remember it.  Lucky for me, I don’t have to.  There are a number of good password managers out there: programs that generate, store and fill in good complex passwords for you, so you never have to deal with strings like Kg52k$hm^YG@yuR%WD yourself.  You remember one strong master password, and the manager remembers the rest.  The one I would recommend from my current tool kit is LastPass (https://www.lastpass.com/).  [Ed. Note May 2023: do NOT use LastPass.  --DCF] It integrates into your browser so you can let it log into sites for you.  When you’re signing up for some new service, it (usually) detects that and offers to generate a gnarly unguessable password for you.  And if you load your current set of passwords into its database, it will flag problems like weak passwords and duplicates and offer to fix them.  All in all I have been happy enough with it to upgrade to the paid version for several years now.  But start with the free version; it’s got more than enough power for most folks.  If you want to try something else, take a look at 1Password (https://1password.com/), or for a stand-alone program instead of a web-based database, try KeePass2 (http://keepass.info/).  I have no affiliation with any of these products.  
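What a password manager’s generator actually does is simple, and worth seeing once so you trust it.  The Python below is an added example, not code from any of the products above: it draws from the operating system’s cryptographic random source, enforces a character-class rule without biasing the result, and puts a number on how much harder the output is to guess than the mangled dictionary word from earlier.  The guessing rate used for the comparison is an assumption for illustration.

```python
import math
import secrets
import string

# 94 printable ASCII symbols: letters, digits and punctuation.
ALPHABET = string.ascii_letters + string.digits + string.punctuation
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)


def has_all_classes(password: str) -> bool:
    """True if the password contains at least one character from each class."""
    return all(any(c in cls for c in password) for cls in CLASSES)


def generate_password(length: int = 18, alphabet: str = ALPHABET) -> str:
    """Draw a uniformly random password from the OS CSPRNG (secrets, never random).

    Rejection sampling keeps the result uniform over all passwords that pass
    the class check; forcing one character of each class into fixed positions
    would instead give the output a predictable structure.
    """
    if length < 12:
        raise ValueError("use at least 12 characters")
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if has_all_classes(candidate):
            return candidate


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Bits of entropy of a uniformly random password: log2 of the keyspace."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_second: float = 1e10) -> float:
    """Years to try every password at an assumed rate (default 10 billion/s)."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    pw = generate_password()
    print(pw, f"({entropy_bits(len(pw)):.1f} bits)")
    print(f"exhaustive search at 1e10 guesses/s: {years_to_exhaust(entropy_bits(18)):.3g} years")
    # For comparison, a mangled dictionary word is one of a few hundred thousand
    # candidates, i.e. under 20 bits, whatever it looks like on the screen.
    print(f"'p1N3Appl3' as a mangled dictionary word: ~{math.log2(300_000):.0f} bits")
```

Eighteen characters from 94 symbols is about 118 bits; the same length typed from a dictionary word plus a mangling rule is under 20.  The point of the manager is that it makes the first kind as cheap to use as the second.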

Finally, let’s talk about ways to make your passwords less important (they suck, remember?).  The best way is to add a second factor to your authentication on anything that matters.  If the password is the only thing needed to get into a service, then having that password compromised is a disaster.  But if getting into, say, your GMail requires both a password and the current code for GMail from the Authenticator app on your phone, then losing only one of those is an annoyance rather than a disaster.  Any important site (email, social media, banking, stock trading, etc.) that offers two-factor authentication, you should absolutely accept that offer and set it up.  The second factor will often be tied to your phone, and that’s actually just about ideal: you already have it, and it’s something you have that a crook who just guessed a password does not have.  (Where a site gives you the choice, an authenticator app or a hardware key beats codes sent by SMS, since a phone number can be hijacked more easily than the phone itself.)  This makes everyone safer (crooks excepted).  If an important site you use does not offer two-factor authentication, ask them some questions: Why not?  When WILL they offer it?  And of course, how do I transfer my account to a competitor who DOES offer it?

This article was updated on 2023-05-12 10:07:10

CISO-in-a-Box

Infosec geekosaurus.  All opinions my own.

Information security since 2005.  IT... well into my second millennium.