For more than 40 years, the IT industry has been fighting the password battle and losing. The recent celebrity iCloud hack is just one of many high-profile examples of our failure. So how can something so seemingly simple, like a password, be so difficult?
The problem with password security is that it is so simple that it is, paradoxically, hard. In security, the most dangerous thing in the world is what you think you know, because then you don't question your knowledge. If you ask a typical IT security professional whether they understand passwords, the vast majority will respond with a confident and emphatic "Yes." But if that were really true, why are password-related breaches so prevalent?
We are not discussing technical issues of protecting passwords in storage. Rather, we are discussing the human part of the equation. People continue to choose bad passwords. Case in point, the most common password of 2013 was "123456", second place went to the word "password", and in third place, "12345678". And yes, the venerable favorites of "iloveyou", "letmein", "abc123", and "princess" make the list of common passwords every year, as well. (The list of common passwords can be found here).
So why are users putting such little thought into their passwords? It happens, in part, because people (celebrities included), don't think anyone will go after their account. It is the old, "it won't happen to me" mentality. But it also happens because our message to users on passwords is often flawed.
One of the biggest mistakes the IT security industry continues to make is pushing users to implement extremely complex passwords without providing realistic guidance on what that truly means. If we make it too difficult for users to remember a password, "123456" is the end result. In the rare event the user does create a complex password, it will often be too short and used on all of their sites -- at home and at work -- including electronic purchases and online banking. That means a compromise at any one site can lead to potentially devastating consequences.
Debunking complex passwords
The term "complex password" is perhaps the most misunderstood term in the IT industry and the cause of many of today's password problems. Too often, "complex password" is interchangeable with "impossible to remember." We must come to the understanding that complexity is only a small part of the equation. It is not simply a question of complexity, but of unpredictability (password entropy is a helpful measurement of password predictability). That is the key to a good password.
An unpredictable password can be easy for a user to remember. Using a combination of uppercase, lowercase, numbers and special characters (classic complexity rules) is fine -- so long as we don't focus solely on those rules. For example, take the string, "Iwentfishing4timeslastmonth?". This password (or, more accurately, passphrase) is easy to remember and easy to type. It is not predictable, yet it is a "complex password" in that it contains the upper/lower/number/special characters that we always recommend.
Any short sentence or saying that is easy for the user to remember will work. Take that saying and add just a touch of the complexity rules and suddenly you have an extremely strong password that will not be found in a hacker's dictionary and can only be broken via brute force. The "Iwentfishing4timeslastmonth?" example above would take about 76.43 million trillion trillion centuries to brute force, even at a rate of one hundred trillion guesses per second, according to Gibson Research Corporation's brute-force password calculator. That's a strong passphrase.
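To make the entropy-versus-complexity point concrete, here is an added example (not from the original article or from Gibson Research Corporation) that scores a candidate password the way the text describes: it first checks the candidate against a small constructed list of common passwords, and only then estimates entropy and exhaustive-search time from the character classes used. The symbol-set size of 33 and the search over every length up to the candidate's length are assumptions chosen to mirror the haystack-style model the article cites; the result for the fishing passphrase lands within a few percent of the article's figure rather than reproducing it exactly.

```python
import math
import string

# Constructed sample of the most common passwords named in the article.
# A real check would load a full breach-derived list.
COMMON_PASSWORDS = {
    "123456", "password", "12345678", "iloveyou",
    "letmein", "abc123", "princess",
}

# One hundred trillion guesses per second, the rate quoted in the article.
GUESSES_PER_SECOND = 1e14

SECONDS_PER_CENTURY = 100 * 365.25 * 24 * 3600


def charset_size(pw: str) -> int:
    """Alphabet an attacker must cover, based on the classes present in pw.

    Symbol count of 33 (punctuation plus space) is an assumption that mirrors
    the haystack model the article's figure comes from."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation or c == " " for c in pw):
        size += 33
    return size


def search_space(pw: str) -> int:
    """Total guesses to exhaust every string up to len(pw) over the alphabet."""
    n = charset_size(pw)
    return sum(n ** i for i in range(1, len(pw) + 1))


def entropy_bits(pw: str) -> float:
    """Entropy in bits assuming each position is chosen uniformly from the alphabet."""
    return len(pw) * math.log2(charset_size(pw))


def brute_force_centuries(pw: str, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case centuries to exhaust the search space at the given rate."""
    return search_space(pw) / rate / SECONDS_PER_CENTURY


def assess(pw: str) -> dict:
    """Dictionary check first: a common password falls to a wordlist,
    so its apparent entropy is irrelevant."""
    if pw.lower() in COMMON_PASSWORDS:
        return {"verdict": "dictionary", "bits": 0.0, "centuries": 0.0}
    return {
        "verdict": "brute-force only",
        "bits": entropy_bits(pw),
        "centuries": brute_force_centuries(pw),
    }


if __name__ == "__main__":
    for candidate in ("123456", "P@ss1", "Iwentfishing4timeslastmonth?"):
        r = assess(candidate)
        print(f"{candidate!r}: {r['verdict']}, "
              f"{r['bits']:.1f} bits, {r['centuries']:.3g} centuries")
```

Note what the two stages show: "P@ss1" uses all four character classes yet has under 40 bits of entropy and falls in well under a second, while the long, memorable passphrase is the one that is only reachable by brute force.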
Users can take a few strings of this nature and develop a formula that makes sense to them for modifying the string on different sites. For example, a Facebook password might add "FB" and the user's graduation year to become "FB89Iwentfishing4timeslastmonth?" and so on. I would suggest a more complex formula than the one in this simple example, but the concept is there. Using this method, the user can now have a very strong, easy-to-remember, easy-to-type, and different password on every site they visit. Is this perfect security? Of course it isn't. But does it beat the password "123456" being used on 30 different sites? Yes it does.
Another trick is to create a unique username when possible. While many sites require a user's email address as the username, some financial institutions will allow for the creation of distinctive usernames. If the user has his or her email address as the username at every site (especially with the same password), and that information is compromised at any one site, then tracking down the user's other sites becomes simple. Putting a unique username on any site dealing with money is a good idea, as is using a different passphrase string on these critical sites.
As a security community, we must do a good job of getting our message across to the users about how to create good passwords. We must get users to understand "123456" is not a viable password and that impossible-to-remember passwords are not necessary either. Being successful with this message means we must come to a better understanding of unpredictable passwords ourselves. Only then can we hope to explain the message to our users.
About the author:
Keith Palmgren is a Certified SANS instructor and runs his own consulting company, NetIP Inc. in San Antonio. Keith has 30 years of experience in the IT security field and holds the CISSP, GSEC, GSLC, GCIH, GCED, GISF, CEH, Security+, Network+, A+, and CTT+ certifications.