Monday, December 17, 2012

Why all the hubbub about passwords?

1/5/12 - 45,000 Facebook passwords compromised
2/13/12 - Millions of passwords compromised from Microsoft India's online store
6/6/12 - Roughly six million LinkedIn password hashes stolen and posted online, compromising those users' accounts
6/6/12 - 1.5 million passwords compromised at the dating site eHarmony
11/14/12 - Millions of Skype passwords compromised
11/21/12 - A single stolen password let an attacker into the South Carolina Department of Revenue, exposing ("losing") tax details for over 700,000 businesses statewide
5/12/12 - A stolen password led to the compromise of 1.1 million customers' data at Nationwide Insurance
And Experian has reportedly suffered 80+ known breaches involving passwords, prompting an ongoing investigation into all three major credit reporting companies.

These are a mere fraction of the ongoing attacks on online accounts worldwide, and only a tiny sample of the successful ones. Passwords are big business for the unethical computer geek.

And the weakest link? YOU.

That's right: the weakest part of any security system is its users, administrators and end users alike. Don't take this as an insult; take it as a lesson you need to learn and put into practice NOW. You see, there's a special type of attack called "Social Engineering", and the interesting part is that it doesn't have to involve a computer at all, though it often does, as we'll see later.

The movie-myth version of a hacker (properly a "cracker" when the goal is breaking in) sitting in front of a keyboard, typing furiously for hours to break into a Gibson and bring down the company is generally erroneous. But Hackers gets two things right: the weak password ("God"), and the scene where Zero Cool/Crash Override phones the TV station's security guard and talks him into reading off the number of the dial-up modem.

Whoops.

Social Engineering is defined on Wikipedia as:
"...the art of manipulating people into performing actions or divulging confidential information. While it is similar to a confidence trick or simple fraud, it is typically trickery or deception for the purpose of information gathering, fraud, or computer system access; in most cases the attacker never comes face-to-face with the victims."

In other words, they trick you into giving up some vital piece of information, often your password, or details to figure it out. Or they get you to reveal private details like your username. They might call you, email you, or text you.

In the movie, Crash Override tricks the guard into giving up a vital piece of information, allowing him to take over the TV network.

Okay, so that's Social Engineering. What about the title of this post (Passwords)?

See, a password is often the only thing standing between a cracker and your account. Once it's known, the rest is way too easy.

So, you need a strong password. But what counts as "strong"? A single dictionary word, even with numbers tacked on or letters swapped for symbols, is a bad password: crackers try those first. But you can't expect to remember a random string of characters (well, most people can't, anyway). So you need a password that's hard to guess even when the cracker has a 25-GPU cluster that can make 63 billion guesses per second. (That figure is for fast, unsalted hashes; a site that stores passwords with a deliberately slow hash such as bcrypt cuts the same hardware down to tens of thousands of guesses per second, but you rarely know which kind of site you're dealing with, so plan for the fast case.)

That's why it's important to make a STRONG password, not just an "okay" one.

What makes a strong password?

Generally, it's not complexity (though that's still a factor). It's LENGTH. Many systems still require only a six-character minimum. Some require eight. With today's technology, that's not nearly enough. Aim for TWELVE if you can, more if you can manage it. Most systems do cap the length, but the cap is usually high (45 or more characters), so you rarely need to worry about having too much. The one thing worth checking is whether the system silently truncates: some older password schemes only look at the first handful of characters, and anything you type beyond that does nothing for you.

The general requirements for complexity are that you need three out of the following four categories:
  • Upper case letters (A-Z)
  • Lower case letters (a-z)
  • Numbers (0-9)
  • Special Characters (@, #, !, &, *, and so on...)
Use all four of these categories, even if your system doesn't require it. And don't count on semi-obvious substitutions (@ for "a", 0 for "o", and so on) to add strength: cracking tools apply those same substitutions to every word in their lists automatically.

What other items should I avoid when making a password?

Well, avoid keyboard patterns. I work as a desktop technician, and at one point we had to gather every field user's password. Since they don't handle highly sensitive data, this wasn't a major issue, but we got to see what kinds of passwords are being used. Here are some examples:
  • Password4
  • Password9
  • Password99
  • P@ssword1
  • <usersname>1
  • <companysname>1
  • <dogsname>1
  • Poiuytrewq1
  • pl,okmijn
So they range from absurdly simple (and UNBELIEVABLY easy to crack), to relatively easy-to-find information (user name, company name, pet's name), to...wait...what are those last two? They look sufficiently random, don't they?

Nope. Look at any US keyboard and trace those keys in the order given. See the pattern? We saw a lot of this, and people think they're being clever. The problem is that crackers generally are more so: keyboard walks like these sit in the cracking word lists right alongside the dictionary words.

So let's avoid easily-guessable patterns and standard words as password bases, mkay?
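As an added example (not part of the original post), here is a small Python checker that flags the three kinds of weak password listed above: a dictionary or personal word dressed up with trailing digits or letter-for-symbol substitutions, a keyboard walk on a US layout, and too little length or character variety. The tiny word list, the stand-in names for the redacted user, company and pet, and the 0.75 adjacency threshold are all assumptions chosen for this demonstration, not anything from the post.

```python
"""Audit passwords for the weaknesses the post lists: dictionary words with
cosmetic substitutions, personal names, keyboard walks, and too little length
or character variety. Word list and thresholds are constructed for the demo."""
import re

# US QWERTY as a grid; row index = physical row, column = key position.
# Characters not in the grid (space, most shifted symbols) break a walk.
KEYBOARD_ROWS = ["1234567890-=", "qwertyuiop[]", "asdfghjkl;'", "zxcvbnm,./"]
KEY_POS = {ch: (r, c) for r, row in enumerate(KEYBOARD_ROWS) for c, ch in enumerate(row)}
# Shifted number-row symbols sit on the same physical keys as the digits.
KEY_POS.update({s: KEY_POS[d] for s, d in zip("!@#$%^&*()_+", "1234567890-=")})

# Common cosmetic substitutions, undone before the dictionary lookup.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "0": "o", "1": "l",
                      "!": "i", "$": "s", "5": "s", "7": "t"})

# Constructed stand-in for a real cracking dictionary of millions of words.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "monkey", "dragon"}

MIN_LENGTH = 12        # the post's recommendation
WALK_THRESHOLD = 0.75  # assumed: share of adjacent key pairs that marks a walk


def _adjacent(a, b):
    """True when a and b are the same key or touching keys (diagonals included)."""
    if a not in KEY_POS or b not in KEY_POS:
        return False
    (r1, c1), (r2, c2) = KEY_POS[a], KEY_POS[b]
    return max(abs(r1 - r2), abs(c1 - c2)) <= 1


def keyboard_walk_ratio(pw):
    """Fraction of consecutive character pairs that are adjacent keys.
    'Poiuytrewq1' scores 1.0; 'pl,okmijn' (three diagonal strokes) scores 0.75."""
    s = pw.lower()
    if len(s) < 2:
        return 0.0
    hits = sum(_adjacent(a, b) for a, b in zip(s, s[1:]))
    return hits / (len(s) - 1)


def dictionary_base(pw, personal=()):
    """Return the dictionary or personal word the password is built on, or None.
    Trailing digits/symbols are stripped and substitutions undone first, so
    'P@ssword1' and 'Password99' both reduce to 'password'."""
    core = re.sub(r"[^A-Za-z]+$", "", pw).lower().translate(LEET)
    if core in COMMON_WORDS:
        return core
    for word in personal:
        if len(word) >= 4 and word.lower() in core:
            return word.lower()
    return None


def character_classes(pw):
    """How many of the four classes (upper, lower, digit, special) appear."""
    return sum(bool(re.search(p, pw))
               for p in (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]"))


def audit(pw, personal=()):
    """Return a list of (finding, detail) tuples; an empty list means nothing flagged."""
    findings = []
    if len(pw) < MIN_LENGTH:
        findings.append(("short", len(pw)))
    classes = character_classes(pw)
    if classes < 3:
        findings.append(("classes", classes))
    base = dictionary_base(pw, personal)
    if base:
        findings.append(("dictionary", base))
    ratio = keyboard_walk_ratio(pw)
    if ratio >= WALK_THRESHOLD:
        findings.append(("keyboard_walk", round(ratio, 2)))
    return findings


if __name__ == "__main__":
    # Constructed stand-ins for the user, company and pet names the post redacts.
    personal = ["jsmith", "AcmeCorp", "Rover"]
    for pw in ["Password4", "P@ssword1", "jsmith1", "AcmeCorp1", "Rover1",
               "Poiuytrewq1", "pl,okmijn", "Correct horse battery staple"]:
        print(f"{pw!r:32} -> {audit(pw, personal) or 'no findings'}")
```

The keyboard check deliberately treats a repeated key as adjacent, so "aaaaaaaa" is caught by the same rule as a walk; the personal-word check needs the names fed in, which is exactly what a cracker targeting a specific company or person does.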

Okay, so what can we do to get a strong, but memorable password?

First off, forget the word "password". Think in terms of "passphrase". Many Linux tools already do: ssh-keygen and GnuPG both ask you for a passphrase, not a password.

Instead of a word, try a nonsense phrase. An example is "correct horse battery staple", from a now-famous xkcd strip pointing out that what looks like a complex password (one word with substitutions and a digit tacked on) may not be, and that four common words picked at random are both stronger and easier to remember. The random part matters: a song lyric or movie quote is a phrase the cracker already has in a list. Throw in a number or special character, and now it's relatively impossible to crack (I say "relatively", because no password is truly impossible to crack; it just takes a LOT longer).
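The arithmetic behind both claims above, length over complexity and the four-word passphrase, as an added example that is not from the original post. It uses the 63 billion guesses per second figure quoted earlier and the 1,000 guesses per second xkcd assumed for a throttled web login; the slow-hash rate and the sixteen-word list are assumptions for illustration (a real list has 2,048 or more words), and the generator uses the secrets module so the word choice is actually random rather than something a person would think of.

```python
"""Search-space arithmetic behind 'length beats complexity' and the xkcd
passphrase, plus a generator that picks the words properly at random.
Rates: 63e9/s is the GPU-cluster figure quoted in the post; 1e3/s is the
throttled-login rate xkcd assumed; the slow-hash rate is an assumption."""
import math
import secrets

GPU_CLUSTER_RATE = 63e9   # guesses/s against a fast unsalted hash (the post's figure)
ONLINE_RATE = 1e3         # guesses/s against a rate-limited login form (xkcd's figure)
SLOW_HASH_RATE = 7e4      # assumed order of magnitude for bcrypt on similar hardware

# Printable ASCII split into the four classes the post lists (33 symbols incl. space).
CLASS_SIZES = {"lower": 26, "upper": 26, "digits": 10, "special": 33}


def search_space(length, *classes):
    """Number of passwords of exactly `length` drawn from the named classes."""
    alphabet = sum(CLASS_SIZES[c] for c in classes)
    return alphabet ** length


def passphrase_space(list_size, words):
    """Number of passphrases of `words` words drawn from a list of `list_size`."""
    return list_size ** words


def entropy_bits(space):
    return math.log2(space)


def seconds_to_exhaust(space, rate):
    """Worst case: the cracker works through the entire space at `rate` guesses/s."""
    return space / rate


def human(seconds):
    for unit, size in (("years", 31_557_600), ("days", 86_400),
                       ("hours", 3_600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


# Constructed 16-word list; a real diceware-style list has 2,048 or more words.
WORDS = ["correct", "horse", "battery", "staple", "anchor", "pillow", "comet",
         "violin", "cactus", "lantern", "meadow", "pepper", "walnut", "glacier",
         "turnip", "saddle"]


def generate_passphrase(word_list, words=4, sep=" "):
    """secrets.choice, not random.choice and not your own head: the words must be unpredictable."""
    return sep.join(secrets.choice(word_list) for _ in range(words))


if __name__ == "__main__":
    cases = {
        "8 chars, all four classes": search_space(8, "lower", "upper", "digits", "special"),
        "12 chars, lowercase only": search_space(12, "lower"),
        "12 chars, all four classes": search_space(12, "lower", "upper", "digits", "special"),
        "4 words, 2,048-word list": passphrase_space(2048, 4),
    }
    for label, space in cases.items():
        print(f"{label:28} {entropy_bits(space):5.1f} bits"
              f" | online {human(seconds_to_exhaust(space, ONLINE_RATE)):>16}"
              f" | GPU, fast hash {human(seconds_to_exhaust(space, GPU_CLUSTER_RATE)):>16}"
              f" | GPU, slow hash {human(seconds_to_exhaust(space, SLOW_HASH_RATE)):>16}")
    print("example passphrase:", generate_passphrase(WORDS),
          f"({entropy_bits(passphrase_space(len(WORDS), 4)):.0f} bits from this short list)")
```

Twelve lowercase letters (26^12) already outnumber eight characters from all four classes (95^8) by a factor of about fourteen, which is the whole "length beats complexity" point in one comparison. The 44-bit passphrase that xkcd put at 550 years against an online login falls to the GPU cluster in under five minutes if the site stored it as an unsalted fast hash, which is why the next section's advice about changing passwords after a breach still matters.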

So if I choose a nonsense phrase as my password (er...sorry, passphrase), why do I need to change it periodically?

Well, this is a two-part deal. 

First, if a cracker has gotten into your account without your knowing it, changing your password immediately cuts off their access. This is usually not the big issue, because most crackers won't sit around silently while you keep using the account; they'll dive in, grab what they want, do whatever damage they want, and get out. But the principle is still sound.

The second part has to do with how long it takes to crack a password. Remember that xkcd comic? It put the four-word passphrase at about 2^44 guesses, or 550 years at 1,000 guesses per second. That rate was for an online attack against a login form that throttles attempts. Against a stolen database of fast, unsalted hashes, the 25-GPU cluster mentioned above would walk the same 2^44 possibilities in minutes, and anything weaker falls far sooner.

So if your system's password database is stolen, what the cracker holds is hashes, not passwords. If the site salted them and used a deliberately slow hash, those take a long time to crack; if it used a plain fast hash, not long at all. Either way it isn't instant, and it isn't forever. If you change your password after the database is stolen but before your hash is cracked, the cracker has wasted a large amount of his/her time and gotten nowhere.
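An added example, not from the original post, of what that stolen database means in practice: a few users' passwords stored first as unsalted SHA-1 (the scheme the 2012 LinkedIn dump turned out to use) and then as salted PBKDF2, attacked with the same word list and mangling rules. The users, passwords, salts, word list and the reduced iteration count are all constructed for the demonstration; the `still_usable` check at the end is the change-your-password-after-a-breach point from the text.

```python
"""What a stolen password table is worth to a cracker depends on how the
site stored it. Constructed data throughout: the users, passwords, salts
and word list are made up for this demonstration."""
import hashlib

# Variant 1 of the 'stolen' table: unsalted SHA-1, as in the LinkedIn dump.
def sha1_hex(pw):
    return hashlib.sha1(pw.encode()).hexdigest()

LEAKED_UNSALTED = {
    "alice": sha1_hex("Password4"),
    "bob":   sha1_hex("P@ssword1"),
    "carol": sha1_hex("Welcome99"),
    "dave":  sha1_hex("correct horse battery staple"),
}

# Variant 2: a per-user salt plus a deliberately slow derivation.
# 10,000 rounds keeps this demo quick; production settings are far higher.
ITERATIONS = 10_000

def pbkdf2_hex(pw, salt):
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, ITERATIONS).hex()

# Salts are constructed here; a real system draws random bytes per user.
LEAKED_SALTED = {
    "alice": (b"salt-for-alice-7f3a", pbkdf2_hex("Password4", b"salt-for-alice-7f3a")),
    "bob":   (b"salt-for-bob-c91e", pbkdf2_hex("P@ssword1", b"salt-for-bob-c91e")),
}

WORDLIST = ["password", "welcome", "letmein", "monkey", "dragon"]  # tiny stand-in


def candidates(words):
    """Mangling rules of the kind cracking tools apply to every list word:
    as-is, Capitalised, '@' for 'a', each with an optional 0-99 suffix."""
    for w in words:
        bases = []
        for b in (w, w.capitalize(), w.replace("a", "@").capitalize()):
            if b not in bases:
                bases.append(b)
        for b in bases:
            yield b
            for n in range(100):
                yield f"{b}{n}"


def crack_unsalted(table, words):
    """Hash each candidate once and look it up against every user at the same time."""
    by_hash = {}
    for user, digest in table.items():
        by_hash.setdefault(digest, []).append(user)
    found, hashes_computed = {}, 0
    for cand in candidates(words):
        hashes_computed += 1
        for user in by_hash.get(sha1_hex(cand), []):
            found[user] = cand
    return found, hashes_computed


def crack_salted(table, words):
    """The salt differs per user, so every candidate is rehashed for every user,
    and each hash costs ITERATIONS times a plain SHA-256."""
    found, hashes_computed = {}, 0
    for user, (salt, digest) in table.items():
        for cand in candidates(words):
            hashes_computed += 1
            if pbkdf2_hex(cand, salt) == digest:
                found[user] = cand
                break
    return found, hashes_computed


def still_usable(cracked, current_table):
    """A cracked password only matters if the user has not changed it since the theft."""
    return {u: pw for u, pw in cracked.items() if current_table.get(u) == sha1_hex(pw)}


if __name__ == "__main__":
    found, n = crack_unsalted(LEAKED_UNSALTED, WORDLIST)
    print(f"unsalted SHA-1: {len(found)} of {len(LEAKED_UNSALTED)} cracked "
          f"with {n} hashes -> {found}")
    found_s, n_s = crack_salted(LEAKED_SALTED, WORDLIST)
    print(f"salted PBKDF2: {len(found_s)} of {len(LEAKED_SALTED)} cracked with {n_s} hashes, "
          f"each {ITERATIONS}x slower ({n_s * ITERATIONS:,} SHA-256 equivalents)")
    # Bob changed his password after the breach notice; Alice did not.
    current = {"alice": LEAKED_UNSALTED["alice"], "bob": sha1_hex("glacier turnip saddle 42")}
    print("still usable after rotation:", still_usable(found, current))
```

Three of the four unsalted hashes fall to 1,212 SHA-1 computations, and dave's passphrase survives only because it is not in the list. The salted table needs far fewer candidates to reach the same two passwords but a thousand times more SHA-256 work per user to get there, and the work does not carry over from alice to bob. Whichever way the site stored it, bob's rotated password makes the cracked one worthless.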

But with that huge 25-GPU machine you mentioned earlier, doesn't that make all this pointless?

Yes...and no. As I mentioned, passwords are often the only line of defense for your account - but they don't have to be. We can enable (on many, but not all, sites) 2-Factor Authentication. But that's a topic for the next post.

2 comments:

  1. I use 2-step authentication whenever possible.
    I also set up application specific passwords within Google. Each computer that I use gtalk or chrome on has its own unique password.

    1. Tomorrow's post is on 2-factor authentication. But yeah, I'm like you. Tons of unique passwords, courtesy of LastPass.
