Tuesday, April 12, 2011

The Only Secure Password Is the One You Can’t Remember


Let's assume you log onto a bunch of different websites; Facebook, Gmail, eBay, PayPal, probably some banking, maybe a few discussion forums, and probably much, much more. Consider a couple of questions:

  1. Do you always create unique passwords such that you never use the same one twice? Ever?
  2. Do your passwords always use different character types such as uppercase and lowercase letters, numbers and punctuation? Are they "strong"?

If you can't answer "yes" to both these questions, you've got yourself a problem. But the thing is, there is simply no way you can remember all your unique, strong passwords and the sooner you recognize this, the sooner you can embrace a more secure alternative.

Let me help demonstrate the problem; I'll show you what happens when you reuse or create weak passwords based on some real world examples which should really hit home. I'll also show you how to overcome these problems with a good password manager so it's not all bad news, unless you're trying to remember your passwords.

The tyranny of multiple accounts

Think about it; how many accounts do you have out there on the internet? 10? 20? 50? I identified 90 of mine recently and there are many more I've simply forgotten about. There is absolutely no way, even with only 10 accounts, you can create passwords that are strong, unique and memorable.

"...security is all about risk mitigation—you never actually become "secure", you merely decrease your risk."

What happens is that people revert to patterns including family names, pets, hobbies and all sorts of natural, somewhat predictable criteria. Patterns are a double-edged sword: whilst they're memorable, they're also predictable, so even if the pattern might seem obscure, once it's known, well, you've got a bit of a problem.

Patterns and predictable words are bad, but what's even worse is password reuse. Because we simply end up with so many of the damn things, the problem of memorising them gets addressed by being repetitive. Easy? Yes. Secure? No way.

The problem with weak passwords

Firstly, what exactly is a weak password? Let me answer this in a roundabout way by focussing on strong passwords; a strong password is one which has a high degree of what we call entropy, or in simple terms, one that is as long and as random (in terms of both character types and sequence), as possible. As the entropy link explains:

People are notoriously remiss at achieving sufficient entropy to produce satisfactory passwords.

Let me demonstrate the problem with this based on a few recent events. Firstly we have Gawker who last December were the victims of an attack (Ed. note: You probably remember this) which led to the disclosure of somewhere in the order of one million user accounts. Worse still, these accounts were posted online and readily accessible by anyone who wanted to take a look at who had signed up to the service and what their password was.

The interesting thing in the context of password strength is the prevalence of bad password choices. Take a look at these:

123456, password, 12345678, qwerty, abc123, 12345, monkey, 111111, consumer, letmein, 1234, dragon, trustno1, baseball, gizmodo, whatever, superman, 1234567, sunshine, iloveyou, fuckyou, starwars, shadow, princess, cheese

These 25 passwords were used a total of 13,411 times by people with Gawker accounts. The first one – 123456 – was used over two and a half thousand times alone.

Another very similar example was an attack last month on rootkit.com. Password analysis on the breached database showed these top 25 passwords:

123456, password, rootkit, 111111, 12345678, qwerty, 123456789, 123123, qwertyui, letmein, 12345, 1234, abc123, dvcfghyt, 0, r00tk1t, ìîñêâà, 1234567, 1234567890, 123, fuckyou, 11111111, master, aaaaaa, 1qaz2wsx

Look familiar? Worse still, you can easily see the corresponding username if you know where to look (I've deliberately blurred these but the originals aren't hard to find):
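The two things the article has done so far, estimating how strong a password is and counting how often the same password turns up across a breached database, are easy to show in code. The following Python is an added example written for this page, not code from the original post or from the Gawker and rootkit.com analyses; the entropy figure is the crude "length times log2 of the character pool" estimate implied by the strong-password definition above (it ignores dictionary words and patterns, so it overestimates real strength), and the password dump it audits is a small constructed sample, not breach data. The Gawker top-25 list quoted above is reused as a deny-list of the kind a sign-up form can check new passwords against.

```python
"""Password strength estimate and breach-style frequency audit (added example)."""
import math
import string
from collections import Counter

# The 25 most common Gawker passwords quoted in the article, used as a deny-list.
GAWKER_TOP_25 = [
    "123456", "password", "12345678", "qwerty", "abc123", "12345", "monkey",
    "111111", "consumer", "letmein", "1234", "dragon", "trustno1", "baseball",
    "gizmodo", "whatever", "superman", "1234567", "sunshine", "iloveyou",
    "fuckyou", "starwars", "shadow", "princess", "cheese",
]

# Constructed sample "dump": 15 accounts, most of them reusing a handful of
# weak passwords, a few with long random or passphrase-style choices.
SAMPLE_DUMP = (
    ["123456"] * 6 + ["password"] * 4 + ["monkey"] * 2
    + ["Tr0ub4dor&3", "correct horse battery staple", "xK9#mL2$pQ7@vN4w"]
)


def charset_size(password: str) -> int:
    """Size of the alphabet an attacker must assume, based on the character
    classes present (lowercase 26, uppercase 26, digits 10, punctuation 32).
    Characters outside those ASCII classes (e.g. the Cyrillic entry in the
    rootkit.com list) are covered by a floor of 'distinct characters used'."""
    pool = 0
    if any(c in string.ascii_lowercase for c in password):
        pool += 26
    if any(c in string.ascii_uppercase for c in password):
        pool += 26
    if any(c in string.digits for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)
    return max(pool, len(set(password)))


def entropy_bits(password: str) -> float:
    """Brute-force search space in bits: length * log2(pool size).
    'password' (8 lowercase letters) gives about 37.6 bits; a 16-character
    string drawing on all four classes gives about 104.9 bits."""
    if not password:
        return 0.0
    return len(password) * math.log2(charset_size(password))


def top_passwords(passwords, n=5):
    """The frequency table the article built over the Gawker dump: the n most
    reused passwords with their counts, most common first."""
    return Counter(passwords).most_common(n)


def is_known_weak(password: str, blocklist=GAWKER_TOP_25) -> bool:
    """Deny-list check a registration form could apply; case-insensitive so
    'Password' is rejected along with 'password'."""
    return password.lower() in {p.lower() for p in blocklist}


def weak_fraction(passwords, blocklist=GAWKER_TOP_25) -> float:
    """Share of accounts in a dump whose password is on the deny-list."""
    if not passwords:
        return 0.0
    return sum(is_known_weak(p, blocklist) for p in passwords) / len(passwords)


if __name__ == "__main__":
    for pw, count in top_passwords(SAMPLE_DUMP, 3):
        print(f"{pw!r}: used {count} times, ~{entropy_bits(pw):.1f} bits")
    print(f"accounts using a deny-listed password: {weak_fraction(SAMPLE_DUMP):.0%}")
```

Run as a script it prints the three most reused passwords in the constructed dump with their counts and entropy estimates, then the share of accounts that would have been rejected by the deny-list. The useful defender-side takeaway is the gap between the two measures: "123456" scores under 20 bits even by the generous pool estimate, and the deny-list catches it regardless of any entropy calculation.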
