Password Security
Studies of production computer systems have for decades consistently shown that about 40% of all user-chosen passwords are readily guessed.
- Many users do not change the default password that comes with many computer security systems. Lists of default passwords are available on the Internet.[1]
- A password might be guessable if a user chooses an easily-discovered piece of personal information as a password (such as a student ID number, a boy- or girlfriend’s name, a birthday, a telephone number, or a license plate number). Personal data about individuals are now available from various sources, many on-line, and can often be obtained by someone using social engineering techniques, such as posing as an opinion surveyor.
- A password is vulnerable if it can be found in a list. Dictionaries (often in computer-readable form) are available for many languages, and there exist lists of commonly-chosen passwords. In tests on live systems, dictionary attacks are so routinely successful that software implementing this kind of attack is available for many systems.
- A password that is too short, perhaps chosen for ease of typing, is vulnerable if an attacker can obtain the cryptographic hash of the password. Computers are now fast enough to try all alphabetic passwords shorter than 7 characters, for example.
A weak password would be one that was short or was a default, or which could be rapidly guessed by searching a subset of all possible passwords such as words in the dictionary, proper names, words based on the user name or common variations on these themes. A strong password would be sufficiently long, random, or otherwise producible only by the user who chose it, so that guessing it would require too long a time. The length of time deemed to be ‘too long’ will vary with the attacker, with the attacker’s resources, with the ease with which a password can be tried, and with the importance of the password to the attacker. So a student’s password might not be worth more than a few seconds of computer time, whilst a password controlling access to a large bank’s electronic money transfer system might be worth many weeks of computer time.
‘Weak’ and ‘strong’ have meaning only with regard to specific password systems. The necessary quality of the password depends on how well the password system limits attempts to guess a user’s password, whether by a person who knows the user well, or a computer trying millions of possibilities. In a cryptographic context, the terms can have considerable precision. For example, passwords generally are not suitable for use as encryption keys. But note that even a ‘strong’ password may still be stolen, tricked, or extorted from a user, collected from a keyboard logger, overheard by tapping some communications medium, or copied from a Post-It note or Rolodex.
Examples of weak passwords include admin, 1234, susan, password, rover and 12/3/75, which might be easily guessed (the last being likely to be a personally significant date, readily discoverable with a little research), and would certainly be found by an automated dictionary attack on a system that permitted such attempts. Examples of stronger passwords would be tastywheeT34, partei@34!, and #23kLLflux. These passwords are longer and use combinations of lower and upper case letters, digits and symbols. They are unlikely to be in any password cracking word list and are sufficiently long to make direct brute force search impractical in some systems. Note that some systems do not allow symbols like #, @ and ! in passwords, and they may be hard to find on some country-specific keyboards. In such cases, adding another letter or number or two may offer equivalent security. Also note that, having been published in this article as password examples, these are no longer good choices: examples from publicly accessible discussions about passwords are obviously good candidates for inclusion in a dictionary to be used for a dictionary attack. However, beware that even strong-looking passwords, and especially human-chosen passwords, are not equivalent to a strong encryption key, and should generally not be used as such. Passphrases and password-authenticated key agreement methods have been used to address this limitation.
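The following Python script is an added illustration, not code from the original article or from the site it links to. It puts numbers on the two points made above: the size of the search space an exhaustive attacker must cover (the "all alphabetic passwords shorter than 7 characters" claim), and why the weak examples (admin, 1234, susan, rover, 12/3/75) are caught by default-password lists, dictionary lookup or simple pattern checks long before any brute force is needed, while the stronger examples are not. The default-password and dictionary sets, the guess rate of one billion hashes per second and the 8-character and 50-bit thresholds are all constructed for the demonstration; a real checker would load the published default-password lists and full language dictionaries the article refers to.

```python
import math
import re

# Constructed sample lists for the demonstration only (not real leaked data).
DEFAULT_PASSWORDS = {"admin", "password", "1234", "root", "guest", "changeme"}
DICTIONARY_WORDS = {"susan", "rover", "welcome", "summer", "dragon", "monkey"}


def brute_force_keyspace(alphabet_size: int, max_len: int) -> int:
    """Number of strings of length 1..max_len over an alphabet, i.e. the
    worst-case number of guesses an exhaustive search must make."""
    return sum(alphabet_size ** n for n in range(1, max_len + 1))


def seconds_to_exhaust(keyspace: int, guesses_per_second: float) -> float:
    """Worst-case time for an attacker who holds the hash and can test
    candidates offline at the given rate."""
    return keyspace / guesses_per_second


def charset_size(password: str) -> int:
    """Size of the smallest conventional alphabet (lower, upper, digits,
    punctuation) that covers every character of the password."""
    size = 0
    if re.search(r"[a-z]", password):
        size += 26
    if re.search(r"[A-Z]", password):
        size += 26
    if re.search(r"[0-9]", password):
        size += 10
    if re.search(r"[^A-Za-z0-9]", password):
        size += 33  # printable ASCII punctuation and space
    return size


def naive_bits(password: str) -> float:
    """Upper bound on strength: bits a brute-force search over this alphabet
    and length would need. Dictionary-derived passwords are far weaker than
    this suggests, which is why classify() tests for those first."""
    size = charset_size(password)
    return len(password) * math.log2(size) if size else 0.0


def base_word(password: str) -> str:
    """Strip the casing, digits and symbols that crackers routinely add to
    dictionary words, so that "Susan1!" is still recognised as "susan"."""
    return re.sub(r"[^a-z]", "", password.lower())


def classify(password: str, username: str = "") -> dict:
    """Return a verdict plus the reasons the password would be guessed quickly."""
    reasons = []
    lower = password.lower()
    if lower in DEFAULT_PASSWORDS:
        reasons.append("default or commonly chosen password")
    if base_word(password) in DICTIONARY_WORDS:
        reasons.append("dictionary word, possibly with digits or symbols added")
    if username and username.lower() in lower:
        reasons.append("contains the user name")
    if re.fullmatch(r"\d{1,2}[/.-]\d{1,2}[/.-]\d{2,4}", password):
        reasons.append("looks like a date")
    if len(password) < 8:
        reasons.append("shorter than 8 characters")
    bits = naive_bits(password)
    if reasons:
        verdict = "weak"
    elif bits >= 50:
        verdict = "strong"
    else:
        verdict = "moderate"
    return {"verdict": verdict, "reasons": reasons, "naive_bits": round(bits, 1)}


if __name__ == "__main__":
    # All lower-case alphabetic passwords shorter than 7 characters, at a
    # constructed offline rate of one billion hash tests per second.
    space = brute_force_keyspace(26, 6)
    print(f"{space:,} candidates, exhausted in {seconds_to_exhaust(space, 1e9):.2f} s at 1e9/s")
    for pw in ["admin", "1234", "susan", "rover", "12/3/75",
               "Susan1!", "tastywheeT34", "partei@34!", "#23kLLflux"]:
        print(f"{pw:14} {classify(pw)}")
```

The `naive_bits` figure is deliberately an upper bound: it is only meaningful once the list and pattern checks have found nothing, because a password such as Susan1! has a 62-symbol alphabet on paper but is one mangling rule away from a dictionary entry.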
The strongest method for generating passwords is to select sufficient characters at random, but such passwords are generally the most difficult to remember; this is the kind of password the online password generator produces. Some users develop mnemonic phrases in which each word begins with one of the random letters. Another way to make random passwords more memorable is to use random words or syllables instead of random letters.
Personal mnemonics are sometimes recommended, that is, things that are memorable to you, but not to others. For example, the password Iw13wIfvE, a difficult-to-remember string, derives from “I was 13 when I first visited England”, which is possibly easily remembered. However, if your first experience of England is important to you, it may be possible to guess this password from knowledge of you, in which case it would not be a sensible password choice.
As of October 2005, employees of the UK Government are advised to use passwords of the following form: consonant, vowel, consonant, consonant, vowel, consonant, number, number (for example pinray45). Apparently upper and lower case do not matter, and this form is called an Environ password.
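The following Python script is an added example covering the three preceding paragraphs; it is not the site's online password generator nor code from the original article. It implements each generation scheme described (uniformly random characters, random words, a personal mnemonic built from the initials of a phrase, and the Environ consonant/vowel/digit pattern) and computes how many equally likely outputs each can produce, so the cost of memorability can be compared in bits. Assumptions: the letter y is counted as a consonant (the article's example pinray45 requires this), the 65-symbol default alphabet and the eight-word list are constructed for the demonstration, and `secrets` is used because the `random` module is not suitable for secrets.

```python
import math
import secrets
import string

# Character pools. Assumption: "y" is a consonant, as in the article's "pinray45".
CONSONANTS = "bcdfghjklmnpqrstvwxyz"   # 21 letters
VOWELS = "aeiou"                        # 5 letters
DIGITS = string.digits                  # 10 digits
POOLS = {"c": CONSONANTS, "v": VOWELS, "n": DIGITS}
ENVIRON_PATTERN = "cvccvcnn"            # consonant, vowel, consonant, consonant, vowel, consonant, number, number

# Constructed default alphabet (52 letters + 10 digits + the 3 symbols named in the article).
DEFAULT_ALPHABET = string.ascii_letters + string.digits + "#@!"
# Constructed word list; a real one would have thousands of entries.
SAMPLE_WORDS = ["apple", "river", "candle", "orbit", "meadow", "pixel", "velvet", "harbor"]


def random_characters(length: int = 12, alphabet: str = DEFAULT_ALPHABET) -> str:
    """Strongest scheme in the article: every position drawn uniformly at random
    from a CSPRNG (secrets), never from the predictable random module."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_words(wordlist, count: int = 4, sep: str = "-") -> str:
    """Random words instead of random letters: each word contributes
    log2(len(wordlist)) bits, so memorability costs length, not entropy."""
    return sep.join(secrets.choice(wordlist) for _ in range(count))


def mnemonic_initials(phrase: str) -> str:
    """Personal mnemonic: first letter of each word, numbers kept whole, so that
    "I was 13 when I first visited England" yields the article's "Iw13wIfvE".
    Nothing here is random; strength rests entirely on how guessable the phrase is."""
    return "".join(w if w.isdigit() else w[0] for w in phrase.split())


def environ_password(pattern: str = ENVIRON_PATTERN) -> str:
    """UK Government 'Environ' form: pronounceable because of the fixed pattern."""
    return "".join(secrets.choice(POOLS[p]) for p in pattern)


def matches_environ(password: str, pattern: str = ENVIRON_PATTERN) -> bool:
    """Check a password against the pattern; case is ignored, as the article says."""
    pw = password.lower()
    return len(pw) == len(pattern) and all(ch in POOLS[p] for ch, p in zip(pw, pattern))


def entropy_bits(choices_per_position) -> float:
    """log2 of the number of equally likely outputs a generator can produce."""
    return sum(math.log2(n) for n in choices_per_position)


def environ_entropy(pattern: str = ENVIRON_PATTERN) -> float:
    """Bits of a pattern-constrained password: 4 consonants, 2 vowels, 2 digits."""
    return entropy_bits(len(POOLS[p]) for p in pattern)


def random_characters_entropy(length: int = 12, alphabet_size: int = len(DEFAULT_ALPHABET)) -> float:
    """Bits of an unconstrained random password of the same length."""
    return entropy_bits([alphabet_size] * length)


if __name__ == "__main__":
    print("random characters:", random_characters(), f"({random_characters_entropy():.1f} bits)")
    print("random words:     ", random_words(SAMPLE_WORDS),
          f"({entropy_bits([len(SAMPLE_WORDS)] * 4):.1f} bits with this tiny list)")
    print("mnemonic:         ", mnemonic_initials("I was 13 when I first visited England"))
    print("Environ:          ", environ_password(), f"({environ_entropy():.1f} bits)")
    print("8 random chars:   ", f"{random_characters_entropy(8):.1f} bits for comparison")
```

The comparison the last two lines print is the practical point: an 8-character Environ password has about 29 bits of entropy, whereas 8 characters drawn uniformly from the 65-symbol alphabet have about 48, because the pronounceable pattern tells a guesser which pool each position comes from.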
via: http://www.passwordgenerator.eu/passwordsecurity.php