On Insecure Passwords and the Invitation to Being Creative

A Secutorial by IT Security Consultant Achim Pfister

Passwords are an omnipresent topic that accompanies us all on a daily basis: when we reach for our mobile phone at breakfast, type in the unlock code and read messages. Later, at work, when turning on the computer, we enter the hard disk password, followed by the login to the operating system. Opening the browser, the intranet is started and requests a password. During the lunch break, we pay with the debit card at the bakery and enter our PIN. In the evening, we may log in to a new online shop to do some convenient shopping from home, and enter a password again. Then we are forwarded to PayPal to make the payment and again we have to log in, this time using two-factor authentication before the payment can be completed. At the end of the year, for example, the electricity meter readings are to be recorded: Thus, we go online and log onto the customer portal of the electricity provider – using account name and password, done! At the beginning of the year, we often have to deal with insurance portals, and for some services, such as streaming services, we regularly use our passwords throughout the year.

In doing so, we humans face the same problems again and again: Is the chosen password secure? How can I remember it? How many times do I have to change it?

A Brief History of Passwords

Over the past thirty years, different recommendations have been made time and again, which have always had to adapt to the speed of computers and the cleverness of hackers. Passwords were still new territory for many users in the early days of the WWW. Many people first had to get used to the concept of remembering an account name and a password, which is why they often chose simple passwords and used them multiple times for various services.

However, it soon emerged that bank account passwords, business correspondence, and company data are very sensitive goods and users needed more support in managing and creating their passwords. It was 2002 when employees of the National Institute of Standards and Technology (NIST) made a crucial recommendation for password security: Passwords should consist of a random string of at least eight characters, including special characters, containing uppercase and lowercase letters, and they should change every 90 days.

Having to change passwords every 90 days by default, meant, according to SySS, that people did not randomize their passwords as much as NIST would have liked. As a result, the passwords for computers have remained simple or may even be easier to be guessed by hackers. Many users have been using the system in ways most convenient for them: If the web application or the corporate network dictates complexity, a password is chosen that is easy to remember and still complies with the password policy. Until a few years ago, “Stuttgart21” was very popular in Baden-Württemberg. Names of soccer clubs such as “Hannover96” in the northern part of Germany and “Schalke04” in Germany’s former industrial area, the “Ruhrpott”, are regularly found in passwords. If the company policy for Windows systems requires the password to be changed every 90 days, people also get quite creative: The current season along with the year is easy to remember and can be easily changed every three months. For a penetration test on a Windows network, the first password-guessing attempt would be “Winter2020” or “Winter2020! “, and would most likely be successful, at least if there was a sufficiently large number of accounts. An entry into the network would be achieved.

Attempting to change the number of special characters only contributes insignificantly to improving the situation. Few people will deviate from the cookie-cutter approach described above, just because, for example, suddenly two uppercase letters and two special characters are required. Instead, the first and last letter of the noun is often capitalized and one letter replaced by a corresponding special character: For example, “Winter2020” thus turns into “W!nter2020! ”. If the attacker is aware of the policy, the password-guessing attack will often be successful. Hackers have the appropriate tools, word lists and rules for this purpose, so that the process can be almost completely automated.

Other recommendations from recent years have been to use whole sentences, for example, from a song, a book or a poem: “We are the champions my friends/And we’ll keep on fighting till the end”, “He was an old man and he fished alone in a Gulf Stream boat,” or “In Xanadu did Kubla Khan/ A stately pleasure-dome decree” or “Something is rotten in the state of Denmark”. This commendable approach may seem promising at first glance to fend off simple guesses that try each character at any position. In addition, it seems to prevent so-called “dictionary attacks” that try every word at any position of the password. The sheer number of characters and words results in an immense number of combinations that would cause a 'headache' even for today's and probably future supercomputers.

As a result of this development, security researchers and IT security experts have been wondering whether these password phrases actually improve security and what possibilities are ultimately available to attack the “password set” system. In 2013, an article was published by ArsTechnica.com on how password phrases or sentences could nevertheless be cracked. Researcher Kevin Young faced exactly this problem of having a long list of encrypted passwords that failed common password lists or dictionary attacks. To find new words and combinations, he compiled a collection of several very large sources: 15,000 books of the free Project Gutenberg, the entire content of Wikipedia, YouTube comments, news websites, song lyrics, Facebook and other social media channels. Passwords such as “from genesis to revelation”, “in the beginning was the word” and “Password must be at least 8 characters” could also be cracked. Furthermore, the conversion of letters into corresponding numbers (E -> 3, I -> 1, T -> 7, etc.) is only a minor complexity change for computers and password crackers.

Another common mistake is to use a password that is composed of two parts. Many people use a comparatively difficult or secure password prefix that directly satisfies any complexity requirement, such as “sgpG13) -” and then append the respective service or application to which the password is to apply, such as “sgpG13) -facebook”, “sgpG13) -windows” and “sgpG13) -xing”. After a successful attack that captured the password and e-mail address, it is only a small step from a compromised Windows account to a compromised Facebook, XING or other account that uses a similar password.

Generate and Remember Passwords

So how can a password be generated that can be considered (comparatively) safe and recalled at the right time? The best passwords are those that neither follow a pattern nor can be found out by pure guessing. For example, take the string “mb2.r5ohf-0T”: In 2014, the satirical magazine “Der Postillon” (German) reported in a (false) report that this was the safest password in the world, since at no point “two characters of the same category are sequential”. Of course, there is no 'safest password', but it hits the core of the topic, because the password is as random and mixed as possible.

A password with a length of 12 characters consisting of such mixing and being encrypted using a current method is hard to guess even for today's cracking systems. If choosing 15 or more characters, one can be sure to be girt for the near future.

The obvious difficulty with such passwords is that they are poorly remembered unless they are entered frequently, or if there is no corresponding phrase or similar. One way now is to search for mixing and randomness not at character but at word level. The German Duden corpus, which contains a large collection of texts for analysis, counts approximately 18 million German words and word forms, with approximately 2,500 words already accounting for 75% of the corpus. A brief digression into mathematics: A password of five words and a vocabulary of 2,500 words has 2,500^5 combinations, which is approximately 10^17. A password with a length of nine characters and high complexity (approximately 70 characters) has approximately 10^16 possible candidates (70^9) and is therefore approximately the same. If you go one step further and increase the password length to six words, the number of combinations here is comparable to a password of eleven characters (both about 10^20). And how much easier it is to remember the phrase “I liked swimming elephant today” compared to “Jy32} nqao%s” is obvious. To make a guessing attack against passphrases even more complicated, other hurdles can be added, such as the use of dialect (“I luv havin like elephant swim lads and lasses”) or even minor deviations from correct spelling (“I likt swimming elephand today”). Drawing from the top 10,000 words (where “elephant” does not show up yet!), passwords of 6 words (10.000^6) are similarly strong as passwords of 13 characters of high complexity (70^13), both with approximately 10^24 possible compositions.

What needs to be pointed out here and what should not be forgotten are the quotes, passages, songs or other sources described above that can be found on the internet. Secure passwords should never consist of strings or phrases that already exist publically. Creativity is required here on the part of users in order to come up with strong passwords without the shortcomings described.

A Future Without Passwords?

Passwords will continue to accompany us in the 2020s and will remain an issue. If you want to know if a password has already been captured or an account been hacked, you can find help on sites like haveibeenpwned.com or dehashed.com. There is a collection of accounts and passwords that became known in previous data leaks. The English

Wikipedia article on data thefts of the last 15 years also provides interesting insights and impressions on this topic. For advanced readers and those interested, the article by Senior Expert IT Security Consultant Micha Borrmann on “Two-Factor Authentication with Full Disk Encryption” is also recommended suitable reading. Methods of multi-factor authentication such as FIDO, YubiKey, WebAuthn or countless apps for one-time passwords in the app stores of smartphones should also be mentioned at this point. Such second mechanisms help to ensure secure authentication even further. In the last 30 years, many important steps have been taken towards secure passwords, and many more are likely to follow.

DO NOT HESITATE TO GET IN TOUCH +49 (0)7071 - 40 78 56-0 or anfrage@syss.de | OUTSIDE REGULAR OFFICE Hours CALL +49 (0)7071 - 40 78 56-99

As a framework contract customer please dial the provided on-call service number

DO NOT HESITATE TO GET IN TOUCH +49 (0)7071 - 40 78 56-0 or anfrage@syss.de

OUTSIDE REGULAR OFFICE Hours CALL +49 (0)7071 - 40 78 56-99

As a framework contract customer please dial the provided on-call service number

GET IN TOUCH

+49 (0)7071 - 40 78 56-0 or anfrage@syss.de

OUTSIDE REGULAR OFFICE Hours

+49 (0)7071 - 40 78 56-99

As a framework contract customer please dial the provided on-call service number