With several recent password breaches in the news – LinkedIn and Yahoo, for example – a lot more attention is being paid to protecting passwords. But in all the discussion, the basics of constructing a good password policy for your organization have been largely lost.

WHAT MAKES A GOOD PASSWORD?

A password is an example of something called a “knowledge-based authenticator”. The idea is that you can prove your identity using a password because only you know what it is. A good password has two key attributes:
- Easy for users to remember
- Hard for anyone else to guess or discover
But… Because of advances in technology that make it much faster and easier for computers to guess passwords, and research into the psychology of how people choose passwords (thanks to previous password breaches), “hard to guess or discover” has become a huge challenge. And because of that… Password policies often push for passwords of such complexity that they’re no longer easy to remember.

“HARD TO GUESS” PASSWORDS

There are two kinds of “guessing” we need to worry about:
- Dictionary attacks: guessing commonly-used passwords
- Brute-force attacks: guessing every possible password
Dictionary Attacks

Security researchers have used information from previous large password breaches to learn a great deal about how users choose passwords. That knowledge has been codified into large “dictionaries” of common passwords and password parts. A dictionary attack can very rapidly recover a large percentage of passwords. For example, when the LinkedIn password hashes were leaked online, researchers were able to recover about 900,000 passwords in 4 hours using a single, inexpensive PC. So, part of making a password “hard to guess” is to choose passwords that are unlikely to be in an attack dictionary, or to be simple derivatives of a dictionary entry. For example, “password” is in the dictionary; attackers will quickly guess “P4ssw0rd”, “password!”, “pa55word” and the like.

Brute-Force Attacks

Brute-force attacks take a little longer to implement, but are quickly becoming easier and faster. A German researcher named Thomas Roth was able to guess every possible WPA-PSK (a system you probably use to protect your home wireless network) password in about 20 minutes, using less than $2 worth of compute time on Amazon EC2. So, part of “hard to guess” is choosing passwords that have enough entropy to make brute-force attacks too difficult. Each bit of entropy you add to a password doubles the amount of effort it takes to brute-force it.

In my next post, stay tuned for tips on “Hard to Discover” passwords as well as how to fix bad passwords.
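The two checks a password policy should apply, as an added example that is not part of the original post: whether a candidate is a simple derivative of a dictionary entry (the “P4ssw0rd” / “password!” / “pa55word” problem), and how many bits of brute-force entropy its length and character classes give, with the doubling-per-bit rule turned into a time estimate. The dictionary and the guess rate are constructed stand-ins; a real policy would use a leaked-password list and a rate measured on current hardware.

```python
import math
import re

# Constructed stand-in for an attack dictionary; real ones hold millions of entries.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "linkedin"}

# Substitutions that turn a dictionary word into a "leet" derivative; we undo them.
LEET_MAP = str.maketrans({"4": "a", "@": "a", "3": "e", "1": "i",
                          "0": "o", "5": "s", "$": "s", "7": "t"})

# Character-class sizes used for the brute-force alphabet estimate.
CHAR_CLASSES = [(r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10), (r"[^a-zA-Z0-9]", 33)]


def base_words(password: str) -> set:
    """Candidate base words an attack dictionary might contain: lowercase,
    undo leet substitutions, strip trailing digits/punctuation, in both orders
    so that 'hell0' -> 'hello' and 'password1' -> 'password' are both caught."""
    lower = password.lower()
    strip = lambda s: re.sub(r"[^a-z]+$", "", s)
    return {strip(lower.translate(LEET_MAP)), strip(lower).translate(LEET_MAP)}


def is_dictionary_derivative(password: str) -> bool:
    """True if the password collapses to an entry of the attack dictionary."""
    return any(word in COMMON_PASSWORDS for word in base_words(password))


def brute_force_entropy_bits(password: str) -> float:
    """Bits an attacker must exhaust if they try every string over the classes used."""
    alphabet = sum(size for pat, size in CHAR_CLASSES if re.search(pat, password))
    return len(password) * math.log2(alphabet)


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try all 2**bits candidates; each extra bit doubles it."""
    return 2 ** bits / guesses_per_second


def assess(password: str, guesses_per_second: float = 1e9) -> dict:
    """Summarise both checks; the 1e9 guesses/s default is an assumed rate."""
    bits = brute_force_entropy_bits(password)
    return {"dictionary_derivative": is_dictionary_derivative(password),
            "entropy_bits": round(bits, 1),
            "brute_force_seconds": seconds_to_exhaust(bits, guesses_per_second)}
```

Note that a dictionary derivative like “P4ssw0rd” scores a respectable 47 bits on the brute-force estimate yet fails the first check, which is why entropy alone is not a sufficient policy.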