Too many internet users are making poor decisions when choosing their passwords.
We’ve spoken time and time again about the importance of choosing hard-to-crack, unguessable, unique passwords that (provided the website you are using looks after its databases properly) will make life very difficult for password crackers.
And yet, people continue to use passwords that are – quite frankly – dumb, and then compound the problem by using the same simple password in multiple places.
Scandinavian security blogger Anders Nilsson spent a little time with the Pipal password analysing tool, running it against the 450,000 plaintext passwords snatched by hackers from Yahoo Voices.
And what he found doesn’t inspire much confidence that users are getting the message about password security.
Repeat after me.
"A password of 'password' isn't actually a password."
Nor will “123456”, “welcome” or “qwerty” pose much of a challenge to a hacker.
The fact is that every time password lists are stolen and published on the internet, hackers add them to their own databases for their password crackers to try next time they want to break into an account or crack a hashed password.
Your passwords need to be unique, and hard-to-crack. That means not using dictionary words anymore, and not imagining that no-one else in the world has thought of “qwertyuiop” or “password1234”.
The typical response from the average internet user is “But how will I remember all these different, complicated passwords?”
Simple. Use a decent password management program.
There are a few to choose from, and some of them are even free. Software like 1Password, KeePass and LastPass can remember all your different passwords on your behalf, store them securely, and even generate complicated passwords for the next website you join.
Clearly the responsibility isn’t all in the court of the user, however.
Not only should websites take greater care about securing users’ information (for instance, not storing passwords in plain-text or as unsalted hashes), but they could also do more to ensure that users choose trickier passwords.
I’d like to see more websites check the passwords chosen by their new users, by running them against a database of commonly used passwords and a dictionary.
If the password users enter is too common, or an obvious sequence, or doesn’t obey sensible password rules about complexity or length, then it should be rejected and the user told to try again.
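The sign-up check described above, as an added example that is not code from the article or from the Pipal tool. The blocklist, dictionary and keyboard rows are constructed stand-ins; a real site would load a large breach-derived list and a full word list from disk.

```python
import re

# Constructed stand-ins: a real site would load a large breach-derived list
# (such as the leaked Yahoo Voices passwords the post discusses) and a full
# dictionary from disk. Every entry below is illustrative only.
COMMON_PASSWORDS = {
    "password", "123456", "welcome", "qwerty", "qwertyuiop",
    "password1234", "abcdefg", "princess", "ninja",
}
DICTIONARY = {"happiness", "summer", "rain", "forest", "roman", "welcome"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")
# Undo the predictable letter-for-symbol swaps that crackers try automatically.
LEET = str.maketrans("0134$@!5", "oleasais")


def normalize(pw: str) -> str:
    """Reduce 'P@ssw0rd1234!' to 'password' so it still hits the blocklist."""
    base = pw.lower()
    base = re.sub(r"^[^a-z]+|[^a-z]+$", "", base)  # strip digit/symbol affixes
    return base.translate(LEET)


def contains_sequence(pw: str, run: int = 5) -> bool:
    """True if any `run` consecutive characters form a keyboard-row fragment,
    an ascending/descending alphabet or digit run, or one repeated character."""
    s = pw.lower()
    for i in range(len(s) - run + 1):
        w = s[i:i + run]
        if any(w in row or w in row[::-1] for row in KEYBOARD_ROWS):
            return True
        steps = {ord(b) - ord(a) for a, b in zip(w, w[1:])}
        if steps in ({1}, {-1}, {0}):
            return True
    return False


def check_password(pw: str, min_length: int = 12) -> list:
    """Return the reasons a sign-up password is rejected; empty means accept."""
    reasons = []
    if len(pw) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if pw.lower() in COMMON_PASSWORDS:
        reasons.append("in common-password list")
    base = normalize(pw)
    if base != pw.lower() and base in COMMON_PASSWORDS:
        reasons.append("common password with trivial affix or substitution")
    if base in DICTIONARY:
        reasons.append("single dictionary word")
    if contains_sequence(pw):
        reasons.append("contains an obvious sequence")
    classes = sum(bool(re.search(p, pw))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if classes < 3:
        reasons.append("fewer than three character classes")
    return reasons


if __name__ == "__main__":
    for candidate in ("password", "qwertyuiop", "Happiness",
                      "P@ssw0rd1234", "correct-horse-battery-staple-63"):
        verdict = check_password(candidate)
        print(f"{candidate!r}: {'accepted' if not verdict else ', '.join(verdict)}")
```

The normalisation step is what catches "password1234" and "P@ssw0rd" as the same weak choice, which a plain blocklist lookup would miss.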
When websites tell you to change your password following a security breach, they should also tell you to choose a hard-to-crack, unique password. Otherwise, what’s to stop the new password being “abcdefg”?
It would be a safer world if websites policed the passwords submitted by users and threw out weak choices.
And it’s not just users who need to have strong passwords. The website’s staff need to have sensible, hard-to-crack passwords as well.
In early 2009, for instance, a hacker was able to break into Twitter accounts belonging to celebrities because he had broken into Twitter’s administrator console.
How did the hacker manage that?
The Twitter employee was using a password of “Happiness”.
Here’s a YouTube video I made a while back showing how to choose a hard-to-crack but easy-to-remember password. It also explains how password management software programs like 1Password, KeePass and LastPass can help you remember all your different passwords.
If you already know this about passwords – great! But be a good samaritan, and share the advice with your family and friends.
We need to get everyone to understand the importance of better password security.
Yes, even the “princesses” and “ninjas”.
Hi Graham, what's your thought on the XKCD view on password strength? http://xkcd.com/936/
A passphrase is generally better than a pass*word*, provided that the words used in the phrase are not commonly associated and that the website you are using is not too limiting in how long a password you can choose.
(BTW, it's funny how some websites respond if you use "correcthorsebatterystaple" as your password. See http://tumblr.danielignacio.me/post/26662705082/x…
However, I'm not sure that passphrases scale if you're having to remember lots of different passphrases for lots of different websites. So you'll probably have to resort to password management software to do the remembering for you.
And if you're using password management software, why not use much more randomly generated passwords than a passphrase?
I like to recommend 1Password, KeePass etc.
I'm using Lastpass and all the documentation on it (and others) looks good, but is anyone reviewing these password systems? I'm sure that exploits will become possible as flaws are found or computers simply become more powerful.
I would like to challenge the idea that passphrases need a password management tool to recall. I can actually recall more than 15 unique passphrases, while I barely recall more than one nonsensical password.
The real flipside being the sheer size of passphrases. Since they have to make sense for my brain to recall them, they are mighty long, somewhere between 30 and 150 chars. Which causes trouble like having to check whether the site actually accepts passwords that long, typing for 5 seconds for a password, typos being all the more irritating, etc …
Still, I don’t like password management tools, for a simple reason: I work on different computers. If I have to keep a cheat sheet of passwords on me, it kind of completely defeats the purpose.
ASCII includes 95 printable characters (including space), but all of these passwords can be gotten from the 26 character alphabet, or 52 if you include uppercase. Assuming 52, that's 53 quadrillion combinations in a relatively simple 8-character password, something which experts would consider weak.
The English language has hundreds of thousands of words in its history, but a high-school educated person may have a vocabulary of 10-12,000 words. Of those, they may be able to use 10% as simple, memorable words like those in "correcthorsebatterystaple". Assuming a dictionary of 1,100 words, that's 1 quadrillion combinations in a 4-word password.
It's a big assumption to assume that a cracker would choose to use a passphrase attack. However, were passphrases to become the vogue, the crackers would adapt and be pleased to find that the passphrase would be quite weaker than a simple 8-character alphabetic password against brute-force or rainbow attacks.
You're better off finding something that expands your source domain or doesn't use so few elements from it.
That's also what bugs me every time I see people reference that xkcd comic. It's bad advice, but nobody bothers to do the math.
1. I want what you're smoking if you think that any more than 0.1% of your userbase will use a 8 character pseudorandom alphanumeric password in real life. The vast majority of users will use <word><number>. Maybe some will swap some letters with numbers or symbols in a completely predictable way thinking it substantially increases security.
2. Why arbitrarily limit the words someone can recall to 10% of their vocabulary? I would think it would be virtually 100%, given that by definition, someone's vocabulary is the collection of words that they know. In fact, you would probably even remember how to spell more words than you know the definitions to. You seem to have done it to just make your point, given that without limiting them to 10%, you'd end up with a source domain of 10,000 quadrillion combinations, a much stronger result than the 8 alphanumeric characters (which is precisely what the comic implies).
3. The math is in the comic. Those little squares represent the size of the source domain.
Add an arbitrary symbol (such as periods, plus signs, underscores, dashes, etc.) between the words and you have just increased the difficulty of hacking the passwords significantly without making it any harder to remember. Throw in a number somewhere and I doubt if anyone will hack it anytime soon.
The good thing about the xkcd advice is that it generates very long passwords – which quickly become immune to brute force attacks. They try all the minimum length combinations, then length n+1, …, and move on to a softer target when they get to 11 or 12 characters.
The problem with the xkcd advice is that it combines common dictionary words. Depending on dictionary size, this can yield crackable passwords.
However, if you throw in numbers that are meaningful to you but random to a cracker – you can have extremely strong but easy-to-remember values like "summer 63 rain". You can improve things with punctuation and special symbols.
Finally, an easy way to have unique passwords for every site is to add the name of the website that you're logging into to your passphrase: "summer 63 rain yahoo". It's not as good as using a database and random password generator, but it's better than using the same password everywhere.
>Depending on dictionary size, this can yield crackable passwords.
I don't think you understand the math. The XKCD comic makes the statement that adding symbols, numbers and using an uncommon dictionary word doesn't do anywhere near as much for your password strength than just using 4 pseudorandom common words. Any attacker who can crack a passphrase composed of 4 common dictionary words, can easily crack a password composed of an uncommon dictionary word with a few symbols and numbers thrown in. Most password cracking software will automatically try common substitutions or numeric prefixes/suffixes.
>However , if you throw in numbers that are meaningful to you but random to a cracker – you can have extremely strong but easy-to-remember values like "summer 63 rain".
That password is not extremely strong. Saying it is is irresponsible at best. Given that 'summer rain' is a common term (ie. not pseudorandom) and a 2 digit number adds less than 7 bits of complexity.
>Finally, an easy way to have unique passwords for every site is to add the name of the website that you're logging into to your passphrase: "summer 63 rain yahoo"
And what happens if the password list gets published (like the yahoo list did)? Someone can see your login name and a password of 'summer 63 rain yahoo' and they want to guess your gmail password. What do you think they're going to try? You give attackers far too little credit!
I agree that you shouldn't choose words like "summer rain" that have a common association.
XKCD is assuming the words are chosen randomly from a dictionary size of 2^11 or 2048 words. If you use a random number generator to pick your words from a dictionary of common words, then this is a reasonable assumption and produces 2^44 or over 1.7 x 10^13 possible passwords. If you add a symbol between the words, that adds a few more bits of entropy and throws off hackers from guessing your algorithm. The 2^44 assumes that the attacker knows your password algorithm, which is unlikely. If they don't know your algorithm they are working at brute-forcing a password that's about 25 characters long or about 95^25 (=2.8×10^49) possibilities.
I'd venture a guess that most passwords actually in use for protecting national security are weaker than those generated by the XKCD method. As Jonathon pointed out, most hackers will go for the easy targets first and not bother with anything over 10 characters anyway, so most people don't need 2^44 level of security.
Users do need to be more aware of how to create a secure password. But website owners also need to do more to improve their security. A certain leading British supermarket only allows alphanumeric passwords. No special characters, nothing too complicated, and one can't help but wonder why they do this? Is it because they are too lazy to implement it correctly, or is it to make it easy for them to crack the password to gain access to the data that is held in the account?
Too true. Many sites I use have restrictions on characters, size, that make decent passwords difficult. I can only presume that some of this is the result of poor choices by their security vendors.
Alphanumeric passwords (no punctuation) can be useful if you are using a keyboard with an unfamiliar layout, or worse a computer configured with a keymap that does not match the physical layout of the keyboard attached.
On many occasions I have been attempting to remotely administer servers in other countries, where the server is configured for a local keyboard layout, but I am using a UK one. It is bad enough trying to type source code when you get a different punctuation char to what you expect every time you type one. With passwords it is worse, as you can easily get locked out from too many wrong tries, when you carefully type the password but the remote system sees something different.
For that reason, I am not keen on password rules that require punctuation, if there is any chance that you might log in remotely.
IMO those stats look good for people picking at least halfway decent passwords, only 2 or so percent are listed in those horribly weak passwords, from this sample.
I find it funny that a couple of my banking accounts don't allow passwords with much complexity. It plainly states; only letters and numbers, no complex characters.
I think websites need to require stronger passwords. That would make it more difficult on the users, but that's better than making it easier on the hackers.
Personally I like to throw in the odd swear word into my passwords, if the site doesn't allow the swear words then I question why it's being looked at and/or stored in plain text.
Wow…I never thought of that, but it's an idea that suits my sensibilities, both for its humorous essence and the fact that it catches the sites that might be examining something they have no business examining.
To be sure, certain requirements make sense, such as requiring the password to contain a minimum number of characters, and both upper case and lower case letters plus numerals and special characters. Such requirements have a practical basis (they increase the entropy of the password).
Nevertheless, my own Phucquez Them If They Can't Take A Joke™ psycho-emotional programming recoils in indignation at any site that would be so presumptuous as to impose their own prudish sensibilities on any password I might choose to use.
So what good does it do to have a difficult to crack password when the companies that you log into don't have adequate protection.
Yeah, it's O(0) to crack a password stored in plaintext. 🙂
"secure" is the worst password I've seen. On a production, public-facing server with RDP enabled lol.
It is a wonder!
We use Office 365 Cloud services. It forces the users to change passwords regularly. But after the change has happened you can change the pw back to the original??
How secure is that?
You should check out the podcast we produced where we discuss some of the corporate myths around passwords, including the compulsory reset policy every 'x' months.
http://nakedsecurity.sophos.com/2012/03/11/bustin…
My passwords are random and I have never had an issue, and I change my passwords regularly. I try to change them at least once a month; it only takes a second and I feel safer for doing it.
Did you hear about the person who changed their password to ''incorrect'' so that when they forget, the computer will say ''your password is incorrect''…
Absolutely agree with the stupidity of some of the Yahoo mail passwords. But the question is not only about how the passwords are constructed. I have had a Yahoo account since 1994. I never changed my password until this year, when I changed my password… 4 times. Simply, Yahoo is sliding down by all means. The safety of all account data is simply just virtual. For the last 2 years I started receiving e-mails from an address… exactly like my address. I sent a message to Yahoo administrators and they said: Sorry, can't help.
Any suggestions on a good free or cheap password manager compatible with Android?
Keepass has a free android version.
keepassdroid can share your desktop password database by means of Google Drive or Dropbox or other cloud service. Free, open source.
I like mSecure. My Android, PC, MBP, and my wife’s iPhone all have mSecure. The database file syncs through a Dropbox share. Nice interface for all platforms.
I also had to change my Yahoo mail password 4 times this year. The 4th change is when I decided to delete my Yahoo mail account & haven't even considered getting it back.
Password management. Until someone cracks the DB, I’m relying on Mozilla.
At least the passwords were hashed…better than 2 of the recruiting websites which I’ve recently used…passwords saved as plain text with max. 20 characters…security!
But more on topic: What’s the problem with an easy-to-remember, unique password? Either I need it nearly daily, then I’ll also remember complicated passwords, or I don’t need it so often, then I can use the “forgot my password” option. How often do I need my Amazon account per year? 3 times maybe? Why should I have to remember that password? I just let it reset every time and mash the keyboard to set a new password. Nobody will get in there if even I can’t remember the password (and it’s long enough, for sure).
But some organisations who should know better limit password options. One big UK telecom/Internet provider limits the password length to between 8-12 characters and you cannot use symbol characters such as ( or ) or / or or + or Ω, etc. So that limits the level of security you can create with carefully chosen passwords. A bit silly really, as they provide internet clients with hardware that needs a good password to safeguard the WiFi, but they deliberately restrict your options. Not good!
I have used KeePass since 2005 and each of my password required sites has a randomly generated KP password stored locally. The only complex password I need to remember is the KeePass password itself.
My only concern is that the web-site has poor security but if someone hacks that site they will simply get that one unique password I have for it, all of my passwords are worlds apart from each other. Password paranoia is one paranoia worth having.
The thing that bugs me is when I find out that my password for a site is being stored in such a way that they can tell me what it is if I forget it. This means that they are not using a one-way encryption algorithm (duh) or storing it in plain text (double duh).
As for changing passwords frequently, I read that there really isn't evidence to support the necessity for that because compromised passwords are usually used very quickly after being obtained. It seems to me that frequent password changing is only effective if compromised passwords are retained for some time before being used and of course if passwords are changed often, they often are written down allowing coworkers or others to find them. What do you folks on the Sophos team think?
I actually have a way to make a secure password that is memorable without resorting to acronyms: choose two unrelated dictionary words, add a number in the middle and replace letters with symbols, then add some symbols on the end.
e.g. Roman, Forest -> Roman3Forest -> Roman3F0r£st%_ or R0m&n3F0r3$t^!
Then you only have to remember two words and a number, then some symbols.
Did you really just advocate for more of a mommy world? You want ALL websites to enforce strong passwords. How about protecting us from all bad food, or who we date, or jail us for jaywalking, or…it is a very long list of examples.
I suspect you, like me, frequently use cheap, expendable, temporary passwords in many situations where security is not an issue. It is very frustrating to be force-fed when there is no point.
Advocating password managers is great. A big brother or mommy state, not so much. It is easy to see benefits looking from an isolated perspective, but it is not a solution, or lead to quality of life if everyone like you, operating in their micro segment of life were to reach the same conclusions, in my opinion. Have you traveled enough to shake your head when you are shown one more time how to fasten a seat-belt?
Teaching people about using longer passwords would be positive. Many people think short, but tricky passwords are needed. You are in a good position to enlighten and still let people think, learn, and live.
My bank only allows alphanumeric characters, which I think is ridiculous. My passwords are all 30 characters long and are made of random mixed alphanumeric and special characters. So when my bank tells me the maximum length is 12 characters and it can only be alphanumeric, I have to question the professionalism of the employees.
I really wish people would stop looking at passwords as a form of security. They aren't.
A password of "dgadDAAF323vcfq#@%$fdfasd34" is just as weak as "password".
Why do I say that? All it takes is a simple key logger, a man in the middle, or some other form of interception and your massive, 26 character password with capitals, numbers and symbols just got hacked.
I want companies to start moving away from relying on passwords. Use two-factor authentication (like my Blizzard Authenticator, or my Google Authenticator). The sooner companies stop asking me for passwords, the safer I'll feel.
@bomyne – you are simply wrong.
Graham – my method is that I think up a common theme between multiple websites (say, Baseball Teams for an example) and then attach a personal “PIN” of a few numbers followed by a few symbols (or interspersed number, symbol, usw.)
It’s easier to remember the password cause I only have to remember the PIN and what the theme is for this specific month of passwords. Every month I change the theme and make a new PIN.
@bomyne,
You are absolutely correct. Companies that try and make you choose a complex password are in denial. If you had 2 factor authentication you could use 1234 as your password and still be more secure than those ridiculously complex passwords that you can never remember. What good is a complex password when you have to reset it every time you use the website because you can't remember it? I can understand not using common words, and you know if you still use common words you can add a few capitals or a number or character like "*" or "(" and it's very secure.
I don't need a company to force me to use the complex passwords they want me to use. I want to be able to use 1 password for all my sites. I've never been hacked, I've never had my password compromised. Companies are putting all these false security walls to websites yet you can use your credit card at Home Depot or worse yet some kid at the doctors office uses your social security number to open up a credit card and start ordering things right away. So much for HIPAA when we have to provide our social security number to our doctors office.
You can't get to your credit card website, yet once or twice a year you hear about the website being compromised. I have a PS3 and they made me go through hoops so I can use my credit card "in the name of security", yet people's freakin' accounts were compromised. Over a year ago. How stupid is that? We can't use your credit card number because you are using a PO Box because it's not secure? What logic is that?
Where I used to work (about 15 years ago), we ran Hewlett-Packard Chemstation software to analyze samples. Everyone knew the user id was hp and the password was chem (or maybe vice-versa), since that was the original password installed. That was before everyone went crazy trying to hack others' accounts.