Password Security (and Why You Should Be Trembling)

No doubt by now you know that Sony's PlayStation Network was hacked. The attackers got away with the user database, and probably with credit card information as well.

I'm going to get a little technical today and talk about passwords.

Most people use the same password for GMail as they do for their bank login. This is bad. Let me explain why.

For many years, smart software developers have been "hashing" passwords. What this means is that the password is run through a special one-way mathematical function that turns it into gibberish, and only that gibberish is stored. When the user logs in, the password they type is run through the same function and the result is compared with the stored version. The plain text password is not stored at all, so in theory nobody can get your actual password by peeking inside the database.

Be Very Afraid

Then along came the hackers. Using modern video cards, I can take a database of those hashes and test plain text guesses against it at a rate of about one billion per second (that rate assumes a single round of a fast hash such as MD5 or SHA-1; slow, iterated hashes are covered in the developer section below). That means for a typical password system I can try every possible combination against a hashed password within about 60 hours. Most passwords fall considerably sooner. How many of you were required to use a number in your password, and to comply you added a "one" to the end of your everyday word? Thought so. So I start cracking with those. For instance, "badminton1" is probably somebody's password somewhere. I start with those, but I work all the way through to more random things like "1D3kvLTz" and can still crack those within the 60 hours.

Why do I care? Because if someone steals the password database from Sony or from a website forum (which probably has even less protection than Sony had), within 60 hours they could know my password. And if I reused that password anywhere, they have a leg up on pretending to be me at my work, my GMail, my Hotmail and even my online banking.

Longer is Better

The 60-hour figure above is for 8-character passwords using lower case, upper case and numbers: 62 possible characters in each of 8 positions, about 218 trillion combinations. That length and character mix is the most common.

Longer passwords, and passwords containing special characters like "{" or "%", are better.

The same system that cracks those passwords within 60 hours would, given an all-lower-case password of 20 random characters, theoretically take 631 billion years to work through all 26^20 combinations.

Now this does not mean that a password of "thisismypassworddood" is better than "1D3kvLTz". In fact, it's not. Given human nature, if I'm cracking passwords I'm going to try dictionary words, and combinations of them, before I try random characters. Sure, exhausting every 20-character string might take me 631 billion years, but if your password is built entirely from English words I'm definitely trying those combinations first: I'm guessing words, not letters, so the space I have to search is the size of my wordlist raised to the number of words, not 26 to the 20th. Within 40 hours I could probably try most common word-built passwords of 20 characters in length.
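The arithmetic behind the figures quoted above (60 hours, 631 billion years, and the word-built case), as an added example that is not code from the original post. It generalises the post's numbers to any alphabet size, password length, guess rate and hash-iteration count; the one-billion-guesses-per-second rate is the post's own figure for a single fast hash, and the 2,000-word dictionary used for the phrase case is an assumption chosen for illustration.

```python
# Added example: crack-time arithmetic for the figures in the post.
# Assumptions: 1e9 guesses/second (the post's GPU rate for one fast hash),
# and a 2,000-word list for the "common words" case.
from math import log2

GUESSES_PER_SECOND = 1_000_000_000   # one fast hash per guess, from the post
SECONDS_PER_HOUR = 3600
HOURS_PER_YEAR = 24 * 365.25

# Sizes of the usual character classes.
LOWER, UPPER, DIGITS = 26, 26, 10
SPECIAL = 32                          # printable ASCII punctuation


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def entropy_bits(space: int) -> float:
    """Bits of work a full search of `space` represents."""
    return log2(space)


def hours_to_exhaust(space: int, rate: float = GUESSES_PER_SECOND,
                     iterations: int = 1) -> float:
    """Worst-case hours to try every candidate when each guess costs
    `iterations` hash computations (1 = the plain single hash)."""
    return space * iterations / rate / SECONDS_PER_HOUR


def years_to_exhaust(space: int, rate: float = GUESSES_PER_SECOND,
                     iterations: int = 1) -> float:
    """Same as hours_to_exhaust, in years."""
    return hours_to_exhaust(space, rate, iterations) / HOURS_PER_YEAR


def phrase_keyspace(dictionary_size: int, words: int) -> int:
    """Keyspace of a password built from `words` words drawn from a list.
    Character length is irrelevant: the attacker guesses words, not letters."""
    return dictionary_size ** words


if __name__ == "__main__":
    mixed8 = keyspace(LOWER + UPPER + DIGITS, 8)   # e.g. "1D3kvLTz"
    lower20 = keyspace(LOWER, 20)                  # 20 random lowercase letters
    phrase = phrase_keyspace(2000, 4)              # four common words, ~20 chars
    print(f"8 chars, 62-char alphabet: {entropy_bits(mixed8):.1f} bits, "
          f"{hours_to_exhaust(mixed8):.0f} hours")
    print(f"same, hashed 1024 times:   "
          f"{years_to_exhaust(mixed8, iterations=1024):.1f} years")
    print(f"20 random lowercase:       {entropy_bits(lower20):.1f} bits, "
          f"{years_to_exhaust(lower20):.3g} years")
    print(f"4 words, 2000-word list:   {entropy_bits(phrase):.1f} bits, "
          f"{hours_to_exhaust(phrase):.1f} hours")
```

Running it reproduces the post's numbers: about 60.6 hours for the 62-character, 8-position space, about 7 years for the same space when every guess costs 1024 hashes, and about 6.3e11 years for 20 random lowercase letters. The four-word phrase from a 2,000-word list is the instructive one: it is 20 characters long but carries only about 44 bits, and falls in under five hours at the same guess rate.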

What Can You Do?

So what can you as the user do? Use long passwords, as long as the system allows. For instance, at the time of writing American Express accepts passwords of at most 12 characters, while your local bank might support 20. Use the longest possible password for the system you are using.

Do not use any word from the dictionary. Yes, you might think that using ! instead of i makes it more secure, but everyone knows that trick, so it's actually one of the first things the crackers look for: wordlist attacks apply those substitutions, capitalisation changes and appended digits automatically. So "dingbat" and "d!ngbat" are about the same in security rating.
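A miniature version of the rule-based wordlist attack the post describes, both the "badminton1" case from the Be Very Afraid section and the "d!ngbat" substitution above, as an added example (not code from the original post). It runs against a constructed set of unsalted MD5 hashes standing in for a stolen database; the five-word list and the rule set are toy-sized assumptions, but the shape is the same as a real attack with a wordlist of millions of entries and hundreds of rules.

```python
# Added example: rule-based dictionary attack against unsalted fast hashes.
# The wordlist, rules and "leaked" hashes are all constructed for this demo.
import hashlib
from itertools import product

# A tiny stand-in for a real wordlist (constructed).
WORDLIST = ["badminton", "dingbat", "password", "letmein", "sunshine"]

# The substitutions people use to "add a special character".
LEET = {"a": "@", "e": "3", "i": "!", "o": "0", "s": "$"}


def mangle(word):
    """Yield the variants a cracker tries long before any random search:
    plain / Capitalised / UPPER, every subset of leet substitutions applied
    to each, and all of those with a digit, "123" or "!" appended."""
    bases = {word, word.capitalize(), word.upper()}
    for base in list(bases):
        positions = [i for i, c in enumerate(base) if c.lower() in LEET]
        # Every on/off combination of the substitutable positions.
        for mask in product([False, True], repeat=len(positions)):
            chars = list(base)
            for pos, on in zip(positions, mask):
                if on:
                    chars[pos] = LEET[chars[pos].lower()]
            bases.add("".join(chars))
    suffixes = [""] + [str(d) for d in range(10)] + ["123", "!"]
    for base in bases:
        for suffix in suffixes:
            yield base + suffix


def md5_hex(s: str) -> str:
    """Unsalted single-round MD5: the kind of 'hashing' the post warns about."""
    return hashlib.md5(s.encode()).hexdigest()


def crack(hashes, wordlist=WORDLIST):
    """Return {hash: password} for every hash the rule attack recovers."""
    targets = set(hashes)
    found = {}
    for word in wordlist:
        for candidate in mangle(word):
            h = md5_hex(candidate)
            if h in targets:
                found[h] = candidate
                targets.discard(h)
        if not targets:
            break
    return found


# A constructed "stolen database": three passwords of the kinds the post
# describes, plus the random "1D3kvLTz" to show what the rules do NOT reach.
LEAKED = {md5_hex(p) for p in ["badminton1", "d!ngbat", "Sunshine123", "1D3kvLTz"]}

if __name__ == "__main__":
    for h, pw in crack(LEAKED).items():
        print(f"{h}  {pw}")
```

The three human-chosen passwords fall in a few thousand guesses; the random 8-character one is untouched because no rule produces it, and reaching it takes the full 62^8 search the post prices at 60 hours. Note also that because the hashes are unsalted, every candidate is hashed once and checked against all targets at the same time.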

Randomly capitalize letters. Randomly throw in numbers. If the system supports special characters like percent, braces or at symbols, use them. Better still, don't pick the password yourself at all: use a random password generator, such as an Android app.

Do NOT reuse passwords. A good first step is to make sure your email and your bank passwords are completely different (your email is the most important one of all, since password resets for everything else land there), but don't reuse bank passwords between banks either. If one bank is compromised somehow, you don't want ALL of your bank accounts or credit cards to be at risk.

Look for financial institutions that support a hardware-based one-time password device. Use Google's two-factor authentication system.

I know this makes managing your passwords more painful. Get an app for your phone that encrypts your passwords for you. Use a password manager like KeePass, with its browser plugin, to manage your passwords in your web browser.

What Can Software Developers Do?

Multi-hash (key stretching). A password that takes me just 60 hours to crack when hashed one time can be better protected without the user making any effort.

Take the user's password, hash it. Hash it again. Do it 1024 times. Every guess now costs the cracker 1024 hashes too, so that 60 hours turns into about seven years (60 hours x 1024 = 61,440 hours), even if the cracker knows all the password salts used. Don't hand-roll the loop: PBKDF2, bcrypt and scrypt are the standard constructions for exactly this, with the iteration count (or cost factor) stored alongside the hash as a knob you turn up as hardware gets faster.

Use good long random salts, a different one for every user, stored alongside the hash. A salt does not need to be secret (the seven-year figure above already assumes the cracker has it); its job is to make every stored hash unique, so that one billion guesses per second tests one user's password rather than every user's at once, and so that precomputed tables are useless.
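The developer-side advice above (per-user random salt, iterated hashing, iteration count kept with the record), as an added example that is not the post's code or any particular library's. It uses the Python standard library's PBKDF2-HMAC-SHA256, the standardised form of "hash it, hash it again, do it N times", and shows the naive single-hash store beside it so the difference is visible. The iteration count, salt length and record format are choices made for this example.

```python
# Added example: salted, iterated password storage with PBKDF2 (stdlib),
# beside the naive single-hash store. Parameters are example choices.
import hashlib
import hmac
import os

ITERATIONS = 100_000          # raise as hardware gets faster
SALT_BYTES = 16               # 128 random bits per user


def naive_hash(password: str) -> str:
    """'Hashing one time': no salt, one fast hash. Two users with the same
    password get the same stored value, and one run cracks everyone at once."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$hash.
    Storing the iteration count lets you raise it later without breaking
    old records."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count and compare in
    constant time, so the comparison itself leaks nothing."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if algorithm != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True if the record was made with fewer iterations than current policy;
    call hash_password again on the next successful login to upgrade it."""
    return int(record.split("$")[1]) < iterations


if __name__ == "__main__":
    # Same password for two users: identical when naively hashed,
    # distinct once each gets its own salt.
    print(naive_hash("badminton1") == naive_hash("badminton1"))   # True
    a, b = hash_password("badminton1"), hash_password("badminton1")
    print(a == b)                                                  # False
    print(verify_password("badminton1", a), verify_password("badminton2", a))
```

Two points worth noticing in practice: the record carries everything needed to verify it except the password, so there is no secret to "protect" beyond the database itself; and the salt is what turns one cracking run against the whole table into one run per user, which is the multiplier the iteration count then builds on.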

Posted by Tony on May 16, 2011 | Network Security