Steve Gibson, in Episode 366 of Security Now!, “Password Cracking Update: The Death of Clever,” presents the case for longer, random passwords saying that hackers know all the tricks humans use to create them. We all probably have suspected this, but it’s likely few of us have really given it much thought.
Steve made reference to “Why passwords have never been weaker—and crackers have never been stronger,” an Ars Technica blog post by Dan Goodin. After reading it, I’m convinced that most password creation tips just contribute to the overall hacker knowledge, especially if people are actually following them. Consider what Goodin says:
…a series of leaks over the past few years containing more than 100 million real-world passwords have provided crackers with important new insights about how people in different walks of life choose passwords on different sites or in different settings. The ever-growing list of leaked passwords allows programmers to write rules that make cracking algorithms faster and more accurate; password attacks have become cut-and-paste exercises that even script kiddies can perform with ease.
To wit, “…nearly all capital letters come at the beginning of a password; almost all numbers and punctuation show up at the end. [The online games service RockYou.com breach] also revealed a strong tendency to use first names followed by years, such as Julia1984 or Christopher1965,” Goodin says. Surely, you know someone (maybe even yourself, heaven forbid) who does this. That really narrows the search field.
Character substitution using numbers and symbols instead of the letters is also predictable. You might think that a 12-character passphrase like C@n’tGu3$$Me would be relatively secure, but it’s predictable: common words, first letter capitalized, common character substitutions.
Goodin’s post mentions a computer comprising eight AMD Radeon HD7970 GPU cards, running version 0.10 of a cracking utility called oclHashcat-lite that requires just 12 hours to brute force the entire keyspace for any eight-character password containing upper- or lower-case letters, digits or symbols (96 characters). With such tools available, not even a machine-generated random password 8 characters long is sufficient. The only solution is to make it longer. For each character you add, you multiply by 96 the time it takes to test for every possible combination: add 1 more character and you’re up to 12 x 96, or 1152 hours — 48 days; add 2 characters, you’re up to 4608 days, or a bit over 12.5 years.
To be completely unpredictable, you’ll need to use a password generator. Of course, this is going to produce passwords that you will find nearly impossible to remember, so you will need to find a good password manager to remember them for you. Here are the top five applications that have free or low-cost versions:
- KeePass(Windows/Mac/Linux/Mobile, Free)
- LastPass(Windows/Mac/Linux/Mobile, Basic: Free/Premium: $1/month)
- 1Password(Mac OS X/iPhone, Desktop: $39.95/iPhone:$14.95)
- RoboForm(Windows, Basic: Free/Pro: $29.95)
- SplashID (Windows/Mac/Mobile, Desktop: $19.95/Mobile:$9.95)
Time to go in and edit all of my “clever” passwords…