The mnemonic war against ‘password1’
Tue 19 Aug 2014

Technology’s tendency to stabilise and centralise may be the least desirable outcome in the field of online security, where end-users at all levels are either creating weak passwords or decorating their monitors with good ones. Perhaps a little mnemonic training can improve security while business awaits new solutions…
Last week researchers at online security company Trustwave Infosec re-confirmed ‘password1’ as the top choice in a study of 626,718 hashed passwords collected by the company whilst carrying out penetration tests during 2013-14. Nearly 54% of the hashes were cracked within minutes, including evergreen top-ten favourites such as ‘Hello123’, ‘password’ and ‘Password123’.
The company’s threat intelligence manager Karl Sigler wrote that ‘A sequence of six lowercase letters followed by two numbers led 2013’s study at 10 per cent of cracked passwords’, and noted that in this respect the pattern remains unchanged from 2013. The list itself seems to belong in the late 1980s.
The fresh wave of recent revelations about industrial-scale password theft, most recently the Russian crime ring that stole 1.2 billion passwords [1], has revived laments that the password is dead [2] as a realistic method of online security. Yet whatever is mooted to replace it is perceived by libertarian activists as oppressive and sinister [3], by technological advocates and commercial research companies as a business opportunity (such as the eDNA scheme [4] touted by the geographically-inviting ‘Oxford BioChronometrics’) and by security research companies as a hollow threat to the constant churn of confusion and corporate alarm about internet security which maintains the value of their software products and white papers. If the password is dead, it left no will that can be found.
There are so many economic, practical and legislative impediments to any real change in the user/pass combo model of online security that the flurry of debate over the last week or so has polarised to a mere two possibilities for real improvement: the widespread adoption of automated password managers and/or the increased usage of pass-phrases instead of passwords.
The problem(s) with Password Managers
Personal password sentinels such as 1Password [5], which offer locally-encrypted cross-platform solutions to password management and which do not store users’ passwords on their own servers, have to contend with a user-base so technologically inept that 10% of them are still using ‘password1’. The rest of them ‘secure’ their system-enforced passwords with Sellotape. Nearly all of them need to access secure information on a range of devices, some of which may be their personal property.
Mandating the use of Password Management software in a company requires not just investment in licences and the resources of a stretched IT department, but actual training for the end-user. It also raises secondary security implications for those companies which are enjoying the financial benefits of BYOD, since the company would be extending its security zone to non-company hardware.
An additional problem with password managers is the wide variety of input methods and accompanying restrictions which they have to contend with, combined with disparate password complexity policies across secure interfaces. Log-in forms can deny pasting, HTML injection or any method other than placing the cursor and typing (despite the fact that this may reveal the password to keystroke-loggers and ‘side-channel’ attackers). They may also obfuscate the method of password entry via JavaScript, Flash or other local ‘black box’ methods which may make automation difficult. Sites may also provide unalterable passwords, secure or not, or perverse password-creation rules that are likely to force a frustrated user to create his or her own password for that site, which will then be accessed via a ‘master password’ in the Password Manager – and who will create one that the user can remember?
None of this really matters, however, since it is only the diversity among password standards and methods of implementation that is slowing the hackers down at all. Once you consolidate this confused system of approaches and methods, you give criminals a single heart to aim at, and a locus of attention for their currently-divided resources.
Yet the urge to centralise seems irresistible: for a cash-strapped coalition inheriting (and, ultimately, furthering) an appalling record of government IT development, it must have seemed ingenious and thrifty to propose that UK citizens access government services via their Facebook user logins in late 2012 – even though it had been considering blocking Facebook [6] as an anti-riot measure only one year earlier. A year later, the theft [7] of 318,000 Facebook user/pass combos in a 2m+ password heist combined with public criticism [8] of the scheme’s privacy and security implications to dampen the government’s enthusiasm.
From password to passphrase
Assuming that no mass-investment will take place towards multi-factor login procedures such as SQRL [9] (which finally claims to have found a worthwhile use for QR codes) or in biometric technology (still hampered by fears of biometric dismemberment [10] despite cautious denial [11] by the Biometrics Institute and the fact that Apple’s own fingerprint-ID system does not work [12] on ‘dead’ digits), we are left with Trustwave’s conclusion that the wide adoption of passphrases over passwords presents the best opportunity to give the existing system a little extra life – faced as it is with a well-motivated cracking community which is inventive, industrious and armed with ever more powerful GPU clusters to aim at your hashes.
Karl Sigler of Trustwave notes that a single GPU would take only 3.75 days to crack the deeply unmemorable ‘N^a&$1nG’, and 17.74 years to unravel the hash for the far friendlier ‘GoodLuckGuessingThisPassword’. Unfortunately the latter password would fail a broad swathe of online password security requirements, since it lacks numbers and/or non-alphanumeric characters (such as ‘$’ or ‘*’). Additionally the capital letters at the start of each English word act as a delimiter as obvious to a hacker as the ‘space’ character which most password criteria ban.
Even so, each additional character in a password/phrase adds an order of magnitude to the problem of decryption, at least for automated tools at this time. So it would seem that lengthy passphrases are worth pursuing – if the secure system in question will allow it by abandoning low maximum-character lengths for passwords, and if end-users will begin to adopt a more imaginative approach to mnemonics than combining their cat’s name with their own numeric year of birth.
Inventing methods, not passwords
The problem with even discussing techniques of password generation on the internet is that they are…on the internet. Therefore any suggestions I may include here are only to illustrate a point – namely that since we are obviously never going to abandon the small group of objects, people, places or dates which are immediately memorable to us when creating a password, we might consider combining elements of those factors into a more inventive mnemonic technique. Crucially, it must be a method of our own invention.
At the very least, for instance, we could mitigate the cardinal sin of lowercase + number (the most frequently used pattern identified by Trustwave), by deciding to write out the number longhand, turning the appalling ‘katie1991’ into the passphrase ‘katienineteenninetyone’ – from nine to 22 characters without altering the mnemonic, and from seven hours’ estimated cracking-time to 2 quadrillion years, if you are willing to trust the How Secure Is My Password strength estimator [13]. There are patterns in there for current and future cracking algorithms to plunder, and including a plausible birth-year in any form is unwise, but it is an improvement.
For sites requiring uppercase letters and a numeric character, one could invent the rule – usable in this and all future passwords you will create – to capitalise only the first letter of a passphrase, and, if required, to add a simple ‘1’ to it, resulting in ‘Katienineteenninetyone1’. The alteration of the opening and closing characters adds little or no security, but the password is still memorable, the added security of the password’s length is untouched and the rules governing its creation are simple, reusable and recoverable.
If birth-years must remain, resolve now that they will never appear in an identifiable form in your passwords again: for instance, you could multiply your own birth-date by that of your partner and then that of your first-born, a logical progression. Thus, if your birth-date is 10th of August 1991, that of your partner is 3rd of March 1989 and that of your daughter is 14th January 2011, the resulting number is 46372061152489 (100891 x 30389 x 140111 = 46372061152489), turning your password from ‘katie1991’ (7 hours) to ‘katie46372061152489’ – two trillion years to crack, with a calculator as your makeshift two-factor authentication device, since the number is too long to memorise. If the need for a calculator is too burdensome, compromise by fusing the plain-text years together (‘katie199119892011’ – 2 billion years).
Numbers are more susceptible to brute-force attack than letters, since each position can take only 10 possible values vs. 26 for alphabetic characters, so why not combine the mathematical method with its alphabetic equivalent? This might result (assuming that your name is Katie, your partner’s name is Joseph and your daughter’s name is Lauren) in a password of ‘katiejosephlauren46372061152489’ – 13 nonillion years to crack, and composed of the most readily-accessible mnemonic elements available to you.
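The cracking times quoted above (Trustwave’s GPU figures and the How Secure Is My Password estimates) all assume a blind character-by-character search. The following added example, which is not code from the article, Trustwave or the estimator, puts that model beside a structured search over the passphrase’s recognisable parts (a first-name list, a spelled-out year list, a word list), to show how far the brute-force figure overstates the cost once a guessing tool knows the pattern. The guess rate (10^9 per second) and the list sizes are constructed assumptions.

```python
import math

# Constructed assumptions (not figures from the article): one GPU trying
# 1e9 guesses per second. The article quotes cracking times without the
# rate behind them, so absolute years differ; the relative gaps are the point.
GUESSES_PER_SECOND = 1e9
SECONDS_PER_YEAR = 365.25 * 24 * 3600

def charset_size(pw):
    """Alphabet a blind brute-force attacker must cover: 26 lowercase,
    26 uppercase, 10 digits, 33 other printable ASCII characters."""
    classes = [(str.islower, 26), (str.isupper, 26), (str.isdigit, 10),
               (lambda c: not c.isalnum(), 33)]
    return sum(size for test, size in classes if any(test(c) for c in pw))

def years_to_exhaust(space):
    """Years needed to try every guess in a space of the given size."""
    return space / GUESSES_PER_SECOND / SECONDS_PER_YEAR

def brute_force_years(pw):
    """Character-by-character search, the model behind most online
    'how secure is my password' estimators."""
    return years_to_exhaust(charset_size(pw) ** len(pw))

def pattern_years(components):
    """Structured search: the attacker enumerates each recognisable part
    (a name list, a year list, a word list) and tries every combination,
    so the space is the product of the component sizes."""
    return years_to_exhaust(math.prod(components))

def estimate_gap(pw, components):
    """(brute_years, pattern_years, ratio): how far the brute-force figure
    overstates the cost once the password's structure is known."""
    b, p = brute_force_years(pw), pattern_years(components)
    return b, p, b / p

# Constructed component sizes: 10,000 first names, 100 spelled-out years,
# 10,000 common English words (the passphrase uses four of them).
EXAMPLES = {
    "N^a&$1nG": [95] * 8,                          # no structure to exploit
    "katienineteenninetyone": [10_000, 100],       # first name + spelled year
    "GoodLuckGuessingThisPassword": [10_000] * 4,  # four dictionary words
}

if __name__ == "__main__":
    for pw, comps in EXAMPLES.items():
        b, p, r = estimate_gap(pw, comps)
        print(f"{pw:30s} brute {b:.2g} y  pattern {p:.2g} y  overstated x{r:.2g}")
```

The random 8-character string gains nothing from structure-awareness, whereas both mnemonic passwords drop from astronomical brute-force estimates to under a year once their parts are enumerated, which is why the article’s advice to invent a rule of your own, rather than reuse a published pattern, matters more than the estimator’s headline figure.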
More advanced mnemonic techniques can render even counterintuitive system-generated passwords memorable, but there seems to be no will to address the problem via training, and little acknowledgement that the resolution of the problem may be other than technological in nature. Policy is clearly not enough, as anyone who has ever witnessed a password-encrusted monitor will attest.
Links:
[1] Russian Hackers Amass Over a Billion Internet Passwords (NYT, Aug 2014)
[2] Is This the Death of Passwords? (NBC News, July 2014)
[3] Facebook accounts could be used to prove identity to access public services (Guardian, Oct 2013)
[4] Oxford BioChronometrics (official site)
[5] AgileBits ‘1Password’ (official site)
[6] British Government Considers Blocking Twitter, Facebook To Prevent Riots (Forbes, Nov 2011)
[7] 2 million Facebook, Gmail and Twitter passwords stolen in massive hack (CNN Money, Dec 2013)
[8] UK government’s Facebook login proposals don’t hold water (Info Security, Oct 2012)
[9] Secure Quick Reliable Login (official SQRL page)
[10] Finger chopped off to beat car security (New Scientist, April 2005)
[11] Is theft of a biometric possible? (Biometrics Institute)
[12] Apple, Touch ID and the fear of having your finger chopped off (Fortune, Sept 2013)
[13] How Secure Is My Password? (web-based estimator)