Risk
6/8/2012
02:42 PM
Connect Directly
RSS
E-Mail
50%
50%

7 Tips To Toughen Passwords

As this week's LinkedIn and eHarmony--and likely, Last.fm--breaches demonstrate, many website users continue to pick atrocious, easily cracked passwords. Are your passwords safe?

It's been a bad week for passwords.

So far, 6.5 million users of LinkedIn and 1.5 million eHarmony subscribers had their password hashes uploaded to a hacking forum on the InsidePro website, although security experts suspect that many more accounts may have been compromised.

Meanwhile, streaming music service Last.fm Thursday confirmed that it's "currently investigating the leak of some Last.fm user passwords." While it didn't detail how many of its 40 million users might be affected, security experts think about 17.3 million MD5 unsalted hashes were stolen, that 16.4 million have already been cracked, and that the breach may date from 2010 or 2011.

[ Mobile device security is proving a bigger challenge than many IT shops expected. Can IT Be Trusted With Personal Devices? ]

Needless to say, all three sites have recommended that every one of their users change their password on the site--just in case. But what's the best type of password to pick? Here are 7 best practices:

1. Pay Attention
The single biggest password security problem is apathy. While the LinkedIn and eHarmony password hash databases uploaded to the InsidePro password-hacking forum weren't respectively labeled as such, many security researchers quickly identified the likely social networks involved, owing to the sheer number of passwords that were literally "linkedin," "eharmony," "harmony," or some variation thereof.

What's the problem? Simply that those passwords--amongst many of the other choices--are extremely easy to crack. In the case of the 6.5 million leaked LinkedIn passwords, for example, "1,354,946 were recovered within a few hours time with HashCat / Jtr and publicly found wordlists on a customer grade laptop," according to security researcher Stefan Venken.

2. Use Unique Passwords
When it comes to creating passwords, "remember to use separate and unique passwords for each site. Password reuse is your enemy," said Roger Thompson, chief emerging threats researcher at ICSA Labs, via email. That's because when criminals obtain passwords, they often trade them with other people via underground bulletin boards, after which they'll test whether user credentials--username, password--for one site will work on another. Last year, for example, Sony had to lock about 93,000 user accounts after attackers used credentials stolen from other sites to attempt to log in to people's PlayStation Network, Sony Online Entertainment, and Sony Entertainment Network accounts.

3. Explore Life Beyond Letters
For stronger passwords, "use non alpha characters such as ?!$% in the password," Thompson also recommended. He also said that common passphrases, such as "I like BBQ" should be avoided, since they're easy to crack. But complex passphrases--for example, "a bunch of random words" strung together--do make for good passwords, he said.

4. Use Uncommon Patterns
Also try to not pick easily recognizable patterns. "Users should not rely on common patterns in an effort to improve password security," said Seth Hanford, the operations team lead for IntelliShield, which is part of Cisco, in a blog post. "For example, recent research has suggested that sets like possible day / month combinations (4 digits starting with '19' or '20,' or combinations which can be interpreted as day/month values like 0501) are particularly weak."

5. Lose The Biographical Details
Avoid using public details about yourself to build a password. "Don't use things that can be discovered about you, such as your hometown, or the name of your pet or spouse," said Thompson. Unfortunately, the same should go for password-reset questions, as presidential candidate Mitt Romney learned earlier this week when someone accessed his Hotmail and Dropbox accounts after resetting his password to one of their own choosing. They were able to do that by guessing his "favorite pet" password-reset challenge question, meaning the pet name used was evidently a matter of public record.

6. Love Longer Passwords
Use long passwords, as modern graphics cards make child's play of short passwords. "How fast can hackers crack passwords? The answer [is] '2 billion [combinations] per second' using the Radeon HD 7970 (the latest top-of-the-line graphics processor)," said Robert Graham, CEO of Errata Security, in a blog post. Since a five-letter password has 10 billion possible combinations, that means it can be cracked in five seconds. Compare that to six characters (500 seconds), seven letters (13 hours), and eight characters (57 days). Meanwhile, "if it's nine letters, it's too difficult to crack with brute force," he said, although there other ways to go about cracking passwords, or example by using rainbow tables.

For comparison's sake, Venken's analysis of the breached LinkedIn passwords found that eight-character passwords were most common (33%), followed by six characters (21%), seven characters (16%), nine characters (15%), 10 characters (9%), and 11 characters (4%). Security experts have noted that since LinkedIn's user base is largely professional, and thus used to following IT password rules, they likely picked stronger--including longer--passwords than the average website user.

7. Use Password Managers
Perhaps the single best technique for creating secure passwords is to choose "random, long strings (>12 characters) managed by a secure password manager," said Hanford. Added bonus: Password managers typically include built-in strong and random password generators, thus eliminating the guesswork. Even better, many will synchronize your password lists across every PC, smartphone, or tablet that you own.

Which password manager should you use? LifeHacker offers one roundup. But beware: A study of iOS password managers, released earlier this year by researchers at Black Hat Europe, found that out of 13 studied applications, only one correctly implemented strong crypto. In the wake of that research, however, many of the developers named in the report said they'd be fixing how their applications use crypto.

Employees and their browsers might be the weak link in your security plan. The new, all-digital Endpoint Insecurity Dark Reading supplement shows how to strengthen them. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
Anne-MarieL355
50%
50%
Anne-MarieL355,
User Rank: Apprentice
12/7/2013 | 3:48:20 PM
Best advice i've ever heard on passwords....
Found very simple advice here.  This article says length beats complexity every time and is easier for you to remember: http://devnull1.blogspot.ca/2013/12/your-password-is-no-good.html 
jleon570
50%
50%
jleon570,
User Rank: Apprentice
6/18/2012 | 10:01:50 PM
re: 7 Tips To Toughen Passwords
It seems to me that the biggest problem is the lack of security at the account host (aka LinkedIn, Google, eHarmony, Wells Fargo, Amex, etc). Yes, it is a bad thing if stupid ol' me uses the same "12345" for all my accounts from my eTrade account to my luggage. BUT, when the hacker community gets MY password, they have only MY password. As much as any technophobe would poke fun at me for my individual lack of security, the top 5 executives at LinkedIn, eHarmony, Last.fm, et al, need to be a proportionally larger laughing stock (because they're proportionally more stupid). In the web code I've been writing for at least the last 10 years, salting passwords has been universal, and (sadly) none of my sites hold a candle to LinkedIn in terms of subscribers or tech resources.

The entire internet development community needs to create and be generally aware of password protection standards, and web sites need a way to show the users that the site operators know those standards and to which level of protection they aspire. That way, I could tell my readers to stay away from banking sites that don't comply with say, "at least Password Protection Standards level 4 or higher, and 5 or higher is even better." I tell my readers that if the web site can send your actual password by e-mail if you forgot it, then every employee and business partner of that company already has your password. That would be "Password Protection Standards Level 0". So that morons like those at LinkedIn might be better aware, Level 1 would be an unsalted one-way hash or use of a weak hashing function (like MD5). Level 2 requires salted hashes using an unbroken and at least 160-bit one-way hash function. Level 3 requires salted hashes with a minimum of 48-bit salt using an unbroken and at least 224-bit one-way hash. Level 4, 5, 6, who knows. Maybe there should be other hash function requirements like resistance to collision attacks or preimage attacks, etc. But this protection would define only how well the passwords are stored and is meaningful only in the event that the password list is stolen.

The should be other descriptions of how the site protects its users, like: password entry is only allowed over a secure connection, password change enforcement, password length and diversity enforcement.

My password in MY possession is MY responsibility. My password in YOUR possession is YOUR responsibility.
Mathew
50%
50%
Mathew,
User Rank: Apprentice
6/13/2012 | 10:00:01 AM
re: 7 Tips To Toughen Passwords
Rock Star, you're entirely correct that websites need to do a better job of protecting their passwords, and two-factor is a great idea. So is using password encryption algorithms, versus cryptographic algorithms such as MD5 that are now widely used. Unfortunately, there's no magic wand ... with luck, the LinkedIn (et al) breaches will lead more companies to proactively invest, to help avoid any damage to their reputation when/if their password database gets knocked over. But from a consumer/user standpoint, using stronger passwords will at least slow attackers down, and making sure they're unique will prevent hopscotch-style password cracking attempts.
Mathew
50%
50%
Mathew,
User Rank: Apprentice
6/13/2012 | 9:45:46 AM
re: 7 Tips To Toughen Passwords
Hi Osmore, thanks for your comment. If there could be any single piece of advice that this author would propose, it would be: Use a password manager. No, it won't protect you if a site gets its password database stolen and cracked. But it does give you a practical, affordable way to generate and manage unique, strong passwords for the over 100 websites you use. That way, if your LinkedIn password does get published, it's a one-off. Inconvenient, but no one will be able to use it to access your Gmail account.
moarsauce123
50%
50%
moarsauce123,
User Rank: Apprentice
6/11/2012 | 11:22:58 PM
re: 7 Tips To Toughen Passwords
Should do away with passwords altogether and use biometric access instead.
ANON1237925156805
50%
50%
ANON1237925156805,
User Rank: Apprentice
6/11/2012 | 9:02:57 PM
re: 7 Tips To Toughen Passwords
That's interesting because I was thinking of posting this very thing. It doesn't much matter how convoluted the algorithm you use to generate passwords: If they are 8 characters or fewer there's enough brute strength to hack them. It may take two days for yours as opposed to 1/2 hr for someone else's but the result is the same.

We need to move to passphrases. Passphrases needn't be unbearably cryptic as long as they are not trivial (e.g. "all cows eat grass" or "the password is swordfish"). One can string together words that are meaningful to them but not obvious to others.

Voila. It's memorized. To personalize for each site that has critical data, embed an abbreviation (not the full name) related to the site. For example, Facebook might have an fb in it or an ook. That's not risky in the context of a longer passphrase.

By all means punctuate your passphrase in an unpredictable way and/or throw in a cap if you like but only if you'll easily remember them.

The math for this is well documented. Longer string, MUCH harder to crack and more opportunity to create something that's easy to remember without being written down. End of story.

Why then do so many sites restrict password size to 8 characters? Why did Amex of all places reduced its max allowable password length from 8 to 6 a few years ago???!!!! Why do so many sites disallow spaces when by lengthening a passphrase they make it harder to crack it?

We need a new paradigm here, not more cryptic short passwords.
Eric_Brown
50%
50%
Eric_Brown,
User Rank: Apprentice
6/11/2012 | 12:55:13 PM
re: 7 Tips To Toughen Passwords
I have to argue with you, the biggest single security problem is articles like this one. I have to laugh by the fact that million articles about password strength and password managers the minute there are reports of passwords being stolen. HELLOG«™ anyone out there, the strength of your password or having it locked-up in Fort Knox does not mean anything when it is stolen from the source! You need to be talking about other steps like the need to implement some form of 2FA (two-factor authentication) were you can telesign into your account to protect you if your password were to be stolen. If they were to try to use the G«£stolenG«• password and were not on the computer, smartphone or tablet you have designated trusted, they would still need the one-time PIN code which is delivered to YOUR phone via SMS or Voice.
Bprince
50%
50%
Bprince,
User Rank: Ninja
6/9/2012 | 9:33:40 PM
re: 7 Tips To Toughen Passwords
Personally, I think the best thing to do is prioritize. Like Osmore is saying, there are a lot of sites that require passwords (such as this one). But this account probably isn't as important to you in terms of personal information etc. as your Facebook or email. So maybe come up with complex but memorable passwords for the important stuff and weaker passwords for the sites that are less important.
Brian Prince, InformationWeek/Dark Reading Comment Moderator
thecalitree
50%
50%
thecalitree,
User Rank: Apprentice
6/9/2012 | 8:52:22 PM
re: 7 Tips To Toughen Passwords
If you really want to know how to choose a correct password, look at this comic.

http://xkcd.com/936/

I literally just registered to post this.

The author of the comics is a physicist/computer scientist from what I can tell. Seems legit.

ComScience
50%
50%
ComScience,
User Rank: Apprentice
6/9/2012 | 8:50:52 PM
re: 7 Tips To Toughen Passwords
"The best possible encryption" means a level of complexity, licensing and processing that is too expensive for most websites. You are probably thinking about military grade encryption?

Using MD5 is a standard encryption process, salted hashes should have been implemented and would have made the decryption much more difficult. See the wikipedia article for more information.

What the hackers did is convert the hashed password back into the text password using various processes including rainbow tables.

A simple explanation is if I make a password of "2Paramount109"and convert it to an MD5 hash, I get a 16 byte string of Hexadecimal characters that are the same no matter what MD5 conversion I use.

If I now have a list of MD5 hashes, I can see which ones match a table of pre-converted passwords. These huge tables of pre-converted passwords are called rainbow tables and can be generated using software at home, or purchased online.

They didn't actually try different login / password combinations on the live website, which could have locked them out of the website.

References:

http://en.wikipedia.org/wiki/M...

Page 1 / 2   >   >>
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-1544
Published: 2014-07-23
Use-after-free vulnerability in the CERT_DestroyCertificate function in libnss3.so in Mozilla Network Security Services (NSS) 3.x, as used in Firefox before 31.0, Firefox ESR 24.x before 24.7, and Thunderbird before 24.7, allows remote attackers to execute arbitrary code via vectors that trigger cer...

CVE-2014-1547
Published: 2014-07-23
Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 31.0, Firefox ESR 24.x before 24.7, and Thunderbird before 24.7 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.

CVE-2014-1548
Published: 2014-07-23
Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 31.0 and Thunderbird before 31.0 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.

CVE-2014-1549
Published: 2014-07-23
The mozilla::dom::AudioBufferSourceNodeEngine::CopyFromInputBuffer function in Mozilla Firefox before 31.0 and Thunderbird before 31.0 does not properly allocate Web Audio buffer memory, which allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow and applica...

CVE-2014-1550
Published: 2014-07-23
Use-after-free vulnerability in the MediaInputPort class in Mozilla Firefox before 31.0 and Thunderbird before 31.0 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) by leveraging incorrect Web Audio control-message ordering.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Sara Peters hosts a conversation on Botnets and those who fight them.