In a recent Security Now! podcast, Steve Gibson of Gibson Research Corporation (GRC) and Leo Laporte of the TWiT network talked about a very interesting topic concerning password security. Two words sum up the entire talk: size matters! What Steve found is that a long, randomly generated password built from uppercase letters, lowercase letters, digits and symbols isn't necessarily stronger, against a brute force attack, than an easily recognizable password of the same length that draws on the same character classes. How is this possible? Steve calls the technique "password padding", and after listening to the podcast you'll wonder why you haven't been doing it all along.
This topic isn't rocket science. If you ask a user to remember a ridiculously long, randomly generated password that makes no sense whatsoever, you're asking for trouble. The user will either write the password on a post-it note or forget it altogether. The result? The user will most likely make up their own password, one that is a lot easier to remember and also a lot easier to crack! With password padding, just about any user can create a password that is impractical to crack and that they will have no problem remembering. To understand why password padding works, you first need to understand the two most widely used methods of cracking passwords.
Dictionary Attacks
This attack is usually run first, before any brute force. The attacker tries a list of the most commonly used passwords (a Google search will turn up such lists, and real word lists run to millions of entries) in the hope that yours is on it. Remember how you're always told not to choose a dictionary word as your password? Dictionary attacks are the reason, and no, substituting the @ symbol for the letter "a" does not make it stronger. Password crackers are not stupid: their tools apply "mangling rules" to every word in the list, so the leet-speak spellings, capitalized forms and trailing digits get tried too. However, you'll learn later why password padding can let users keep a well-known dictionary word as the core of their password and still end up with something that is, in practice, nearly uncrackable.
Brute Force Attacks
This method tries every possible combination of letters, numbers and symbols until one matches. For example, I could start with every single lowercase letter, "a" through "z". If none of those work, I move on to two characters, "aa", "ab", "ac" and so on, then three characters, and so on. Once lowercase is exhausted I can widen the character set to uppercase letters, then mixed case, then digits, then symbols. As you can see, this is not the quickest way to crack a password, because the number of combinations multiplies with every extra character. You're using brute strength against the password. The thing about brute forcing, though, is that however long it takes, it is guaranteed to find your password eventually. The question is how long it takes before your password cracks (no pun intended). A padded password is not on any word list, so it sidesteps the dictionary attack (as long as the padding scheme itself isn't among the attacker's rules, which we'll come back to). The real test is how it holds up under brute force. When reading the rest of this article, brute force is the method to keep in mind; forget about dictionary attacks.
So What Happens?
Before an attacker can do anything to your password, they need something to work with. Usually that is a stolen copy of a site's password database, which the attacker obtained by breaching the company's servers or by some other means. What you need to know is that a properly built site never stores your actual password; it stores a one-way hash of it, a blob of gibberish from which the password cannot be recovered (a hash is not encryption, so there is no key that "decrypts" it). The attacker therefore has to guess the password: they hash each guess the same way the site did and compare the result with the stolen hash. If the two match, the guess was right. If even one character is off, the hash looks completely different from the stored one. You can think of the stored hash as a "validation" token. That leads to another important fact about password cracking: the attacker has no way of knowing how close they are to your actual password. There is no feature in password cracking software that tells the attacker whether they are getting warmer or colder. If your password is "hotdog123", the attacker gets no hint that they are close when they try "hotdog12". In other words, every character has to be right or the guess is a failure. Nor can the attacker tell how long or how complex your password is by looking at the hash (the one well-known exception is the ancient Windows LM hash, which splits the password into two 7-character halves and so reveals whether it is longer than 7 characters). Two things the site controls matter a lot here: a per-user salt mixed into the hash stops the attacker from precomputing tables or attacking every account at once, and a deliberately slow hash such as bcrypt or scrypt cuts the attacker's guesses per second by orders of magnitude compared to a plain MD5 or SHA-1.
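To make the offline scenario concrete, here is a tiny cracker written for this article (it is an added example, not GRC's or the podcast's code). The "stolen" records, the fixed salt and the four-word dictionary are all constructed for the demonstration; real word lists and rule sets are vastly larger, and the site here uses fast salted SHA-256 precisely because that is what makes offline guessing cheap. It shows the three things the text describes: a rule engine catching a leet-speak word, the same rules failing against a padded word, and the hash giving no "warmer/colder" feedback when a guess is one character off.

```python
"""Offline guessing against a stolen hash: an illustrative cracker (added example)."""
import hashlib
import itertools
import string

# The constructed site stores SHA-256(salt || password), a fast hash.
SALT = bytes.fromhex("a1b2c3d4e5f60718")   # constructed; fixed so results reproduce


def hash_password(password: str, salt: bytes = SALT) -> str:
    return hashlib.sha256(salt + password.encode()).hexdigest()


# Constructed "stolen" records: username -> stored hash. The plaintexts are the
# three kinds of password the article contrasts.
STOLEN = {
    "alice": hash_password("P@$$w0rd1"),             # leet-speak word plus a digit
    "bob":   hash_password("$$---..hotdog..---$$"),  # dictionary word inside padding
    "carol": hash_password("dg7"),                   # short and random-looking
}

# A tiny constructed dictionary; real word lists hold millions of entries.
WORDLIST = ["password", "hotdog", "letmein", "dragon"]
LEET = str.maketrans({"a": "@", "s": "$", "o": "0", "e": "3", "i": "1"})


def mangle(word: str):
    """Yield the variants a cracker's rule engine derives from one dictionary word.

    The order is fixed so the guess counts are reproducible: 13 candidates per
    variant, 5 variants per word.
    """
    variants = [word, word.capitalize(), word.upper(),
                word.translate(LEET), word.capitalize().translate(LEET)]
    for w in dict.fromkeys(variants):          # de-duplicate, keep order
        yield w
        yield w + "!"
        yield w + "123"
        for n in range(10):
            yield f"{w}{n}"


def dictionary_attack(target: str, wordlist=WORDLIST):
    """Return (plaintext, guesses) or (None, guesses) once the rules are exhausted."""
    guesses = 0
    for word in wordlist:
        for candidate in mangle(word):
            guesses += 1
            if hash_password(candidate) == target:   # all-or-nothing comparison
                return candidate, guesses
    return None, guesses


def brute_force(target: str, alphabet: str, max_len: int):
    """Try every string over `alphabet` up to max_len characters, shortest first."""
    guesses = 0
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            guesses += 1
            candidate = "".join(chars)
            if hash_password(candidate) == target:
                return candidate, guesses
    return None, guesses


def digest_bit_distance(a: str, b: str) -> int:
    """Number of differing bits between two hex digests (out of 256 for SHA-256)."""
    return sum(bin(x ^ y).count("1")
               for x, y in zip(bytes.fromhex(a), bytes.fromhex(b)))


if __name__ == "__main__":
    print("alice:", dictionary_attack(STOLEN["alice"]))   # cracked by the rule engine
    print("bob:  ", dictionary_attack(STOLEN["bob"]))     # padding defeats the word list
    print("carol:", brute_force(STOLEN["carol"], string.ascii_lowercase + string.digits, 3))
    # No "warmer/colder": one character off flips about half of the digest bits.
    print("hotdog12 vs hotdog123 differ in",
          digest_bit_distance(hash_password("hotdog12"), hash_password("hotdog123")),
          "of 256 bits")
```

Note what the brute force against "carol" costs with only three lowercase-or-digit characters (a few thousand hashes) and imagine the same loop over a 20-character password with the full keyboard: that exponential growth is the whole point of the rest of the article. Swapping `hashlib.sha256` for a slow, salted scheme such as `hashlib.scrypt` would leave every function here working but make each guess thousands of times more expensive for the attacker.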
So, now that you have a rough idea of how password cracking works, you're probably still wondering what the big deal is. If the attacker has to guess my password one character at a time, wouldn't it take a long time to get it right? That depends on your password and, based on Steve's analysis, mostly on how long it is rather than on how complex it looks. When your password is under brute force attack, time is your best friend; the longer it takes the attacker to crack it, the better for you. However, there is one thing I haven't mentioned. Brute force software running on a powerful machine (or a rig of graphics cards) can make millions, even billions, of guesses per second against a fast hash. Not per minute, per second! The good news is that this scenario is only possible if the attacker has your password hash. In many cases they won't, and they will have to fall back to guessing online, against the site's login form. That is vastly slower than an offline attack, and the site itself should protect you: Google, for example, will notice many failed attempts on your account in a short period and lock or challenge it. So even a relatively weak password may survive an online attack, especially if you change it now and then (which I'm sure you never do). But why take that chance? Why not create a super secure password from the start, one you will always remember as well?
If you still haven't realized it by now, I'll repeat it: size matters! That's the theory Steve Gibson preaches here. We all know that creating long passwords is never easy, but every single character you add multiplies the attacker's work. Remember, when brute forcing your password the attacker must account for every possible character at every position, and that includes uppercase and lowercase letters, the digits 0-9 and the myriad of other symbols on your keyboard. If your password contains at least one character from each of those classes, the attacker has to search the full set at every position and will almost certainly give up and move on to an easier victim. Of course, the attacker has no way of knowing how complex your password is to begin with, but if he or she has been making billions of guesses per second for three or four months straight without success, they will move on (unless you're a specifically targeted victim).
OK, so here is the secret. Rather than creating a password that looks something like this:
Why not create something like this:
Which of the two would you rather memorize? I don't know about you, but I would definitely prefer the second one. Although it doesn't look as complicated, it offers essentially the same protection against brute force as the first: as long as both draw on the same character classes and the second is at least as long, the attacker's search space is the same or bigger. Remember what I said earlier, time is your friend. Either password would take trillions of years to exhaust by brute force. Trillions! Do you even know how many zeros are in a trillion?! I said that brute forcing will eventually crack any password, but if it takes that long, you won't be around to care. You'll definitely want to head over to Steve Gibson's Password Haystacks page at GRC to see how long your own password would take to search by brute force.
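The "trillions of years" figure comes from simple arithmetic, and it is worth seeing it done. The calculator below is an added example written for this article, not the GRC Haystacks page's own code. It assumes the 95 printable ASCII characters (26 lowercase, 26 uppercase, 10 digits, 33 symbols including space) and two assumed guess rates, one thousand per second for a rate-limited online login and 10^11 per second for a large offline cracking rig against a fast hash; change `RATES` for your own threat model. The sample passwords are constructed. The last function, `known_padding_guesses`, models the "Popularity" caveat near the end of the article: once the padding scheme is on the attacker's list, the haystack collapses to the size of the dictionary times the number of paddings.

```python
"""Brute-force cost as a function of length and alphabet (added example)."""

# Printable ASCII: 26 lower, 26 upper, 10 digits, 33 symbols (incl. space) = 95.
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}

# Assumed guess rates per second; adjust for your own threat model.
RATES = {
    "online, rate-limited login": 1_000,
    "offline, fast hash, GPU rig": 100_000_000_000,   # 10^11
}
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def alphabet_size(password: str) -> int:
    """Size of the smallest character set a blind brute force must cover."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("symbol")
    return sum(CLASS_SIZES[c] for c in classes)


def search_space(password: str) -> int:
    """Every string over the password's alphabet, from 1 char up to its length.

    The attacker tries shorter candidates first, so those count as well.
    """
    n = alphabet_size(password)
    return sum(n ** k for k in range(1, len(password) + 1))


def years_to_exhaust(password: str, guesses_per_second: float) -> float:
    """Worst-case time to try the whole search space at the given rate."""
    return search_space(password) / guesses_per_second / SECONDS_PER_YEAR


def known_padding_guesses(dictionary_words: int, padding_schemes: int) -> int:
    """Worst case if the padding scheme is on the attacker's list: the haystack
    collapses to (words in the dictionary) x (paddings on the list)."""
    return dictionary_words * padding_schemes


def report(passwords):
    """One row per password: length, alphabet, search space and exhaust times."""
    rows = []
    for pw in passwords:
        row = {"password": pw, "length": len(pw), "alphabet": alphabet_size(pw),
               "search_space": search_space(pw)}
        for name, rate in RATES.items():
            row[name] = years_to_exhaust(pw, rate)
        rows.append(row)
    return rows


if __name__ == "__main__":
    # Constructed examples: a short leet word, a random-looking 16-char string,
    # and a padded 7-char core using the same four character classes.
    samples = ["P@$$w0rd1", "kQ7#mZp2!xW9@rL4", "$$---..Hotdog1..---$$"]
    for row in report(samples):
        print(f"{row['password']!r}: len {row['length']}, alphabet {row['alphabet']}, "
              f"space {row['search_space']:.2e}")
        for name in RATES:
            print(f"    {name}: {row[name]:.2e} years")
    # A padded dictionary word once the padding is known: 1M words x 100 paddings.
    print("known padding, dictionary core:",
          f"{known_padding_guesses(1_000_000, 100):.2e} guesses")
```

Run it and the contrast is stark: the 9-character leet word falls to the offline rig in a fraction of a year, while both the random 16-character string and the 21-character padded password run to astronomical numbers of years, with the padded one ahead simply because it is longer. The final line shows the other side of the coin: a hundred million guesses is seconds of work for the same rig, which is why the padding has to stay yours.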
Some example padding schemes, with "password" standing in for your actual password:
$$---.."password"..---$$
!!<<--"password"-->>!!
---__---"password"---___---
^_^("password")^_^
Concerning your actual password (not the padding): as long as it contains at least one character from each class (uppercase, lowercase, digits 0-9, plus the symbols in the padding), the result is a very secure password that will take a very, very long time to crack. That's the important part. You're not making a password that is uncrackable; that isn't possible against an attacker who is willing to brute force forever. What you want is a password that takes a ridiculous amount of time to crack. With padding, the attacker can't tell what you're up to: as was said earlier, the hash gives no clue as to how your password is structured, so they don't know you've wrapped a short password in your own scheme of symbols (more on this below). And because the complete password is not a word found in any dictionary, that type of attack doesn't apply to it.
Important Notes to Remember!
Old Attack Methods. While your new padded password is unlikely to be cracked anytime soon, it is still susceptible to old-fashioned attacks. Your unique padding scheme may be impossible for a remote attacker to discover, but a co-worker or anyone walking past your desk can peer over your shoulder as you type and learn it. If they know you like to reuse the same password everywhere, then once they have your padding scheme they can easily work out your "actual" password too.
Compatibility. Some websites cap the number of characters in a password. If your padding scheme is too long for them, you'll need an alternative. Even worse, some websites don't allow special characters or symbols in passwords at all! It sucks, but that's the truth of it. If you find yourself in these situations, I highly suggest looking into a password manager such as LastPass, which can generate and store a unique password for each site.
Keyloggers. You thought I'd forget this, didn't you?! It's imperative that your computer is free of malware. If you have a keylogger or some other password-stealing virus, no cracking needs to be done at all to obtain your password. That was true when you had a weak password, and it's still true after you have padded it using the methods described above. A stolen password offers you no protection.
Be Wary of Phishing Scams. Why spend trillions of years cracking your password when the attacker can simply "ask" for it?! Be especially aware of phishing emails (and other forms of deception) that lure you into entering your password. For example, if you receive a strange email claiming to be from Facebook, saying your account is about to be disabled unless you prove who you are by signing in via the link in that same email, I hope you realize it's a scam. The same goes for emails claiming to be from your credit card company. Even if you do happen to have an account with the bank named in the email, don't fall for it! In fact, don't click on any links in these suspicious emails. When in doubt, call the company directly or reach its site by typing the address yourself.
Popularity. If password padding becomes popular enough, attackers will add the most common padding schemes to their rule sets, and then a padded dictionary word is no safer than the word itself: the attacker only has to try every word in the list with every padding on the list, which is a tiny search compared to brute force. To protect against this, create one padding scheme for the beginning and a different one for the end (assuming you use the padding+password+padding model), and if you suspect your padding looks like everyone else's, don't let the core be a bare dictionary word either. Many users will use the same padding at both ends, so mixing it up makes a "common padding" rule much less likely to hit you. I don't really see this scenario happening unless you are the victim of a specifically targeted attack, but it is the one way the scheme can fail.