The first Thursday of May has been designated as World Password Day by the Registrar of National Day Calendar[1]. Passwords are an important part of keeping information and systems secure, and the Registrar of National Day Calendar is advocating for good security practice when maintaining, updating, and securing passwords. We all interact with computers, mobile phones, ATMs, and other network-connected devices. Passwords are often the first security checkpoint encountered on a publicly accessible system, serving as the mechanism by which a device, system, or network authenticates that a user, piece of software, or service is allowed to connect.

Authentication is defined by the National Institute of Standards and Technology (NIST) as “the process of establishing confidence in user identities electronically presented to an information system”.[2] Authentication can be achieved using several different mechanisms, including biometric scanning, smart cards, tokens, PINs, or passwords used together with a user name or login information. A password, in theory, should be known only to the specific user who presents it for authentication. The password must match the value that is saved by the system in order to successfully achieve authentication.

Saved passwords are typically obscured by a technique called hashing. Hashing is a cryptographic technique in which the password text is converted to a fixed-length value using a specific, one-way, mathematical algorithm. The term “one-way” means that once hashed, it is mathematically infeasible to recreate the original password from the hashed password. There are additional methods that can be used with hashing, such as salting a password – combining or appending additional data (a salt) to the password before it is hashed – which reduces the likelihood of reversing the hashing process to recover the original password to practically zero. Therefore, obtaining an original un-hashed password is more likely to result in authentication success for a “hacker”, often referred to as a ‘bad actor’, than capturing a hashed password or password file.

One can often hear people complain about the overhead of good password security, such as the requirement often imposed by an employer IT department to periodically change an employee’s network password; the limit on reusing previous passwords when changing a password; the requirements for length, capitalization, alpha-numeric and special characters; and the practice of using different passwords to log into different systems or devices. We interact with so many systems that password best practice can create the condition where an individual has more passwords than even the best memory can recall. Is it really necessary to impose so much complexity on something as simple as password management? Isn’t it like keys on a key chain, where more keys do not necessarily mean my car or home is safer? How easy is it really to discover or guess a password?

Let’s take a look at a few basic methods of password cracking typically used by bad actors. The first and most traditional method of brute-force password cracking is called a dictionary attack. This method is based on the fact that many people use common words or other easily identifiable text or numbers when creating a password. It is common for passwords to contain family members’ or pets’ names, birthdays, a phone number or address, or other common sequences of letters or numbers. Historically, the most common passwords or password fragments have included “123456”, “password”, “qwerty”, and “abc123”. Bad actors can, with very little information about a person or system, often discover a password by guessing combinations of words and numbers, and their success rate is about 25%.[3]

Software-based password cracking is another method commonly used by bad actors. Software-based password crackers are typically used to perform brute-force password cracking against a specific operating system or architecture where the password length and structure are often known.[4] Software-based password crackers can also be used quite successfully to recover human-readable passwords from an acquired table of password hashes for a system. The strength of software-based password cracking lies in the ability to perform a very large number of password generation/hashing/comparison operations, yielding a high likelihood of success. Today, password cracking software is readily available for download from the Internet and is often free, so any curious bad actor need only search for the right cracking tool for the system they wish to access.
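The guessing attacks described above leave a trace on the system being attacked: a burst of failed logins from one source, often cycling through several user names. The following is an added example, not code from the original article, that runs a simple detection over authentication log lines. The log lines are constructed for this example (the format imitates an sshd-style message but is not a real capture), and the threshold and window are assumed illustration values.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log for this example (not real data).
SAMPLE_LOG = """\
2024-05-02T09:00:01 sshd[1201]: Failed password for alice from 203.0.113.5 port 50001 ssh2
2024-05-02T09:00:03 sshd[1201]: Failed password for alice from 203.0.113.5 port 50002 ssh2
2024-05-02T09:00:04 sshd[1201]: Failed password for alice from 203.0.113.5 port 50003 ssh2
2024-05-02T09:00:06 sshd[1201]: Failed password for admin from 203.0.113.5 port 50004 ssh2
2024-05-02T09:00:07 sshd[1201]: Failed password for root from 203.0.113.5 port 50005 ssh2
2024-05-02T09:00:09 sshd[1201]: Accepted password for alice from 203.0.113.5 port 50006 ssh2
2024-05-02T09:30:00 sshd[1310]: Failed password for bob from 198.51.100.7 port 41000 ssh2
2024-05-02T09:31:10 sshd[1310]: Accepted password for bob from 198.51.100.7 port 41001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_events(log_text):
    """Return (timestamp, result, user, source_ip) for every line that matches."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["ip"]))
    return events


def detect_guessing(events, threshold=5, window=timedelta(minutes=1)):
    """Alert when one source accumulates `threshold` failures inside `window`.

    A second alert fires if that same source then logs in successfully: the
    credential that worked should be treated as compromised and reset.
    Returns a list of alert dicts in the order they were raised.
    """
    failures = defaultdict(deque)   # source ip -> (timestamp, user) failures inside the window
    flagged = set()                 # sources already reported as guessing
    alerts = []
    for ts, result, user, ip in events:
        recent = failures[ip]
        while recent and ts - recent[0][0] > window:   # slide the window forward
            recent.popleft()
        if result == "Failed":
            recent.append((ts, user))
            if len(recent) == threshold:               # fire once, when the threshold is crossed
                flagged.add(ip)
                alerts.append({"kind": "guessing", "ip": ip, "at": ts,
                               "users": sorted({u for _, u in recent})})
        elif result == "Accepted" and ip in flagged:
            flagged.discard(ip)
            alerts.append({"kind": "success-after-guessing", "ip": ip, "at": ts,
                           "users": [user]})
    return alerts


if __name__ == "__main__":
    for alert in detect_guessing(parse_events(SAMPLE_LOG)):
        print(alert)
```

On the constructed log this raises two alerts for 203.0.113.5 (five failures across three accounts within a minute, then a successful login for alice) and nothing for 198.51.100.7, where a single typo followed by a successful login is normal user behaviour. The "users" field distinguishes a brute-force attempt on one account from a spray across many.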

The simplicity of the above methods supports the need for good password creation, protection, and management. Let’s look at three recommended best practices for passwords that, while not guaranteeing your password will never be cracked, can certainly increase the overall security of the products, systems, software, and networks with which you interact:

  1. Password strength – As we discussed above, the ease with which a password can be guessed is a function of its complexity, or password strength. Strong passwords should not contain common text, known dictionary password combinations, or information easily discovered or known by bad actors. In addition, passwords should be as long as the system for which the password is intended allows. The time to crack a 5 character password is about 10 seconds, whereas the time to crack a 10 character password is 4 years using modern password crackers. Thus, the first best practice for limiting unauthorized access through password cracking is to create your passwords using strong password rules. Today, many software products and systems require user passwords to meet certain conditions for password strength such as length, use of capitalization, and use of numbers and special characters.
  2. Changing passwords on a periodic basis – The practice of periodically changing passwords is recommended to limit password exposure. If your password, PIN, or other authentication information has been discovered or stolen, access to any information or system where the password is valid continues until the password is changed. Often, bad actors will use stolen authentication credentials to snoop on a network or system; a bad actor will continue to authenticate to a system to perform network scanning, to search for other critical data such as administrator credentials, or to find information stores that may be part of a larger goal. Bad actors often keep a very low profile when performing this type of reconnaissance on a system, and thus a valid login and password combination enables their continued information gathering. When you change a password, you change the authentication credentials and, in turn, end the bad actor’s ability to perform activities which may result in further exploitation.
  3. Password diversity – With a strong password and periodic changes, you have a good chance of protecting the networks and systems with which you interact. However, what happens if your password is compromised? Often, the next action of a bad actor is to attempt to use your password on other systems that you access. If a password is reused across several systems, then one known good password provides a broad range of authentication opportunities and in turn increases the overall security risk. For example, if you use your (strong) work password to access your home computer and your work network is compromised, this leaves your home network at risk as well. Alternatively, if your email password is the same as your banking password, an email password discovery puts your financial resources, as well as your banking network, at high risk. In the end, having several, ideally unique, strong passwords that are periodically updated is the best way to keep all your information and systems secure from unauthorized access.
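The first best practice above can be enforced at the point where a password is chosen. The following is an added example, not code from the original article or from any product it mentions: an acceptance check that applies the strength rules discussed (minimum length, rejection of well-known passwords such as those listed earlier, and rejection of anything built from information about the user), plus a rough estimate of how the brute-force search space grows with length. The minimum length, the short blocklist and the assumed guess rate are illustration values, not figures from the article.

```python
import string

# Assumed policy values for this example (not values from the article).
MIN_LENGTH = 12
COMMON_PASSWORDS = {"123456", "password", "qwerty", "abc123", "letmein", "welcome1"}
ASSUMED_GUESSES_PER_SECOND = 1e10   # assumed offline cracking rate, for scale only


def _normalise(text):
    """Lower-case and drop separators so 'Smith-1990' matches 'smith1990'."""
    return text.lower().replace(" ", "").replace("-", "").replace("_", "")


def charset_size(password):
    """Size of the alphabet an attacker must search, from the classes present."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation or c.isspace() for c in password):
        size += len(string.punctuation) + 1   # 32 punctuation marks plus space
    return size


def seconds_to_exhaust(password):
    """Worst-case seconds to try every string of this length over its alphabet."""
    return charset_size(password) ** len(password) / ASSUMED_GUESSES_PER_SECOND


def check_password(password, username="", personal_info=()):
    """Return {'ok': bool, 'problems': [...], 'seconds_to_exhaust': float}.

    personal_info holds fragments the user is known by (names, birth year,
    phone number); any fragment of three or more characters found inside the
    password is rejected, because those are the first things a guesser tries.
    """
    problems = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if lowered in COMMON_PASSWORDS:
        problems.append("on the common-password list")
    for fragment in (username, *personal_info):
        if fragment and len(fragment) >= 3 and _normalise(fragment) in _normalise(password):
            problems.append(f"contains personal information ({fragment})")
    if len(set(lowered)) <= 2:
        problems.append("too few distinct characters")
    return {"ok": not problems, "problems": problems,
            "seconds_to_exhaust": seconds_to_exhaust(password)}


if __name__ == "__main__":
    for candidate, user, info in [
        ("password", "bob", ()),
        ("Alice1990!", "alice", ("1990",)),
        ("correct horse battery staple", "alice", ("1990",)),
    ]:
        result = check_password(candidate, user, info)
        print(f"{candidate!r}: ok={result['ok']} problems={result['problems']} "
              f"exhaust={result['seconds_to_exhaust']:.3g}s")
```

The exhaust-time figure is deliberately crude (it assumes the attacker must search the whole space, and the rate is an assumption), but running it on passwords of different lengths shows the point the article makes: each added character multiplies the search space by the alphabet size, so length dominates. The third practice, diversity across systems, is best served by a password manager generating a distinct password per account rather than by a check like this one.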

The above recommendations are only a start in improving security through the use of good password management. For more information about additional techniques, including multi-factor authentication, please see the World Password Day site at www.passwordday.org.

[1] World Password Day. (2018). Retrieved from: http://nationaldaycalendar.com/world-password-day-first-thursday-in-may/

[2] NIST Special Publication 800-63-3, Digital Identity Guidelines. (June, 2017). National Institute of Standards and Technology, Gaithersburg MD, 20899.

[3] Stallings, William, Brown, Lawrie. (2015). Computer Security, Principles and Practice, Third Edition. Pearson Education, Inc.

[4] Mitchell, William. Password Cracking. Retrieved from: http://web.cs.du.edu/~mitchell/forensics/information/pass_crack.html