Panda Security has issued a press release warning users of the myths around secure passwords and that the way they are creating their passwords makes it easier for hackers to guess them.
The release looks at the way websites advise users on what is a good or bad password and it raises an interesting point that should have users scrambling to make widespread changes to their passwords. The problem here is that by advising users to use a mix of capital letters, lower case letters, numbers and symbols (not everyone supports symbols), sites have inadvertently made passwords less rather than more secure.
What does this mean?
If you are confused by that, let’s look at what is going on. Following the advice above, a user is likely to do the following with their password:
- Original: ThisIsMyPassword
- New: Th1%I5MyPa55w0rd
- Or: Th1%-I5-My-Pa55w0rd
They have replaced the vowels with numbers and symbols using what is generally known as Leet or L33t speak. What they have also done is leave the first letter in each word capitalised. They also use the hyphen as a word separator. This means that the automated programmes the hackers use can begin by looking at hyphens, then work on the capital letters and after that do a simple word search.
More worrying is that in systems that require regular password changes and prevent you from making simple letter changes to a password, this approach defeats the system. Changing vowels for numbers and then changing some of those for symbols means that a user can effectively keep recycling their password. The result is that once a hacker knows a password they can begin to try variations of that password.
A predictability database
What makes this even more worrying is the amount of data, including user names and passwords, that is circulating on the dark web. It is possible to assemble a large database of names and passwords, then run a simple program to create variations of each password using simple substitution. The net result is that hackers are running rings around users and the so-called secure password options on the web.
Panda Security reports that this is what they are seeing. In the release they say: “..the experts have used a program – similar to the one used by the criminals – to analyze over 10 million passwords. They’ve done this to compile a list of the easiest passwords for criminals to guess.
“The result is a ‘predictability index’ that they tested on another 32 million passwords to verify its effectiveness. According to the results, the least common passwords were the most secure. This means that it is important to have a long password that includes symbols as opposed to just upper and lower case letters.”
How to make passwords more secure?
Solving this is simply a matter of using common sense and, according to the experts, making your passwords less predictable and longer. For example:
- Mix up where the capital letters are. Don’t start words with a capital letter, randomly use them inside your password.
- If you are going to use a word separator don’t use the hyphen all the time. Use a range of symbols to separate words and even run some words together without a separator.
- Extend the length of the password to be a passphrase. This means that hackers have to expend more compute power to crack the password.
For example, passwords could be:
It will always be an arms race between users and hackers. The introduction of multi-factor security is taking too long and in many cases fails. For example, Twitter won’t allow those who manage more than one account to use the same telephone number to secure the accounts. Ironically, this would make the data they then sell to advertisers more secure.
Another option is to look at the use of biometrics. Barclay’s Bank have been experimenting with this for their business customers. The advances in biometric readers mean that they are no longer fooled by warm sausages or fingers cut off dead bodies despite the mainstream media still focusing on that as a solution.
For some time now users have been told to use a passphrase rather than a password. The problem is that too many systems on the web, such as those used by airlines and retailers, are incapable of dealing with long passwords and many don’t even allow the use of symbols.
It is time for an update to the utilities that rate the security level of a password so that common mistakes like these are eliminated. Corporate password systems need to be able to detect where users are just using simple substitution rather than a wholesale change of their password. We also need to get away from old systems that limit passwords to 13 characters. With today’s compute power available to hackers they can easily run through all the combinations in a fairly short space of time.
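The kind of check a corporate password-change system could apply to catch the Leet-style recycling described above, using the article's own ThisIsMyPassword examples. This is an added illustration, not Panda Security's tool or any product's code; the substitution classes are common ones, and the '%' for 's' entry is taken from the article's example rather than from any standard list.

```python
# Each "class" lists characters that commonly stand in for the key letter.
# Collapsing a whole class to one symbol sidesteps ambiguity (1 can be i or l).
# The '%' -> 's' entry is an assumption taken from the article's own example
# (ThisIsMyPassword -> Th1%I5MyPa55w0rd); the rest are common Leet substitutions.
LEET_CLASSES = {
    "a": "a@4",
    "b": "b8",
    "e": "e3",
    "g": "g9",
    "i": "i1!l|",
    "o": "o0",
    "s": "s5$%",
    "t": "t7+",
}

# str.translate table: every character in a class maps to the class key.
_DELEET = {ord(c): key for key, chars in LEET_CLASSES.items() for c in chars}


def canonical(password: str) -> str:
    """Reduce a password to the base form an attacker's rule engine would
    start from: lower-case, Leet characters mapped back to letters, and any
    remaining punctuation (hyphens and other word separators) removed."""
    folded = password.lower().translate(_DELEET)
    return "".join(ch for ch in folded if ch.isalnum())


def is_simple_variant(previous: str, candidate: str) -> bool:
    """True when the candidate is only a case / Leet / separator reshuffle of
    the previous password, i.e. the recycling the article describes."""
    return canonical(previous) == canonical(candidate)


def check_change(history: list, candidate: str) -> tuple:
    """Decide a password change against the user's prior passwords.
    Returns (accepted, reason) so the caller can report why it was refused."""
    for old in history:
        if is_simple_variant(old, candidate):
            return False, "simple substitution of a previous password"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample: the article's original password and its two variants.
    for attempt in ("Th1%I5MyPa55w0rd", "Th1%-I5-My-Pa55w0rd", "violet.kettle7Galaxy"):
        print(attempt, "->", check_change(["ThisIsMyPassword"], attempt))
```

Because the canonical form is weaker than the password itself, a real deployment would keep history as salted slow hashes of the canonical form and run this comparison only at change time, when the user has just presented the current password.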