Panda Security has issued a press release warning users of the myths around secure passwords and that the way they are creating their passwords makes it easier for hackers to guess them.
The release looks at the way websites advise users on what is a good or bad password and it raises an interesting point that should have users scrambling to make widespread changes to their passwords. The problem here is that by advising users to use a mix of capital letters, lower case letters, numbers and symbols (not everyone supports symbols), sites have inadvertently made passwords less rather than more secure.
What does this mean?
If you are confused by that, let’s look at what it going one. Using the set of data above a user is likely to do the following with their password:
- Original: ThisIsMyPassword
- New: Th1%I5MyPa55w0rd
- Or: Th1%-I5-My-Pa55w0rd
They have replaced the vowels with numbers and symbols using what is generally known as Leet or L33t speak. What they have also done is leave the first letter in each word capitalised. They also use the hyphen as a word separator. This means that the automated programmes the hackers use can begin to look at hyphens, then work on the capital letters and after than do a simple word search.
More worrying is that in systems that require regular password changes and prevent you making simple letter changes to a password, this approach defeats the system. Changing vowels for numbers and then changing some of those for symbols means that a user can effectively keep recycling their password. The result is that once a hacker knows a password they can begin to try variations of that password.
A predictability database
What makes this even more worrying is the amount of data, including user names and passwords that are circulating on the dark web. It is possible to assemble a large database of names and passwords then run a simple program to create the variations of that password using simple substitution. The net result is that hackers are running rings around users and the so called secure password options on the web.
Panda Security reports that this is what they are seeing. In the release they say: “..the experts have used a program – similar to the one used by the criminals – to analyze over 10 million passwords. They’ve done this to compile a list of the easiest passwords for criminals to guess.
“The result is a ‘predictability index’ that they tested on another 32 million passwords to verify its effectiveness. According to the results, the least common passwords were the most secure. This means that it is important to have a long password that includes symbols as opposed to just upper and lower case letters.”
How to make passwords more secure?
Solving this is simply a matter of using common sense and according to the experts making your passwords less predictable and longer. For example,:
- Mix up where the capital letters are. Don’t start words with a capital letter, randomly use them inside your password.
- If you are going to use a word separator don’t use the hyphen all the time. Use a range of symbols to separate words and even run some words together without a separator.
- Extend the length of the password to be a passphrase. This means that hackers have to expend more compute power to crack the password.
For example passwords could be:
- tH1%ismYpA5%w0Rd
- tH1%*is€my*pA5%w0Rd
- Th15ismypA5%W0Rd4ndu*w0n’t€g3TiT
It will always be an arms race between users and hackers. The introduction of multi-factor security is taking too long and in many cases fails. For example, Twitter won’t allow those who manage more than one account to use the same telephone number to secure the accounts. Ironically this would make the data they then sell to advertisers more secure
Another option is to look at the use of biometrics. Barclay’s Bank have been experimenting with this for their business customers. The advances in biometric readers mean that they are no longer fooled by warm sausages or fingers cut off dead bodies despite the mainstream media still focusing on that as a solution.
Conclusion
For some time now users have been told to use a pass phrase rather than a password. The problem is that too many systems on the web, such as those use by airlines and retailers, are incapable of dealing with long passwords and many don’t even allow the use of symbols.
It is time for an update to the utilities that rate the security level of a password so that common mistakes like these are eliminated. Corporate password systems need to be able to detect where users are just using simple substitution rather than wholesale change of their password. We also need to get away from old systems that limit passwords to 13 characters. With today’s compute power available to hackers they can easily run through all the combinations in a fairly short space of time.
Being able to create strong passwords is one thing. Being able to recall them is another. And, being able to recall the relations between the accounts and the corresponding passwords is yet another.
At the root of the password headache is the cognitive phenomena called “interference of memory”, by which we cannot firmly remember more than 5 text passwords on average. What worries us is not the password, but the textual password. The textual memory is only a small part of what we remember. We could think of making use of the larger part of our memory that is less subject to interference of memory. More attention could be paid to the efforts of expanding the password system to include images, particularly KNOWN images, as well as conventional texts.
Incidentally, biometrics are dependent on passwords registered in case of false rejection in the cyber space. So are multi-factor authentications and ID federations like password-managers and single-sign-on services. And, in a world with passwords killed dead , we have no safe sleep. Passwords will stay with us for long.
It is too obvious, anyway, that the conventional alphanumeric password alone can no longer suffice and we urgently need a successor to it, which should be found from among the broader family of the passwords (= what we know and nobody else knows).