Pages

Tuesday, September 5, 2017

"Your Password Sucks" by Bryan T


We all have a basic understanding of why passwords are important. If I asked you to email all of your passwords to me, you wouldn’t do it. You understand that your online identity has value and that you wouldn’t want to give it up to a stranger.

However, keeping your password a secret is only half of the story. Having a strong password also matters, but unfortunately, this is a topic many people don’t understand. Perhaps even more dangerously, there are many people who falsely believe that their passwords are secure.

Personally, I’ve gone through many password changes as my understanding of cybersecurity has evolved. I’ve gone from using a two character password to using my name as a password to using a basic “word + number” password to a secure 40+ character password. I’m lucky that I haven’t experienced any devastating losses before switching to using a more secure password. (Although sometimes, I receive the rare email that some stranger in China logged into an account that still uses my old password!)

Know Thy Enemy

Before you start designing passwords, it’s important to understand who you’re fighting against.

Your most valuable asset is, ironically, the fact that you aren’t valuable. You are one of billions of internet users and there is no reason why an attacker would want to dedicate all of their resources into potentially ruining your life. However, don’t trick yourself into thinking you aren’t a target. If an opportunity opens up, expect to have several hundreds of computers trying to break into your account.

“If an opportunity opens up?”

I’m going to focus on an attacker’s ideal scenario—when a service you use has been compromised and customer details have been leaked. An attacker can try to guess your password even if the service isn’t compromised, but they’ll generally be limited to 1000 guesses per second. In the case of a data breach, the risks are far more interesting.

Once your account details have been released in a data breach, the danger you’re in depends on the security practices used by the compromised service. If the service stores your passwords in plaintext (i.e. character-for-character the exact same way you registered it), you’re screwed regardless of how strong your password is.

Fortunately, most services store a hash of your password, preventing attackers from obtaining your password immediately. In this scenario, the time you have to protect any vulnerable accounts depends on how much time it takes an attacker to guess your password.

a side note on hashing Storing a hash of a password is more secure than storing a password in plaintext because a hash cannot be reversed. If you imagine your password as a recipe, its hash would be a cooked meal. It’s easy to verify whether two meals come from the same recipe (they’ll taste the same!), but hard to derive the recipe from the meal (without guessing, of course).

How quickly can an attacker guess your password from a stolen hash? Your average gaming computer can generate over 20,000 megahashes per second. For Americans, that’s 20,000,000,000 hashes (guesses) per second!

And that’s with your average gaming computer. Dedicated computers can achieve speeds over 8 times that, generating over 160 gigahashes (that’s 160,000,000,000 hashes, Americans) per second.

It’s important to note that most attackers make random guesses. Humans are lazy and tend to create passwords that match a set of patterns. A common strategy for cracking passwords is to take a giant list of leaked passwords and apply millions of common transformations (e.g. converting o’s into 0’s, s’s into $’s, changing capitalization) on them.

Even if you have a long password, if it resembles a common password pattern, it may be cracked more quickly than a shorter password composed of completely random characters.

Design a Strong Password

Password strength indicators lie to you. Many websites will claim that a password is “strong” just because it contains a few special characters. In reality, the strength of a password is not determined by what characters it contains, but by how difficult it is to guess the order of those characters.

We need to design a password that meets the following criteria:
      It should be long enough that random guessing is infeasible.
      It should be unique enough that it cannot be guessed with a strategy.
      It should be memorable enough to be recalled without much effort.

A good procedure for creating passwords is the “xkcd method” (aka passphrase method):




The logic behind the “xkcd method” is that choosing four random words takes more information to represent in a computer, meaning it’s less likely to be guessed randomly. Because the passphrase is composed of words that have significance to the creator, it’s also easy to remember.

This method is sometimes criticized for being easy to crack if the attacker has a strategy. Indeed, if an attacker knows that they should only guess permutations of English words, they could reduce the search space (and thus the time it would take to guess your password) significantly. Because of this flaw, I recommend you also use a word that isn’t likely to be in a dictionary.

The final procedure looks like this:
  1. Pick three random words. Try to use a random number generator to pick the word if you can; humans are a terrible source of randomness.
  2. Pick a word that is unlikely to be found anywhere else. This can be a made up word, an inside joke, or even an uncommon misspelling of a word.
  3. Connect the words together using spaces.
  4. Memorize your passphrase! Creating a short narrative for your passphrase may help you remember it.

Stop Recycling Passwords

Now you have a strong passphrase, but you can’t just use it everywhere.

First, some websites will not accept your new passphrase. Some services will complain about your password being too long or not having enough special characters.

Second, reusing passwords poses a security risk. Any service you give your password to may store your password insecurely or use your password for nefarious purposes. If one of your accounts is compromised, any accounts using that password are also in danger.



Manually creating per-service passwords that are secure, unique, and memorable is not a trivial task. The solution is to use a password manager such as Master Password or LastPass. A password manager allows you to create strong passwords for every service you use while only requiring you to remember your master password.

Not only does this solve the issue of password reuse, but it also allows you to create passwords that satisfy the password requirements of services that don’t accept passphrases.

Shame Bad Websites

If you see a website that has a maximum length limit on passwords or prohibits certain characters, yell at them aggressively and threaten to stop using their services (try testing their PR team by doing it in public, like on Twitter). These are signs that a website stores passwords insecurely. Websites that hash passwords properly should not have these restrictions. (Sadly, a couple of offenders are Turnitin and College Board!)

If you see a website that requires you to include any number of special characters, feel free to politely tell them that those requirements are no longer recommended.

The National Institute of Standards and Technology (NIST) recently (just this year!) changed their security guidelines, advising companies to remove password complexity requirements. Research suggests that these requirements actually lead users to create worse passwords. Part of the reason why many passwords fit common patterns is because users tend to replace letters with similar-looking symbols and numbers in order to satisfy unnecessarily strict password requirements. Although these passwords contain more obscure characters, since many of these substitutions are predictable, they don’t make the password any more secure.


Last Words

If you only take away one thing from this post, it should be the idea that password design is a science, not an art. While security experts may disagree about what the “optimal” password creation procedure is, most would agree on one thing: Most people don’t know how to make passwords.

The passphrase creation method detailed here is certainly not the only way to achieve a high level of security. You’re free to use whatever method you see fit; I only ask that you understand the risks and make an informed decision.

The strategies mentioned here aren’t a definitive guide to cybersecurity either. If you want to ensure that your online identity is completely secure, I encourage you to do your own research. If you want a good jumping-off point, I recommend looking into multi-factor authentication (especially the emerging standard, U2F).

And if you do end up becoming a security nerd, try not to get tunnel vision. Don’t forget to watch out for your offline identity too!


Credit to xkcd for having so many relevant comics!

38 comments:

  1. Nicely organized, funny, and relevant. Your intro still needs work; it's the weakest section of the post. Although it succinctly covers the general topic, it doesn't captivate the reader's attention and the transition to the instructional portion is a bit rough, especially the parenthetical interjection. Overall, it was an entertaining read on a serious topic.

    ReplyDelete
  2. I really enjoyed how you integrated your personal humor, while still providing actual ways to make a strong password. It helps develop a sarcastic style throughout the entire "tutorial"

    ReplyDelete
  3. Your blog was very easy to follow and while you did use some jargon uncommon to the average person you defined those terms. There was also a nice incorporation of pictures here and there to further elaborate your points with some examples and provide some humor. Lastly, I found the informal and straightforward tone to be very refreshing.

    ReplyDelete
  4. I thoroughly enjoyed your article and it has inspired to take the necessary precautions in order to secure my online identity! The use of humor within the comic strips added a nice element to the piece and aided in the understanding of your topic. In regards to your actual written text, the organization of the piece helped to align the steps and importance of making a strong password. Not to mention your topic was well researched and provided some excellent advise on password making. Excellent job!

    -Varsha Hunter

    ReplyDelete
  5. I now know that I need to go change my passwords! This piece was very informative and easy to follow. Your choice to use images to support and explain your information made it easier to understand you and your little spurts of humor made me laugh at my own ignorance. Thank you for writing this informative piece!
    -Amber Duran

    ReplyDelete
  6. I love how you gave advice to us readers about our passwords. There are a lot of hackers out in the world and this blog inspires people to create passwords that hackers cannot guess. I thought the images and examples were nice to present your point.

    ReplyDelete
  7. Of all the topics to write about you chose this, and boy was it interesting! For years I've heard about having proper password protection and gone out of my way to use a series of unique passwords, but this brought me to an entirely new perspective. I never even thought about those sites which restrict passwords and how they could lead to the misplacement of my own password in their storage. The break down of the article is also very helpful to the piece as each sub header offers the reader a different way in which they have been leaving themselves vulnerable to bad password maintenance. With the presentation of these tips there are defiantly a few new things I need to do to spruce up my protection, but even with knowing these bad password habits I will still never change parts of my password. - Gavin Gnaster

    ReplyDelete
  8. Wow this was very interesting and informative you have really out done yourself. The pictures you used were hilarious! Keep doing what you do because I have to admit that my password sucks.

    ReplyDelete
  9. Nice job on organizing the sections it made it very easy to follow. After reading it made me rethink every password I've created and how vulnerable I could possibly be lmao I guess I'm going to spend some nights changing passwords. Thank you for the information!

    ReplyDelete
  10. Oh boy! As a person who has been using the same password for everything for roughly the past 5 years... your tutorial/blog post was terrifyingly eye opening! However you managed to be concise with information (while being witty), that is usually incredibly hard to understand (like hashing) since it's not really something you can visually see. So now I have a proper resource to help correct my horrible habit. Thank you for scaring me into using better protection for my digital self, while not overwhelming my not so tech savvy brain!
    -Anais Moran (period5)

    ReplyDelete
  11. Your blog entry was very interesting and educational. I've been thinking a lot lately about how I can create a password both easy enough to remember and secure enough to keep people out or certain accounts, but I am a person who normally doesn't prefer having a password even on my phone. I way too often give my passwords out anyway so I don't see much of a reason to have a password so hard to log in with.

    ReplyDelete
  12. Being able to entertain your audience while also teaching them about the value of having a complex but easy-to-remember password is a great skill to have and takes mentors years to develop. Personally, I only used 2 passwords for about the past 9 years but this entry showed me the errors of my ways. Overall, this is a great entry that deserves more attention than what it gets on this blog.

    ReplyDelete
  13. I'm impressed that you were able to simplify password making and its complications into a vernacular that's easy to read, something that would otherwise be difficult to comprehend. It's nice that you were informative in showing precisely how to make an effective password as well as explaining exactly why it the reader should in the first place. Although the images may sidetrack the reader a little bit, they definitely kept the reader entertained and informed.

    ReplyDelete
  14. This was such a creative and out of the box piece and I thought it was so good! I really enjoyed how your personality and humor showed in the piece. Great Job!!

    ReplyDelete
  15. I love how different this piece was , very creative! It's so hard to do something like this to keep the readers going but you really made me enjoy reading this with the simplicity of passwords. Got me to think maybe I should broaden up my passwords ! Great work
    Breanna carrillo
    Period 5

    ReplyDelete
  16. Lauren Elizabeth WrightSeptember 17, 2017 at 12:17 PM

    This was really interesting and very well written. You did a great job at conveying all this information in a clear manner. I also liked your use of images to help explain even better.

    ReplyDelete
  17. I loved that you added humor to your instructions, it made them engaging and overall fun to read. You provided great advice, everyone these days has numerous accounts for websites and countless passwords so password security is extremely important. I loved your comparison between hashing and a cooked meal, it made a concept that may seem abstract super simple.

    ReplyDelete
  18. As someone who plays a lot of video games, I found this guide really funny and useful. I have signed up for so many websites with the same email, username, password combination that I didn't realize how much of my information that I was compromising. Thank you for the laugh and making me more aware of how important it is to use multiple passwords. The difference between losing everything or not could only be 15 seconds extra thought!

    -Travis Ly

    ReplyDelete
  19. This was very informative yet extremely entertaining. I appreciated your use of humor in your own words and through the use of pictures. For an in-depth topic, it was very easy to follow because of your clever explanations and clean organization. I feel as though I actually learned something useful, thank you.

    ReplyDelete
  20. Excellent write up, The use of pictures made it more interesting to read. Made me even question if my passwords i currently use are possibly safe or guessable.

    -Justin Quemado

    ReplyDelete
  21. This post was very enjoyable to read and quite informative. I really liked the humor and comics you put into it- I was super interested throughout the entire post. I also found this very relatable because a while ago, my email and social media accounts got hacked because I recycled the same password for basically everything, which I learned the hard way not to do. Now that I look back on it, my passwords aren't strong at all (plus I really need to stop reusing passwords) and I still haven't changed my passwords on some of the accounts that got hacked (lol). After reading this, I'm definitely going to take extra precautions to make sure all my accounts are safe.

    Alyssa Santos
    Period 1

    ReplyDelete
  22. Well, I guess most of us have come to the conclusion, after reading this, that we all need to change our passwords immediately! It was a very thorough and easy to understand explanation. The sarcasm made it more engaging to read, unlike a dry and boring textbook. I never knew that you had an interest in cybersecurity.

    ReplyDelete
  23. I like everything about how this was written with a less serious tone about a more serious topic. I also gained very valuable information about how to create a safe and secure password, thanks.

    ReplyDelete
  24. Not only do you teach us how to create effective passwords, but you teach us why and how hackers are able to compromise your current ones. This combined with the light sprinkle of humor you add into this piece kept me interested in what you had to say. Now, time to go change my password...

    ReplyDelete
  25. An effective and creative way to make something that, to most, is extremelying simple and straightforward. Not only did the writer explain why our password sucks, but how we can fix it so that hackers have hard time. The writer took a relatively boring topic to most and made a humorous and sarcastic piece to engage the reader in a generalKY uninteresting topic.

    ReplyDelete
  26. This was very creative and I enjoyed reading about different ways to fix my terrible password that I have been reusing for the past 3 years. I also liked how you mixed humor into this piece of writing.
    - Steve Martinez period 1

    ReplyDelete
  27. Wow. My passwords do suck. I don't think I'll be changing them (I'd never remember a new password) but I certainly appreciate your instruction! The way you structured this way amazing, I love the breaks by the images and the witty sarcasm tucked in between phrases meant to incite utter terror. The large strait forward headings are both informational and humorous. Well done, now I'm self conscious over my password crafting skills.

    ReplyDelete
  28. I really enjoyed reading this! I'm guilty of all of the things listed and it was enlightening for me to read your guide. I love how you were able to be so detailed in describing something that can be seen as simple to others!

    ReplyDelete
  29. Alejandro QuintanillaSeptember 18, 2017 at 6:30 PM

    The post was extremely informative and I admit to being guilty to some of the common insecure password tropes. This article was humorous but helpful in suggesting how to make a memorable but uncommon password to use.

    ReplyDelete
  30. Your informative piece had the perfect balance between professional instruction and witty humor. As the author, you effectively organized key ideas in a such a way that readers could easily absorb important information and laugh at your well placed humor.

    ReplyDelete
  31. I enjoyed how you implemented humor along with some visual aid to help inform about a topic that is often overlooked in an age where password security is vital. I will definitely change some of my passwords to ensure that they are more secured. Awesome work!!

    ReplyDelete
  32. This article you have written Bryan simply BLEW my mind! The complexity of the range of emotions you displayed all played out to make a humorous yet educational article on why my password is complete garbage! I will definitely be using these tips into making my new computer password, along with every account i own for every program. Thank You so much for your words of wisdom Bryan. I simply do not know what I would have done without you. -Ahmed Mahmoud

    ReplyDelete
  33. Thank you so much writing this piece. It was very informational and it spoke to me on another level because I realized that my password is indeed terrible. The way you presented it with a hint of sarcasm as well as the use of the comic, made for a very well done execution of the piece of writing. Thank you for writing this! - Jennifer Kirksey

    ReplyDelete
  34. I have to hand it to you for writing an entertaining yet really informative piece about password safety: it really brought to light some of the problems people have (especially with password recycling) while keeping my attention from drifting off into other tangents of thought. There are definitely parts that can be expanded upon (e.g. Brute force hacking and other methods), but this is the perfect for a blogpost with just enough information to better those who read it.

    ReplyDelete
  35. This comment has been removed by the author.

    ReplyDelete
  36. Hey Bryan, your piece was phenomenally written. I really liked that you stayed professional however added some humor in to the mix. This piece made me realize that my passwords sucks. I need to change each of my accounts. Got to blast

    -Jerico Franco

    ReplyDelete
  37. Hey Bryan, your piece was phenomenally written. I really liked that you stayed professional however added some humor in to the mix. This piece made me realize that my passwords sucks. I need to change each of my accounts. Got to blast

    -Jerico Franco

    ReplyDelete
  38. What can I say everything you said was right about making up passwords and "thinking" they're strong. I am guilty as charged especially with reusing passwords across multiple platform and I think it's more about being lazy than actual confidence in it. In this day and age with the amount of control technology has over us I think it is more important than ever to establish strong password strength thanks for the great read.

    ReplyDelete

Remember, make your comment positive, supportive, and specific to the piece you're commenting on. No anonymous comments! :)