Password Strength: How to create an invincible password | ThoughtLab
by Matt Lord March 28, 2012


Standing at the gates of your digital life is one lone soldier: your password. But how resilient is this guy to a hacker attack? Anyone who has ever had an email, Facebook or Twitter account hacked will know how annoying it is to see yourself suddenly peddling spam to all of your contacts. It’s a bummer. But this is the lighter side of hacking and as we know, it can get much more serious.

32 million passwords and you

Every year, SplashData, a password management provider, releases a list of the weakest internet passwords, compiled by ranking the millions of stolen passwords that hackers have posted online. If your password is on this 2011 list, change it now, before someone strolls leisurely into your digital life and sets up spam camp.

1. password
2. 123456
3. 12345678
4. qwerty
5. abc123
6. monkey
7. 1234567
8. letmein
9. trustno1
10. dragon

Most password lists are compiled from survey data, but back in 2009 the social application site RockYou suffered a data breach that exposed more than 32 million passwords. This is real-world, high-volume data that shows us just how the public uses passwords, and how you can create a password that tries a little harder. Here’s the top ten:

1. 123456
2. 12345
3. 123456789
4. Password
5. iloveyou
6. princess
7. rockyou
8. 1234567
9. 12345678
10. abc123

The top ten here doesn’t really differ that substantially from the SplashData list. The only major difference is that a monkey turned into a princess and that entry #7 is the same name as the site.

But what is interesting about the data is the shortness and simplicity of all the hacked passwords. Nearly 50% of these breached passwords were user names, words you can find in the dictionary or trivial passwords (consecutive numbers for example).

RockYou had a minimum password length requirement of five characters and a staggering 30% of users chose to create a password that was between 5 and 6 characters. This made it much easier for the hacker attack to be successful. Basically, the longer the password, the harder it is going to be for Dr. Evil to figure it out. Check this out:

If a hacker used a list of the top 5,000 passwords based on data such as this, on a site similar in size to RockYou, it would take only one attempt per account to successfully hack 0.9% of user passwords. If the hacker were using a DSL connection with a 55KBPS upload rate and each attempt was 0.5KB in size, the hacker could make 110 tries per second. So theoretically, a hacker could access one account per second, or 1,000 accounts in 17 minutes. This, ladies and gentlemen, is known as a dictionary attack.

Dictionary attacks

In the hacker world, there are two types of attack: brute force and dictionary. Dictionary attacks are considered more efficient than brute force attacks and yield a higher rate of success.

The entire Oxford English Dictionary contains around 171,000 words, but the average person uses far fewer than this, typically somewhere in the region of 10 to 40 thousand. A dictionary attack takes a collection of these commonly used words and systematically starts hacking away. You may not use an entire word as your password because you cleverly substituted a number for a letter (h3llo, for example), but even that is not safe from a dictionary attack. A hacker can apply string manipulation rules that try the word backwards (olleh) or apply common number-for-letter replacements (h3llo). Whoops, they cracked it.

But for the hacker, things don’t normally have to get that complex. A small dictionary attack often leads to the fastest success rate, and just using a short list of girls’ names can shake down a lot of password fruit from the hacker tree.
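As an added defender-side example (not code from the original post), here is a Python check that rejects candidate passwords the rules just described would recover: it case-folds, undoes common number-for-letter substitutions, tries the reversed form, and flags runs of consecutive digits, generalizing the h3llo/olleh cases to any banned word. The banned list is constructed from the two top-ten lists above plus the article's own sample words; the substitution table and the variant cap are my assumptions.

```python
"""Reject candidate passwords that simple dictionary-mangling rules would recover."""
from itertools import product

# Constructed banned list: the two top-ten lists quoted in the article plus the
# article's own sample words. A real deployment loads a far larger word list.
BANNED_WORDS = {
    "password", "123456", "12345678", "qwerty", "abc123", "monkey", "1234567",
    "letmein", "trustno1", "dragon", "12345", "123456789", "iloveyou",
    "princess", "rockyou", "hello", "jupiter",
}

# Common number/symbol-for-letter substitutions, undone here (assumed table).
# A digit may stand for more than one letter, so each maps to every candidate.
UNLEET = {"0": "o", "1": "il", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"}
MAX_VARIANTS = 4096  # bound the combinatorial expansion on long digit-heavy inputs


def unleet_variants(s):
    """Every string obtained by undoing any subset of leet substitutions in s."""
    choices = [c + UNLEET.get(c, "") for c in s]
    count = 1
    for ch in choices:
        count *= len(ch)
    if count > MAX_VARIANTS:  # too many combinations: fall back to the raw form
        return [s]
    return ["".join(t) for t in product(*choices)]


def normalized_forms(candidate):
    """Forms an attacker's rules would try: case-folded, un-leeted, and reversed."""
    forms = set()
    for v in unleet_variants(candidate.lower()):
        forms.add(v)
        forms.add(v[::-1])
    return forms


def is_digit_sequence(candidate):
    """True for runs of consecutive digits such as 123456 or 654321."""
    if len(candidate) < 2 or not candidate.isdigit():
        return False
    steps = {int(b) - int(a) for a, b in zip(candidate, candidate[1:])}
    return steps == {1} or steps == {-1}


def is_weak(candidate, banned=BANNED_WORDS):
    """Reject anything a small dictionary plus mangling rules would crack."""
    if is_digit_sequence(candidate):
        return True
    return any(form in banned for form in normalized_forms(candidate))
```

Run is_weak() at account-creation or password-change time; the un-leet expansion is exponential in the number of substitutable characters, which is why MAX_VARIANTS falls back to the raw form for very long digit strings.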

How to create an invincible password

Don’t use the same password for everything

Before we tell you some smart ideas on how to create a password that can’t be easily hacked, heed this warning: don’t use the same password for everything! An employee who uses the same password for Facebook and their workplace brings a very real possibility of compromising enterprise systems, and that’s where things get serious and you get fired. The same goes for your bank too. Imagine a hacker gets into your Facebook, finds out where you work, hacks into there and, just for fun, hacks into your bank as well and has a transfer party. No job, no money, things are looking bad bubba! So if you are reading this in a cold sweat, go change things right now. We’ll wait.

Delete your web browser cache

You may have been wondering how a hacker would know what bank you use and what your login ID is. Well, all of this information can be found in your browser’s cache. It’s all there, neatly stored, labeled and lovingly waiting to be put to use. Use tools like CCleaner and Privacy Eraser every now and then to delete all of this information.

Use a password manager

Once your cookies have disappeared, your websites will no longer recognize you, so now is a good time to start using a password manager. For the Mac, use 1Password; for Windows, RoboForm or KeePass. These will create and manage strong passwords for all of your sites in an encrypted format that can’t be hacked. They will also sync to your iPhone or Android. The only downside is that if you are using multiple PCs, you will need to sync the password manager or use RoboForm2Go on a USB stick.

Think pictures, not words

What we have learned from dictionary attacks is that using a readable word is a bad idea. So think patterns and pictures. For example, if the first initial of your first name is M, try drawing it on the keyboard. Something like zse4rfvgy7ujm. If the first initial of your last name is L, try drawing it starting from the 5, like this: 5tgbnm. Put them together and you have an invincible password that expresses your artistic side.

Throw a lot of numbers in there

So, you are crazy about astronomy and you just love Jupiter. We know by now that Jupiter is a pretty weak password. So throw some numbers in there. 1j2u3p4i5t6e7r. Easy to remember and impossibly difficult to crack.

Use psychedelic sentences

Typing a long sentence is no doubt better than ‘princess’, but it’s hardly infallible. So, think of a sentence that means something to you, like “Why does my boss sneeze every time he gives me my paycheck”, and mix things up a little. Take the initial letters from this sentence and replace a few of them with numbers, so it looks like wdmb53thgmmp. Random is king in password land.

The future of passwords

So by now, you should have some pretty good ideas on how to amp up the security of your passwords. But what does the future hold? In 2004, Bill Gates predicted the demise of the password and it seems as though he may soon be right.

The Defense Advanced Research Projects Agency (DARPA) is looking into new forms of identification and authentication based on human behaviors. According to their website, they have invited researchers to investigate the way people use machines to instantly verify the user. Such techniques include, "...how the user handles the mouse and how the user crafts written language in an e-mail or document."

Nasir Memon of the Polytechnic Institute at NYU is developing a technique that will open an iPad by unlocking an image in a series of motions, recognizing the unique movement of a user’s fingers. You can watch a video of Memon explaining the concept here.

Researchers at Carleton University in Ottawa, Canada, are also exploring the possibility of using a person’s thoughts to authenticate identity. The concept is based on the premise that brain waves are unique to the individual. Even when a number of people think about the same thing, the measurable electrical impulses will vary.

This has the potential to become a new kind of biometric security tool, but for now it is very much in the research stage, and some researchers are skeptical that a computer will ever be able to passively recognize a unique mental image in an individual’s head. This is largely because the link between thoughts and brain waves is immensely indirect, and the signals of countless nerve cells are mashed together by the time brain wave patterns can be recorded.

Operation Blackout

One final word on hacking: the hacker group Anonymous recently announced that they will unplug the internet on 31 March. They claim that on this day they will disable the 13 root DNS servers of the internet. By doing this, no one would be able to perform a domain name look-up, rendering the HTTP internet useless. So, if you type https://www.thoughtlab.com on Saturday, you could get an error page. Probably. Doubtfully. Anyway, we could all use the day off. See you Sunday. Love, Thoughtlab.
