Your Guide To Creating And Using Secure Passwords You Can Easily Remember
Creating stronger passwords is not going to help if your system is already compromised with malware. Trojans can keylog, screen scrape and form grab to get hold of your password credentials. So the very first thing to do before changing your passwords is to make sure your computer system is clean and protected.
You have subscribed to Internet Security Essentials because you are serious about protecting yourself online. We consider ‘Using Passwords’ to be one of the most important topics because passwords are often the weakest link in the chain when it comes to protecting yourself online. Passwords are a huge problem and a genuine headache for those people managing systems. Most of the advice out there on the internet is at best obsolete and too often just downright bad.
It’s time for you to get serious about using passwords, and we will show you how to construct strong, yet easy to remember passwords.
MOST PEOPLE HATE PASSWORDS
Most people consider passwords to be a pain. Something they are forced to use but not to be taken too seriously. Given the option, most people will use extremely weak passwords. This is not speculation but absolute fact based on three major studies over the past twenty years.
A study by Daniel V. Klein over twenty years ago on almost 15 thousand account passwords used on UNIX systems found that many people used very simple passwords. He was able to crack 21% of the passwords in one week using the computing hardware and software available to him at that time with a dictionary of known words and permutations.
In 2009 a list of ten thousand cracked Hotmail, MSN and Live.com account passwords was published to the net, showing that people continue to make the same weak password choices. Even scarier, the list covered only accounts starting with A and B, meaning that the actual list was much bigger.
Also in 2009, the website rockyou.com was hacked and 32 million passwords were posted on the net with no other identifiable information. In statistical terms this is hardly a sample but rather conclusive data. An analysis of the passwords confirmed what all the smaller samples and studies have shown; that is that nothing has really changed in twenty years with regard to the password choices of people and that many remain apathetic to security concerns despite all the repeated warnings.
So what are the ten most popular passwords of all time?
|Rank||Password||Number of Users Found|
Note: ‘rockyou’ is the name of the site so not one of the universally most popular passwords in its own right but rather an indication that a percentage of people will just use the name of the site they are accessing as the password if allowed.
This list really only shows the contempt or total disregard a large number of people have for security. Most people do use stronger passwords than this but would be shocked to learn that chances are their password can be easily hacked also.
How strong would you think the password ‘fylgjas’ (guardian creatures from Norse mythology) or ‘pataitai’ (Chinese for ‘hen-pecked husband’) would be? You might feel you are being pretty clever picking such passwords, but these are examples of passwords cracked by Daniel V. Klein twenty years ago in his password cracking experiment.
Dictionaries available to password cracking programs are extensive including not just foreign languages (even less popular languages like Yiddish) but also scientific, legal and other specialized lexicons.
With this knowledge you would guess that ‘wombat’ (an Australian animal) would not be a very good password, but how about ‘w0mbat’ or ‘WomBat’ or even ‘tabmow’? These too are examples of passwords cracked in Klein’s experiment twenty years ago, which not only checked dictionary words but also over 70 possible permutations of each.
Today’s password cracking tools have much larger dictionaries at their disposal and can run through hundreds more permutations for each than the experiment of two decades ago. It is for this reason that more and more password systems now reject a password based on any dictionary word or name.
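As an added example (not from the article), here is the kind of password policy check a system should run so that the disguises Klein’s experiment already tried, such as case changes, reversal, digit-for-letter substitutions and tacked-on digits, do not turn a dictionary word into an accepted password. The five-word list is a constructed stand-in for the large multi-language dictionaries cracking tools carry.

```python
"""Reject passwords that are still a dictionary word once the usual
disguises are undone.  Added example; the word list is constructed."""

# Constructed stand-in for the large dictionaries cracking tools carry.
WORDLIST = {"wombat", "fylgjas", "pataitai", "password", "rockyou"}

# Digit/symbol substitutions people believe disguise a word ('w0mbat').
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def candidate_bases(password: str) -> set:
    """Every plain word this password could be a disguise of."""
    lowered = password.lower()                      # 'WomBat' -> 'wombat'
    forms = {lowered, lowered.translate(LEET)}      # 'w0mbat' -> 'wombat'
    forms |= {f[::-1] for f in list(forms)}         # 'tabmow' -> 'wombat'
    stripped = set()
    for f in forms:                                 # 'wombat1', '99wombat'
        stripped.add(f.rstrip("0123456789"))
        stripped.add(f.lstrip("0123456789"))
    return forms | stripped


def is_dictionary_based(password: str, wordlist=WORDLIST) -> bool:
    """True if any undisguised form of the password is a known word."""
    return any(base in wordlist for base in candidate_bases(password))


def check_password(password: str, min_length: int = 12) -> list:
    """Return the policy problems found; an empty list means it passes."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if is_dictionary_based(password):
        problems.append("based on a dictionary word")
    return problems


if __name__ == "__main__":
    for candidate in ("wombat", "w0mbat", "WomBat", "tabmow", "wombat1",
                      "xnZyr", "correct horse battery"):
        print(f"{candidate!r:25} -> {check_password(candidate) or 'ok'}")
```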
BRUTE FORCE ATTACK
Not only are the password cracking tools much smarter today, but the hardware is also many times more powerful. With the availability of inexpensive GPU processors (special Graphics Processing Units) as part of today’s graphics cards you will be surprised how fast and easy your password might be to crack using sheer ‘brute force’ (systematically going through every combination of characters).
How long do you think it would take to break a five character random password like ‘xnZyr’ using password cracking software on a normal CPU? How about 24 seconds, at a rate of 9.8 million password guesses per second. Now use a computer with a GPU graphics card added and the same password can be cracked in less than one second!
Now let’s try a random six character password like ‘nSKeO7’: the normal CPU takes an hour and a half while the GPU struggles for a whole 4 seconds!
When we increase the length to 7 characters the normal CPU will be busy for the next four days while the GPU will actually give you time to make a cup of coffee taking 17 minutes and 30 seconds.
Adding special symbols to your password does make it stronger but still crackable in a relatively short period of time. Take a random password with mixed-case/symbols/spaces like ‘S8&J os’ and give it to the normal CPU and it will be out of action for some 75 days while the GPU will have it done in under 7 hours.
Let’s jump to a nine character mixed-case random password. With a normal CPU you will not just have time to watch the grass grow but entire trees, as 43 years is the estimated time it will take to crack such a password. When the GPU is employed you can take a full one month vacation and then relax for maybe another week once you get back, as it will take up to 48 days to crack the same password.
We have gone through all these examples so you can see just how possible it is to crack any password of nine characters or less, and also how the difficulty (time taken) increases exponentially with the length of the password.
TIME TAKEN TO CRACK PASSWORDS
|5 character password||less than 1 second|
|6 character password||4 seconds|
|7 character password||17 min 30 seconds|
|9 character password||48 days|
Be aware that the above cracking examples are not using a supercomputer or any sort of specialized hardware. Just a regular personal computer with the addition of a relatively inexpensive video card running a GPU. The cracking software used is IGHASHGPU which is a freely available password recovery tool and the operator does not need to be any sort of genius or even a security expert.
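The exponential growth described above, worked through as an added example (not from the article): pure keyspace arithmetic, alphabet size raised to the password length at a fixed guess rate. The 9.8 million guesses per second CPU rate is the one quoted above; the GPU rate is an assumed placeholder, and the results are worst-case exhaustive searches rather than the benchmark timings in the table, so they will not match those figures exactly.

```python
"""Worst-case brute-force time for random passwords by length and alphabet.
Added example; the GPU guess rate is an assumed placeholder."""
import string

# Alphabet sizes a brute-force search has to cover, by character class.
CHARSETS = {
    "lowercase": len(string.ascii_lowercase),                        # 26
    "mixed-case": len(string.ascii_letters),                         # 52
    "mixed-case+digits": len(string.ascii_letters + string.digits),  # 62
    "printable": len(string.ascii_letters + string.digits
                     + string.punctuation + " "),                    # 95
}

CPU_RATE = 9.8e6   # guesses/second, the figure quoted in the article
GPU_RATE = 1.0e9   # guesses/second, ASSUMED for illustration only


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidates an exhaustive search must try."""
    return alphabet_size ** length


def worst_case_seconds(alphabet_size: int, length: int, rate: float) -> float:
    """Time to exhaust the whole keyspace at `rate` guesses per second."""
    return keyspace(alphabet_size, length) / rate


def growth_factor(alphabet_size: int, length: int, rate: float) -> float:
    """How much longer one extra character makes the search.

    The ratio is always the alphabet size: that is the 'exponential'
    growth the article describes."""
    return (worst_case_seconds(alphabet_size, length + 1, rate)
            / worst_case_seconds(alphabet_size, length, rate))


def human_time(seconds: float) -> str:
    """Render seconds in the largest convenient unit, as the article does."""
    units = [("years", 365 * 86400), ("days", 86400),
             ("hours", 3600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.2f} seconds"


def crack_table(charset: str, rate: float, lengths=(5, 6, 7, 9, 12)) -> dict:
    """Worst-case seconds per password length for one character class."""
    size = CHARSETS[charset]
    return {n: worst_case_seconds(size, n, rate) for n in lengths}


if __name__ == "__main__":
    for label, rate in (("CPU", CPU_RATE), ("GPU (assumed rate)", GPU_RATE)):
        print(f"--- {label}: printable ASCII at {rate:.1e} guesses/s")
        for n, secs in crack_table("printable", rate).items():
            print(f"{n:2d} characters: {human_time(secs)}")
```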
THE LENGTH OF THE PASSWORD MAKES ALL THE DIFFERENCE
Maybe now you are starting to get the picture. Twenty years ago Klein was able to crack 21% of passwords in a week using a mainframe equipped with dictionaries and performing just over 70 permutations on each word. Today any 7 character password can be cracked by brute force in hours using a regular personal computer with a GPU graphics card.
It makes one wonder how many of Klein’s original passwords a regular personal computer with a GPU could crack in a week today. Try to imagine the capabilities of a well resourced organization like an intelligence agency with access to supercomputers running massive numbers of parallel processes. Is any password safe?
Microsoft are now officially recommending 14 character passwords. If you had read that before learning about modern password cracking capabilities you might have thought it overkill but now it does not seem that excessive. You also have seen how the difficulty in cracking passwords grows exponentially with the addition of each character to the length.
When you realize that today some of the passwords can be cracked in hours that were not crackable in a life time 20 years ago, it is yet another reason why longer passwords are a better choice.
I hope that by now you are sold on the need for longer passwords, but given that it is often hard to remember even those shorter passwords, especially with mixed-case, numbers and symbols, the idea that many computer systems now require a 10 or 14 character password is daunting.
Many guidelines will tell you that a good password is one that is easy for you to remember but hard for others to guess. The problem with this statement is that most people will assume ‘others’ to be other people like themselves. If it were only other people like yourself then the majority of the passwords we currently use would be more than adequate. The trouble is that, in addition to the threat of a brute force attack, ‘others’ may include experienced hackers with a good understanding of how most people construct their passwords who, after a little personal research, are able to make some very intelligent guesses. Working in conjunction with smart password cracking software, such guesses can often substantially reduce the time required to crack a password.
HOW WE CONSTRUCT PASSWORDS
In 2011, Troy Hunt completed a detailed analysis of passwords using some 300,000 accounts breached from Sony, Gawker and other sources. He has published a number of articles based on his research, including ‘The Science of Password Selection’, which examines exactly how people construct their passwords.
In his research he determines that passwords are inspired by words of personal significance or other memorable patterns, and that attempts to obfuscate or strengthen passwords usually follow predictable patterns. He concludes that truly random passwords are all but non-existent, being less than 1% of the large sample he looked at.
The problem is how to construct a strong password that we can remember.
HOW LONG DOES IT NEED TO BE
We have already determined that the password needs to be longer than the popular 8 characters still used and recommended by many. So how long does it need to be? Microsoft are recommending 14 characters, which is great and, while we do not consider this excessive, we are going to recommend a minimum of 12 characters based on research by the Georgia Institute.
In 2010 they set up a cluster of computers with GPU cards installed and were able to crack any 8 character password in less than two hours. It was estimated that the same methodology would take 180 years when applied to an 11 character password and 17,134 years for a 12 character password. Computing power will continue to increase exponentially, but we believe that for the time being (maybe only another 20 years) 12 characters will be sufficient.
That just leaves the problem of how to think up and remember a 12 character password. The best password would be 12 random characters with mixed-case/symbols/spaces. There are even free password generators online that can do this for you but our advice is to avoid them for security reasons. While those behind them may be sincere in their desire to assist you to improve the strength of your password, there remains the possibility that a few unscrupulous people may also be behind such services or one of the legitimate services might be compromised.
Most people have enough trouble remembering phone numbers. I know I do. The biggest problem with 12 random characters with mixed-case/symbols/spaces is committing them all to memory. We will show you how to create a strong password of 12 or more random characters with mixed-case/symbols/spaces that you can easily remember.
IS USING ONE GOOD STRONG PASSWORD ENOUGH?
Most people use the same password or same few passwords for all the systems they log into and I am sorry to have to inform you that this is a big NO NO, even with a new strong password.
You can understand that if just one of the systems you log into is compromised then all the others are immediately exposed. Does this mean you have to create secure passwords for every system you log into? The short answer is yes but we will look at ways to make this easier.
Many people have what they consider to be different strength passwords that they use for different systems according to their own appraisal of the importance and, accordingly, risk of a system. Many of the ‘more important’ systems already force them to use ‘stronger’ passwords such as a minimum of 8 characters with mandatory mixed case and the addition of a numeral. We now know how insecure that is, don’t we!
I have also seen suggestions online for constructing different passwords using prefixes to identify the system such as ‘fb’ for Facebook or ‘ym’ for yahoo messenger. As soon as such ideas became known those permutations would be added to the cracking dictionaries. Once one password is compromised all the others are exposed. Likewise if we were to come up with a system here, it too would be included in future hacking dictionaries so forget the idea of building in a system identifier on to your strong password in order to use it on multiple systems.
We don’t recommend using the same password for more than one account or system, but when you have a dozen or more passwords to remember we would be fooling ourselves if we thought you would follow this recommendation, so we will provide a suggestion that requires you to remember only one of your strong passwords.
There are circumstances when you feel you do not need a strong unique password. Perhaps you are doing some research and need to sign up to some special forum to ask a question and will probably never return or maybe you are making a one off purchase and need to register an account in order to make a purchase and again you don’t think you will ever return to make another purchase.
Surely it’s ok to use one password for these types of accounts you ask?
Let’s look at these two examples.
The first is where you just want to log in once and maybe ask a question, never to return. The risk seems extremely low so what does it matter if your account was later compromised?
The second example would already be ringing alarm bells with any security person. Anywhere that a financial transaction is involved the risk is much greater. If your credit card details are stored on the system then other items might be purchased using your card. Maybe you had not thought of that?
While the ‘three strikes and you are out’ protocol protects your account from dictionary and brute force attacks, someone armed with a list of username/passwords (as most people will also use the same account name if given the option) could have a ‘BOT’ (software program called a web bot, or spy bot that crawls the web looking for openings) go out and try other forums or online stores and gain access. Someone could then potentially access a number of other such one-off accounts created by you and collect a lot of different information about you from each, allowing them to build up a profile that would enable someone to impersonate you online.
So if you are serious about protecting yourself from identity theft and online fraud, then our advice is never use the same password on multiple systems.
If you really don’t plan to come back, then why not just make up a strong unique password on the spot? Write it down and then you can even just discard it when you are finished.
If you do plan to come back but there is absolutely no need to use any personal information that would identify yourself, then use a fake name with special matching email address. You have just reduced the risk to virtually zero. Be aware that most systems will track your IP address (the address of your computer which can be changed) and this could allow someone with serious intent to track you down. Also be aware that many systems do not allow multiple accounts from the same address so if you later wanted to create an account in your real name it can be a problem.
It comes down to this: if you need to use your real name then create unique strong pass-phrases; otherwise you can go with a fake name and a weak password.
THE FUTURE OF PASSWORDS
Given that just twenty years ago, an 8 character random password with mixed case, numerals and special characters was something even mainframe computers would struggle with and now a small network of personal computers with good graphics cards can crack in under two hours, it begs the question: is there an end to how long a password will need to be in order to be secure? While the strength of a password grows exponentially by adding additional characters so does computer power, each and every year. With Microsoft already recommending 14 characters as the minimum length, we are already pushing the boundaries of what is reasonable for a human to have to remember.
Interestingly, many sites requiring high security, such as financial institutions, have not gone down the path of making the password longer and longer but instead try to build smarter, more secure interfaces. One bank I use brings up an onscreen graphical keypad which will display numbers in random order designed to defeat keyloggers and screen scrapers that try to record passwords. Another bank I use supplies me with a dongle. I log in using a username and weak password and I am then presented with a challenge prompt. I need to press the button on the dongle and enter the displayed pin code which is time sensitive. These are just two examples of how others are implementing methods to improve access security.
We believe the future of passwords will not be passwords. Technology will be used to help you gain secure access to virtually everything you need. These new electronic keys you may carry will probably be bio-tech based, using something that identifies you to the system you want to access. In the future you might not need to remember any passwords. The potential downside to this is a greater loss of privacy. We predict the growth of huge tech security companies providing these solutions, and subscribing to one of them will be as necessary as having a mobile phone.
SO WHAT SYSTEM IS THE BEST FOR NOW
In movies you often see cracking depicted as something progressive, with each successive character being cracked until the entire password is revealed. It does not work that way in the real world. There is no way for the cracking program to know which characters are correct, so it needs to get the exact combination all at once.
If your password cannot be found in any of the dictionaries used by hacking programs then they can only try a brute force attack. This is where the length of your password is important. As explained, the estimated time to crack any 12 character password is currently thousands of years. We have looked at how weak most passwords are and how predictable people are even when it comes to thinking up passwords. The only real solution is for people to pick a seemingly truly random password, which is what the system we provide here does.
Before we show you our password system and provide a solution to having to remember multiple strong passwords we need you to indicate where you think you currently are with regard to password security.
Risk Self Assessment
Based on the information you have read, how do you assess the threat to password security for you?
Select from one of the following – if unsure always select a higher threat level
|I have my passwords totally under control||No Threat|
|I think my current passwords are OK but show me your ideas for strong easy to remember password||Low Threat|
|I can see now that my current passwords are weak so show me how to create strong easy to remember passwords||Medium Threat|
|OK I admit it, my password is simple like 123456 and I need to fix this ASAP||High Threat|