Today’s message, bottom line first.
- Users spend more time thinking up names than they do passwords.
- Worry less about the variety of characters in a password (P@$$w0rd and the like) and opt for long passwords, which offer far more security.
- You’ll find examples of the most common passwords at the end of the article.
Good Book, Bad Passwords
In managing programmers and a computing center, I was responsible for the final line of security. Although networked, our machines faced fewer threats than computers do now. They wouldn’t pass muster today, but I leaned on Biblical and historical words, such as that original password, shibboleth. Our discs required separate access passwords to read, write, and multi-write, so I not-so-cleverly chose Shadrach, Meshach, and Abednego. Naturally you see a problem: If someone cracked one, they should be able to figure out the other two.
Biblical passwords still flourish throughout the internet, albeit in the form of first names: Angel, Daniel, David, Faith, Grace, John, Jordan, Joshua, Michael, and the most often appearing name: Jesus. Let me tell you, folks, you shouldn’t rely on Jesus (the name at least, or that ever-popular jesus1) to protect your private information. As Leslie Charteris's The Saint might say, the ungodly never sleep.
Deep and Wide
I can’t seem to get away from Biblical allusions today.
We can look at a password in two dimensions, depth and length. A simple PIN is 10 characters deep (0-9) and typically 4 digits long, although PINs of up to 10 digits and passwords over fifty characters aren’t unheard of. An upper-case-only alphanumeric password, for example AARDVARK, is 36 characters deep. Computer scientists use the fancy term ‘entropy’, borrowed from information theory, for the ‘uncertainty of a random variable’, in plain words how hard a value is to guess; it is measured in bits and is the usual currency of code-breaking. Mixed case raises the entropy, e.g., AaRdVaRk. Allow any character on the keyboard and you run up the difficulty again, e.g., /\år∂vårk. Conversely, rely only on numbers or single dictionary words (or puerile swear words), and you seriously compromise the security of your account.
The ‘aardvark’ example at right shows that a password is a two-dimensional array. As from a Chinese menu, you pick one character from column one, another from column two, and so on, so the number of possible passwords is the depth raised to the power of the length. The greater the variety of characters allowed, the harder the cracking. But entropy grows even faster with length: each extra character multiplies the number of candidates by the whole depth, whereas widening the alphabet adds only a little per character (in bits, entropy is the length times the logarithm of the depth).
So, pardon me for restating the cliché, but longer is better. You can radically harden your password by increasing its length, e.g., Tough_nut_to_crack, assuming your provider allows passwords that long. The lesson is that you gain more strength from a long password than from a short one with special characters. Pick something you privately know and like, perhaps a quotation or phrase that sticks in your head, but give it a twist of your own: crackers keep lists of famous lines and song lyrics, so a verbatim quotation is far weaker than its length suggests.
Cracking the Code
How do crackers break passwords? They know the frequency of passwords like those shown below, so normally they take a few stabs at the obvious, ‘123456’ or ‘password’, then work through lists of passwords leaked from other sites and the common variations of them. If they’re serious about cracking your account, they use a script to run through the possibilities in the ‘aardvark’ table at right, a character at a time, just like an odometer. Against a web login such guessing is slow and easily throttled; against a stolen copy of a site’s password database it runs offline at millions or billions of guesses per second, which is why length matters so much. I encourage you to make life as difficult as possible for them.
But the ungodly have other ways. If a malicious party can trick you into downloading a tiny piece of code, they can monitor your keystrokes. This works much like child-monitoring software, but it transmits your keystrokes, all of them, to a third party somewhere else in the world, and no password, however long, survives being typed into a logger.
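To put numbers on depth versus length, and on the odometer-style search just described, here is an added example in Python. It is illustrative code written for this page, not the article’s own; the policy labels, the alphabets and the secret ‘easy’ are constructed for the demonstration. The entropy figure assumes every character is chosen at random, which is the most a password of that shape can have.

```python
"""Added example: password 'depth' (alphabet size) versus length, and an
odometer-style brute force. Illustrative code for this page, not the article's."""
import itertools
import math
import string

# Alphabets ("depth") matching the article's examples.
PIN_DIGITS = string.digits                                                  # 10 deep
UPPER_ALNUM = string.ascii_uppercase + string.digits                        # 36 deep: AARDVARK
MIXED_ALNUM = string.ascii_letters + string.digits                          # 62 deep: AaRdVaRk
KEYBOARD = string.ascii_letters + string.digits + string.punctuation + " "  # 95 deep
LOWER_UNDERSCORE = string.ascii_lowercase + "_"                             # 27 deep: tough_nut_to_crack


def entropy_bits(length: int, depth: int) -> float:
    """Entropy of a password picked uniformly at random from `depth` symbols:
    length * log2(depth). Linear in length, only logarithmic in depth."""
    return length * math.log2(depth)


def search_space(length: int, depth: int) -> int:
    """Candidates an exhaustive search must cover at worst: depth ** length."""
    return depth ** length


def compare_policies(policies):
    """Turn (label, length, depth) triples into (label, bits, candidates) rows."""
    return [(label, round(entropy_bits(n, d), 1), search_space(n, d))
            for label, n, d in policies]


def odometer_crack(check, alphabet, max_length):
    """Enumerate every string of length 1..max_length like an odometer, the
    rightmost character spinning fastest. `check(guess)` says whether a guess is
    right; against a stolen password database it would hash the guess and compare
    with the stored record. Returns (password or None, number of guesses made)."""
    guesses = 0
    for length in range(1, max_length + 1):
        for chars in itertools.product(alphabet, repeat=length):
            guesses += 1
            guess = "".join(chars)
            if check(guess):
                return guess, guesses
    return None, guesses


# Constructed policies for the demonstration, not data from the article.
POLICIES = [
    ("4-digit PIN", 4, len(PIN_DIGITS)),
    ("AARDVARK (8, upper + digits)", 8, len(UPPER_ALNUM)),
    ("AaRdVaRk (8, mixed + digits)", 8, len(MIXED_ALNUM)),
    ("8 chars, whole keyboard", 8, len(KEYBOARD)),
    ("tough_nut_to_crack (18, lower + _)", 18, len(LOWER_UNDERSCORE)),
]

if __name__ == "__main__":
    for label, bits, candidates in compare_policies(POLICIES):
        print(f"{label:36} {bits:6.1f} bits  {candidates:.2e} candidates")
    # A deliberately short secret so the odometer finishes in well under a second.
    found, tries = odometer_crack(lambda g: g == "easy", string.ascii_lowercase, 4)
    print(f"cracked {found!r} after {tries:,} guesses")   # cracked 'easy' after 89,075 guesses
```

Run it and the 18-character lower-case password comes out near 86 bits against about 53 bits for eight characters drawn from the whole keyboard, and the odometer finds ‘easy’ after 89,075 guesses, a figure that each extra lower-case letter multiplies by 26. Two caveats: a phrase of real words has far less entropy than its length suggests, because crackers try phrase lists before the odometer, and the guess rate depends on where the attack runs, throttled at a login form but billions per second against a stolen hash database.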
Soft and Hard
While we’re on the subject of nanny monitoring software, you might want to check nobody’s monitoring you! You’re vulnerable to anyone who has access to your computer. A hardware keystroke logger is a small plug inserted between the keyboard cable and the computer’s port, so that is the first place to look; a software one shows up as an unfamiliar program that starts with the machine.
Image: keystroke logger © CNH Tech
The culprit turned out to be an insecure (and in my opinion nasty) little supervisor who didn’t want her subordinates to shine too brightly. Ofttimes a woman’s workplace impediment isn’t men, it’s other women.
In my consulting experience, such micro-espionage tricks are hardly unique. You never know when or where you might be spied upon.
Skip, if you wish, the following explanation of how letters and passwords are stored, although crime writers might find the techniques useful in a story. Let’s take an easy word, say EASY itself. Normally each letter of the alphabet and each punctuation character is stored as a number. The letter E is stored in binary as 0100 0101, which is 69 in decimal; programmers usually read it in base 16, hexadecimal, where it is 45₁₆, written 0x45. If a program stored this in ‘plain text’, anyone familiar with the encoding, ASCII or Unicode, could read it.
word:  E   A   S   Y
dec:  69  65  83  89
hex:  45  41  53  59
Normally, companies and government agencies deal with sensitive data in two ways. One is to encrypt it. When you provide a credit card number, the program should take a great deal of effort to obscure it while allowing it to be retrieved when the time comes.
They could also encrypt passwords, but why store passwords at all? When you think about it, all the computer needs is a yes/no answer whether the password you give now matches the original you made up long ago.
So programs store a different number derived from the password: a polynomial (as in a checksum), a hash, or, in the simplified illustration that follows, a remainder. Rather than look at EASY as a string of letters or even as separate digits, we read its four bytes as one long number, 45 41 53 59 in hexadecimal, which is 1,161,909,081 in decimal, just over a billion. That looks large, but it’s minuscule in security terms.
To obtain the remainder, computers divide the number by a huge prime; the divisor is called the modulus, and the operation is ‘modulo’. We’ll use a small prime, say 33,331:
1,161,909,081 ÷ 33,331 = 34,859, remainder 23,752
We don’t care about the quotient, only the remainder, 23,752, which we save as the user’s key code rather than the password itself. The program then deliberately ‘forgets’ the original password, information too vulnerable to keep around. Thus a well-behaved database of users won’t contain any passwords at all.
A word of caution before a crime writer puts this in a novel: dividing by a prime is the simplest possible stand-in for the real thing, and it is not one-way. Every password whose number leaves the remainder 23,752 opens the same account, and anyone who sees the stored key code can make such a number by adding a multiple of 33,331 to any starting value. What real systems use in its place is a cryptographic hash: a calculation that is quick to run forward but impossible in practice to run backward, salted with a random value per user so that two people with the same password get different key codes, and deliberately slow so that the odometer-style guessing described earlier crawls. The only way past a properly stored password is to guess it, and that is where length earns its keep.
How does it work? When a member logs in, they type a password. Because the computer no longer remembers the original, it converts the attempt to a number, divides by that same prime (or, in a real system, runs the same hash with the same salt), and if the remainder matches the stored key code, it lets the user in.
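The division above, reproduced in Python as an added example (not the article’s code), with the collision problem made visible and a proper salted, slow hash beside it for comparison. TOY_PRIME is the article’s 33,331; the PBKDF2 iteration count of 600,000 follows current OWASP guidance for PBKDF2-HMAC-SHA256 and is my choice, not the article’s.

```python
"""Added example: the article's divide-by-a-prime key code reproduced exactly,
then shown to collide, beside a salted, slow password hash.
Illustrative code for this page, not the article's own."""
import hashlib
import hmac
import itertools
import os
import string

TOY_PRIME = 33331   # the article's small prime divisor (the modulus)


def word_to_number(word: str) -> int:
    """Read the word's ASCII bytes as one big number, first letter most significant:
    'EASY' -> bytes 45 41 53 59 -> 0x45415359 -> 1,161,909,081."""
    return int.from_bytes(word.encode("ascii"), "big")


def toy_key(word: str) -> int:
    """The article's key code: remainder after dividing the word-number by the prime."""
    return word_to_number(word) % TOY_PRIME


def toy_login(stored_key: int, attempt: str) -> bool:
    """Login under the toy scheme: recompute the remainder and compare it."""
    return toy_key(attempt) == stored_key


def find_collisions(word: str, alphabet: str = string.ascii_uppercase) -> list:
    """Every other string of the same length and alphabet with the same key code.
    Under the toy scheme each of them logs in as `word`: a remainder is not one-way."""
    target = toy_key(word)
    candidates = ("".join(t) for t in itertools.product(alphabet, repeat=len(word)))
    return [cand for cand in candidates if cand != word and toy_key(cand) == target]


def make_record(password: str, iterations: int = 600_000) -> dict:
    """What a well-behaved system stores instead: a random per-user salt, the work
    factor, and PBKDF2-HMAC-SHA256 of the password. No password is kept, and
    nothing here can be turned back into one; it can only be guessed at, slowly."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest}


def verify(record: dict, attempt: str) -> bool:
    """Recompute with the stored salt and work factor; compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode("utf-8"),
                                 record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["hash"])


if __name__ == "__main__":
    print(word_to_number("EASY"), toy_key("EASY"))     # 1161909081 23752
    twins = find_collisions("EASY")
    print(len(twins), "other four-letter words open the toy lock, e.g.", twins[:3])
    record = make_record("EASY")
    print(verify(record, "EASY"), verify(record, twins[0]))   # True False
```

Running it prints 1161909081 and 23752, then lists the other four-letter upper-case words that open the toy lock, FHDX and FMZV among them; with the hashed record only EASY verifies, and the hash for EASY differs from one user record to the next because of the salt. Keep `iterations` high in production and lower it only in tests.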
Adapt and Adjust
Final tip: Use the longest possible password you’re comfortable with. If you have a difficult time with special characters and weird spellings, rely on this simple trick: Use a ‘pass-phrase’, not a password, or better yet, make up a sentence. For example: ’23 Valley of the shadow of death’. If your account provider doesn’t like spaces, then use underscores or omit them. If they severely restrict the length (like my stupid bank), then use the maximum and consider special characters. And if remembering dozens of long phrases is the obstacle, a password manager will generate and remember long random ones for you. Adapt and adjust.
Following are the most common passwords harvested from four different websites. Some of them aren't pretty. Learn and avoid!