11 August 2013

PINs and Passwords, Part 2

The Saint
by Leigh Lundin

Today’s message, bottom line first.
  1. Users spend more time thinking up names than they do passwords.
  2. Worry less about the variety of characters you use in a password (or P@$$w0rd) and opt for long passwords, which offer far more security.
  3. You’ll find examples of the most common passwords at the end of the article.
Now, if you’re in the mood as a writer or reader to learn how passwords are created, stored, and broken, read on.

Good Book, Bad Passwords

In managing programmers and a computing center, I was responsible for the final line of security. Although networked, our machines faced fewer threats than computers do now. They wouldn’t pass muster today, but I leaned on Biblical and historical words, such as that original password, shibboleth. Our discs required separate access passwords to read, write, and multi-write, so I not-so-cleverly chose Shadrach, Meshach, and Abednego. Naturally you see a problem: If someone cracked one, they should be able to figure out the other two.

Biblical passwords still flourish throughout the internet, albeit in the form of first names: Angel, Daniel, David, Faith, Grace, John, Jordan, Joshua, Michael, and the most often appearing name: Jesus. Let me tell you, folks, you shouldn’t rely on Jesus (the name at least, or that ever-popular jesus1) to protect your private information. As Leslie Charteris's The Saint might say, the ungodly never sleep.

Deep and Wide

I can’t seem to get away from Biblical allusions today.

We can look at a password in two dimensions, depth and length. A simple PIN is 10 characters in depth (0-9) and typically 4 digits wide, although PIN lengths up to 10 digits and passwords over fifty characters aren’t unheard of. We might say an alphanumeric, upper-case-only password is 36 characters deep, for example: AARDVARK. Computer scientists use the fancy term ‘entropy’ in reference to the ‘uncertainty of a random variable,’ usually considered in code-breaking. Mixed case greatly increases the ‘entropy’, or difficulty of guessing it, e.g., AaRdVaRk. Allow any character of a keyboard, and you run up the difficulty again, e.g., /\år∂vårk. Conversely, rely only on numbers or single dictionary words (or puerile swear words), and you seriously compromise the security of your account.

The ‘aardvark’ example at right shows passwords represent a two-dimensional array. From a Chinese menu, you pick one character from column one, another character from column two, etc. The greater variety of characters allowed, the greater the difficulty of cracking. But entropy increases even faster if you type longer passwords.

So, pardon me for restating the cliché, but longer is better. Thus you can radically harden your password by increasing its length, e.g., Tough_nut_to_crack, assuming your provider allows passwords that long. The lesson here is you potentially gain more strength from longer passwords versus short ones with special characters. Pick anything you privately know and like, perhaps a quotation or phrase that sticks in your head, and go with that.

Cracking the Code

How do crackers break passwords? They know the frequency of passwords like we show below, so normally they take a few stabs at the obvious, ‘123456’ or ‘password’. If they’re serious about cracking your account, they use a script to run through the possibilities in the ‘aardvark’ table at right, a character at a time, just like an odometer. I encourage you to make life as difficult as possible for them.
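The odometer picture above, worked through as counting (an added example, not code from the article): the ordered alphabet plays the role of the digits, a password of width w over an alphabet of depth d is one of d**w settings, and its position in odometer order is how many settings a full sweep passes before reaching it. The alphabets and their sizes are constructed here for the illustration.

```python
# Added example, not from the article: the "depth x width" view of a password
# and the odometer order an exhaustive sweep would follow.
import math
import string

UPPER_ALNUM = string.digits + string.ascii_uppercase                  # depth 36
MIXED_ALNUM = string.digits + string.ascii_letters                    # depth 62
KEYBOARD = string.digits + string.ascii_letters + string.punctuation  # depth 94
LETTERS_UNDERSCORE = string.ascii_letters + "_"                       # depth 53


def settings(alphabet: str, width: int) -> int:
    """How many distinct passwords of exactly this width the alphabet allows."""
    return len(alphabet) ** width


def bits(alphabet: str, width: int) -> float:
    """The same count expressed as bits of entropy: width * log2(depth)."""
    return width * math.log2(len(alphabet))


def odometer_position(password: str, alphabet: str) -> int:
    """Index of the password when an odometer over the alphabet ticks through
    every setting of this width, leftmost character most significant."""
    depth = len(alphabet)
    position = 0
    for ch in password:
        if ch not in alphabet:
            raise ValueError(f"{ch!r} is not in the alphabet")
        position = position * depth + alphabet.index(ch)
    return position


def longer_wins(short: str, short_alphabet: str, long: str, long_alphabet: str) -> bool:
    """True when the longer password lives in the larger search space."""
    return settings(long_alphabet, len(long)) > settings(short_alphabet, len(short))


if __name__ == "__main__":
    print(settings(UPPER_ALNUM, 8), "settings for AARDVARK-style passwords")
    print(round(bits(KEYBOARD, 8), 1), "bits for P@$$w0rd")
    print(round(bits(LETTERS_UNDERSCORE, 18), 1), "bits for Tough_nut_to_crack")
    print(longer_wins("P@$$w0rd", KEYBOARD, "Tough_nut_to_crack", LETTERS_UNDERSCORE))
```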

But the ungodly have other ways. If a malicious party can trick you into downloading a tiny piece of code, they can monitor your keystrokes. This works in a way similar to child monitoring software, but it transmits your keystrokes – all of them – to a third party somewhere else in the world.

Soft and Hard

While we’re on the subject of nanny monitoring software, you might want to check nobody’s monitoring you! You’re vulnerable to anyone who has access to your computer.

A client had a problem with files being deleted. Eli Lilly thought someone was logging onto and vandalizing machines after hours, but couldn’t figure out how. After advising the client to make personal backups of everything, I went on the hunt for two possibilities: either a keystroke monitoring program or a discreet hardware device called a keystroke logger that plugs between the keyboard cable and the back of the computer.
keystroke logger © CNH Tech

The culprit turned out to be an insecure (and in my opinion nasty) little supervisor who didn’t want her subordinates to shine too brightly. Ofttimes a woman’s workplace impediment isn’t men, it’s other women.

In my consulting experience, such micro-espionage tricks are hardly unique. You never know when or where you might be spied upon.

Geekology

Skip, if you wish, the following explanation of how letters and passwords are stored, although crime writers might find the techniques useful in a story. Let’s take an easy word, say EASY itself. Normally each letter of the alphabet and punctuation character is stored individually as a number. The letter E stores in binary as 0100 0101. This happens to be 69 in decimal, but programmers look at it in base 16, hexadecimal, which works out to 45₁₆ or x45. If a program stored this in ‘plain text’, it would be easily readable by anyone familiar with the encoding, say ASCII or Unicode.
word:  E    A    S    Y
dec:   69   65   83   89
hex:   45   41   53   59
#:     1,161,909,081
Normally, companies and government agencies deal with sensitive data in two ways. One is to encrypt it. When you provide a credit card, the program should take a great deal of effort to obscure your card number while allowing it to be retrieved when the time comes.

They could also encrypt passwords, but why store passwords at all? When you think about it, all the computer needs is a yes/no answer whether the password you give now matches the original you made up long ago.

So programs create a different number that represents the password – a polynomial, a hash, or a modulus. Rather than look at EASY as a string of letters or even digits, we view it as one long number, just over a billion or precisely 1,161,909,081. This number looks large, but it’s minuscule in security terms.

To obtain its modulus (remainder), computers divide it by a huge prime number, though we’ll use a small one, say 33,331:
   1,161,909,081
 ÷        33,331
 ———————————————
  34,859 r 23,752
We don’t care about the quotient, only the remainder, 23,752, which we save as a user key code, rather than the user’s password, which could be subject to hacking. The program then deliberately ‘forgets’ the original password, information too vulnerable to keep around. Thus, a well-behaved database of users won’t contain any passwords, and because the program uses large numbers, especially the prime divisor, it makes cracking the code by anyone other than the NSA or a pimply-faced nerd in Ukraine extremely difficult.

How does it work? When a member logs in, he provides a password. Because the computer no longer remembers the original, it divides the given password by that same large prime, and if the remainder matches the stored key code, it allows the user in.

Adapt and Adjust

Final tip: Use the longest possible password you’re comfortable with. If you have a difficult time with special characters and weird spellings, rely on this simple trick: Use a ‘pass-phrase’, not a password, or better yet, make up a sentence. For example: ‘23 Valley of the shadow of death’. If your account provider doesn’t like spaces, then use underscores or omit them. If they severely restrict the length (like my stupid bank), then use the maximum and consider special characters. Adapt and adjust.

Following are the most common passwords harvested from four different internet web sites. Some of them aren't pretty. Learn and avoid!


       MySpace            FaceBook           Singles.org        phpBB
rank   %     password     %     password     %     password     %     password
1 0.24 password1 1.46 password 1.02 123456 3.03 123456
2 0.16 abc123 1.18 123456 0.61 jesus 2.19 password
3 0.12 password 0.39 12345678 0.41 password 1.45 phpbb
4 0.09 iloveyou1 0.26 1234 0.29 love 0.94 qwerty
5 0.09 iloveyou2 0.25 qwerty 0.20 12345678 0.82 12345
6 0.09 fuckyou1 0.21 12345 0.20 christ 0.60 letmein
7 0.08 myspace1 0.20 pussy 0.17 jesus1 0.59 12345678
8 0.08 soccer1 0.18 monkey 0.16 princess 0.53 1234
9 0.07 iloveyou 0.17 baseball 0.16 blessed 0.51 test
10 0.06 iloveyou! 0.17 football 0.15 sunshine 0.43 123
11 0.05 football1 0.16 letmein 0.13 faith 0.38 trustno1
12 0.05 fuckyou 0.15 696969 0.13 1234567 0.33 dragon
13 0.05 123456 0.15 abc123 0.12 angel 0.32 hello
14 0.05 baseball1 0.15 michael 0.11 single 0.31 abc123
15 0.05 soccer 0.15 shadow 0.11 lovely 0.31 111111
16 0.05 123abc 0.14 111111 0.11 freedom 0.31 123456789
17 0.04 hello1 0.12 master 0.10 blessing 0.30 monkey
18 0.04 qwerty1 0.11 superman 0.10 12345 0.29 master
19 0.04 summer1 0.11 harley 0.10 grace 0.23 killer
20 0.04 monkey1 0.11 1234567 0.10 iloveyou 0.22 123123
21 0.04 password2 0.11 fuckme 0.09 7777777 0.22 computer
22 0.04 nigger1 0.11 fuckyou 0.09 heaven 0.22 asdf
23 0.04 fuckyou! 0.11 trustno1 0.09 angels 0.20 shadow
24 0.04 nicole1 0.10 ranger 0.09 shadow 0.20 internet
25 0.04 cheer1 0.10 buster 0.09 1234 0.20 whatever
26 0.04 asshole1 0.10 hunter 0.08 tigger 0.20 starwars
27 0.04 fuckyou2 0.10 soccer 0.08 summer 0.17 1234567
28 0.04 blink182 0.10 fuck 0.08 hope 0.16 cheese
29 0.04 poop 0.10 batman 0.07 looking 0.16 pass
30 0.04 dancer1 0.10 test 0.07 peace 0.16 matrix
31 0.04 jordan23 0.10 pass 0.07 mother 0.16 tigger
32 0.03 football 0.09 killer 0.07 michael 0.15 aaaaaa
33 0.03 bitch1 0.09 hockey 0.07 shalom 0.15 pokemon
34 0.03 orange1 0.09 love 0.07 rotimi 0.15 000000
35 0.03 soccer2 0.09 michelle 0.07 football 0.15 superman
36 0.03 123456a 0.09 andrew 0.07 victory 0.15 qazwsx
37 0.03 baseball 0.09 sunshine 0.07 happy 0.14 testing
38 0.03 eagles1 0.09 jessica 0.07 purple 0.14 football
39 0.03 volcom1 0.09 asshole 0.07 john316 0.14 1
40 0.03 chris1 0.09 6969 0.07 joshua 0.13 blahblah
41 0.03 monkey 0.08 daniel 0.06 london 0.13 654321
42 0.03 flower1 0.08 access 0.06 superman 0.13 fuckyou
43 0.03 summer06 0.08 123456789 0.06 church 0.13 11111
44 0.03 ashley1 0.08 654321 0.06 loving 0.13 joshua
45 0.03 love123 0.08 joshua 0.06 computer 0.12 helpme
46 0.03 princess1 0.08 starwars 0.06 mylove 0.12 thomas
47 0.03 love 0.08 hello 0.06 praise 0.12 michael
48 0.03 nigga1 0.08 123123 0.06 saved 0.12 biteme
49 0.03 fucker1 0.08 ashley 0.06 richard 0.12 forum
50 0.03 angel1 0.07 666666 0.06 pastor 0.12 secret
• Credit for table: Jimmy Ruska

13 comments:

janice Law said...

All useful and good. My problem is that I use a different password for every site and have to keep a list to keep them straight!

Leigh Lundin said...

Janice, I recommend password managers (of varying usefulness) for Macs and Windows. There's also a free product just for the web called LastPass.

Before these 'keychain' managers, I stored passwords in an encrypted spreadsheet. Although my laptop was stolen during a robbery, the passwords had some protection.

Anonymous said...

you should clean this up, we don't need to read obscenities.

R.T. Lawton said...

Leigh, a fascinating two blog articles. Even though none of my passwords make anybody's list, I see it's time to change them again.
How do you avoid downloading that keystroke program? The way e-mails are being hacked these days, even an e-mail from a friend can be a carrier. And other than not going to new web sites, how do you defend there?

Robert Lopresti said...

I actually keep a piece of paper in my wallet with all my passwords for different library-related databases (many insist on characters that are forbidden on others...sigh). Of course, I don't actually have the passwords on the page, just clues that tell me which one I use. For example, one says FIC. That tells me which password to type in, but it won't tell a hacker anything.

Louis A. Willis said...

I've tried to remember to change my passwords each year, but, man, there're just too many. Even with a password manager, I'm too lazy to go through all the passwords.

Something I don't understand: why do sites that don't ask for money or private information require you to use a password? Unfortunately, at the moment no specific site comes to mind.

Dixon Hill said...

Leigh,

Thanks for explaining a mystery I’ve long pondered. How can a site know that I’ve entered the right password, yet claim not to know or store that password? Until this morning, I didn’t have a clue. Thanks for the explanation.

Since password-verification is sometimes (often?) accomplished by checking the remainder when divided by a certain number, I wonder if this can result (and, if so, how often) in what I might term “numerical harmonics,” where two different passwords generate numbers that produce the same remainder when divided. (i.e.: Could “Blood_and_honor” for instance fork over a remainder that’s the same as the remainder produced by “Perdomo_Maduro_Gordo” say?) As you can undoubtedly tell by my example passwords (which I grabbed from a paperback and a cigar box sitting on my desk) I’m not familiar enough with binary, hex, etc. to arrive at an answer, myself. Thus, I wondered if you might enlighten me.

And I, for one, got a kick out of that common password list.

Thanks,
Dix

Leigh Lundin said...

By the way, I highly recommend clicking on the Shadrach etc link.

Anon, I’m not sure you understood, but these are passwords reported at a snapshot in time from several large web sites. It’s interesting what people type when they think no one’s looking. It’s also interesting to look at some of the passwords in their setting, like I love you being so close to ƒ me or ƒ me coming immediately before ƒ you.

RT, the best you can do is not click on any button or link you’re not sure of. Most browsers have a small window that monitors downloads, so it’s a good idea to check it once in a while. You can also get add-ons that warn you about suspect web sites.

Rob, we won’t tell anyone your password is first-in-class.

Louis, the best examples are free eMail sites. They prevent others from getting into your accounts.

Dixon, hypothetically it is possible that two people could have the same password, but a good site will make certain the chance is only one in trillions. Even then, you’d have to have someone guessing the two might be the same. The mechanism depends on one-way calculations. We threw away the quotient from our example, so it’s ultra-difficult to reconstruct the original.
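Dixon's “numerical harmonics” and Leigh's reply, worked through as an added example (not part of the article or the comments): with the article's toy divisor 33,331 there are only 33,331 possible remainders, so among the 456,976 four-letter upper-case strings many must share one, and FHDX is a constructed string that lands on EASY's remainder. LARGE_PRIME is a Mersenne prime chosen here for contrast; it exceeds any four-letter number, so no two such strings can collide under it.

```python
# Added example, not from the article: two different passwords sharing one
# remainder (a collision), and how a large divisor makes that rare.
from itertools import product
from string import ascii_uppercase

SMALL_PRIME = 33331        # the article's example divisor
LARGE_PRIME = 2**61 - 1    # constructed for contrast, far above any 4-letter number


def key_code(word: str, prime: int) -> int:
    """The article's key code: the word read as a big integer, modulo the prime."""
    return int.from_bytes(word.encode("ascii"), "big") % prime


def same_remainder(a: str, b: str, prime: int) -> bool:
    """True when two different words would pass for each other at login."""
    return a != b and key_code(a, prime) == key_code(b, prime)


def collisions_with(word: str, prime: int, width: int = 4) -> list[str]:
    """Every other upper-case string of this width sharing the word's key code.
    Brute force over 26**width candidates, so keep width small."""
    target = key_code(word, prime)
    found = []
    for chars in product(ascii_uppercase, repeat=width):
        candidate = "".join(chars)
        if candidate != word and key_code(candidate, prime) == target:
            found.append(candidate)
    return found


if __name__ == "__main__":
    # EASY -> 1,161,909,081 and FHDX -> 1,179,141,208 differ by
    # 17,232,127 = 517 x 33,331, so both leave the remainder 23,752.
    print(key_code("EASY", SMALL_PRIME), key_code("FHDX", SMALL_PRIME))
    twins = collisions_with("EASY", SMALL_PRIME)
    print(len(twins), "four-letter strings open alice's account under 33,331")
    print(same_remainder("EASY", "FHDX", LARGE_PRIME))  # False under the large prime
```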

Ray Oakes said...

Interesting and useful article. Thanks. I have to go back and read the first one.

Leigh Lundin said...

Thank you, Ray.

Dixon Hill said...

Thanks, Leigh.

Went back and read both the Shibboleth, and Shadrach, Meshach stuff. The first was fascinating reading, reminds me that there is no “sh” sound in Arabic, though there is one in Persian-Farsi. Studying Arabic with other Americans, I found it common that we had great difficulty telling the three Arabic "h" sounds apart. This helped me understand why some Arabs simply could not pronounce the "sh" sound, nor could some differentiate between "sh" and "s" sounds when they heard them.

And, I ALWAYS love Armstrong — great stuff, buddy!

--Dix

P.S. Really enjoyed The Saint icon too, but forgot to mention it.

Leigh Lundin said...

Dixon, I had the same problem trying to pronounce Hindi – hell, even distinguish vowels that were too subtle for my ear.

I'm pleased you enjoyed the article and what a bonus – Louis Armstrong!

Anonymous said...

You might appreciate this:

http://blogs.discovermagazine.com/crux/2013/07/31/how-to-create-codes-that-even-the-nsa-cant-break/