If true, the news this month that a Russian crime ring has amassed 1.2 billion username and password combinations would make it the largest security breach experienced to date. There is wide debate and skepticism as to whether this breach actually happened and, if so, the extent of its impact. Perhaps time will tell.
Regardless, the news is an opportunity to revisit the ongoing problem with passwords. For years, passwords have been the weak link in the security chain, and their problems are well documented and widely known. Most systems and sites have strengthened their password policies by requiring a minimum length and a mix of upper- and lower-case letters, digits and special symbols. Yet policies remain inconsistent between sites, and many people reuse the same password across multiple sites. If the Russian password heist is real, that spells trouble for the millions who have fallen into the trap of reusing one password everywhere: a single breached site hands an attacker working credentials for every other site where the same combination is used.
We teach people not to write their passwords down while, at the same time, requiring complex passwords and encouraging a different one for every site. This is maddening and undoubtedly frustrating for everyone involved. Password managers are one answer, although not yet a seamless one across the multiple devices the average person uses.
To address one problem with passwords, the difficulty of remembering complex strings, many sites automate password recovery by prompting the user with security questions and then, after all of that challenge and response, send a new password in an email! Email is about as private as a postcard: anyone handling it along the way can read it, unlike a sealed envelope, and the password then sits in the user's inbox indefinitely. Really? The better practice is to email a single-use reset link that expires within minutes and never contains the password itself.
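The recovery flow the paragraph above argues for, as an added example that is not the recovery code of any particular site: the email carries only a random, short-lived, single-use token, the server stores just a hash of it, and the token is consumed on first presentation. The in-memory store, the injectable clock, the 15-minute lifetime and the `example.test` URL are constructed assumptions for the demonstration.

```python
"""Password recovery via a single-use, expiring reset link, instead of mailing
a new password. Added example for this post; not the recovery flow of any
particular site. The in-memory store and injectable clock are constructed
stand-ins for a database and the system time."""
import hashlib
import secrets
import time
from typing import Callable, Dict, Optional, Tuple

RESET_TTL_SECONDS = 15 * 60   # assumed: a link is good for 15 minutes


class ResetTokens:
    """Issues and redeems reset tokens. Only a hash of each token is stored, so a
    copy of the table does not let an attacker reset anyone's password."""

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now
        self._pending: Dict[str, Tuple[str, float]] = {}  # sha256(token) -> (user, expiry)

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, user: str) -> str:
        """Create a fresh 256-bit token for `user`; the caller mails it inside the link."""
        token = secrets.token_urlsafe(32)
        self._pending[self._digest(token)] = (user, self._now() + RESET_TTL_SECONDS)
        return token

    def redeem(self, token: str) -> Optional[str]:
        """Return the user if the token is known, unused and unexpired; else None.
        The entry is removed on first presentation either way, so a link that
        leaks from an inbox later (the postcard problem) is worthless."""
        entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            return None
        user, expires_at = entry
        if self._now() > expires_at:
            return None
        return user

    def purge_expired(self) -> int:
        """Drop entries that were never redeemed and are past expiry; returns the count."""
        now = self._now()
        stale = [d for d, (_, expires_at) in self._pending.items() if now > expires_at]
        for d in stale:
            del self._pending[d]
        return len(stale)


def reset_link(base_url: str, token: str) -> str:
    """Build the link that goes in the e-mail; it carries the token, never the password."""
    return f"{base_url}/reset?token={token}"


if __name__ == "__main__":
    clock = [1_700_000_000.0]                      # constructed clock we can advance
    store = ResetTokens(now=lambda: clock[0])
    tok = store.issue("alice")
    print(reset_link("https://example.test", tok))
    print(store.redeem(tok))                       # alice: first use, within 15 minutes
    print(store.redeem(tok))                       # None: already used
    tok = store.issue("alice")
    clock[0] += RESET_TTL_SECONDS + 1
    print(store.redeem(tok))                       # None: expired
```

After a successful `redeem`, the site lets the user choose a new password; a complete implementation would also revoke the user's existing sessions at that point, so that whoever triggered the reset is the only one left logged in.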
Although many sites now require complex passwords, many do not, and millions of us still use very poor ones. Worse, the same poor passwords are shared by millions of people, which makes guessing them easy: an attacker simply tries the most common ones first. There are many lists of the ten most-used passwords; consider this one example of a top ten:
How many reading this post are guilty of using one of the passwords mentioned above? Even executives are not immune, as I learned firsthand many years ago when I was starting out in tech support and executives would give me their passwords so that I could work on their computers to resolve an issue they were having. Executives, like many others, use the name of a wife or child, a birthdate, or one of the examples above.
So what is the solution? There are technology solutions such as tokens and biometrics, although even these are not invincible. Tokens can be compromised, as was the case with RSA's SecurID tokens a few years back, and hackers can steal biometric data and find ways to use it as well. Combinations of methods are generally effective, such as a token plus a password, which combines something you have with something you know. Yet many sites and businesses have not consistently implemented such strong authentication, and one of the blockers is cost. So we continue to live with the problem of passwords.
There is a simpler and more holistic approach, even if not a foolproof one. Instead of requiring complex passwords that are difficult to remember, why not use a sentence, or passphrase? Length does more for strength than character mix: every additional character multiplies the number of candidates a brute-force attacker must try by the size of the character set, so going from 8 characters to 15 or more adds many orders of magnitude to the time and computing power needed to crack it. Two caveats: a phrase that is a famous quote or song lyric will already be in attackers' phrase lists and falls quickly regardless of length, and the figures from online strength meters assume brute force over characters, so they flatter phrases built from a few very common words.
Consider the following examples, tested at a password-strength testing site:
(NOTE: I do *NOT* recommend entering any password you currently use at this site. While I have no reason to believe the site owner has any malicious intent, sharing a real password at a site where it might be collected is not generally a good idea.)
Entering the phrase (all lower case) “thisisapassphrase”, which is 17 characters and certainly not complex, gave an estimate of 8 million years to crack on a desktop PC. Granted, organized crime can harness many computers for far more computing power, yet this is still impressive.
Next, let's try a complex password as many sites define it: upper and lower case plus numerics. I typed in “Pa55w0rd”, which I have seen many times provided by tech support folks when resetting a password. This test resulted in:
Adding a special character to the end improved the situation somewhat when I tested “Pa55w0rd!”.
Adding complexity to our first example by changing it to “Th1s1saPa55phrase” gave some really impressive results: 23 trillion years!
There is not yet a universal solution to our plaguing problem with passwords, yet as with most things in life, simple solutions can be effective. Consider changing the many passwords you use to sentences and phrases that are easy to remember yet difficult to crack, and you will be doing your part to help solve our problem with passwords.
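To show where the "millions of years" figures come from, and where they mislead, here is an added example (not the author's tool, nor the online tester used above) that scores the four passwords tested in this post. It computes the brute-force figure a strength meter reports (character-set size raised to the length) and compares it with the two cheaper attacks a cracker runs first: a list of leaked passwords, and combinations of common words, each with case and "leet" substitution rules applied. The guess rate, list sizes, rule count, word list and blocklist contents, and the 27-character phrase used as a fifth case, are all constructed assumptions chosen to be in a realistic range.

```python
"""Rough password-strength estimates for the passwords tested above.

Added example for this post; it is not the author's tool nor the online
strength tester the post used. It contrasts the usual meter estimate
(brute force over the character classes present) with the cheaper
attacks a cracker actually runs first: a list of leaked passwords, and
combinations of common words, each with case/leet substitution rules.
The guess rate, list sizes, rule count and word/blocklist contents are
constructed assumptions, chosen to be in a realistic range."""
import string
from typing import Optional, Tuple

GUESSES_PER_SECOND = 1e10            # assumed: GPU rig against a fast, unsalted hash
SECONDS_PER_YEAR = 365.25 * 24 * 3600
ASSUMED_BLOCKLIST_SIZE = 10_000      # assumed size of the attacker's leaked-password list
ASSUMED_WORDLIST_SIZE = 20_000       # assumed size of the attacker's common-word list
ASSUMED_MANGLING_RULES = 10_000      # assumed number of case/leet/suffix rules tried per word

# Constructed stand-ins for those lists (real ones are far larger).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "password1", "welcome"}
COMMON_WORDS = {"this", "is", "a", "pass", "phrase", "passphrase", "that", "mine",
                "the", "my", "and", "login"}

# Undo the substitutions crackers apply as rules ("Pa55w0rd" -> "password").
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
                      "@": "a", "$": "s"})


def alphabet_size(pw: str) -> int:
    """Characters per position a brute-force attacker must try, by classes present."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # 32 printable ASCII symbols
    return size


def brute_force_guesses(pw: str) -> float:
    """Guesses to exhaust every string of this length over this alphabet."""
    return float(alphabet_size(pw)) ** len(pw)


def normalize(pw: str) -> Tuple[str, bool]:
    """Lower-case, undo leet, drop non-letters; also report whether any rule was needed."""
    base = "".join(c for c in pw.lower().translate(LEET) if c.isalpha())
    return base, base != pw


def min_words(text: str, words) -> Optional[int]:
    """Fewest list words that concatenate to text (None if it cannot be split)."""
    best = [None] * (len(text) + 1)
    best[0] = 0
    for end in range(1, len(text) + 1):
        for start in range(end):
            if best[start] is not None and text[start:end] in words:
                candidate = best[start] + 1
                if best[end] is None or candidate < best[end]:
                    best[end] = candidate
    return best[len(text)]


def estimate_guesses(pw: str) -> Tuple[float, str]:
    """Expected attacker work under the cheapest strategy that applies, and its name."""
    base, mangled = normalize(pw)
    rules = ASSUMED_MANGLING_RULES if mangled else 1
    candidates = [(brute_force_guesses(pw), "brute force")]
    if pw.lower() in COMMON_PASSWORDS or base in COMMON_PASSWORDS:
        candidates.append((ASSUMED_BLOCKLIST_SIZE * rules, "common-password list"))
    k = min_words(base, COMMON_WORDS) if base else None
    if k:
        candidates.append((float(ASSUMED_WORDLIST_SIZE) ** k * rules, f"{k}-word phrase"))
    return min(candidates)


def years_to_crack(pw: str) -> float:
    """Time at the assumed guess rate under the cheapest applicable attack."""
    guesses, _ = estimate_guesses(pw)
    return guesses / GUESSES_PER_SECOND / SECONDS_PER_YEAR


if __name__ == "__main__":
    for pw in ["Pa55w0rd", "Pa55w0rd!", "thisisapassphrase", "Th1s1saPa55phrase",
               "thisisapassphrasethatismine"]:   # last one: constructed 7-word phrase
        guesses, how = estimate_guesses(pw)
        print(f"{pw:30} {how:22} {years_to_crack(pw):12.3g} years")
```

Under these assumptions “Pa55w0rd” and “Pa55w0rd!” both fall in a hundredth of a second, because the trailing symbol and the digit substitutions are exactly the rules a cracker applies to a leaked-password list; “thisisapassphrase” lasts about half a year rather than millions, since four common words in order are a small search space; the leet version “Th1s1saPa55phrase” lasts thousands of years rather than trillions; and the constructed seven-word phrase, all lower case, outlasts all of them. The lesson matches the post's advice with one refinement: add words, not symbol substitutions.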
– Ted Lloyd, CISM