2/1/2016 Passwords: So Important, Yet So Misused | Passwords
http://www.informit.com/articles/printerfriendly/1338067 1/5
Passwords: So Important, Yet So Misused
By John Traenkenschuh
Date: May 1, 2009
President Obama's Twitter account was compromised because of a simplistic security
failure on the Twitter website. Sarah Palin's Yahoo! account was compromised
because of the growing security interdependence among too many websites.
Microsoft MVP and CISSP‐ISSAP John Traenkenschuh illustrates basic password best
practices, pointing out the new problems that Web 2.0 brings to all of us, not just
important politicians.
Early in 2009, Americans were surprised to discover that several famous Twitter accounts were
compromised, including President Obama's and Britney Spears'. Even more surprising was the simple
trick used to gain access to these accounts: a simple password‐guessing scheme. Like so many other
emerging social networking sites, Twitter failed to provide even the simplest password‐protection
techniques, such as locking an account and resetting the session if multiple incorrect passwords are
entered.
In this article, I'll refresh your knowledge about passwords and show you how to use them better. After
reading this article, you'll know at least a little more about password safety:
What constitutes basic password protections
The mathematics behind password‐guessing schemes—so you can choose more effective passwords
How to apply what you've learned about passwords—and avoid becoming a chump member of some unsecured website
Passwords
We're still discussing passwords in 2009?! A decade ago, I thought by now we'd all be using fingerprints,
digital certificates, or retinal scans of some kind. Instead, we're still primarily using passwords, a secret
combination of keyboard characters that uniquely identifies the user as that specific person. (At least,
that's the theory behind passwords.)
Password‐guessing scripts became common years ago. These scripts would attempt to log in, using a
known ID and a word from a dictionary file as a potential password; tirelessly, patiently trying one word
after another. These scripts could guess any password eventually. As an initial response, people began
substituting punctuation characters for letters. The word "password" became "p@$$w0rd"—because
that's not a dictionary word, right? Soon, vast dictionaries of "script kiddies" passwords were available
for download. As a secondary response, operating system and application vendors began increasing the
length of acceptable passwords. For reasons we'll consider later, the old systems of eight uppercase
characters for passwords were too limiting. Additionally, some vendors decided to implement a system
that would lock the account after too many incorrect guesses, thereby rendering it useless to an
attacker. Is this enough? Well, taken all together, here was the protection system:
Longer passwords
More complex passwords
Account lockup after too many incorrect guesses
These controls made passwords reasonably secure. Initially.
Permutations: Potentially Pleasing Passwords
The mathematics behind possible passwords are called permutations. It had been some time since I had
studied permutations, but reading the "Windows Server 2008 Security Guide" reminded me. It explains
the importance of password length, creating a larger pool of passwords to guess. Let's review the
permutation theory behind passwords.
TIP
If you're interested in network hardening, there's some great information in the Microsoft podcast
"Hardening Windows Server 2008 Deployments with the Windows Server 2008 Security Guide."
We want a password that's very difficult to guess yet reasonably easy to remember. Let's start with a
simplistic password, three letters long (English) and uppercase letters only. Because our password can
repeat letters and combinations, we can express the potential number of passwords as 26 (the number
of letters in the English alphabet) to the third power (26^3). The result, 17,576 passwords, sounds like a
lot of potential passwords, but today's very fast computers can blitz through those combinations in
record time.
But what happens when we add a few letters to our password? Let's continue with those uppercase
letters only, but let's make it a six‐character password. That gives us 308,915,776 potential passwords,
if my Windows calculator gets it right. Doubling the password length increases the number of potential
passwords by a factor of over 17,000! Long passwords clearly are better than short ones.
Of course, those 308,915,776 passwords can be cracked more quickly if you're someone whose
password is slightly guessable. Live in Chicago and use "DaBears" (your favorite football team's popular
nickname) as your password? You're asking for a quick compromise of your account.
Let's improve even more on password length by creating a password consisting of both uppercase and
lowercase letters. That gives us 52 total characters. Even our three‐character password now has
140,608 potential passwords! That increases the potential passwords by a factor of eight, without
struggling to remember more letters. Add some of the eight "$peci@l" characters that some password
systems accept as valid, and now we can use 60 potential characters. With a three‐character password,
this provides us with 216,000 possible passwords. Review this math carefully: Adding eight more
potential characters gives us a little more than 150% as many passwords, even with a three‐character
minimum password. And if we go to an eight‐character minimum and 60 potential characters, we have
a possible 167,961,600,000,000 passwords.
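The keyspace arithmetic above, carried through in code so the figures can be checked and extended to length ranges and to passphrases counted word by word. This is an added example, not the article's own; the guess rate (10^9 per second) and the 10,000-word vocabulary are assumptions.

```python
"""Keyspace arithmetic for the password configurations discussed above.
Added example; the guess rate and vocabulary size are assumed figures."""
import math


def keyspace(alphabet_size: int, length: int) -> int:
    """Passwords of exactly `length` symbols drawn with repetition from an
    alphabet of `alphabet_size` symbols: alphabet_size ** length."""
    return alphabet_size ** length


def keyspace_range(alphabet_size: int, min_len: int, max_len: int) -> int:
    """All lengths from min_len to max_len inclusive. A single-digit maximum
    length caps the space no matter how rich the alphabet is."""
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))


def passphrase_keyspace(word_count: int, vocabulary: int) -> int:
    """A passphrase attacked word by word: vocabulary ** word_count. This is
    the attacker's best case, so it is the honest lower bound for a phrase."""
    return vocabulary ** word_count


def bits(space: int) -> float:
    """Equivalent strength in bits (log2 of the keyspace)."""
    return math.log2(space)


def years_to_exhaust(space: int, guesses_per_second: float = 1e9) -> float:
    """Time to try the whole space; 1e9 guesses/s is an assumed rate."""
    return space / guesses_per_second / (365 * 24 * 3600)


def compare() -> dict:
    """Reproduce the article's figures and add the two longer cases."""
    return {
        "3 upper": keyspace(26, 3),                      # 17,576
        "6 upper": keyspace(26, 6),                      # 308,915,776
        "3 mixed case": keyspace(52, 3),                 # 140,608
        "3 mixed + 8 symbols": keyspace(60, 3),          # 216,000
        "8 mixed + 8 symbols": keyspace(60, 8),          # 167,961,600,000,000
        # 'E3lif&lsk' is 9 symbols from the 60-symbol set
        "E3lif&lsk (brute force)": keyspace(60, 9),
        # 'MoronsCrackPasswordsThatDoNotMatter!' is 6 words; assume the
        # attacker knows the 10,000-word vocabulary and the trailing '!'
        "6-word passphrase (word attack)": passphrase_keyspace(6, 10_000),
    }


if __name__ == "__main__":
    for label, space in compare().items():
        print(f"{label:32s} {space:>26,d} {bits(space):6.1f} bits"
              f" {years_to_exhaust(space):10.3g} years at 1e9/s")
```

Even under the word-level attack the six-word passphrase (about 80 bits) is far larger than the nine-symbol "E3lif&lsk" under brute force (about 53 bits), which is the article's point about passphrases in numbers.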
So what can we conclude? Choosing short, predictable, and simplistic‐character passwords is bad. With
just a little work, adding in some special characters and creating a longer password, we can make the
hacker's job much more difficult. Avoiding predictable values (your town's favorite sports team, for
example) can make the password even more difficult to crack.
In fact, you can e‐x‐p‐a‐n‐d your passwords by creating and using passphrases. Let's face it, "E3lif&lsk"
can be a bit difficult to remember. Now consider this passphrase, which is acceptable on many modern
operating systems: "MoronsCrackPasswordsThatDoNotMatter!" Sure, that's a lot of typing, but it will
survive a few brute‐force attacks. Under most multiuser attacks, your account will stand long enough to
convince the attacker to focus on the administrator's account—the one using "happiness" as its
password. (This was the password the Twitter administrator used. This simple password and the lack of
account lockup helped the hacker. A lot.)
Now that we have a world full of websites that implement security inconsistently, we all need to review
site security carefully. You don't want to become (or remain) a member of a site that has lousy security
policies. If you use the same or similar passwords on all websites, the website with the poorest
password abilities will force you to have a lowest‐common‐denominator password, significantly
weakening your security across the Internet.
Even keeping different passwords can have its issues, though. If you have an email account on a system
with poor password abilities, that still weakens your security a great deal. How? Many websites send
password‐reset email to your email account. So if your email can be compromised, that email account
could be used to receive password reset notices—ironically, for those accounts that have stronger
password policies. A weak password scheme trumps stronger schemes every time.
Potential Password Problems: Signs That It's Time to Move On
Before joining or remaining with an Internet site, review its password security practices and abilities.
Is the password sent over an encrypted connection? It does you little good to create an
unguessable password if it will be sent across the Internet unencrypted. Find out whether
encryption is used with the application.
What is the password's minimum and maximum length? Beware of websites and applications
that don't insist on a minimum length, or that declare a maximum password length in the single
digits.
What characters does the site support? Is the password limited to uppercase or lowercase? Are
punctuation characters allowed in the password? If not, these limitations may corral you into
using passwords that are more guessable than you intend.
Are the password‐reset challenge questions predictable or easily researched? Once the
challenge answers are guessed, what can the attacker do? Vice‐presidential candidate Sarah
Palin's Yahoo! account was cracked because the hacker simply learned all he could about her.
Thus, he was able to answer all of her challenge questions and then take control of her account.
CAUTION
Consider carefully whether you should share so much of "you" with the entire Internet. In
the old days, hackers were good at asking you to take surveys that would ask your children's
names, favorite sports teams, and so on. Why? These were likely passwords. As you go
online (and reveal every detail in your life), you allow people to guess your challenge‐question
answers (or at least claim to be you when talking to Help Desk staff half a world away).
What was the color of your favorite car—and why was it red? (Many people prefer red as a
vehicle color. Some answers to questions are pretty easy to guess.)
Is the account locked if too many incorrect responses are given? Beware of assuming that this
feature is implemented and that it will work. Many systems cannot implement a persistent
counter, so hacker tools take two tries at your password and then skip to another account. When
the tool returns to hacking your ID and password, will the system "remember" the past two
incorrect guesses?
What are the password‐reset mechanics? Is the password reset sent to an email account with
lousy password policies? In today's dispersed web world, even account lockup is not the panacea
it once was.
Is the account lockup permanent or temporary? I've got good news and bad news for you. Good
news: Your account is locked. Bad news: The lockout resets automatically after 20 seconds—
enough time for the script to work on three other accounts before trying your account again.
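A simulation of the two lockout weaknesses the checklist describes (a failure counter that does not persist across sessions, and a lockout that auto-resets after 20 seconds) beside a per-account counter whose lockout doubles on each trip. This is an added example, not from the article; the attempt log, class names, thresholds and timings are constructed.

```python
"""Two lockout policies run over the same constructed login-attempt log.
Added example; class names, thresholds, timings and the log are constructed."""
from dataclasses import dataclass, field

@dataclass
class NaiveLockout:
    """Failure counter keyed by login session; fixed 20-second unlock."""
    threshold: int = 3
    unlock_after: float = 20.0
    _fails: dict = field(default_factory=dict)         # (account, session) -> n
    _locked_until: dict = field(default_factory=dict)  # account -> unlock time

    def attempt(self, account, session, now, correct):
        if self._locked_until.get(account, 0.0) > now:
            return "locked"
        if correct:
            return "ok"
        key = (account, session)
        self._fails[key] = self._fails.get(key, 0) + 1
        if self._fails[key] >= self.threshold:
            self._locked_until[account] = now + self.unlock_after
            return "locked"
        return "denied"

@dataclass
class PersistentLockout:
    """Per-account counter stored server-side; each trip doubles the lockout
    instead of resetting it, so slow or rotating guessing still adds up."""
    threshold: int = 3
    base_lockout: float = 900.0                        # 15 minutes
    _fails: dict = field(default_factory=dict)         # account -> n
    _trips: dict = field(default_factory=dict)         # account -> lockouts
    _locked_until: dict = field(default_factory=dict)

    def attempt(self, account, session, now, correct):
        if self._locked_until.get(account, 0.0) > now:
            return "locked"
        if correct:
            self._fails[account] = 0
            return "ok"
        self._fails[account] = self._fails.get(account, 0) + 1
        if self._fails[account] >= self.threshold:
            trips = self._trips.get(account, 0)
            self._locked_until[account] = now + self.base_lockout * 2 ** trips
            self._trips[account] = trips + 1
            self._fails[account] = 0
            return "locked"
        return "denied"

# Constructed log: (seconds, account, session, password correct?). Two wrong
# guesses per account, move on, return later in a fresh session.
ATTEMPTS = [(0, "alice", "s1", False), (1, "alice", "s1", False),
            (2, "bob", "s2", False), (3, "bob", "s2", False),
            (30, "alice", "s3", False), (31, "alice", "s3", False),
            (32, "bob", "s4", False), (33, "bob", "s4", False),
            (60, "alice", "s5", False), (61, "alice", "s5", False)]

def run(policy) -> list:
    """Outcome of every logged attempt under one policy."""
    return [policy.attempt(a, s, t, ok) for t, a, s, ok in ATTEMPTS]
```

Under NaiveLockout every attempt comes back "denied" and no account ever locks, because no single session reaches three failures; under PersistentLockout both accounts lock on their third wrong guess and stay locked for the rest of the log.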
Discouraged? You Should Be.
Despite all the functionality websites now offer, we're still compelled to use passwords. Passwords
are very easy to break or guess, because people choose simplistic values. Even those applications with
account lockup features often create breakable backdoors with ineffective challenge questions or
cheesy temporary timeouts. In response, the best you can do is this:
Use complex passphrases whenever possible.
Ensure that password‐reset functionalities are lined up to use your email account with the best,
most secure password policies.
© 2016 Pearson Education, Informit. All rights reserved.