Any password can be cracked, given enough time. All you’re doing when you choose a nice strong password – 20 characters, say, with upper- and lowercase, numerals and symbols – is slow down would-be attackers. Make it complex enough and it might take them an aeon or two to crack it. Even if they’re the NSA.
That’s assuming, of course, that some dipshit website doesn’t store your account password in plain text in its database, which is then purloined by Anonymous because, being a dipshit website, it’s vulnerable to attack by script kiddies armed with SQL injection tools.
But that aside…
Strong passwords are to be recommended. But what does ‘strong’ mean? We all know that ‘password’ is a crappy password, apart from those idiots who think they’re being ironic by using it. RIM thinks it’s such a crappy password that it’s now banned its use for Blackberry IDs, along with 105 other too-easy-to-guess words.
Well, it’s a start, but I can think of a lot more than 106 bad choices. Any hacker’s dictionary file will contain many thousands of words that should never be used to secure an account. But maybe RIM doesn’t want to frustrate its users too much when they’re trying to come up with an easy-to-remember word that the system will allow.
Indeed, perhaps RIM thinks it’s better if an attacker has to spend five minutes, rather than two, brute-forcing an account. Banning just 106 words feels like PR, or security theatre, more than actual security. It gives the impression that something is being done rather than actually achieving any measurable increase in protection.
The trouble is there seems to be little in the way of agreement when it comes to what constitutes a strong password. Prof Steven Furnell wrote a fascinating article for Computer Fraud & Security (‘Assessing password guidance and enforcement on leading websites’) in which, among other things, he analysed those handy little strength meters that some sites provide when you create a password. You’ve seen them – they’ll tell you if your password is ‘strong’ or ‘weak’. But what criteria do they use to decide this?
Furnell found massive inconsistencies between sites – some would judge a password like ‘plokmonk’ or ‘77889912’ as weak because they consist of only one type of character, while others considered them strong because they’re eight characters long (and perhaps because they don’t appear in any dictionary). Individual sites were also inconsistent between initial sign-up and password changing mechanisms. There were sites, too, that would change their ratings from weak to strong just because you add ‘1’ to the end of the word.
And there’s another problem. Not only is there no real standard, our judgment of what is strong needs to be continuously re-assessed. A ‘strong’ password is one that is unlikely to appear in dictionary files (lists of commonly used passwords that attackers use to automate password-guessing) and rainbow tables (lists of pre-computed encrypted or ‘hashed’ passwords – if you need these you’ll know what they’re for) and is also long enough and complicated enough that it won’t succumb to brute forcing, where the attacker runs through all possible combinations of characters.
Brute forcing takes a lot of processing power. The more power you have, the faster you can run through the combinations. It used to be believed that an eight-character password would require so many attempts that attackers wouldn’t have the computer firepower at their disposal to achieve reliable results in a reasonable timeframe.
That’s all changed, for two reasons. First, the algorithms for mounting such attacks keep getting smarter. Researchers have repeatedly reduced the effort needed to attack SHA-1 hashes, for example, with Jens Steube having just shaved another 21% off the time taken. Second, the hardware keeps getting cheaper. Some researchers have taken to using cloud-based computing facilities to effectively create cheap supercomputers for rapid brute forcing. And graphics cards (GPUs) now frequently provide the horsepower needed to crack passwords, as Jeremi Gosney most recently demonstrated. His cluster of just 14 GPUs was able to try 180 billion MD5 hashes a second (as if you needed any more confirmation that MD5 should be left to die).
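To make the inconsistency concrete, here is an added example (my own code, not from the article or from Furnell’s paper) that puts three toy strength meters side by side: one that rates on length alone, one that rates on the number of character classes, and one that checks a dictionary and then estimates how long an exhaustive search would take at the 180 billion guesses per second quoted above. The character-class sizes, the one-year threshold and the five-word dictionary are my assumptions for the demo; the time estimate is a worst-case upper bound, since a real attacker orders guesses by likelihood rather than exhausting the keyspace.

```python
"""Three password 'strength meters' side by side (added example, not the
post's own code). Shows why length-only and class-only rules disagree with
each other and with an estimate of actual brute-force time.
"""
import string

# Guess rate quoted in the post for a 14-GPU MD5 cluster (guesses/second).
GPU_MD5_RATE = 180e9

SECONDS_PER_YEAR = 365 * 24 * 3600  # assumed 'strong' threshold for meter 3

# Constructed, deliberately tiny stand-in for an attacker's dictionary file.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome"}

# Character classes and the size of each; used to infer the search space an
# exhaustive attacker would have to cover for a given password (assumed sizes).
CLASS_SIZES = {
    "lower": (string.ascii_lowercase, 26),
    "upper": (string.ascii_uppercase, 26),
    "digit": (string.digits, 10),
    "symbol": (string.punctuation, len(string.punctuation)),  # 32 symbols
}


def classes_used(pw):
    """Return the set of character-class names present in pw."""
    return {name for name, (chars, _) in CLASS_SIZES.items()
            if any(c in chars for c in pw)}


def alphabet_size(pw):
    """Size of the smallest class-based alphabet covering every character."""
    return sum(CLASS_SIZES[name][1] for name in classes_used(pw))


def brute_force_seconds(pw, rate=GPU_MD5_RATE):
    """Worst-case seconds to exhaust the inferred keyspace at `rate` guesses/s.

    Upper bound only: attackers try likely guesses first, so a typical
    password falls long before the whole keyspace is covered.
    """
    if not pw:
        return 0.0
    return alphabet_size(pw) ** len(pw) / rate


def length_meter(pw):
    """Meter 1: 'eight characters is strong', like some sites in the study."""
    return "strong" if len(pw) >= 8 else "weak"


def class_meter(pw):
    """Meter 2: one character class is weak, two or more is strong.

    Appending '1' to an all-letter word flips this meter from weak to
    strong, which is exactly the behaviour the article complains about.
    """
    return "strong" if len(classes_used(pw)) >= 2 else "weak"


def informed_meter(pw, dictionary=COMMON_PASSWORDS, rate=GPU_MD5_RATE):
    """Meter 3: dictionary check, then estimated crack time at `rate`.

    A dictionary word, with or without trailing digits, is weak whatever its
    length; anything else is strong only if exhausting its keyspace would
    take at least a year at the given guess rate.
    """
    base = pw.lower().rstrip(string.digits)
    if base in dictionary or pw.lower() in dictionary:
        return "weak"
    return "strong" if brute_force_seconds(pw, rate) >= SECONDS_PER_YEAR else "weak"


def compare(pw):
    """All three ratings plus the worst-case crack-time estimate."""
    return {
        "password": pw,
        "length_meter": length_meter(pw),
        "class_meter": class_meter(pw),
        "informed_meter": informed_meter(pw),
        "worst_case_seconds": brute_force_seconds(pw),
    }


if __name__ == "__main__":
    # The two examples from the article plus a few constructed ones.
    for pw in ["plokmonk", "plokmonk1", "77889912", "password1",
               "c0rrect-Horse!Battery9"]:
        r = compare(pw)
        print(f"{pw:24} length={r['length_meter']:6} class={r['class_meter']:6} "
              f"informed={r['informed_meter']:6} "
              f"worst-case={r['worst_case_seconds']:.3g}s")
```

Running it shows the point of the article in numbers: ‘77889912’ is ‘strong’ to the length meter yet would fall in well under a millisecond; ‘plokmonk1’ flips the class meter to ‘strong’ while only pushing the worst-case search from about a second to about nine minutes; and a dictionary word with a digit bolted on is weak to the informed meter no matter how long it is.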
The password is a crude and badly used form of security (although it’s often all we’ve got). Even if you think your passwords are good, it would be a mistake to become complacent. Technology will simply overtake you.
Footnote: Forgot to add earlier…
Note to Samsung: Yes, ‘s!a@m#n$p%c’ might be considered a reasonably secure password in some circumstances. But using it as an SNMP community string, hardcoded in your printer firmware, is not secure. FFS.