Skip to content
A person entering their username and password on a laptop.

Passwords Passwords Passwords

World Password Day has been and gone (apparently) but passwords are here to stay, for a while longer at least. There is so much information out there about password security.

Contents

World Password Day has been and gone (apparently) but passwords are here to stay, for a while longer at least. There is so much information out there about password security but how do passwords actually get cracked and what can we do about it to help ensure that our credentials are kept secure?

Password Cracking

At some point everyone on LinkedIn has seen a table like this:


Source

These tables show up from time to time and are fairly widely shared, we’re sure you’ve seen something similar many times. Based on the table a 9 character password with numbers, uppercase and lowercase characters would take 153 days to crack.

If we take the example ‘Password1’, it meets complexity requirements, has a mixture of uppercase, lowercase and numerical characters but quite clearly this is a terrible password and you shouldn’t use it!

So how does password cracking actually work?

These tables that float around from time to time aren’t necessarily wrong (aside from the slightly dubious timings) but they are incomplete, the problem is that they only tell part of the story.

The tables are only focused on a sub-set of password cracking known as a ‘brute force’ attack; this kind of password cracking technique is what most people think of when anyone talks about password cracking, essentially the idea is to just try every single combination until eventually you find the right one.

  • A B C … AA AB
  • AC
  • … AAA AAB
  • etc.

It’s fairly easy to visualise how adding in extra character sets such as uppercase, lowercase, numbers and symbols can make this style of attack much slower.

The more characters there are in the set, the longer it takes to iterate through each one, if an attacker has to try every single uppercase character & every single lowercase character it will theoretically take twice as long to find the password, for this reason it’s a good idea to use multiple character sets (lower, upper, numbers, symbols).

The problem is that this isn’t how password cracking works, not usually anyway.

The Problem

Fundamentally passwords are a tricky business, in order to be useful they must be memorable but memorable passwords are typically easier to guess and generally would not meet the complexity requirements that almost all organisations enforce.

This has the effect of pushing many people down a similar route.

Start with a memorable thing:

Family member’s name, favourite sports team/athlete, favourite animal etc.

Lets take an example of: wookie (the big hairy guys from Star Wars)

In order to meet the complexity requirements that word is then usually ‘mangled’ in some way.

In order to meet the character set requirements, we’ll need to add at least 1 capital letter, 1 number and 1 symbol.

Often this ends up looking something like this:

  • Wookie1!
  • Wookie123!!!
  • Wookie0?
  • etc.

Alternatively, letters may be switched out for numbers or symbols like this:

Wook13 W00k!3

etc.

A huge number of passwords are derived using a process similar to this so if this seems alarmingly familiar, you’re far from alone!

If we take one of these examples, Wookie1!, we have all 4 character sets and 8 characters total so based on our table this seems like a pretty secure password.

As previously mentioned however there are a number of different ways to crack a password, one of the most common methods is to use a wordlist, generally a list of common passwords is a good place to start.

One of the most commonly used password lists is Rockyou.txt, named after a development company (called RockYou) that created widgets for various social media platforms such as MySpace and Facebook whose entire database was stolen some time in 2009. To make matters worse the entire database was stored in plaintext meaning that every single user’s password was visible.

Rockyou contains approximately 14 million unique passwords belonging to approximately 32 million users.

This statistic is also quite telling in that on average each password was used by nearly 3 people, in reality there were many people using the same few passwords and a small number of outliers with unique, secure passwords.

Wikipedia even has a list of the most common 10,000 passwords.

These lists can then be manipulated using ‘rules’ which essentially mangle the input in similar ways to what was already discussed (changing letters to numbers/symbols) etc.

What Can We Do?

So how do we create secure passwords?

In an ideal world passwords would be long strings of completely random characters, however these are virtually impossible to remember.

Password Managers

The good news is that password managers are literally designed for this, using a password manager is generally considered to be a good idea.

There is a caveat here, if there is a weakness in the password manager, or if the ‘master password’ is compromised there is a single point of failure.

All things considered, password managers are generally considered to be a good thing.

MFA

Multi-Factor Authentication typically works using the principal of ‘something you know and something you have’.

In most cases the thing you know is your password and the thing you have is usually a mobile phone, by sending a notification or SMS to the phone we can be sure that you ‘have’ the device that has been pre-registered.

Making Secure Passwords

There are situations however when neither of these options is available so it is still important to create strong passwords, here’s a list of things that can be useful to remember:

  • In most cases a [space] counts as a symbol, this means that a phrase can be used rather than just a single word, this is generally a lot harder to crack due to the length.
  • Avoid dictionary words where possible
  • Avoid proper nouns (names, brands etc) where possible
  • Break up ‘real’ words in ways that are memorable

As a rough idea of what we mean, the password below is far more secure than the previous examples and is likely to be just as memorable: “Wookookies ARE h41ry!?”

  • Wookookies – not a real word but is still easily memorable because it sounds funny
  • Use of multiple special characters throughout ([space], !, ?)
  • Use of uppercase, lower case and numbers
  • Long

To be clear, please do not use this password, it’s just an example. Any password that is not a secret is no longer secure and shouldn’t be used.

Takeaways

  • Use MFA where possible
  • Use a password manager where possible
  • Check to see if accounts have been compromised (https://haveibeenpwned.com)
  • A secure password is only ‘secure’ if you keep it that way, if any password is compromised it’s no longer any good (even if you really like that password)
  • Use non-dictionary ‘words’ that are unique

Recent posts

What is Non-Perfect Cybersecurity? Why is Perfect Cybersecurity so Difficult to Achieve?

Read more

Automated vs. Manual Penetration Testing: A Comprehensive Guide

Read more

Penetration Testing: A Comprehensive Guide

Read more

Network Penetration Testing: A Comprehensive Guide

Read more