Security Check by Wes Dunn
Apr 23, 2018

Password Best Practices: What Makes a Password Strong?

Passwords are everywhere…

Passwords are something nearly all of us use on a daily basis. Whether we’re logging into our computers, email accounts, social media accounts, or bank accounts, passwords are used to “secure” our online lives and those of the companies we work for or run. I feel safe in saying that passwords aren’t exactly the MOST secure way to protect these assets, but replacing passwords with some other method of authentication (biometrics, for example) is pretty far off from being widely accepted and used. So, given this reality, it’s vital to the security interests of our businesses and of ourselves that we choose strong passwords whenever possible.

In this post, I will discuss the idea of “password strength”: what it means, how it differs from complexity, how password strength applies to security, and what you can do to make your passwords stronger and easier to manage.

Password strength vs. password complexity

Let’s start by talking about a couple of scenarios in which you have likely found yourself:

You sign up for an online account or change your password on an account where the password change form gave you some manner of feedback in terms of strength. Usually this is done by a line or dot that changes from red (weak) to yellow (decent, so-so, ok) to green (strong).

You sign up for an online account or change your password on an account where a certain amount of complexity is required for a password to be accepted: minimum length, maximum length, special characters, capital letters, numbers, etc.

So, when it comes to creating passwords, what do these terms, strength and complexity, actually mean? There certainly is some overlap between the two ideas: a password like P@ssw0rd might meet the complexity requirements listed above, but it certainly isn’t strong.
You might be asking yourself, “Why isn’t that a strong password? Didn’t it meet complexity requirements?” The short answer is that while P@ssw0rd meets some arbitrary complexity requirements, it isn’t a strong password because it’s easy to guess, even with two of the letters replaced with a special character and a number, respectively. The password features predictable substitutions, which is the beginning of why it’s not a strong password. This would be a very bad thing for you if a malicious actor were to try to gain access to one of your accounts: a password like this would definitely be tried early in any attempt to get in.

To better demonstrate the idea of password strength, I’ll use an example from Gibson Research Corporation’s “Password Haystack” tool. Which of the following two passwords is stronger, more secure, and more difficult to crack?

D0g.....................
PrXyc.N(n4k77#L!eVdAfp9

It’s a trick question: the first password is actually the stronger one, even though it contains a simple, common word like ‘dog’ and uses predictable substitution. I believe this example serves as a great demonstration of how password strength differs from password complexity. To paraphrase the answer given on their site, the first password is stronger for a couple of reasons: 1) it employs “padding” (that’s all of those periods at the end), and 2) it’s one character longer than the second. If you’re curious as to how they came to this conclusion, it’s due to the idea of a password’s “search space,” or the number of different passwords that can be formed from a given character set up to a given length. This number of combinations stands in for the number of “attempts” an attacker would have to make in order to crack that password; the more attempts needed, the better.
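The search-space arithmetic behind the Haystack answer, as an added example that is not part of the original post and not GRC’s or Dropbox’s code: it counts the 95 printable ASCII characters in the same four classes the Haystack page uses, sums every candidate up to the password’s length, and divides by a guess rate to get a worst-case time to exhaust the space. The two Haystack passwords above are included (the padded one is built as “D0g” plus 21 periods so that it is 24 characters, one longer than the 23-character random one), along with the 8- and 16-character random passwords and the 10 thousand guesses per second figure from the attack section later in this post; the second, faster guess rate is an assumed value.

```python
import string

# Character classes counted the way the Haystack calculator does:
# 26 lower + 26 upper + 10 digits + 33 symbols (ASCII punctuation plus space) = 95.
CLASSES = {
    "lower": frozenset(string.ascii_lowercase),
    "upper": frozenset(string.ascii_uppercase),
    "digit": frozenset(string.digits),
    "symbol": frozenset(string.punctuation + " "),
}

# Guess rates are constructed for this demo: the 10 thousand/s figure the post
# uses, plus an assumed much faster offline rate to show how length scales.
GUESS_RATES = {
    "10 thousand guesses/s (figure used in the post)": 10_000,
    "100 billion guesses/s (assumed offline rate)": 100_000_000_000,
}

# The two Haystack passwords from the post; the first is built as "D0g" + 21 dots
# so its length is 24, one more than the second (23), as the post states.
PADDED = "D0g" + "." * 21
RANDOM_23 = "PrXyc.N(n4k77#L!eVdAfp9"


def alphabet_size(password: str) -> int:
    """Size of the alphabet an attacker must sweep: the union of every class the password touches."""
    return sum(len(chars) for chars in CLASSES.values() if any(c in chars for c in password))


def search_space(password: str) -> int:
    """Number of candidates of length 1..len(password) drawn from that alphabet (sum of a**k)."""
    a = alphabet_size(password)
    return sum(a ** k for k in range(1, len(password) + 1))


def seconds_to_exhaust(password: str, guesses_per_second: int) -> float:
    """Worst case for the attacker: time to try every candidate in the search space."""
    return search_space(password) / guesses_per_second


def describe(seconds: float) -> str:
    """Render a duration in the largest unit that keeps it readable."""
    minute, hour, day, year = 60.0, 3600.0, 86400.0, 365.25 * 86400.0
    for limit, unit, div in ((minute, "seconds", 1.0), (hour, "minutes", minute),
                             (day, "hours", hour), (year, "days", day)):
        if seconds < limit:
            return f"{seconds / div:.1f} {unit}"
    return f"{seconds / year:.3g} years"


def report(passwords):
    """Print alphabet, search space and exhaustion time for each password at each guess rate."""
    for pw in passwords:
        print(f"{pw!r}: {len(pw)} chars, alphabet {alphabet_size(pw)}, "
              f"search space {search_space(pw):.3g}")
        for label, rate in GUESS_RATES.items():
            print(f"    {describe(seconds_to_exhaust(pw, rate))} at {label}")


if __name__ == "__main__":
    # The two Haystack passwords, the post's 8- and 16-character random passwords, and P@ssw0rd.
    report([PADDED, RANDOM_23, "2xI5#%fX", "t16qq*T4u*#^WtEg", "P@ssw0rd"])
```

Two things to notice when you run it. The padded password’s search space is about 95 times the random one’s, purely because it is one character longer and touches all four classes; every extra character multiplies the space by the alphabet size, which is why doubling from 8 to 16 characters adds roughly fifteen orders of magnitude. And the calculator is an upper bound only: it gives P@ssw0rd a large number too, even though any dictionary-based attack finds it almost immediately, which is the exact distinction between search space and guessability the post is making. zxcvbn models the order in which likely guesses are tried rather than an exhaustive sweep, so its estimates for the same passwords are much smaller.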
It’s important to note (as the Haystack tool points out) that the padding in the example isn’t great: it’s repetitive and sits only at the end of the password. In theory the first password is more secure, but if this type of padding were to become common, it’s likely that attackers would include these variations in the dictionaries (lists of common passwords) they use when attempting to crack a password.

Strength is not a black & white issue

The example above is largely theoretical and doesn’t account for how things actually play out in the real world. When it comes to passwords and how secure they can be, there are some things that we can control and others we cannot. Let’s start by exploring the things you cannot control.

What you cannot control

1. How online services store their users’ passwords

When you sign up for an account with some online service, they likely will not tell you how they are storing your account’s password, and even if they did, you aren’t going to be able to change how they do it. Hopefully, every online service to which you subscribe uses a secure password hashing algorithm to obscure your password before they store it. There are many different approaches to hashing passwords, some more secure than others; an important difference between algorithms is how fast or slow they are. Ideally, your password is hashed using a strong, slow algorithm, because if it takes longer for a server to verify whether a given password is correct, an attacker is constrained in the number of attempts per second or per minute they can make. This difference in speed is another reason why having a strong password is so important: if you take the time to generate a strong password (long, difficult to guess), it will take much longer for an attacker to correctly guess your password.
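To see why the speed of the hashing algorithm matters, here is an added example (not the post’s code and not how any particular service stores passwords) that stores the same password two ways using only Python’s standard library: a single round of SHA-256 standing in for a fast scheme, and PBKDF2-HMAC-SHA256 standing in for a deliberately slow one. Both are salted so two users with the same password get different records, and a small timing loop measures how many wrong guesses per second each scheme lets a verifier (and therefore an attacker with a copy of the database) try. The iteration count is an assumed value for the demo.

```python
import hashlib
import hmac
import os
import time

# Iteration count for the slow scheme; an assumed value for this demo, tuned to hardware in practice.
SLOW_ROUNDS = 100_000


def fast_hash(password: str, salt: bytes) -> bytes:
    """One round of SHA-256: cheap to compute, so cheap for an attacker to try guesses against."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def slow_hash(password: str, salt: bytes, rounds: int = SLOW_ROUNDS) -> bytes:
    """PBKDF2-HMAC-SHA256: the iteration count makes every single guess cost real CPU time."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)


def store(password: str, slow: bool = True) -> dict:
    """What a service keeps instead of the password: a random salt plus the salted digest."""
    salt = os.urandom(16)
    digest = (slow_hash if slow else fast_hash)(password, salt)
    return {"salt": salt, "digest": digest, "slow": slow}


def verify(record: dict, candidate: str) -> bool:
    """Recompute the digest for the candidate and compare in constant time."""
    h = slow_hash if record["slow"] else fast_hash
    return hmac.compare_digest(h(candidate, record["salt"]), record["digest"])


def guesses_per_second(record: dict, sample: int) -> float:
    """Time `sample` wrong guesses against the record; this is the attacker's per-core rate."""
    start = time.perf_counter()
    for i in range(sample):
        verify(record, f"wrong-guess-{i}")   # constructed wrong candidates
    return sample / (time.perf_counter() - start)


if __name__ == "__main__":
    sample_password = "correct horse battery staple"   # constructed sample password
    for label, record, sample in (("SHA-256 once", store(sample_password, slow=False), 20_000),
                                  ("PBKDF2 100k", store(sample_password), 5)):
        rate = guesses_per_second(record, sample)
        print(f"{label:13} {rate:>14,.0f} guesses/s on this machine")
```

On ordinary hardware the fast scheme allows hundreds of thousands of guesses per second from a single Python loop, while the slow one allows a few dozen, a gap of several orders of magnitude that an attacker holding a leaked database has to pay for every candidate. Length then compounds with that cost: the longer the password, the more of those expensive guesses are needed.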
Unfortunately, some online services don’t hash passwords at all, which means they are stored in plain text that can be read by anyone with access to the database where user information is stored. This leaves your password completely exposed if a malicious actor were able to obtain the contents of a service’s password store.

2. How an attack is executed

In the last point I made some references to how an attack (something you cannot control) affects how secure a password can be. I won’t dig into exhaustive detail, but suffice it to say that there are myriad tools, strategies, and hardware that can be employed in an attack. If an attacker is able to make 10 thousand attempts per second, there is an extremely high likelihood that a short but complex password will be cracked in a reasonable amount of time.

For example: I used a random password generator to generate this 8-character password: 2xI5#%fX. According to a password strength estimation library created by Dropbox (zxcvbn), this would be cracked in about 3 hours if an attacker were able to make 10 thousand guesses per second. If I double the length of the password to 16 characters (t16qq*T4u*#^WtEg), it’s estimated that it would take over 100 years to crack the password at 10 thousand attempts per second. 10 thousand attempts per second may seem like a lot, but if we’re talking about an offline device, like your laptop, it becomes quite possible for an attacker with the right means. I hope this example illustrates just how crucial a role strong passwords play when it comes to security. Below, I’ve included a link to a tool you can use to test your password strength using zxcvbn; feel free to try it out!

What you can control

Now that you’ve seen a number of things you cannot control when it comes to passwords, let’s explore the things you can do to mitigate your exposure to them.

1. How passwords are generated and stored

A good password manager will store passwords in an encrypted state and will use a strong, secure algorithm to generate passwords for you. The combination of these two things is the simplest step you can take to improve your overall password strength and security. For example, our password manager, Team Password, offers a password generation tool with options to specify password length and character sets. This makes it easy to generate and save secure passwords for any service you use. Additionally, Team Password encrypts all passwords with a “master key” (that you set) before sending them to its servers, so no one is able to read them unless they have your master key.

2. How passwords are shared within your business

One common, and insecure, practice that I’ve seen companies employ is to keep a spreadsheet of passwords to company services that is shared with everyone in the company. This is dangerous for a number of reasons, chiefly that it doesn’t allow for any granularity in who in the company is able to see or use each password. This is another area where a password manager is a desirable option, as it can provide important access controls over company account passwords.

3. Don’t reuse passwords across accounts

Because there are things we cannot control, it’s important to limit the impact of a password being leaked or stolen. The best way to mitigate this possibility is to use a unique password for every service that requires one. By never reusing a password, you limit the scope of impact that a single stolen password could have on your business. In many cases, when a large group of passwords is stolen, they are leaked or sold online, and you can guarantee that some attackers will take that information and try it on more services than the one from which the passwords were stolen.

4. Use two-factor authentication wherever possible

These services require a user to enter a second piece of information to identify themselves; most often this is a series of numbers that changes every minute or so. Not all services offer this, but it should be employed wherever possible.

What to take away

While we’ve barely scratched the surface of all the possible topics we could cover when it comes to just passwords, I hope I’ve demonstrated the importance of passwords in our daily lives and how easily we can improve our security just by knowing what a secure password is and how to generate one. I don’t believe there is any one right way to generate a password, but I would strongly suggest the use of a password manager. Our Team Password product offers a 14 day free trial, so if you aren’t already using a password manager, I hope you’ll give one a try. Even if you don’t use a password manager, you’ve seen how password padding can allow you to generate memorable and secure passwords.

Resources used in this blog:

https://github.com/dropbox/zxcvbn - Dropbox’s open source password strength estimation library.
https://lowe.github.io/tryzxcvbn/ - A simple, interactive way to test the zxcvbn library.
https://www.grc.com/haystack.htm - Gibson Research Corp’s “search space calculator,” which offers a similar tool to tryzxcvbn but with more context around what makes a password difficult to crack.