Last year, a password management service released a list of the 10 most common passwords. For the fifth year in a row, the two most popular were “123456” and “password.”
It’s impossible to exist in modern society without several dozen passwords. Whether you’re logging into your computer, an email account, a bank, or Neopets, you have to follow a strict set of guidelines while creating your passcode. Well, the man who invented those guidelines now regrets his life’s work, but the rules remain in place. Our passwords are difficult for humans to remember but easy for computers to guess. We’ve been doing passwords wrong for twenty years, but that may be about to change. Let’s explore.
In 2003 a man named Bill Burr, no, not that Bill Burr, wrote an eight-page guide for the National Institute of Standards and Technology about creating secure passwords. NIST adopted Burr’s stance and began recommending the standards for all internet and cyber-security companies. However, looking back on it recently, Burr admitted that he regrets much of what he wrote in this document. His set of guidelines was based on a white paper from the 1980s, before the internet and cyber-security had reached today’s widespread prevalence.
So, what are these guidelines? Odds are you’re already familiar. Burr suggested that all passwords include at least eight to twelve characters, a capital and lower case letter, a number, and a symbol. He also recommended that users change passwords every 90 days to ensure security. In the end, these guidelines seemed to overcomplicate things, making it difficult for humans to remember passwords but relatively easy for computers to guess. Throw in the rule about continually changing your passwords, and it became almost impossible for anyone to keep it all in order.
But why are these passwords so important? The answer is simple. We use passwords to protect our most sensitive information, so there’s a lot of value for hackers in stealing that information to either use it themselves or sell it to somebody else.
Unfortunately, security breaches are quite common at all sorts of internet-based companies. That means a large share of people have already had their account login details stolen without knowing it. Of course, it might not seem like a huge deal if your Target.com login details were stolen, but if you’re anything like the average person, then you use the same email and password combo for most of your logins. And even if your password is slightly different from site to site, that won’t make much of a difference in deterring hackers.
There are three key ways that hackers can beat a password. The first is called brute force. Put simply, brute force hacking is when a cyber-criminal creates some sort of AI password guesser. The program runs through a string of the most obvious passwords, gradually becoming more complex. It uses any data it can find about you online, whether from your Facebook profile or from other hacked databases. In 2012 a hacker revealed that he had built a brute force program that could guess any 8-character password in less than six hours by making 350 billion guesses per second. Nowadays, security experts claim those programs can guess closer to 1 trillion times per second.
Next is the dictionary attack. While brute force is geared towards random chunks of numbers, letters, and symbols, dictionary attacks work by guessing words. Most people use familiar, everyday words in their passwords, and even a string of two or three words will usually include a standard sequence or phrase. Modern hackers have no difficulty finding the correct combination. Their AI programs don’t just memorize dictionaries; they also read through novels, textbooks, and movie scripts to find popular combinations of words.
The last kind of attack is called phishing, which is where cyber-criminals imitate websites to trick unsuspecting users into revealing their passwords. Unfortunately, these tips won’t help you there.
With each of these tactics comes a critical drawback. While AI hacking programs can make tens of trillions of guesses per minute, they can only do so with certain login types. For example, when you log on to your banking website, the browser has to communicate with the bank’s servers for every attempt. This takes time and slows down those programs so much that they become somewhat useless. Instead, these password hacks are used more against local data, like your hard drive, your PGP secret key, or the password database in your favorite browser. However, regardless of what your password is protecting, it’s essential to understand which rules do and do not work.
Why Bill’s Rules Don’t Work
Our friend Bill’s suggestions about creating strong passwords had a few key issues. As we mentioned, they are often difficult to remember and easy for computers to guess. But why is that the case?
Well, first off, the most common passwords are simple phrases with limited variants. For example, if your password is “MoneyTree”, it will be effortless for a dictionary attack to break into it. After all, the two terms form a relatively well-known phrase. So, under Bill’s rules, you would probably have to change this to include symbols and numbers as well. You may come up with something like “Mon3y+r33,” using 3s and plus-signs as replacement characters, but it turns out that password isn’t actually much better.
You see, these AI hacking programs aren’t just good at understanding what the prevalent words are. They’re also experts at how humans subtly change their passwords to make them “more secure.” In following Bill’s rules to improve passwords, people have adopted something called “leetspeak.” Leetspeak is an informal language or code used on the internet, in which standard letters are often replaced by numerals or special characters. So, an E becomes a 3, or an I becomes an exclamation mark. You may think you’re being clever when you include these characters, but, in reality, you’re doing what everyone else does.
The thing is, a password that includes any common phrases or leetspeak substitutions will be entirely ineffective against a dictionary or brute force attack as long as it’s shorter than 12 to 15 characters. This is because these passwords lack something called entropy. Entropy is essentially a fancy word for randomness, and each bit of entropy doubles the number of guesses a hacker needs to find your password. If your password is twelve characters long, contains one real word translated into leetspeak, with a few extra symbols at the end, then it likely has about 30 bits of entropy. This is because a single word is not that difficult to guess, and then there are only so many symbols and numbers that can go along with it. This password could be cracked in hours.
On the other hand, a twelve-character password made up entirely of random numbers, letters, and symbols will have nearly twice as many bits of entropy. This could take much longer to hack, but it’s still not the best option because it will be impossible to remember. Sure, some browsers will generate and save these passwords for you, but what if you have to log in on another browser or a different device? As smart as you may think you are, you will struggle to recall it.
This is because the human mind remembers things by association. For example, if I ask you, “What’s the 14th letter of the alphabet?” then you almost certainly can’t say it off the top of your head without first counting through each letter. That’s because we don’t associate each letter with a number; we associate letters with the ones next to them. That’s why it’s so much easier to remember a sequence of letters that forms a word than, say, a random series of one-digit numbers. It’s much easier to remember how to spell the word “orange” than it is to recall the sequence “937562.” But now that we know what doesn’t work, what exactly does?
How to Make Stronger Passwords
The most effective way to beat a hacker is to introduce more entropy into your password, and the best way to increase entropy is to make your password longer. So, you need a lengthy, random password that you can easily remember. There are two popular methods for achieving this. Each one works splendidly if you follow all of the rules, and both will be relatively useless if you don’t.
The first is called the sentence method. The idea is to come up with a sentence that is unique but easily memorable. For example, “Simon Whistler is my favorite YouTuber, and I watch all of his videos.” That’s a great sentence. Now, take the first two letters of every word and combine them to make your password. Our example would break down like this: “SiWhismyfaYoTuanIwaalofhivi.” The result is twenty-seven characters that look like complete gibberish but are recognizable to you.
One crucial part of this method is to avoid common phrases. A well-known example went around a few years ago that utilized a famous line from Shakespeare. “To be or not to be, that is the question” was broken down into “2bornot2bthisthquestion”. While this is an easy-to-remember variation of the sentence method, it lacks the first example’s entropy. This is because a sophisticated hacker will have trained their AI program by making it read even more Shakespeare than you did in high school. It’s well aware of the Hamlet quote, and the sequence of words, translated into leetspeak, is not random. Avoid this, and your sentence-based password will be strong.
The other system is known as the passphrase method. Put simply, a passphrase is a combination of easy-to-remember words that only you would think of. So, again, the passphrase “ChevyFordToyotaMazda” may seem random to you, but the words are all closely related. Instead, look around your room and pick out six objects that seem unrelated. For example, “CandlePianoSpeakersBookshelfMugCactus.” Then, as you sit at your desk, if you forget your password, you only need to look around the room to be reminded of what you chose.
Still, even that example lacks the most potent entropy. After all, many of those objects can be found in most rooms. But there is one way to introduce true randomness into your passwords. It’s called the Diceware method. The Diceware method was devised by cybersecurity experts to stump hackers once and for all. It’s quite simple, though it may take ten minutes to put together. Grab a six-sided die, a pencil, some paper, and track down the Diceware word list online. This list contains almost 8,000 random English words, each one corresponding to a five-digit number. Roll the die five times, write down the number, and find the corresponding word on the list. That’s the first word of your passphrase. Repeat five or six more times, and your phrase is complete.
This method introduces true randomness by including words that have nothing to do with you or your identity. But, you may be thinking, a seven-word password seems like overkill. Isn’t three or four words just as secure? The answer is a resounding no. If a theoretical hacker knows you used the Diceware method, then their odds of choosing your first word are one in 8,000. However, add a second word, and it becomes one in 64,000,000. That’s still simple enough to be hacked in a day, though. If you increase to five terms, the best software would require 6 months to guess. With six words, that total becomes 3,500 years. So why the seventh word? Well, one-trillion guesses a second may seem impressive now, but in five years, that may seem embarrassingly slow. Best to prepare for the rapid increase in hacking technology.
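To make the entropy arithmetic from the earlier paragraphs and the Diceware procedure concrete, here is an added Python example. It is mine, not code from the article and not the Diceware project’s own code. It assumes the 1 trillion guesses per second rate the article cites, the usual convention that an attacker finds a random secret after trying half the possibilities on average, a 95-symbol printable-ASCII alphabet for “random characters,” and a constructed 7,776-entry stand-in for the real Diceware word list (the real words are not reproduced here). The `roll_to_index` mapping and the `secrets` module standing in for a physical die are my choices, not steps from the article.

```python
"""Password entropy, expected cracking time and a Diceware-style generator.

Added example for this article, not the article's or Diceware's code.
Assumptions (mine): 1e12 guesses/second, half the keyspace searched on
average, 95 printable-ASCII symbols, and a constructed 7,776-entry word list.
"""
import math
import secrets

GUESSES_PER_SECOND = 1e12          # rate the article cites for modern crackers
DICEWARE_WORDS = 6 ** 5            # 7,776 entries, one per run of five die rolls
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy in a uniformly random string of `length` symbols."""
    return length * math.log2(alphabet_size)


def diceware_entropy(word_count: int) -> float:
    """Entropy of a passphrase of `word_count` words picked uniformly from the list."""
    return entropy_bits(DICEWARE_WORDS, word_count)


def expected_crack_seconds(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Expected time to guess a uniformly random secret: half the keyspace on average."""
    return (2.0 ** bits) / 2.0 / rate


def human_duration(seconds: float) -> str:
    """Render a duration at the scale a reader cares about."""
    if seconds < 1:
        return f"{seconds * 1000:.3g} milliseconds"
    if seconds < 3600:
        return f"{seconds:.3g} seconds"
    if seconds < 86400:
        return f"{seconds / 3600:.3g} hours"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / 86400:.3g} days"
    return f"{seconds / SECONDS_PER_YEAR:.3g} years"


def roll_to_index(rolls) -> int:
    """Map five rolls of a six-sided die (each 1..6) to a 0-based list position.

    Diceware labels its words 11111..66666; this reads those digits as a
    base-6 number with each digit shifted down to 0..5.
    """
    if len(rolls) != 5 or any(r not in range(1, 7) for r in rolls):
        raise ValueError("need exactly five rolls of a six-sided die")
    index = 0
    for r in rolls:
        index = index * 6 + (r - 1)
    return index


def diceware_passphrase(word_count: int, word_list, roll_die=None) -> str:
    """Pick `word_count` words, using a CSPRNG 'die' unless a roller is supplied."""
    if roll_die is None:
        def roll_die():
            # secrets, not random: passphrase choice must be unpredictable
            return secrets.randbelow(6) + 1
    chosen = []
    for _ in range(word_count):
        rolls = [roll_die() for _ in range(5)]
        chosen.append(word_list[roll_to_index(rolls)])
    return " ".join(chosen)


# Constructed stand-in list: entry i is just the label "w" + i, so only the
# size and the indexing match the real Diceware list, not its words.
CONSTRUCTED_WORD_LIST = [f"w{i:04d}" for i in range(DICEWARE_WORDS)]


def strength_table(rate: float = GUESSES_PER_SECOND):
    """Rows of (description, entropy bits, expected crack time) at the given rate."""
    rows = [
        ("12 chars: one leet-spelled word plus symbols (article's ~30-bit estimate)", 30.0),
        ("12 uniformly random printable-ASCII characters", entropy_bits(95, 12)),
    ]
    rows += [(f"{n} Diceware words", diceware_entropy(n)) for n in (2, 4, 5, 6, 7)]
    return [(label, bits, human_duration(expected_crack_seconds(bits, rate)))
            for label, bits in rows]


if __name__ == "__main__":
    for label, bits, when in strength_table():
        print(f"{bits:6.1f} bits  {when:>18}  {label}")
    print("example passphrase:", diceware_passphrase(7, CONSTRUCTED_WORD_LIST))
```

The six-word row reproduces the article’s figure of roughly 3,500 years at a trillion guesses per second, and the seventh word multiplies that by another 7,776. The `rate` argument is the quantity worth varying: the article’s earlier point about online logins being far slower than attacks on local data is exactly a change in that one number.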
In the end, even the best security experts admit that passphrases are still profoundly flawed forms of protection. The human mind can only be so random, and it often struggles to remember things in the moments when we most need them. That’s why the next steps in cyber-security are entirely removed from passwords.
One innovation that has become quite common already is multi-factor authentication. It often involves some sort of biometric check like a fingerprint or retina scan, which significantly increases security. But even these will one day become easily hackable.
The next innovation in cyber-security is the inclusion of AI and machine learning to track user behavior down to the most minute detail, such as internet behavior, mouse movement, typing speed, and other similar, unique characteristics. Once effectively implemented, this AI will understand precisely how you behave on your computer, and your behavior will be monitored to ensure that it matches the baseline. This way, even if someone can hack into your password, they will be locked out if their behavior is irregular.
Of course, by then, hackers will have determined the next step for hacking this security measure. The game of cat and mouse will continue without end, but by listening to the real experts, you can stay one step ahead.
So what do you think? Are you still using “123456” for your login? Do you believe these security concerns are a bit overblown?
Perhaps you feel that way, but how many times have you had to reset a password this month? You can blame Bill Burr for the ridiculous requirements, but now, you can only blame yourself for not making the changes that will make your logins more secure and memorable.