Password Security

Everyone has wonderful passwords, right? I'm sure you've got a different one for every website you go to, with some crazy combination of upper case, lower case, numbers, and symbols. Nothing in there is personal, like a pet's name or your mother's birthday, and it would be absolutely impossible to guess. Right?

Ok ok, you can stop laughing. But that is the current suggested standard by people who are supposed to know this stuff. And they are 100%, absolutely, gut-wrenchingly wrong about everything. In light of the recent major losses of consumer passwords, it's time we had some hard conversations about password security.

I've worked in some places where security was 'tight' and 'secure' when it was anything but. One place had multiple systems for people to login to, with different rules about security strength but which all had to be complex. A particular coworker had three different systems which required her to change her password every three months and each password on those systems had to be significantly different from all of her previous passwords (so no changing just the numbers at the end of a word, for instance). There was no way for her to remember all those passwords, so she wrote them down and kept them at her desk. Security vanished. The cleaning crew could have accessed everything behind her password wall.

This is an important note to remember. Most passwords are cracked due to human error. Someone writes something down so it's easy to remember and tapes it to the bottom of a mousepad. Clever! And exactly where nefarious types might look. Or behind the monitor. Or under the desk. Good password security needs to enable the user to remember their password so it doesn't get written down while making it complex enough to not be easily guessed by human or bot. This is where password security rules come in.

Most of these rules come from archaic systems back in the dark ages of the internet. Assuming people actually still use passwords like 'God' or 'password' or 'Janie040791' for their bank account. The first two should be filtered out by most modern systems and the third isn't actually all that bad if the system's security is properly setup. Let's examine some of the reasons for these rules put upon us by password security systems.

A mix of upper and lower case characters, symbols, numbers
Purpose: Increase complexity of characters to deflect brute force attacks
Problems: It also increases the difficulty of retention. "Did I capitalize the first or second 'L' in 'Arm@dillo8914#%*?"
Why it's useless: Brute force attacks are almost completely ineffective against modern systems (explained further below). Also, forcing these kinds of rules actually reduces the number of variations bots need to try.

Minimum character count of X
Purpose: Again, this increases the difficulty of guessing a password. For simplicity, assume we have 100 characters available to use (easy math). A one digit password has 100 varieties. A two digit password has 100 * 100 (10,000) varieties. Three digits? 100 * 100 * 100 = 1,000,000. It climbs rapidly.
Problems: Longer passwords also harder to memorize.
Why it's kinda ok: People can memorize things longer than two or three characters fairly easily and it adds a lot more to the basic security for not much pain. Lot's of bang for your buck.

Maximum character count of anything < 50
Purpose: ??? Saving space in their database?
Problems: This is literally the opposite of the previous two rules. It reduces complexity.
Why it's completely useless: It always boggles my mind when this kind of limit is imposed. I understand that there needs to be some theoretical limit to this based on whatever database you're using, but space is so cheap these days that any sort of limit here is fighting a useless battle. Back in the dark ages when 1MB was considered a lot of space, limits like this might have made sense. I don't even consider a hard drive unless it lists its space in terms of TB (1024 * 1024 * 1MB).

You can't use X character or word in your password
Purpose: Either they're trying to hand hold you and prevent you from using something stupid (a good thing) or they can't figure out how to parse strings into an MD5 hash with certain characters (ridiculously bad).
Problems: Once again, you're reducing complexity. Even worse, you are preventing the user from using something that is probably easier to memorize. The most common of this type of security prevents you from using your name or username in your password. That's a good use! The other most common prevents you from using a space. This is one of the worst things, which I'll explain further down below.
Why it's good and bad: Reducing complexity by removing available uses means bots and hackers have fewer possibilities to sift through. However, preventing users from using easily guessed passwords is actually a really good thing.

You may be saying to yourself, "Wait, but why are these things good or bad? I thought hackers had bots which could try thousands of passwords per second, sift through dictionaries for commonly used words, and be completely undetectable?" Well, some of that may be true, but modern hacking has little to do with Hollywood movies from the 80's.

Let's take a quick moment to define a brute force attack: An automated bot interfaces with an application and tries combinations of user names and passwords. If a hacker has obtained one or more usernames, then half of the work is already done. Let's assume this is true for the time being. So the bot has a username and an interface, so now it needs to try different combinations of passwords. It can do this in several ways. The most basic way is to try a random collection of characters (and numbers and symbols) within the size range of passwords (see how setting your max length password is different here between 20 and 100?). A more sophisticated way would be to try every possible combination. So "aaaa" then "aaab" then "aaac" etc. The best ones use combinations of info they have about their target, dictionaries, and complex algorithms to try to guess the passwords. Even the best of these are subject to the problem of volume. There are tons of possibilities! The term "brute force" comes from the fact that they are just banging their proverbial head against the wall and trying to break through.

Counter measures -

Throttling: This is a method of invalidating password attempts which come in too fast. Usually, something like one second is fine. Most humans can't enter multiple passwords in faster than one a second, so only bots get slowed down with this sort of limitation. And it's fairly effective as well. At one password try per second, at 60 seconds a minute times 60 minutes in an hour with 24 hours in a day that gives us 86,400 possible combinations in a day. Remember our simple, 3 digit password above? It has a million possibilities. To do all of those combinations, it would take a bot 11 and a half days to go through all of those. A 5 digit password? 115,740 days. That's over 300 years.

Bad Password Limits: We've all had a scare from this. You put in a password to a site and get an angry red message along the lines of "Two more tries and your account will be LOCKED to prevent unauthorized access." Yikes! Most places have the right idea here, but their implementation is way off. First, there's no reason to lock someone's account permanently from this (usually with some form of email restoration, but still). Some of the more lenient places will give you 10 tries before a lockout, so let's use that as our example. At only 10 tries, any bot will have practically no chance of getting in. With our 3 digit password, they've got ten tries at a 1/1,000,000 shot. And we have to recover the password and probably change it! What happens most of the time is people can't remember the particular combination of characters, numbers, and symbols they happened to pick out the day they signed up for this site. A much more reasonable solution is to lock the account TEMPORARILY, send a notice email to the user and to the administrator, and log the address of whoever was trying to get in. I would start with a 5 minute lockout. If the user is trying to get in, they get a bit to cool off and try to find where they stored this particular password. The bot would get 5 minutes of down time. That's 300 (5 minutes * 60 seconds) combinations of down time. A poorly implemented bot will keep trying and simply miss those combos, reducing its accuracy, while a well done bot will keep track of the fact that it's locked out and simply get a delay. But that's ok! Because if those 5 minutes expire and the bot keeps trying, we can track that and the next lockout could be a half hour. Then an hour, then a day. Each time giving notice to the user and the administrators. Unless both are asleep at the wheel, the attack will be noticed and something manual can be done about the brute force attack.

A combination of filtering exceptionally bad passwords, throttling, and bad password limits can make it virtually guaranteed that your password won't be brute forced open. However, I do want to stress that word "virtually" since there is always a chance. Since brute force is also counting on a bit of luck, there is always the outside possibility that the planets will align, black cats will congregate under ladders, and your beautiful 50 character password of random characters, numbers, and symbols will be hit on the first try.

So what can an average Joe do to have a good password? Here are three suggestions which I use to varying degrees and depending on where it is specifically I need the password for.

Random generators: There are a ton of these available from a quick Google search. You can put in some basic rules, give it a length, and wham! You have a super secure password. These are obviously going to be next to impossible to memorize, so you can use a password manager such as eWallet, KeePass, or LastPass to manage and store your passwords. One note of caution: This centralizes your passwords, meaning that if your password manager is breached, ALL of your accounts are at risk.

Formulas: This method takes advantage of the fact that the sheer number of sites or applications users access gives a certain randomness which can be utilized. Start with a small series of complexity, such as HiE77^D2. You'll memorize this, but don't be scared! You'll use it in all of your passwords, so it will actually be easy to remember in time. Then, choose your own unique version of extraction from a website. Let's take Google. Maybe your formula is to use all the consonants and take the number of vowels. You take your formula and add it to the beginning, middle, or end of your password seed (your choice of where to add it). So, using this example, our password becomes ggl3HiE77^D2. Or let's use bttrbggms5HiE77^D2. This gives you an easily reusable segment which ups your complexity and an easy formula for retrieving the rest. Any website you visit becomes its own key to the lock. Experiment and find your own unique method.

Phrases: This is my personal favorite, but it's blocked by many places because it uses spaces. Simply create a phrase that is unique to your application. Perhaps it's "I love BetterBugGames!" or "Isn't Google the best thing ever?" Both of those have a combination of upper and lower case letters and symbols. It would be pretty easy to add some numbers in there as well. These have the advantage of being easily memorized (especially if you pattern them all the same way) as well as having complexity and length. The first example is 22 and the second is 34! Not bad for something that's easy to type and easy to remember.

"That's great," you might say. "But what are these tech companies I entrust my password doing to help out?" That's a great question. Unfortunately, sometimes that answer is "not much." There are many ways companies could be helping out, including using my suggestions above, and lots of companies just...don't. I used to use a webhost who once wanted me to give my password verbally over the phone. They were storing my password in plain text! If someone cracked their database, they could have easily logged into my account. Plus, if I were one of those types who used the same password for all accounts, they would have also had my email and password to log into any website I accessed. I dropped that webhost very quickly. Proper security and vigilance seem to be in shorter supply than we all deserve as consumers.

I'd like to end with a short note about the inspiration for writing this email. Recently, the news was littered with stories about how eBay's passwords had been stolen, and that this had happened months before anyone noticed! Like a diligent internet user, I went to reset my password post-haste. First, I tried a phrase, but eBay happens to be one of those places which won't accept spaces in passwords. Frustration point number one. But fine, I just removed those spaces and tried again. Nope! This time it squawked because I had gone over 20 characters. 20? Even the shorter of my phrase examples up above was over 20 characters. Frustration point number two. At this point, I decided to experiment a bit. They did do some basic filtering against username and easy passwords, which was a good thing. Eventually, I ended up going to a random password generator, choosing a length of 20, and storing it in a password manager. I was seriously considering simply deleting my account and not dealing with them any more. One more hint of security problems, and that is what I'll actually do. The best way to secure your information when using a service that has no respect for your security is to simply not use them at all.

Jason Q
Lead Programmer
Better Bug Games