Exposing password myths: shattering the stereotype of strong security

As a Software Craftsperson at Codurance, with a long history of working in security related companies, I was very happy recently when I was asked to join our internal security capabilities group. Not only are we focused on making sure we’re a secure company ourselves, but we’re also helping to promote a security-first mindset with our Craftspeople, so that our clients can benefit from our expertise too.

My first mission in the group was something I was very keen to jump on, knowing there’s a lot of misinformation out there on the topic: improving our password policy. After getting carried away with the amount of information I was putting in, and the examples I had created to demonstrate these ideas, I realised I had gone way overboard with my initial goal, but now had the perfect foundation for a blog post.

So here I’m not only going to tell you how to create a good password, I’m also going to show you why you need to avoid certain pitfalls, and why the classically regarded “complex” password really doesn’t have a leg to stand on.

Background

Typically people think a secure password is one that others can’t guess easily because it’s hard to understand, and by using confusing and complex looking strings of characters, surely no one is going to be able to follow along with what you’re typing by looking over your shoulder right? Well I’m sorry to say that 99 times out of 100, the problem isn’t with pesky colleagues or dodgy looking dudes on the train, the issue lies with password crackers.

How does password cracking work?

Password cracking involves generating ideas of what your password could be, and gathering those ideas into a list. This list can then be used to perform a dictionary attack, which is where a machine takes these phrases and manipulates them, joining them with other words and characters, and then attempts to do a brute force login on a system with weak security, or if the cracker has the hashing key and hashed password from a leaked database, they can iterate through all of the potential passwords, and hash them with the key until the output matches the hashed password.

Crackers will use knowledge of bad password practices, along with leaked or phished information from users to generate these lists of potential passwords, and prioritise more likely passwords over less likely ones to ensure maximum efficiency. It’s not a case of if a password can be cracked, but when. The difference between a weak password and a strong password could see the time taken to crack the password go from a week to over a hundred million years.

Bad password creation

Here’s a few of the main methods people use when they think they are creating secure passwords, and why in reality, they aren’t.

Typical requirements

Many websites and services tell you a secure password needs to tick certain boxes in order for it to be secure, and because all of these services repeat the same guidelines year after year, a bit of a “false standard” is arising across the entire internet.

So let’s look at a common example of this, let's say 8 characters long, and it has to contain a capital, lowercase, a number, a special character from a list of ~!@#$%^&*_-+=`|\(){}[]:;"'<>,.?/. Sure it sounds complex, but if we look at the time taken to crack a password with these requirements, something like CaP1tal5@ looks complex, but a cracking bot only needs to check 10 characters total, starting at length 8, with pre-defined parameters so each character could only be 1 of 94 known possibilities.

The most important part in a password is the length. Having a longer password makes it take exponentially longer to crack than a shorter one, and so allowing people a smaller amount of characters in their passwords is a bad start. However, by giving a specific length requirement, it gives the crackers a place to start their attack, such as in the case of our example, where they know it’s not going to be 7 characters or less. By having set requirements such as capitals and specific characters, crackers could also assume that people who may usually use a 6 or 7 character password for instance, may now use the same password, but with a special character and a number added onto the end, making it one step easier to crack.

This is just one example of how passwords can be guessed based on the typical person being given strict requirements.

Reusing passwords

Reusing the same passwords, words, or characters between services is one of the worst offenders for bad password design, and in fact is one of the key reasons why the other methods on this list are so vulnerable.

If I have a password like codur4nce on one website, and a cracker has that password, when they go to another site which might have the same requirements, except they need a capital letter too, what do you think they will try before any other password? It's going to be Codur4nce.

This forces crackers to do all of the same checks twice. It sounds like doubling their workload is a lot of extra effort for them, but using modern software and computers to do this for them it’s no effort at all, and the time frame impact is minimal.

Using one word

Using one word in your password (along with extra requirements given) such as Codurance!@# gives the cracker an easy starting point to base their attack off of.

If the cracker suspects, or even knows you're using something like the name of your workplace in your password, such as with our example, then all they have to crack is the extra three characters on the end.

Alternative letters

Using alternative numbers in place of letters, such as substituting “A” for “4”, seems like a plausible idea to try and stay one step away from your password being guessable. However, even through simple, automated iteration it’s going to only take nanoseconds to go from trying one to the other.

Even worse though, is that because this is a popular strategy in its own right, the system doesn’t need to even wait to iterate through each character, when it knows people may try a “4” instead of an “A”, or a “0” in place of an “O”. If a cracker wanted to guess Codurance as a password, their next logical steps are going to be C0durance, Codur4nce, C0dur4nce, etc.

Using service related keywords

Appending or inserting service related keywords into your passwords is also a big no no. People trying to crack passwords are looking for patterns more than anything, and if you have a password that does follow mostly secure patterns, such as the 3 words pattern (which we’ll discuss below), you can still leave yourself open to attack if you're too cavalier here. If a cracker finds a leaked password of yours, from something like Facebook is compass often sandwich facebook, the first thing they will use to try and log into your google account would most likely be compass often sandwich google, followed by compass often sandwich gmail, and so on.

Using secret answers

I call them “secrets answers” because they’re typically the kind of things you’re asked for recovery questions, things such as “your first pet name” or “your mother’s maiden name”.

Using these kinds of words only leads to crackers being able to add easily identifiable and accessible information about you to their list of keywords. When malicious actors can scour your social media accounts, and the many leaked databases of personal information available on the web, they can quickly automate the creation of lists of thousands of potential passwords based on the information they find.

How crackers use these flaws

When crackers use these different techniques to find/guess your passwords, they don’t just use one of these ideas to guess them, they use combinations of all of them, to automatically create hundreds of thousands of passwords that can all be fed through a system in seconds to see if they can work out a match or not.

How would they even know where to start though?

At this point you may be saying "yeah but the cracker needs to know some kind of base password to start with, as long as they don't have that it's fine". Well unfortunately we’re seeing increasing amounts of password leaks from all kinds of major corporations these days, and honestly not enough is being done about this. A good website you can visit to find out if your information has been leaked is haveibeenpwned, where you can see if any of your passwords have been leaked online through any of these data breaches we keep on hearing about.

Creating a secure password

So how do we get secure passwords? The NCSC provides fantastic advice for creating secure passwords, which I’ve also seen used by many secure corporations in my time too: using (at least) three completely random words, such as doctor horseshoe guitar.

If you need to make any modifications to a secure password for a specific site's requirements, you can do that on top, so you might end up with Doctor horseshoe guitar5!.

Passwords based on words like these are not only easier for you to personally remember, but also much harder to crack, purely based on the length.

There are many resources out there that can help generate passwords like this.

Secure password storage

Once you’ve generated your password, you should look to store it into a secure password vault, such as BitWarden. You should make sure that any service you choose to do this is secure itself, and always use Multi-Factor Authentication to secure these accounts as well.

One of the benefits of using BitWarden is that their “Tools” section gives you a way you can customise their password generator to help meet the requirements mentioned above.

Final thoughts

All passwords are crackable, but the importance is knowing that when someone is going to crack your password, their software takes nanoseconds to differentiate between Password and P4ssw0rD. However the difference between cracking P4ssw0rD and This is my password is astonishingly more difficult for a cracker to achieve (for now).

And finally, always use Multi-Factor Authentication in addition to a password. Methods such as a token sent to a device, a fingerprint, or facial recognition work well. You could even take that a step further, and implement additional security requirements such as IP restricted logins, use of VPNs, user profiling tooling that helps determine if your user looks authentic based on behavioural patterns, etc. 

Those, however, are topics for another day!