Passwords: The Advice Remains the Same

Written By Mike Olivier, PTAC Procurement Advisor, CMMC RP

Passwords are what allow access to computers and systems; they’re pretty much a necessary iterant to all users. They’re the first line of defense in protecting systems and users. They’re half of what’s called the credentials. The first half is user identification, followed by authentication — the password. How to construct a good password is a matter of discussion, and in this case, the best way to define a good password is to define what it’s not.

A good example is not to use common phrases, advice we’ve all heard, like password. Even using conjunctions with your company name isn’t a good idea. Solarwinds123 was the password for the hack into Solarwinds, which affected many thousands of federal government systems. However SolarWinds has recently determined that the password was for a third-party vendor application. It wasn’t for access into the SolarWinds IT systems and had nothing to do with the attack or breach of the company’s IT systems.

Nevertheless humans construct passwords or use a password manager; the discussions then centers around what makes for a good password, how long to keep a password, how many you need, etc. Even a password manager must have standards. A good way to look at this is to examine passwords which have been used before. This can be easy because so many passwords have been stolen and published.

Password culture analyzed

In password construction, the top 20 or 50 always seem to be the same, even across nationalities. They include password, 123456, abc123, QWERTY, Admin, and so on. As most of us know, these not-so-clever password variations have been around for a long time. The question is why people still use them; most likely, it’s because they’re easy, and most importantly, there are no back-end password standards which force stronger passwords. This is a management issue. In addition to the common list of lame passwords, there’s the issue of password overload. That’s the increasing number of passwords needed. So to make it simple, people use the same password for many functions (the same one for online banking and Amazon, for example). Another interesting fact is passwords tend to be specific to user culture. English speakers will use English letters, numbers, and common special characters, as Spanish speakers will use Spanish letters with accents, numbers, and the like. Each group will be slightly different, with a defined character set of 72-100 characters. The Hive password cracking study used a 650-character set to establish the timelines to crack a password. That means your password will take much less time to crack if you’re not taking advantage of these 650 characters including Cyrillic, symbols, and Latin extensions. In addition people use common names; a mild generalization is men tend to use sports teams and athletes in their passwords while women tend to use children, grandchildren, and pet names in their passwords.

How could you guess what words to use, go to their Facebook page. Age is also a factor in password construction. People older than 60 tend to use the same password for many functions. The summary is obvious, don’t use the common list of well-known passwords; use a unique password for every account, and use multifactor authentication (MFA) for every account you can. For Google, less than 20% of users use MFA, meaning you’ll be more secure by turning on MFA than the other 80%. Last is complexity — the more complex, the better, and the longer, the better. There are limits to complexity, as complexity is constrained by culture and knowledge. For example, it’s unlikely users will begin adding Cyrillic characters to their passwords after reading this.

The research and education

As mentioned, the Hive study is a deep dive into addressing the advantages of password length and complexity to password-cracking time. The analysis was based on the assumption that a hacker had managed to steal a list of user identifications and their associated hashed passwords. The hacker has the user ID, but passwords are hashed, a standard means to protect the confidentiality of the password. The hash takes the plain text password and generates a 32-character string. To log in, the hacker will need the user ID and the plain text password that generated the hash. Since the hacker cannot undo the stolen hash, the challenge for the hacker is to find the correct combination of plain text characters which when entered as the password will be hashed and match the hash stored in the database. Of course there are many software applications dedicated to this process. The first thing that will happen is the hacker will run known or compromised password hashes to see if there’s a match. If the user has used the same password before, this increases the changes success. Another factor is the hashing software can be targeted to the user based on culture, gender, and other factors. These factors take advantage of the most likely characters used, such as words and special characters.

Essentially increasing password complexity and length is defense; it’s about increasing the time it takes to match the stolen hash value. An observation is as processing power increases, in individual systems and in the cloud, the time to crack a password decreases. The argument is at some point in time the advances in computing power will make traditional passwords obsolete. Until that time the advice is the same as it has been: use long and complex character sets, use MFA, use different passwords for each account.

Key examples

Solarwinds123 Former SolarWinds CEO blames intern for “solarwinds123” password leak – CNNPolitics

Not so bad, not into IT System [UPDATE] SolarWinds Executive Blames Intern for Leaking Company Password ‘solarwinds123:’ The Password Used Since 2017 – Tech Times

How many use MFA Google’s MFA/2FA (multifactor authentication) targets are set low –