Testimonials
  • Our project required a deep knowledge of hardware design, expertise in virtual server configurations, and the ability to quickly understand how to plug into our existing back-up/recovery processes. It was immediately evident that you had the experience and skills to pull it off.
    Patrick Stroud, President, PLY Interactive, Inc.

Strong Passwords Made Easy: Passphrases

Posted on September 23, 2011 by Nick Webb

Recently I got the following note about password security and how to make a strong password from Seattle Search Marketing Consultant Mark McLaren (edited for brevity):

My clients are having more trouble with hackers these days. WordPress is susceptible to hackers on a lot of levels but the main issue is usually one of break-ins and malicious use of PHP on the host server, typically to send spam, when a bot figures out how to crack the [weak] admin password. …

Indeed this is a big problem these days, and it certainly is not limited to WordPress.  Just a month or so back, two of my Twitter followers were hacked due to weak passwords and as a result of the attack phishing links were sent to all of their followers via direct message.

Message received from a hacked Twitter account, with a link to a phishing site

If this happens to you, hopefully your followers know you well enough to notice the message was not written by you. However, if they do follow the link and infect their computer, lose money from their bank account, etc., how is that going to play on your reputation as a business contact?

How Can I Create Strong Passwords?

What’s your advice regarding strong passwords? How many different passwords does a business need? How many different passwords do individual people need? …

There are a lot of websites and software that require “strong” passwords by forcing their users to pick passwords with a few different classes of characters, such as upper case letters, lower case letters, numerals, and special characters and provide a password of a certain length (usually greater than 8 characters).

Password complexity is certainly a good start, but boiling it down, the key to a strong password is length.

Making a Strong Password? Length is King

Length is very important as hackers apply brute force to figure out passwords, simply guessing one password after another, trying every possible combination (with the aid of software).  If your password is only a few characters long, it doesn’t matter what it is, it will only take a few moments to crack.

Each character you add makes it exponentially more difficult to crack, and according to SANS (a widely-recognized authority on computer security and training) even an all lowercase, random password of 15 characters would take a determined hacker nearly 700 years to crack.  Match that to just five days for a 10 character password with uppercase, lowercase, and numbers.

A Strong Password Example

If you simply use a dictionary word (or combination of multiple words) no matter how long or odd, the hacker is also likely to break in.  Why? Because their password cracking software checks passwords first against dictionary words as a shortcut.  Don’t expect simple character replacements to slow them down much, either, such as “S3att1e” — cracking software often checks for this and capitalization as well.

However, passwords containing five or more dictionary words can be strong when not a common phrase or quotation and especially when intermixed with “special” characters such as spaces, apostrophes, asterisks, tildes (~), etc.:

Bob*Visit's/us-often-in~Seattle!

That is a strong passphrase (as it contains multiple words). The cracker would have to “brute force” 32 characters (as the dictionary shortcut will not work), which will take well over hundreds of billions of days to crack (again, according to SANS’ excellent spreadsheet).

It is possible that a cracking program could accelerate the cracking of this password with use of a dictionary, but the goal here is to really avoid being low hanging fruit, and that password certainly accomplishes the task.

For the slightly less paranoid, a more simplistic passphrase with five words is likely to suffice:

Bob;visits;us;often;seattle

Furthermore this password is easy to remember, which means the user will not have to write down the password, adding even more security (stopping someone from breaking into your network due to the Post-it-Note under the keyboard syndrome).

I’m not that creative, how do I come up with a strong passphrase?

Do you recommend using a password generator or a mnemonic device of some kind? …

For most folks, I think a long passphrase as explained above is the best approach (five or more words), balancing complexity with the ability to remember the password without writing it down.

For IT professionals like myself (I have well over 200 passwords), a generator is a time-saver and most have a secure storage area. They also relieve us from memorizing each password (which is impossible at this scale).  The free KeePass software is a great way to manage passwords, just make sure you use a strong, easy to remember, passphrase to secure KeePass.

Should I use the same password for multiple sites?

Do you think people need a different password for every high-priority site – for online banking, etc.? …

Ideally users should have different passwords for each and every site and login.  If just one site gets hacked and your username and password are retrieved, the hackers can move onto other popular sites you use and gain access to your email, banking, and any other site that may share the same password.

Stealing passwords should be impossible if best practices were followed, but it still happens (ask Sony). You simply can’t trust all service providers to keep your information safe.

Email account security is more problematic than most realize, as many sites allow you to reset your password via email messages.  Thus if your email account is taken over, the hacker has access to every site using this popular password reset method.

Why are strong passwords so important now?

These attacks are happening more frequently. The reason is simple. Most people still use very weak passwords created years ago.

They are happening more frequently, and passwords are not the only culprit.  I believe the reason small businesses are now attacked more frequently comes down to 1) weak security (including passwords), making them easy targets, and 2) small businesses now have much more data worth stealing (such as electronic credit card information).

The Wall Street Journal backs this up in their recent article, Hackers Shift Attacks to Small Firms. To hackers, breaking into a small business is like breaking into a house on a dead end street, with no street lights, a locked screen door for safety and no one home.

While even Fortune 100 companies struggle with security and fight off attacks often, it’s easy to see why hackers go after the ill prepared low hanging fruit that is small business.

In Closing…

Mark finishes his note with a strong summation:

The bottom line is that it’s not just about us individually anymore. If we have easy-to-crack passwords, we are basically saying we don’t care whether hackers can gain access to all our contacts – family, friends, businesses, everyone. Those hackers can send email containing very dangerous links to every one of our contacts. People who open these emails and click on these links are at risk of having their computers and data destroyed or severely compromised. We need to consider this every time we set a new password. We are not just putting ourselves at risk. We are putting all our associates at risk.

Please take a minute today and change any weak passwords you may have to a strong passphrase. Change any passwords that are over a year old and change a password immediately after you suspect, or are notified, of a breach (break-in where passwords may have been compromised).

Stay safe out there!

This entry was posted in LinkedIn, Off The Wire, Tech Tips and tagged , , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.