One of the inconveniences of modern life that impacts Systems Administration heavily is the thorny issue of authentication and, in particular, the use of passwords. These annoying words and phrases pervade the workplace, our homes, even our cars, and the breadth of services we use on each of the devices we access.
Whilst there are some ambitious plans to do away with passwords entirely, not only are these schemes relatively far off but they also involve potentially scary devices like fingerprint and retina scanners: small gadgets that will inevitably be eaten by the dog or will contain grids of numbers far more complicated than our old-school passwords. So in the meantime, below are two reasons why creating hard-to-decipher passwords is worth the effort:
Two Types of Attacks
1. Random Attacks
All computing devices (public or private) connected to the internet are constantly being probed by ne’er-do-wells from Shanghai to San Diego and from Moscow to Manchester. If you think no one cares about the collection of New Kids on the Block photos stored on your home desktop, you’re partly correct. Friends may not care, but the lurkers are interested in everything, indiscriminately. Home router logs show a constant stream of break-in attempts and your internet connection is no exception.
The majority of these random attacks are only for sport: the reward is the triumph of successfully breaking into the system, looking around, and leaving. The owner of the compromised system is left totally unaware of the breach.
Random attacks typically use dictionary and brute-force techniques: throwing huge lists of common login names, passwords, and phrases (with the odd spelling variation, a capital letter, or a digit or two tacked on the end) at the prey in the hope that one will eventually grant access. Imagine your password is a nation of the world and you have Yakko trying to hack you; this applies equally to Botswana1 or Liechtenstein99, as computers are somewhat faster than fictional cartoon animals (with the exception of Road Runner and Speedy Gonzales).
The best way to avoid falling to random attacks is to avoid dictionary words or common phrases, including the obvious variations of them (a capital first letter, a number on the end).
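To make the Yakko point concrete, here is an added example (not code from the original post or from GiftCards.com) of the kind of dictionary attack a bulk scanner runs: each word from a short list is expanded with the cheap "mangling" variations (capitalisation, leet substitutions, numeric suffixes) and tried against a set of salted hashes. The word list, the user records, the salts and the salted-SHA-256 scheme are all constructed for the example; no real hashes are involved.

```python
import hashlib
import itertools

# Constructed word list: a handful of nations, as in the Yakko example.
WORDLIST = ["botswana", "liechtenstein", "belgium", "peru", "seahawks"]


def mangle(word):
    """Yield the cheap variations a cracker tries for each dictionary word."""
    forms = {word, word.capitalize(), word.upper()}
    leet = word.replace("e", "3").replace("a", "4").replace("s", "5")
    forms.add(leet)
    forms.add(leet.capitalize())
    for base in sorted(forms):
        yield base
        for n in range(100):          # common numeric suffixes 0..99
            yield f"{base}{n}"
        yield base + "!"
        yield base + "123"


def hash_password(password, salt):
    """Constructed toy scheme: salted SHA-256.

    Real systems should use a slow KDF (bcrypt, scrypt, Argon2); a fast hash
    like this one is exactly what lets an attacker try millions of guesses.
    """
    return hashlib.sha256((salt + password).encode()).hexdigest()


def crack(records, wordlist):
    """records: list of (username, salt, hex digest).

    Returns (found, guesses): the passwords recovered per user and the total
    number of hash computations it took.
    """
    found = {}
    guesses = 0
    for user, salt, digest in records:
        candidates = itertools.chain.from_iterable(mangle(w) for w in wordlist)
        for candidate in candidates:
            guesses += 1
            if hash_password(candidate, salt) == digest:
                found[user] = candidate
                break
    return found, guesses


def make_records():
    """Constructed sample accounts; only the third password is off-dictionary."""
    sample = [
        ("alice", "salt-a", "Botswana1"),
        ("bob", "salt-b", "Liechtenstein99"),
        ("carol", "salt-c", "correct-horse-7Q!"),
    ]
    return [(u, s, hash_password(p, s)) for u, s, p in sample]


if __name__ == "__main__":
    found, guesses = crack(make_records(), WORDLIST)
    print(f"recovered {found} after {guesses} guesses")
```

Both nation-based passwords fall within a few thousand guesses, which a single laptop core gets through in a fraction of a second against a fast hash; the third account survives only because its password is not a word on the list with a predictable decoration.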
2. Targeted Attacks
No one in Gdansk knows you named your first-born Firebloom Asprilla, so ‘iloveufireyasp’ is safe, right? Absolutely not; family names are even worse than dictionary words. Targeted infiltration attempts come from people who do know who you are and, unlike most random cases, they’re not just digging out of curiosity. They’ll use what they know about you to crack the codes you use and access your information.
If you’re unfortunate enough to be a Seattle Seahawks fan, for example, you’re less likely to get randomly hacked than if you’re a Patriots or Steelers supporter (see chart below). But people at your office see you wearing that Seattle jersey every Friday during the season so ‘Seahawkz’ is still a bad choice. Don’t use sports teams, favorite bands, and especially not the names of your children or pets.
Tangential to this, but still important, is not sharing nicknames and other information on social networks. You never would, knowingly, of course. But ever seen those apps or e-mail surveys telling you to combine your first pet’s name with your mother’s maiden name to find your new hilarious 70’s-style nickname? Well, McWharton Bounder, you just gave away two of the most common answers to security questions needed to access your financial services on the web.
How to Avoid Being Attacked:
There are essentially two approaches to making a password hard to crack. The first is to use complex passwords, with capital letters, numbers and (if supported) symbols. Allowing a single capital letter doubles the size of the alphabet that a hacker, attempting a brute force password crack, has to search. A 3-letter lower-case password, for example, gives the hacker 17,576 (26 to the 3rd power) variations to try. Allowing capital letters ups the options to 140,608 (52 to the 3rd power). Extend the math to an 8-character password drawn from lower case, upper case, numbers and symbols (88 characters in all) and it becomes 3,596,345,248,055,296 (88 to the 8th power) variations, a number which seems large even to Congress working on this year’s budget or to NFL agents.
Yes, typing eight characters takes longer for human fingers, but the difference between remembering three characters and eight is insignificant for the brain, whilst the difference for a machine is huge.
The other approach is to use uncommon phrases, and xkcd can explain that far more gracefully than I can. Though even when you employ a solution like this, you should never re-use a password…for reasons we’ll get into next time.
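The keyspace arithmetic above, carried through as an added example (not from the original post) for several character-set policies and for an xkcd-style passphrase of words drawn at random from a dictionary. The guess rate of one billion per second and the 2,048-word dictionary size are assumptions chosen for illustration; the point is the comparison, not the absolute seconds.

```python
import math

# Alphabet sizes: 26 lower case, +26 upper = 52, +10 digits = 62,
# +26 symbols = 88 (the size behind the post's 8-character figure).
ALPHABETS = {
    "lower": 26,
    "lower+upper": 52,
    "lower+upper+digits": 62,
    "lower+upper+digits+symbols": 88,
}


def keyspace(alphabet_size, length):
    """Number of distinct passwords of `length` characters from the alphabet."""
    return alphabet_size ** length


def passphrase_keyspace(words, dictionary_size=2048):
    """Keyspace of `words` words chosen uniformly from a dictionary.

    This is why an uncommon phrase is strong: the attacker has to guess the
    whole phrase as a unit, so each extra word multiplies the search by the
    dictionary size rather than by a single character set.
    """
    return dictionary_size ** words


def bits(keyspace_size):
    """Keyspace expressed in bits (log2), the usual way to compare policies."""
    return math.log2(keyspace_size)


def seconds_to_exhaust(keyspace_size, guesses_per_second):
    """Worst-case time to try every password at the given guess rate."""
    return keyspace_size / guesses_per_second


def compare(guesses_per_second=10**9):
    """Return (label, keyspace, bits, seconds) rows for the policies above.

    guesses_per_second is an assumed rate for a fast unsalted hash on one GPU.
    """
    rows = []
    for name, size in ALPHABETS.items():
        for length in (3, 8):
            ks = keyspace(size, length)
            rows.append((f"{length} chars, {name}", ks,
                         round(bits(ks), 1), seconds_to_exhaust(ks, guesses_per_second)))
    ks = passphrase_keyspace(4)
    rows.append(("4 random words from 2048", ks,
                 round(bits(ks), 1), seconds_to_exhaust(ks, guesses_per_second)))
    return rows


if __name__ == "__main__":
    for label, ks, b, secs in compare():
        print(f"{label:34s} {ks:>22,d}  {b:5.1f} bits  {secs/86400:12.2f} days")
```

Two things the table makes visible: adding length does far more than adding character classes (26 to the 8th already dwarfs 88 to the 3rd), and a four-word random passphrase sits at 44 bits, below a truly random 8-character 88-alphabet password (about 51.7 bits) but far above what people actually pick when told to "add a capital and a number", which is the Botswana1 pattern the dictionary attack above goes after first.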
At GiftCards.com, we force our employees to adhere to strict password guidelines. And those who log in to our system to create personalized gift cards, to buy discount gift cards, and so forth are encouraged to do the same.
There has been some debate in the office as to how common sports passwords rank. So just for fun, using data from Xato’s list, here is the Bad Password League table, based on professional football team names. I demurred from doing proper divisions and playoff brackets as, fun and silly as it is, I have better things to do even outside the football season.
As you can see, the only team names that don’t appear in Xato’s list of the top 10,000 most common passwords are the Texans and the Buccaneers. However, given that 30 of the 32 team names appear in the top 10,000, hackers won’t spare Houston or Tampa when carrying out a dictionary attack, so either is still a very bad choice.
~~ Mike Allcock, Former Systems Administrator for Giftcards.com