April 19th, 2010

Very Secure and Simple Passwords

In December 2009, a major password breach occurred. The hacker posted on the Internet the complete list of 32 million passwords. An analysis of the list provides a terrifying view of the weakness of password-based security.

In this post I provide you with some recommendations to create very secure and simple passwords.

From the published list it was found that the most common password is 123456, which occurs in 0.9% of the list (what a surprise!). The frightening thing is that an amateur hacker using a rather slow Internet connection can attempt some 110 logins per second, which will yield one successful break-in per second, or 1,000 accounts in just 17 minutes.

The passwords 12345, 123456, 1234567, 12345678 and 123456789 together account for 1.52% of the list. The top 5,000 passwords were used by 20% of the users (6.4 million). A more sophisticated hacker can use that "password dictionary" to launch additional attack waves, and by doing so, eventually break into 20% of all accounts of the attacked system.

Developers can implement measures to counter such attacks, but it is just a matter of time before attackers figure out a way to circumvent them. The real solution is to have more secure passwords.

The current guidelines to create a secure password are to use at least 8 characters, including mixed lower and upper case characters, numbers and symbols. In Thomas Baekdal's blog you can find a brilliant analysis of the strength of passwords based on the time it would take a hacker to crack them. Following the previous guideline should create a password that is secure "forever", understood as a password that would take more than 1,000 years to crack.

However, most users won't create or remember something like ah5>2fG&. Actually, the vast majority of the top 5,000 passwords in the list didn't comply with the basic security guidelines: they were names, parts of email addresses, common words, slang words, and trivial combinations like 123456 or abc123. But how can you blame users for not following those guidelines?

In the same blog you can see the comparative strength of regular passwords and passphrases. A passphrase is a combination of several words. For instance, the passphrase "this is fun" is 10 times more secure than G7#x8z. Using uncommon or fictional words increases the security of the passphrase. A combination like "puffer shangy muz" is secure forever.

The advantage of passphrases is that they normally contain more characters than regular passwords, making them more secure, and at the same time they are very easy to create and remember. We recommend using at least 3 words in your passphrase and incorporating one or several uncommon words. You don't have to worry about upper and lower case, numbers and symbols, but if they are part of your passphrase they will make it more secure.
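The following is an added example, not code from the original post, that puts the reasoning above into a simple crack-time model: a secret that appears in the breach's top list falls at once, a passphrase made only of common words is guessed word by word from an assumed 100,000-entry word list, and anything else must be brute-forced character by character. The common-word set, the word-list size and the offline guessing rate of 1e9 per second used in the checks are assumptions; the 110 logins per second and the 1,000-year "forever" threshold are the post's own figures.

```python
import string

# Constructed stand-ins for the breach's "password dictionary" and for an
# attacker's word list; the real 32-million-entry list is not reproduced here.
COMMON_PASSWORDS = {"123456", "12345", "1234567", "12345678", "123456789",
                    "password", "abc123"}
COMMON_WORDS = {"this", "is", "fun", "the", "and", "puffer"}
ASSUMED_WORDLIST_SIZE = 100_000   # assumption: size of the attacker's word list
SECONDS_PER_YEAR = 365 * 24 * 3600
FOREVER_YEARS = 1000              # the post's threshold for "secure forever"


def charset_size(secret: str) -> int:
    """Alphabet an attacker must cover to brute-force every character of secret."""
    size = 0
    if any(c in string.ascii_lowercase for c in secret): size += 26
    if any(c in string.ascii_uppercase for c in secret): size += 26
    if any(c in string.digits for c in secret): size += 10
    if any(not c.isalnum() for c in secret): size += 33  # punctuation and space
    return size


def years_to_crack(secret: str, guesses_per_second: float) -> float:
    """Expected years until a guesser succeeds, on average halfway through the keyspace."""
    if secret in COMMON_PASSWORDS:
        return 0.0                                        # found among the first guesses
    words = secret.split()
    if len(words) >= 2 and all(w in COMMON_WORDS for w in words):
        keyspace = ASSUMED_WORDLIST_SIZE ** len(words)   # word-by-word guessing
    else:
        keyspace = charset_size(secret) ** len(secret)   # character-by-character
    return keyspace / 2 / guesses_per_second / SECONDS_PER_YEAR


def is_secure_forever(secret: str, guesses_per_second: float) -> bool:
    return years_to_crack(secret, guesses_per_second) > FOREVER_YEARS


def meets_passphrase_policy(secret: str) -> bool:
    """The post's rule: at least 3 words, at least one of them uncommon."""
    words = secret.split()
    return len(words) >= 3 and any(w not in COMMON_WORDS for w in words)


def minutes_to_compromise(accounts: int, attempts_per_second: float, fraction: float) -> float:
    """Minutes of online guessing to hit `accounts` users sharing one password used by `fraction`."""
    return accounts / (attempts_per_second * fraction) / 60
```

Under this model an 8-character mixed password is "forever" at the post's online rate but not at an offline rate, while a passphrase with an uncommon word stays "forever" at both; that is the practical reason for the uncommon-word recommendation.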

Ruben Reyes - Lyquix Principal
