Follow-up analysis of the Stratfor password list (Part 2).
In part two of The Tech Herald’s follow-up on the Stratfor password analysis, we examine common password creation methodologies, and why some of them simply don’t work like they used to. In addition, we look at some recent advice printed by the media, and put it to the test.
When The Tech Herald started to examine the list of password hashes lifted during the attack on Stratfor, the goal was to see how many we were able to recover with little to no effort on our part. The sheer volume of passwords recovered during the first test led us to remark that password creation and management is stuck in the Dark Ages; the overall volume recovered after the second test confirms this. [You can read more in Part 1 of this report.]
In this report, we’ll examine some of the most common pieces of advice given to people when developing passwords for usage, and see how they stack against the 119,912 passwords recovered from the Stratfor list.
Basic Passwords vs. Complex Passwords
One of the first things people are often told is that complexity matters when it comes to passwords. This is true to a degree, but it isn’t flawless advice. In fact, no two people will agree on what makes a password complex. Along with complexity, people are also told to make their password unique, but again, no one will agree on what unique means. Should it be unique to a domain? Should it be unique to an individual? Should it be both?
“If you're worried about a site being crashed and your password being used against you somewhere else on a different site, uniqueness is very important...The problem is that it's nearly impossible to enforce,” explained Rafal Los, the Enterprise & Cloud Security Strategist for HP.
For example, he posed a hypothetical question: how would a social media site enforce uniqueness? It can enforce uniqueness within its own domain, but it has no say anywhere else on the Web.
“Complexity matters only if you understand how complexity works. A password of 'password' is no more or less complex than 'password1' or 'passw0rd' to a modern password-cracking system,” Los added.
Moreover, Los said, complexity means little if the user cannot remember the password. Research from vendors such as Bit Defender has proven that passwords are consistently recycled. The longer and stronger a password is, the more likely a user is to consider it unique, and thus secure. However, people have bad memories, so creating such a password for every site is just a bothersome chore.
So that unique social media password may be shared with GMail too. This is why Los points to phrases as passwords, as they will meet the complexity and length requirements, and make things easy to remember. They also make things harder for password cracking attempts, but not impossible.
Yet phishing and other attacks against passwords (such as man-in-the-middle attacks or malware) can defeat phrases altogether.
Password creation advice that only looks good in print
Just before the Stratfor hack, a reporter for a major Web and print publication offered readers password creation advice that would supposedly render the newly minted passwords “uncrackable.”
The idea that a password can be uncrackable is truly hilarious. That simply isn’t true, and should never be promised by anyone who works in or around the InfoSec world.
So what is the advice that will create these “uncrackable” passwords?
- Spell a word backwards.
- Use L33t speak.
- Randomly throw in some capital letters.
- Don’t forget the special character.
The first bit of advice deals with spelling a word backwards. The example was ‘New York’, turning it into ‘kroywen’. This advice offers no value.
In Hashcat (the program we used to crack the Stratfor list), one of the rules that can be created deals with taking a word from a given dictionary, such as New York, and attempting it in reverse, with or without spaces.
Not only would ‘kroywen’ be cracked easily, so would ‘kroy wen’ or other variants. Moreover, you can string password cracking rules together, giving the cracking application more variables to play with, such as attempting ‘KroyWen’ or ‘kroYweN,’ and everything in-between.
The second piece of advice uses the same example, ‘kroywen.’ This time it’s altered with L33t speak, transforming it into ‘kr0yw3n.’ The reporter goes on to explain that obvious replacements such as @ for the letter A, or the number 3 for the letter E, are not the only options. Any number or symbol can be used so long as the L33t speak replacement makes sense to the user.
Yet this advice ignores the fact that such replacements are obvious precisely because people tend to stick with what they can remember. In terms of rules, password crackers can easily swap characters out.
For example these rules will swap a given letter:
sa4 (Change a to 4)
sa@ (Change a to @)
ss5 (Change s to 5)
so0 (Change o to 0)
Again, rules are combined, so switching between capital and lowercase letters, as well as L33t speak, is a trivial task. These five passwords were all taken from the Stratfor list.
Randomly inserting capital letters:
As you can see from the L33t speak example, this does nothing to hinder a password cracker. If the password being used can be found on a word list, then the cracking program can attempt several combinations of that word.
Example (using rules for L33t speak, toggle case, and reversal):
cat Cat cAt caT CAt cAT CaT
tac Tac tAc taC TAc tAC TaC
c@t C@t c@T C@T c@7 c47 C@7
C47 74c 7@c 7@C 74C t@c t4c
Don’t forget the special characters:
Again, sticking with just the previously mentioned rules, adding special characters does not mean a password is uncrackable. It doesn’t matter if the special characters are used as replacements, added at the beginning, or the end of the base word.
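The reversal, L33t and case rules above are cheap for a cracker to apply, so a registration form can apply the inverse: normalise the candidate password back to its base word and reject it if that word (or its reverse) is in a cracking dictionary. This is an added example, not code from the article or from Hashcat; the `LEET` table, the `normalise`/`base_word` helpers and the tiny `WORDLIST` are assumptions constructed for illustration.

```python
import re

# Substitutions the article lists (a->4, a->@, s->5, o->0) plus the e->3 and
# t->7 seen in its 'c@7'/'c47' examples; s->$ and i->1 are added assumptions.
LEET = {"4": "a", "@": "a", "5": "s", "$": "s", "0": "o", "3": "e", "7": "t", "1": "i"}


def normalise(pw):
    """Undo case, L33t substitutions and separators: 'Kr0y W3n' -> 'kroywen'."""
    mapped = "".join(LEET.get(ch, ch) for ch in pw.lower())
    return "".join(ch for ch in mapped if ch.isalpha())


def candidate_forms(pw):
    """Base forms a simple rule stack reaches: as-is, with leading/trailing
    digits or symbols stripped, and each of those reversed."""
    stripped = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", pw)
    forms = set()
    for variant in (pw, stripped):
        base = normalise(variant)
        if base:
            forms.update({base, base[::-1]})
    return forms


def base_word(pw, wordlist):
    """Return the dictionary word the password is derived from, or None."""
    index = {w.replace(" ", "").lower(): w for w in wordlist}
    for form in candidate_forms(pw):
        if form in index:
            return index[form]
    return None


# Constructed mini wordlist; a real check would load a full cracking dictionary.
WORDLIST = ["new york", "cat", "password", "stratfor"]

if __name__ == "__main__":
    for pw in ["kroywen", "kr0yw3n", "KroyWen", "kroy wen!", "C@7", "passw0rd1", "Kathy*14ee_#5"]:
        print(f"{pw:16} -> {base_word(pw, WORDLIST)}")
```

Every variant the reporter proposed maps back to “new york”, while a password that is not a mangled dictionary word passes through unmatched.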
Here are some additional examples taken from the Stratfor list.
The “uncrackable” password advice continues by offering this advice:
“Another option is to pick a pattern on the keyboard and type based on that. For example, a counter-clockwise spin around the letter d could result in 'rewsxcvf.' Throw in some random caps and numbers to really lock it down.”
When we cracked the Stratfor hashes, one of the word lists we used consisted of nothing but keyboard combinations. At 180MB in size, it shredded keyboard pattern-based passwords from 3-18 characters long in a matter of minutes.
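A defender can catch keyboard patterns without a 180MB word list by modelling the key layout and measuring how much of the password is a walk across adjacent keys. This is an added example, not code from the article; the `ROWS` layout (US QWERTY, letters and the digit row only), the `adjacent`/`longest_keyboard_walk` helpers and the `min_run` threshold are assumptions constructed for illustration.

```python
# Rows of a US QWERTY keyboard, top to bottom. Each lower row is offset half a
# key to the right, so key (r, c) sits below keys (r-1, c) and (r-1, c+1).
ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
POS = {ch: (r, c) for r, row in enumerate(ROWS) for c, ch in enumerate(row)}


def adjacent(a, b):
    """True if keys a and b touch on the layout (same row or staggered neighbours)."""
    if a not in POS or b not in POS:
        return False
    (ra, ca), (rb, cb) = POS[a], POS[b]
    if ra == rb:
        return abs(ca - cb) == 1
    if rb == ra + 1:                  # b is one row below a
        return cb in (ca, ca - 1)
    if ra == rb + 1:                  # a is one row below b
        return ca in (cb, cb - 1)
    return False


def longest_keyboard_walk(pw):
    """Length of the longest run of consecutive characters that are adjacent keys."""
    pw = pw.lower()
    best = run = 1 if pw else 0
    for prev, cur in zip(pw, pw[1:]):
        run = run + 1 if adjacent(prev, cur) else 1
        best = max(best, run)
    return best


def is_keyboard_walk(pw, min_run=5):
    """Flag a password when a keyboard pattern forms a substantial part of it."""
    return longest_keyboard_walk(pw) >= min_run


if __name__ == "__main__":
    # 'rewsxcvf' is the reporter's counter-clockwise spin around 'd'.
    for pw in ["rewsxcvf", "qwerty123", "password", "Kathy*14ee_#5"]:
        print(f"{pw:16} walk={longest_keyboard_walk(pw)} flagged={is_keyboard_walk(pw)}")
```

The check ignores shifted symbols and non-US layouts, so treat it as one signal in a policy rather than a complete test.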
So, it’s clear that the four steps to an “uncrackable” password amount to little more than an authentication layer that is easily defeated. However, we all need passwords. It’s a way of life online, and we use them offline too. The PIN for the ATM is a password, so is the locker combination at the gym. Yet, the locker and ATM have defined rules, which are uniform in scope. You know your limits at the ATM (4 characters) and you know the locker will require 3 sets of numbers in a Right-Left-Right sequence.
Online, some of the more complex and useful pass-phrases are defeated before they can even be used. Not because someone cracked them, but because the application itself refuses to allow them. When a user registers for a given website, they’re often presented with limits on the length and characters allowed in passwords. This means that while Kathy*14ee_#5 may be a strong choice for the password field, the application’s limits may reduce it to Kathy14.
For most applications, the limits placed on passwords stem from development issues, where certain characters are needlessly blocked instead of sanitized for the sake of security. There are also usability and customer experience considerations, where the website or application wants to make things as easy as possible when it comes to registration. This tradeoff often comes at the expense of security, as the password is sacrificed for ease of use, leaving Kathy with no other option but to ditch her crafty password for something weaker.
Password testing and a false sense of security:
Most experts agree that length makes for a relatively secure password. This is why pass-phrases are the go-to solution. As mentioned earlier, pass-phrases offer length, and can offer complexity as well, but only if they are designed that way. People often turn to websites that offer a test of sorts when it comes to password strength. The site that earns the most recommendations is HowSecureIsMyPassword.net.
Now, the website itself carries a disclaimer that it is for educational purposes only. Yet many people will test a password there and, based on the results, consider it secure and move on. This is interesting, because some of the passwords that were taken from the Stratfor list registered as ultra secure.
The following list of passwords would collectively take eons to crack according to HowSecureIsMyPassword.net. Each one was cracked during the first set of testing against the Stratfor hash list. Total time for that test was less than five hours.
The time is now!
live and let die
Take note that these passwords, while cracked within hours, all meet the criteria often recommended by experts. They’re long, complex in that they use numbers and special characters, and seven of them would count as a pass-phrase.
Dealing with password heartaches and headaches:
“Through 20 years of effort, we've successfully trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess...” –XKCD (http://xkcd.com/936/)
In the last few years, there has been a growing discussion within the InfoSec community on the use of multi-factor authentication, augmenting the use of passwords with an additional layer of protection. It isn't perfect, but it's a solid layer of protection for networks and applications. It's just that it's not widely adopted.
Passwords are no longer the sure bet that they were 10 years ago. These days, passwords are best regarded as an additional layer of authentication. The advice of making a password long and easy to remember isn’t as easy as it seems, but it’s all we’ve got.
A password should have length, and it should use a mix of numbers and characters. However, with length comes the issue of memory, so mnemonics are often the recommended solution.
Example: In 1998, I started working the helpdesk for a local ISP.
When it comes to creating a solid password, the only thing to remember is to make it as long a password as can be remembered, and to create variations of it so that you’re not recycling them. How you go about doing this is up to you. Passwords are a personal thing, and the methods you use to construct one should be yours alone.
With that said, nothing is perfect, and a focused attacker will crack the password you create eventually. If you find yourself needing to remember a number of complex passwords, use an application such as KeePass or LastPass. This way, you only need to remember one master password, and from there the application takes care of the rest. In addition, if your bank or workplace offers the use of a multi-factor authentication method, take it. The added security is worth it.
As a friend pointed out recently, it's ironic really that World of Warcraft offers multi-factor authentication to players, yet most banks do not offer such protection to customers. (Due to usability reasons mostly.)
So if your password is ever stolen, your level 50 Elf is safe, but that direct deposit is history.