Follow-up analysis of the Stratfor password list (Part 2). (IMG: J.Anderson)
In part two of The Tech Herald’s follow-up on the Stratfor password analysis, we examine common password creation methodologies, and why some of them simply don’t work like they used to. In addition, we look at some recent advice printed by the media, and put it to the test.
When The Tech Herald started to examine the list of password hashes lifted during the attack on Stratfor, the goal was to see how many we were able to recover with little to no effort on our part. The sheer volume of recovered passwords during the first test led us to remark that password creation and management is stuck in the Dark Ages; the overall volume of recovered passwords after the second test confirms this. [You can read more in Part 1 of this report.]
In this report, we’ll examine some of the most common pieces of advice given to people when developing passwords for usage, and see how they stack against the 119,912 passwords recovered from the Stratfor list.
Basic Passwords vs. Complex Passwords
One of the first things people are often told is that complexity matters when it comes to passwords. This is true to a degree, but it isn’t flawless advice. In fact, no two people will agree on what makes a password complex. Along with complexity, people are also told to make their password unique, but again, no one will agree on what unique means. Should it be unique to a domain? Should it be unique to an individual? Should it be both?
“If you're worried about a site being crashed and your password being used against you somewhere else on a different site, uniqueness is very important...The problem is that it's nearly impossible to enforce,” explained Rafal Los, the Enterprise & Cloud Security Strategist for HP.
For example, he posed a hypothetical question: how would a social media site enforce uniqueness? They can enforce it within their domain, but they have no say anywhere else on the Web.
“Complexity matters only if you understand how complexity works. A password of 'password' is no more or less complex than 'password1' or 'passw0rd' to a modern password-cracking system,” Los added.
Moreover, Los said, complexity means little if the user cannot remember the password. It's been proven by research from vendors such as Bitdefender that passwords are consistently recycled. The longer and stronger a password is, the more a user is likely to consider it unique, and thus secure. However, people have bad memories, so creating such a password for every site is just a bothersome chore.
So that unique social media password may be shared with GMail too. This is why Los points to phrases as passwords, as they will meet the complexity and length requirements, and make things easy to remember. They also make things harder for password cracking attempts, but not impossible.
Yet phishing and other attacks against passwords (such as man-in-the-middle attacks or malware) can defeat phrases altogether.
Password creation advice that only looks good in print
Just before the Stratfor hack, a reporter for a major Web and print publication offered readers password creation advice that will render the newly minted passwords “uncrackable.”
The idea that a password can be uncrackable is truly hilarious. That simply isn’t true, and should never be promised by anyone who works in or around the InfoSec world.
So what is the advice that will create these “uncrackable” passwords?
- Spell a word backwards.
- Use L33t speak.
- Randomly throw in some capital letters.
- Don’t forget the special character.
The first bit of advice deals with spelling a word backwards. The example was ‘New York’, turning it into ‘kroywen’. This advice offers no value.
In Hashcat (the program we used to crack the Stratfor list), one of the rules that can be created deals with taking a word from a given dictionary, such as New York, and attempting it in reverse, with or without spaces.
Not only would ‘kroywen’ be cracked easily, so would ‘kroy wen’ or other variants. Moreover, you can string password cracking rules together, giving the cracking application more variables to play with, such as attempting ‘KroyWen’ or ‘kroYweN,’ and everything in-between.
The second piece of advice uses the same example, ‘kroywen.’ This time it’s altered with L33t speak, transforming it into ‘kr0yw3n.’ The reporter goes on to explain that obvious replacements such as @ for the letter A, or the number 3 for the letter E, are not the only options. Any number or symbol can be used so long as the L33t speak replacement makes sense to the user.
Yet, this advice ignores the fact that the reason such replacements are obvious is that people tend to stick with what they can remember. Rule-wise, password crackers can swap characters out just as easily.
For example, these rules will swap a given letter:
sa4 (Change a to 4)
sa@ (Change a to @)
ss5 (Change s to 5)
so0 (Change o to 0)
Again, rules are combined, so switching between capital letters and lowercase, as well as L33t speak, is a trivial task. These five passwords were all taken from the Stratfor list.
Randomly inserting capital letters:
As you can see from the L33t speak example, this does nothing to hinder a password cracker. If the password being used can be found on a word list, then the cracking program can attempt several combinations of that word.
Example (using rules for L33t speak, toggle case, and reversal):
cat Cat cAt caT CAt cAT CaT
tac Tac tAc taC TAc tAC TaC
c@t C@t c@T C@T c@7 c47 C@7
C47 74c 7@c 7@C 74C t@c t4c
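From the defender's side, the same rule chaining can be used to reject a new password that is only a mangled dictionary word. The sketch below is an added example, not code from the article or from Hashcat: it interprets three Hashcat-style rule functions (`:` no-op, `r` reverse, `sXY` substitute), and the word list, the substitution table and the function names are constructed for illustration.

```python
from itertools import product

# Swaps from the article's rule list, plus e->3 and t->7 as seen in its examples.
SUBS = {"a": "4@", "s": "5", "o": "0", "e": "3", "t": "7"}
WORDS = ("cat", "newyork", "password")  # constructed stand-in for a real word list

def apply_rule(rule, word):
    """Run one rule line (space-separated Hashcat-style functions) on a word."""
    for fn in rule.split():
        if fn == ":":                          # no-op
            continue
        if fn == "r":                          # reverse the word
            word = word[::-1]
        elif fn[0] == "s" and len(fn) == 3:    # sXY: replace every X with Y
            word = word.replace(fn[1], fn[2])
        else:
            raise ValueError(f"unsupported rule function: {fn}")
    return word

def rule_lines(word):
    """Yield every combination of SUBS swaps for this word, with and without reversal."""
    letters = [ch for ch in SUBS if ch in word]
    for picks in product(*[[None, *SUBS[ch]] for ch in letters]):
        subs = " ".join(f"s{ch}{rep}" for ch, rep in zip(letters, picks) if rep)
        for tail in ("", "r"):
            yield " ".join(filter(None, [subs, tail])) or ":"

def find_derivation(password, wordlist, max_affix=2):
    """Return (word, rule) if the password is a mangled wordlist entry, else None.

    Case is folded first, so every toggle-case variant collapses to one string,
    and up to max_affix leading/trailing non-letters are treated as padding.
    """
    folded = password.lower()
    cores = set()
    for i in range(max_affix + 1):
        for j in range(max_affix + 1):
            affix = folded[:i] + folded[len(folded) - j:]
            if i + j < len(folded) and not any(c.isalpha() for c in affix):
                cores.add(folded[i:len(folded) - j])
    for word in wordlist:
        for rule in rule_lines(word):
            if apply_rule(rule, word) in cores:
                return word, rule
    return None

if __name__ == "__main__":
    for pw in ("kroYweN", "kr0yw3n", "C@7", "password1", "vq9#Lr2xw"):
        print(pw, "->", find_derivation(pw, WORDS))
```

A password-change handler can call `find_derivation` against its own deny list and refuse any candidate that returns a match.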
Don’t forget the special characters:
Again, sticking with just the previously mentioned rules, adding special characters does not mean a password is uncrackable. It doesn’t matter if the special characters are used as replacements, added at the beginning, or the end of the base word.
Here are some additional examples taken from the Stratfor list.
The “uncrackable” password advice continues with this suggestion:
“Another option is to pick a pattern on the keyboard and type based on that. For example, a counter-clockwise spin around the letter d could result in 'rewsxcvf.' Throw in some random caps and numbers to really lock it down.”
When we cracked the Stratfor hashes, one of the word lists we used consisted of nothing but keyboard combinations. At 180MB in size, it shredded keyboard pattern-based passwords from 3-18 characters long in a matter of minutes.
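A registration form can catch keyboard patterns without shipping a 180MB list by checking whether consecutive characters are physical neighbours. This is an added example, not the word-list method used in the article; it assumes a US QWERTY layout, and the row offsets, the `min_run` threshold and the function names are illustrative choices.

```python
# US QWERTY rows with approximate horizontal stagger, in key widths (assumed layout).
ROWS = [("1234567890", 0.0), ("qwertyuiop", 0.5), ("asdfghjkl", 0.75), ("zxcvbnm", 1.25)]
POS = {ch: (r, off + i) for r, (row, off) in enumerate(ROWS) for i, ch in enumerate(row)}
# Map shifted number-row symbols back to their key so "!@#$" counts as "1234".
UNSHIFT = str.maketrans("!@#$%^&*()", "1234567890")

def adjacent(a, b):
    """True when two different keys touch: same or neighbouring row, at most one key apart."""
    if a == b or a not in POS or b not in POS:
        return False
    (row_a, x_a), (row_b, x_b) = POS[a], POS[b]
    return abs(row_a - row_b) <= 1 and abs(x_a - x_b) <= 1

def longest_walk(password):
    """Length of the longest run of consecutive characters that are keyboard neighbours."""
    s = password.lower().translate(UNSHIFT)   # random caps and shifted digits do not hide a walk
    best = run = min(len(s), 1)
    for prev, cur in zip(s, s[1:]):
        run = run + 1 if adjacent(prev, cur) else 1
        best = max(best, run)
    return best

def is_keyboard_walk(password, min_run=4):
    """Flag a password that contains a walk of at least min_run keys."""
    return longest_walk(password) >= min_run

if __name__ == "__main__":
    for pw in ("rewsxcvf", "ReWsXcVf", "qwerty", "tangerine"):
        print(pw, longest_walk(pw), is_keyboard_walk(pw))
```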
So, it’s clear that the four steps to an “uncrackable” password amount to little more than an authentication layer that is easily defeated. However, we all need passwords. It’s a way of life online, and we use them offline too. The PIN for the ATM is a password, so is the locker combination at the gym. Yet, the locker and ATM have defined rules, which are uniform in scope. You know your limits at the ATM (4 characters) and you know the locker will require 3 sets of numbers in a Right-Left-Right sequence.
Online, some of the more complex and useful pass-phrases are defeated before they can even be used. Not because someone cracked them, but because the application itself refuses to allow them. When a user registers for a given website, they’re often presented with limits on the length and characters with respect to allowable passwords. This means that while Kathy*14ee_#5 may be a strong choice for the password field, the application’s limits may reduce it to Kathy14.
For most applications, the limits placed on passwords stem from development issues, where certain characters are needlessly blocked instead of sanitized for the sake of security. There are also usability and customer experience considerations, where the website or application wants to make things as easy as possible when it comes to registration. This tradeoff often comes at the expense of security, as the password is sacrificed for easy use, leaving Kathy with no other option but to ditch her crafty password for something weaker.
Password testing and a false sense of security:
Most experts agree that length equals a relatively secure password. This is why pass-phrases are the go-to solution. As mentioned earlier, pass-phrases offer length, and can offer complexity as well, but only if they are designed that way. People often turn to websites that offer a test of sorts when it comes to password strength. The site that earns the most recommendations is HowSecureIsMyPassword.net.
Now the website itself holds a disclaimer that it is for educational purposes only. Yet, many people will test a password there and based on the results, consider it secure and move on. This is interesting, because some of the passwords that were taken from the Stratfor list registered as ultra secure.
The following list of passwords would collectively take eons to crack according to HowSecureIsMyPassword.net. Each one was cracked during the first set of testing against the Stratfor hash list. Total time for that test was less than five hours.
The time is now!
live and let die
Take note that these passwords, while cracked within hours, all meet the criteria often recommended by experts. They’re long, complex in that they use numbers and special characters, and seven of them would count as a pass-phrase.
Dealing with password heartaches and headaches:
“Through 20 years of effort, we've successfully trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess...” –XKCD (http://xkcd.com/936/)
In the last few years, there has been a growing discussion within the InfoSec community on the use of multi-factor authentication, augmenting the use of passwords with an additional layer of protection. It isn't perfect, but it's a solid layer of protection for networks and applications. It's just that it's not widely adopted.
Passwords are no longer the sure bet that they were 10 years ago. These days, passwords are best regarded as an additional layer of authentication. The advice of making a password long and easy to remember isn’t as easy as it seems, but it’s all we’ve got.
A password should have length, and it should use a mix of numbers and characters. However, with length comes the issue of memory, so mnemonics is often the recommended solution.
Example: In 1998, I started working the helpdesk for a local ISP.
When it comes to creating a solid password, the only thing to remember is to make it as long a password as can be remembered, and to create variations of it so that you’re not recycling them. How you go about doing this is up to you. Passwords are a personal thing, and the methods you use to construct one should be yours alone.
With that said, nothing is perfect, and a focused attacker will crack the password you create eventually. If you find yourself needing to remember a number of complex passwords, use an application such as KeePass or LastPass. This way, you only need to remember one master password, and from there the application takes care of the rest. In addition, if your bank or workplace offers the use of a multi-factor authentication method, take it. The added security is worth it.
As a friend pointed out recently, it's ironic really that World of Warcraft offers multi-factor authentication to players, yet most banks do not offer such protection to customers. (Due to usability reasons mostly.)
So if your password is ever stolen, your level 50 Elf is safe, but that direct deposit is history.