Passwords, not good enough anymore!
In the earliest days of computing physical access to the computer was enough security. Today all of our devices are wired up and networked constantly connected to threats more pervasive than many of us realize. We have been taught to use passwords, and we hate them. Now it seems we are constantly told our passwords are not good enough, they are not. Why is it that passwords that used to be acceptable are not good enough anymore?
First our techy friends told us we needed to add a number to our password (early 90's). Then they said to replace several characters with numbers (late 90s). Then they said make it longer (Early 00's). Next we were told to use an acronym/mnemonic for a short phrase (Late 00's). Now they are saying fully randomized passwords at least 12 characters in length. Why do they keep changing the rules?
Simply put, Moore’s law. Gordon Moore co-founder of Fairchild Semiconductor and Intel, noted that the number of transistors per circuit would double every two years. David House, an Intel executive, stated because the speed was also increasing, overall performance will double every 18 months. And as far fetched as this sounded, it has.
The Apple iPhone 4 has computing capability comparable to the Cray Supercomputer. You knew you had a computer in your pocket, you didn’t realize it was a supercomputer.
But what does computing power have to do with our passwords?
As computing power increases, the time it takes to crack a password decreases.
Our passwords are typically not stored as we type them, instead a computer formula is used to convert the password into a fingerprint. These formulas are called cryptographic hashing functions. The fingerprint is known as a hash. These functions have the property that every time they are given the same input they will give the same output. The input cannot be determined from the output, they are not reversible. If they input varies just a little bit, the output will be significantly different so that it is not possible to determine if you are close to a correct guess. When we login, the formula is run on the password we provide to generate a hash, that hash is compared with the hash that is stored in a database and if it matches, we are given access.
In order to “crack” a password, I must find the input that will generate a given output or cryptographic hash. I know the algorithm being used, but because of the properties of a cryptographic function, I cannot guess, I will need to try every possible combination. This process of trying every possible combination is called brute force.
What does this have to do with changing password requirements?
The faster I can test each possible combination, the faster I can crack your password. If I can double computing power, I can crack your password in half the time. And while I cannot guess, I can be intelligent about what inputs to test first. While there are 217 billion possible combinations of lower case letters in 8 characters, yourdictionary.com only lists 29 thousand 8 letter words. I will be able to test those in a fraction of the time. And while they only list 4,000 4-letter words, when two 4-letter words are combined, there are 16 million possibilities, still that is 1/10,000 the number of functions to test. If we consider 4 character words with 4 numbers to make up the difference, there are 400 million possibilities to test. So while I cannot guess per se, as in your getting warmer, I can be intelligent about what inputs I attempt first, and if the user was not using a truly random password, then I have pretty good chance to find it quickly.
We are so predictable.
When they told us to use a number in our password, we thought well I have to remember the number may as well be one I can remember. So we used the date. More specifically, we used the year, often the year of an important event in our lives, or the current year. So as a cracker, I will look for numbers in the range 10–18 first, then 90–00 and 00–09. Next 70–90, and so on. Of course I also will look for 1970–2018 as likely candidates. What about symbols? The crackers are onto you there as well. They know that if you are required to use a symbol, it is very most likely the ! exclamation mark and it is most likely at the end of your password, or the beginning. Other common symbol use is as letter replacements, P4$$w0rd anyone? Yeah the crackers used this long before you did, their cracking code will attempt that as well. So your attempts to not use a dictionary word, while using a dictionary word now fail. A cracker will build a database of all these possible combinations, and prioritize them before the truly random attempts. But before they test those, they will use a list of frequently used passwords, because it seems we are not quite so creative as we think we are.
All of these cracking techniques work to reduce the number of attempts required to crack a password. Using a password that breaks all of those rules, means that our password will not be found until they have tried all of the other more likely possibilities.
Length is truly king.
In 2010 a 5 node 25 GPU cluster was built and tested that was capable of cracking every possible 8 character Windows password in 5.5 hours. It was capable of processing 350 billion guesses per second. Consider that. In the first second, every possible dictionary word, with every possible padding technique, including character swaps. In the second second every possible lowercase combination of random letters. Within the first few seconds all of the standard password creation techniques will have been exhausted, and only the truly random will remain to test. After 5.5 hours ever possible combination will have been tested.
But that was 7 years ago, computing power has doubled 5 times since then. In 2017, the test was repeated with an updated build. This time it was only a single computer with 8 graphics cards in it. This system had 1/3 the number of graphics cards and 1/5 the number of computers, but was only 1/2 the speed of the original. Now a single computer is capable of every 8 character windows password in 11 hours.
Cryptocurrency has changed the game
Some will dismiss these as hypotheticals that a criminal won’t have a computer that powerful, that such machines only exist in the labs of wealthy corporations, but cryptocurrency has completely changed that. Now, such “mining rigs” are common place, and they pay for themselves plus some. So a criminal can build his password cracking power house, and have it mining cryptocurrency in the down time. Best part, he can buy it all with your credit card because you didn’t use a proper password.
Cryptocurrency has changed it in other ways, that I don’t think many have considered. Those cryptographic hashing functions are at the core of cryptocurrency, and cryptocurrency mining is almost the same as password cracking. In fact they use the very same process. Mining for bitcoin requires running Sha256 hashes looking for the input that gives the required output. Exactly the process used to crack passwords, input that gives the required output of a cryptographic hash. Because of this, machines dedicated to the task have been built. The Bitmain Antminer S9 is capable of processing 14TH/s using the Sha256 algorithm. This is approximately 150x faster than the machine above. If the passwords were stored using Sha256, the 8 character password space could be covered by this machine in approx 8 minutes. Still think 8 characters is long enough?
The Good News, Size Matters, Choose your Size
Adding just one character to the 8 changes the time from 8 minutes to 12 hours. Another character (10 total) and it becomes 50 days. With 12 characters it will take over a century. Of course that isn’t true because over a century computing power will have doubled 800 more times. Not 800 times more powerful but 2⁸⁰⁰ or 6 with 240 0s behind it more powerful. Or put a little more comprehensible, in 18 months 1 century becomes 500 years. Another 18 months, 250 years, after 6 years, it will only take 62.5 years to crack all 12 character passwords. After 35 years it will only take 1 hour to crack all 12 character passwords on a reasonable personal cracker, so definitely not a century. But it seems that a truly random password using upper, lower, numbers and symbols is good for a while. If however you are using any kind of pattern, words, or dates, you should be going much longer. While it would take 5.5 hours today to crack a random password, any password using a 2–8 character word in any form would be cracked in the first few seconds by that same computer.
How can I remember a password that doesn’t use words?
There are a great many options for password management today. My favorite is KeePass. Another option is 1Password, but that requires a fee, though it is a bit more user friendly. I find KeePass to work well enough once you get used to it. In any case, such a tool is critical. It will relieve you of the need to remember passwords, and it will make it easy to do that thing you never do, to use a unique password on every site.
Conclusion TL:DR;
Computing power is accelerating, doubling every 18 months. Password strength has to keep up to avoid compromise. The best way to do this today is to start with 12 character random passwords today, and add a character in length every 18 months. Alternatively, use a much longer password if you are using any type of pattern (not truly random) and still increase the length every 18 months. Finally, use a tool to manage your passwords so you can easily generate unique random passwords for every new account.