How to Outguess Passwords

Security is always about the weakest link


Have you ever wasted a few moments with a sketchy website that promises to reveal your Klingon name (wizard name, ghetto name, porn star name, etc.)? Some of these sites are fronts for password-harvesting operations. They’ll ask you for some personal data—mixed in with Trekkie trivia
—and prompt you to make up a password. Scammers know that the password you supply is likely to be similar or identical to ones you use elsewhere. They may sell collected passwords on the black market for about $20 each.

A password is like the key to your home. There are weak locks and strong locks, but neither does any good when a pickpocket swipes your key. Security is always about the weakest link.

Most identity thieves don’t bother with trickery. They pick the low-hanging fruit—the passwords easiest to guess. One recent study found that nearly 1 percent of passwords can be guessed in four tries.

How is that possible? Simple—you try the four most common passwords. A typical list would run password, 123456, 12345678, and qwerty. That opens 1 percent of all sesames.

Okay, you’re in the 99 percent not using an insanely bad password. You still have to consider the speed of today’s hacking software. John the Ripper, a free hacking program, can test millions of passwords a second. One commercial software recovery program intended for forensic use (on seized computers of child pornographers and terrorists) claims it can check 2.8 billion passwords a second.

Initially, cracking software runs through an exhaustive, frequently updated list of thousands of the most popular passwords and then segues to a full dictionary search. It tries every single word in the dictionary, as well as all common proper names, nicknames, and pet names.

Most of us have been shamed and browbeaten into adding numbers, punctuation marks, and odd capitalization to our passwords. This is known as mangling. In theory, mangling makes it a lot harder to guess a password. In practice, not so much. Almost everyone’s mind follows the same well-worn mental grooves. When a site insists on having a number, password becomes password1 or password123 with alarming regularity. A requirement to mix capitals and lowercase elicits Password or PaSsWoRd. Mandatory punctuation marks gets you password! and p@ssword. A password that might look secure, like $pider_Man1, isn’t. Everybody is oh-so‑devious in the same ways. There is reason to fear that site-enforced mangling rules cause users to pick simpler, easier‑to‑guess base passwords. Mangling can create a false sense of security.

News features on password security invariably cut to the cynical expert who belittles every common or realistic password practice. Many pros subscribe to the “write it down” philosophy. “Simply, people can no longer remember passwords good enough to reliably defend against dictionary attacks, and are much more secure if they choose a password too complicated to remember and then write it down,” wrote consultant Bruce Schneier in 2005, eons ago in the digital world. “We’re all good at securing small pieces of paper. I recommend that people write their passwords down on a small piece of paper, and keep it with their other valuable small pieces of paper: in their wallet.”

Even with the paper in hand, it’s a chore to peck out a long, hard‑to‑remember password. Good luck with a mobile device’s virtual keyboard. The gulf between experts and reality is illustrated by my father’s system. He writes his password on a Post‑it note and sticks it to his desktop monitor. The password is nothing fancy, just a two- word phrase with no digits or funny characters. Not only do real people choose insecure passwords, they have a heck of a time remembering them.

In their digital wanderings, many users leave behind a snail trail of similar passwords. They try to use the same password for every site, damn the risk. But some sites play nanny, enforcing ad hoc rules about length and types of characters required. Users are forced to customize their usual password and then, when they try to log back in, they can’t remember how they customized it.

A lot of what’s known about dumb passwords comes from the December 4, 2009, security breach of RockYou.com, a publisher of Facebook games. A hacker posted the site’s 32,603,388 user names and plaintext passwords. There have been many breaches before and since, but the scope of this one has made it a key dataset for the good guys and the bad guys.

The most popular RockYou password was 123456. A reported 290,731 were using that one. There were many differences by age and gender. For men under thirty, sex and scatology supplied popular passwords: pussy, fuck, fucking, 696969, asshole, fucker, horny, hooters, bigdick, tits, boobs, and the like were high up on the list. Elders of both genders leaned toward dated pop-culture references. Epsilon793 might not be such a terrible password, were it not the password of Captain Picard on Star Trek: The Next Generation. The seven-digit 8675309, an inscrutably common choice, was a phone number in a pop tune way back when. Boomers, the eighties called, and they want their passwords back.

It’s the easiest thing in the world to create a secure password. Use a random string of characters. You can’t achieve perfect randomness mentally, but you don’t have to do so. Websites and applets aplenty will give you random passwords generated from atmospheric noise. Here are some examples I just pulled from random.org:

mvAWzbvf
83cpzBgA
tn6kDB4T
2T9UPPd4
BLJbsf6r

Problem solved? Sure, for the paranoid mnemonist—or those who use a password manager app secured by a fingerprint reader. Everyone else balks at the prospect of memorizing character soup. It doesn’t help that we’ve been told we need a different password for every account.

Most users care more about convenience and less about security than the experts do. I’m not so sure the crowd is wrong. Do you have a panic room in your home? Probably not, though the people who install panic rooms will tell you that you need one. Before you spring for the panic room, maybe it would be better to make sure you always lock your front door.

Realistic password threats fall into three categories. Call them casual, mass attack, and targeted.

Casual means people you know. A snoopy coworker or family member may want to log into your accounts. He will be trying to guess your password based on personal knowledge of you (without the benefit of password-cracking software). The casual snoop might know your high school team was the Wildcats and try that. He might be completely defeated by wildCatz1.

Mass attack is like spam, nothing personal. The pro identity thief isn’t trying to break into your account per se, and she knows nothing about you personally. She’s trying to assemble a list of cracked passwords, typically for resale. Password thieves use software and begin by trying to crack the least secure sites, those that permit many guesses. This could be a game site where the password has no financial value. When the software guesses correctly, it tries the same password and variants on more secure accounts like banking.

Targeted means a private or public detective plus software. Should an informed person want to hack into your accounts, and should that someone have money and time (and the law?) on his side, he’s likely to succeed. The only countermeasure is using a random password long enough to guarantee search times of your life expectancy or greater.

Don’t be too sure you couldn’t be a target. A small business’s competitors may be willing to steal a laptop and expend the needed resources. So may a high-net-worth spouse in a divorce case. Hackers may take a disliking to someone’s business or politics. Twitter, meaning the whole site, was once compromised because an administrator unwisely chose the password happiness. In 2009 a hacker learned the Twitter password in a dictionary attack and posted it on the Digital Gangster site, leading to hijackings of the Twitter feeds of Barack Obama, Britney Spears, Facebook, and Fox News.

Like everything else in life, passwords involve trade-offs. You can’t have maximal security and maximal ease of use at the same time. One of the best of the commonly advised tactics is to convert a phrase or sentence to a password. You pick a sentence, phrase, or song lyric and use the first letter of each word as your password. May the force be with you would become Mtfbwy.

You wouldn’t want to use that one, though, and that’s the problem. You’re going to think of a well-known phrase from a movie, a college fight song, or South Park. How many eight-word-or-so phrases do you know verbatim? It’s not even clear that a randomly chosen phrase is harder to guess than a randomly chosen word. Few bother to mangle their pass-phrase acronym. It looks so random!

An ideal password scheme would work even if everyone used it. Should the pass-phrase scheme become popular, acronyms of all the pop-culture catch phrases would enter the lists of popular passwords, and cracking software would try these passwords first. Normally, acronyms are all letters and thus less secure than an any-character string of the same length.

Some of these drawbacks can be addressed. Never use a “famous quote.” One alternative is to use private jokes. Remember the funny comment the waiter said to Brenda in Cozumel? You do, Brenda does, maybe the waiter does, and that’s it. Should you pick that as your pass- phrase, the odds are high that you’ll be the only one on the planet using that phrase.

It’s less certain that the password itself will be unique. Different phrases can begin with the same letters, producing the same acronym. Some letters are more likely to begin words than others, and hacking software could potentially exploit this.

The best way to use the pass-phrase idea is to turn the conventional advice on its head. Instead of thinking of a phrase and converting it to a password (that won’t be all that random), get a truly random password and convert it to an easy‑to-remember phrase.

I used to use simple, stupid passwords. After one of my accounts was hacked, the site assigned me a temporary password. It was a random string of characters. I was going to change it until I realized that I didn’t need to do so. I could remember a random password.

The mind is good at seeing patterns in random data. This is how we remember phone numbers and Social Security numbers. It also works for random-character passwords like RPM8t4ka. I just now got that one from random.org. Though it’s authentically random, the eye and mind instantly spot patterns. In this case the first three letters happen to be all capital, and the last three are lowercase. The number 8 is twice 4.

You can easily translate a random password to a nonsense phrase. RPM8t4ka might become revolutions per minute, 8 track for Kathy. I don’t know what that means but I do know that it’s fairly easy to remember.

A password, a pass-phrase, a mnemonic—what’s the big deal? The difference is that a random-character password is the gold standard of security. It’s better than any human-chosen password could be. It will still be good even if everyone in the world adopts this scheme.

A random-character password of reasonable length is, for practical purposes, unguessable with today’s technology. It won’t appear in a list of popular passwords. A mass attacker could guess a random password only in a brute-force search. With upper- and lowercase letters and numbers, there are sixty-two possible characters. (I won’t count punctuation marks, as not all sites allow them.) That means it would take 62^8 guesses to be certain of hitting an eight-character password. That’s over 218 trillion guesses.

That effectively rules out an Internet mass attack and would slow down a targeted attack. Accepting the claim that some forensic software can spit out 2.8 billion guesses a second, it would take about twenty-two hours to make that many guesses. That’s secure enough for most people—should you disagree, you’re welcome to add a few more characters.

This doesn’t mean that a random password is invincible. It can’t be guessed, but it can be stolen. The Klingon name scam is one example. Careful folks fall for cons like that all the time. There is high-tech malware that records your every keystroke, and there are snoops using the low-tech method of watching over your shoulder as you type. Hackers may exploit a site’s lax internal security to get its passwords, through no fault of the users and their choices of passwords.

I use the “one strong password” philosophy. In view of the importance that passwords have assumed in our lives, it’s worth committing one random-character password to memory. You memorize your phone number, why not a password?

Once you’ve got that strong password, “protect the hell out of it,” says security consultant Nick Berry. Do everything you can to keep your computer free of malware, and use the password only for sites you know to be important and trustworthy. For games and unimportant sites, I use a simpler password that is nothing like my strong password.

There are so many ways that passwords get stolen that it’s not unreasonable to want a different password for each site. One customization formula is to take the last letter of the site name and tack it onto the beginning of the standard password. For Facebook, you’d add k onto your standard strong password, getting kRPM8t4ka. Though this customization isn’t secure in any absolute sense, it may get the job done. A snoop who sees you enter kRPM8t4ka to access your Facebook account is not going to have a clue how to generate your banking password. A mass attacker will collect thousands of passwords and find that a decent proportion of them work, unmodified, on other sites. He may not care about those that don’t.

I don’t have a punctuation mark or non-ASCII character in my strong password. In the rare cases where a site demands one, I add an easy‑to‑remember mark onto the end.

Some identity thieves skip passwords entirely. They pretend to be a user who has forgotten a password, and answer the security questions. Should they guess right, they can change the password to one of their choosing. Not only does the crook gain an identity to sell, but the legitimate user is locked out.

In 2008 someone hacked into Sarah Palin’s e‑mail account by guessing where she met her husband (Wasilla High). Four years later Mitt Romney’s accounts were breached by someone who guessed his favorite pet. It’s not just public figures who have to worry. Anyone who knows you well will be able to guess many of your answers to security questions. Hackers who don’t know you from Adam or Eve can use lists of the most popular pet names, used cars, team nicknames, etc.

Lately, news features have touted the counterstrategy of giving nonsense answers. The idea is that you answer every question in pig Latin, or give the same nonsense answer to every question. Your mother’s maiden name was Jimbob. Your high school mascot was Jimbob.

This probably works for the time being. That could change, should enough people adopt this strategy. Nonsense answers are probably as stereotyped as any other kind.

I always use honest answers. You don’t encounter security questions much. Years after you first answer security questions, when you have to prove who you are, you definitely don’t want to be in the position of not remembering your answers. Many sites let you choose security questions. I pick questions where my honest answer isn’t a common one or easy to guess.

Personal identification numbers (PINs) are the dime-store locks on our personal money machines. Nobody knocks himself out trying to invent a secure PIN. Most automated tellers limit them to four decimal digits anyway. I’m sure you can guess the most common PIN. Would you care to guess how many people use it?

Nick Berry estimates that 11 percent of the population uses 1234. There haven’t been many mass exposures of PINs. Hackers aren’t that interested because PINs are useless without the physical card. So Berry took lists of exposed passwords and filtered them to include only four-digit numbers with no letters. He figured that someone who uses 1967 as a password has some special connection to that number and is likely to use it when prompted for a four-digit PIN.

The second-most-popular PIN on Berry’s list is 1111 (chosen by 6 percent), and third is 0000 (picked by nearly 2 percent). Taken at face value, that means that a well-informed crook who finds your ATM card stands a 19 percent chance of guessing your PIN in the permitted three tries. After a third wrong guess the machine usually eats the card.

Here are Berry’s twenty most common PINs: 1234, 1111, 0000, 1212, 7777, 1004, 2000, 4444, 2222, 6969, 9999, 3333, 5555, 6666, 1313, 8888, 4321, 2001, 1010.

All the four-identical-digit choices appear. This isn’t a randomness experiment, it’s an I’m‑afraid‑I’ll‑forget-this-number-and-better-pick-something-really-easy experiment.

Berry found these less obvious patterns:

Years. All recent years and a few from history (1492, 1776) are high up on the list.

Couplets. Many pick a two-digit number and clone it to get the needed four (1212, 8787, etc.) Digits in couplets most often differ by 1.

2580. Some figure they’ll generate a random code by playing tic-tac-toe on the keypad. The only way to get the required four digits is to go straight down the middle: 2580. It’s the twenty-second-most- popular choice in Berry’s list. (For that you can thank the designer of the keypad, Alphonse Chapanis.)

1004. In Korean the numbers sound like the word for angel. This inspired a pop tune, “Be My 1004.” There are enough Koreans who figure that non-Koreans don’t know this to make it a popular choice.

It’s important to pick a PIN that’s not on the popular list. The least popular PIN was 8068, but you don’t necessarily want to use that, either. I would pick a number that begins with 6, 7, 8, 9, or 0 (as all of Berry’s least popular choices do) and has no evident pattern. Don’t use digits from a personal number like a MM/DD or YYYY birthday, driver’s license, or credit card. Those numbers are in your wallet, and losing your wallet is the commonest way to lose an ATM card.

Recap: How to Outguess Passwords
• Be prepared to memorize one good, strong password. It’s worth the effort.
• Go to a website that generates truly random passwords (like random.org). Create a list of five or ten candidate passwords.
• Pick a random password that you can convert into a memorable nonsense phrase. Use the phrase to remember the password.


Excerpted from Rock Breaks Scissors: A Practical Guide to Outguessing & Outwitting Almost Everybody by William Poundstone, published by Little, Brown and Company. Copyright © William Poundstone.

Buy Rock Breaks Scissors at Amazon / B&N / Indiebound / iBooks.