Creativity Is Your Best Weapon Against Password Hackers

Ryan Beswetherick
Moncur's Communi-Creations
6 min read · Mar 13, 2018

On the bright side, the rates of both violent and property crimes are in decline in the US and have been declining significantly over the past quarter century. But despite these positive trends, there is one category of crime that continues to grow: cyber crime. Cyber criminals are not picky about who they target and every company, institution and individual could be a potential victim.

One of the most important ways to protect yourself from cyber criminals is to design strong passwords. Cyber security firms research passwords that have been leaked in data breaches and publish lists of the most common passwords in use. Looking at these lists, it’s safe to say that the vast majority of people aren’t even trying: “123456” and “password” almost always hold the top two spots. I’m sure a few people thought they were pretty clever when they chose “letmein” as their password, but it usually makes the top ten, so I don’t recommend it. These common passwords lack creativity, to say the least.

Understanding the technology and math behind how passwords are cracked will help put everything in perspective, but these concepts alone aren’t enough to protect you. You also need creativity. Without it, you simply can’t design a strong password. If you’re a creative person, then great, this will help you. If not, you’ll need to try to be creative.

But before we address the creative aspects of password design, let’s get some of the technology stuff out of the way.

It’s All About Probability

When a user creates a new password, it is most likely stored as a hash in a database. Your password might be “bananacreampie”, but once it is hashed, it will be stored in a database as something like this:

AMNbbhZLcQHpDd0DWX+mylxJezioiLLIOO3nVhcxvHLWfwVaNVTKz3nyuFW55FlTwQ==

A hash function is a mathematical algorithm that transforms passwords of varying length into a value of fixed size, and most importantly, it is a one-way street: the stored hash cannot be converted back into the original password. The only practical way to crack a hashed password is to guess a candidate, run it through the same hashing algorithm (including any salt the site stored alongside the hash) and see whether the result matches. That is also why well-built systems use deliberately slow, salted hashes such as bcrypt, scrypt or Argon2: every guess costs the attacker the same slow computation the site pays once at login.

For the sake of this post, let’s assume that a hacker has stolen password hashes from a database and is trying to crack the passwords offline with software. Password cracking software such as hashcat and John the Ripper is open source and accessible to anyone. In its most basic mode it applies a brute-force approach and guesses every conceivable password until a match is found. Guessing every conceivable password, of course, takes a long time, and the rate depends heavily on the hashing algorithm the site used: a GPU rig can test tens of billions of guesses per second against a fast, unsalted hash such as MD5 or NTLM, but only tens of thousands per second against a deliberately slow one such as bcrypt. To be generous to the attacker, the rest of this post assumes an extremely well-equipped hacker managing one hundred trillion guesses per second. At that rate your password will, sooner or later, be found.

However, before beginning a brute-force search a hacker is going to pick off the low hanging fruit and check for the passwords on the most common password lists. Your precious password of “abc123” doesn’t stand a chance. It will be found in less than a second. Then, a hacker will probably search for dictionary words. If your password is “monkey”, “football” or “princess” then you’re out of luck.

After all password lists and dictionary words have been exhausted there is at least one more strategy before resorting to brute force. Password cracking software typically offers a mask attack (and, closely related, rule-based attacks that transform dictionary words, for example by capitalising them or appending a digit). A mask is more efficient than a brute-force attack because rather than trying every possible combination it tries only the likely ones. Hackers know how humans design passwords, so they look for common patterns. For example, if a website’s password rule requires a capital letter and a number, more often than not the capital letter will be the first character of the password and the number will be the last. The attack can be configured so that capital letters are tried only at the first position and digits only at the last, shrinking the search enormously for passwords such as “Password1”, “Dragon5” and “Sunshine9”. By following such predictable patterns, users make their passwords easier to crack.
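To make the phases above concrete, here is a small offline cracker I have added as an illustration; it is not code from the original post or from any real cracking tool. It hashes a constructed set of five passwords with unsalted SHA-256 (chosen only so the script runs in under a second; the wordlists are tiny stand-ins for the real ones) and then tries the common-password list, the dictionary, a hybrid “capitalised word plus digit” pass, and finally a hashcat-style mask. Only the mask syntax (?u, ?l, ?d, ?s) follows hashcat; everything else is an assumption for the example.

```python
import hashlib
import itertools
import string

# Added example; not code from the original post. A fast, unsalted SHA-256 is
# used only so the script finishes instantly. Real systems should store
# passwords with a slow, salted hash (bcrypt, scrypt, Argon2), which cuts the
# attacker's guess rate by orders of magnitude but does not change the order
# in which the phases below are tried.

def hash_password(password: str) -> str:
    """One-way transform: the attacker steals this value, not the password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

# Constructed "breach": the attacker sees only these hashes.
LEAKED_HASHES = {hash_password(p) for p in
                 ["abc123", "monkey", "Dragon5", "Rex3", "(#777banAna777#)"]}

# Tiny constructed wordlists standing in for the real multi-million-entry ones.
COMMON_PASSWORDS = ["123456", "password", "letmein", "abc123", "qwerty"]
DICTIONARY = ["apple", "banana", "cat", "dragon", "football", "monkey", "princess"]

# hashcat-style mask charsets: ?u upper, ?l lower, ?d digit, ?s symbol.
MASK_CHARSETS = {"u": string.ascii_uppercase, "l": string.ascii_lowercase,
                 "d": string.digits, "s": string.punctuation}

def expand_mask(mask: str):
    """Yield every candidate matching a mask such as '?u?l?l?d' (26*26*26*10 = 175,760)."""
    charsets = [MASK_CHARSETS[p] for p in mask.split("?")[1:]]
    for combo in itertools.product(*charsets):
        yield "".join(combo)

def hybrid_candidates(words):
    """The pattern the post describes: capitalised word plus one trailing digit."""
    for word in words:
        for digit in string.digits:
            yield word.capitalize() + digit

def crack(hashes):
    """Try phases in order of cost; return {hash: (password, phase, guess number)}."""
    phases = [
        ("common", iter(COMMON_PASSWORDS)),
        ("dictionary", iter(DICTIONARY)),
        ("hybrid", hybrid_candidates(DICTIONARY)),
        ("mask ?u?l?l?d", expand_mask("?u?l?l?d")),
    ]
    found, guesses = {}, 0
    for phase, candidates in phases:
        for candidate in candidates:
            guesses += 1
            digest = hash_password(candidate)
            if digest in hashes and digest not in found:
                found[digest] = (candidate, phase, guesses)
                if len(found) == len(hashes):
                    return found
    return found

if __name__ == "__main__":
    results = crack(LEAKED_HASHES)
    for digest in sorted(LEAKED_HASHES):
        print(digest[:12], results.get(digest, ("<not cracked>", "-", "-")))
```

“abc123” falls on the fourth guess, “monkey” on the eleventh, “Dragon5” on the forty-eighth, and “Rex3” somewhere inside the 175,760-candidate mask; only the signature-padded password survives every phase, which is the point the rest of the post builds on.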

Go Long

So we know not to use common passwords, dictionary words, or predictable patterns and substitutions. How, then, do we design a password that gives a hacker the least possible chance of cracking it?

A good rule of thumb is “longer is better”. Because the number of possible passwords grows exponentially with every character added, a longer password takes exponentially longer to brute-force. However, this can backfire. It is possible to choose a password that is long yet weak, such as:

aaaaaaaaaaaa

0123456789

passwordpassword

qwertyuiop

Make It Random

Beyond length, one of the main aspects of a strong password is its entropy: its randomness and unpredictability. A password with a higher degree of entropy will be much more difficult to crack. All of the above passwords are on the longer side but lack sufficient entropy. In other words, they are easy for hackers to guess, because an attacker does not need to brute-force them at all: repeated characters, keyboard rows and doubled words are among the first patterns any cracking tool tries.

Another good rule is to increase a password’s “search space”, the number of different characters the password could contain. This is why many sites have password rules. We’ve all seen these before. Something along the lines of: your password must contain an uppercase letter, a number, a special character, an element from the periodic table and a haiku. While these rules have the users’ best interest in mind, enforcing password rules can also backfire. As we’ve seen, most users stick to very predictable patterns and substitutions. But another issue can arise: passwords that are difficult to remember.
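An added illustration (my own code, not from the original post) of why those four passwords are long but weak. It computes the naive brute-force search space for each, then runs the kind of cheap pattern generators an attacker tries first: repeated characters, keyboard rows and digit sequences, and doubled dictionary words. The guess rate, the sequence list and the word list are constructed assumptions.

```python
import math
import string

# Added example; not code from the original post. "Naive bits" is the
# brute-force search space an attacker faces if all they know is the length
# and which character classes appear. The pattern generators below are what a
# real attacker runs first, and the guess number at which a password appears
# there is a far better measure of its real strength.

RATE = 1e11  # guesses/second: constructed assumption for a fast unsalted hash on a GPU rig

def charset_size(pw: str) -> int:
    """Size of the smallest standard character set covering every character in pw."""
    classes = [string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation]
    return sum(len(cls) for cls in classes if any(ch in cls for ch in pw)) or 1

def naive_bits(pw: str) -> float:
    """log2 of the brute-force search space for this length and character set."""
    return len(pw) * math.log2(charset_size(pw))

def naive_years(pw: str, rate: float = RATE) -> float:
    """Years to exhaust that search space at the assumed guess rate."""
    return charset_size(pw) ** len(pw) / rate / (365.25 * 86400)

# Constructed sequences and words; real tools ship far larger lists.
SEQUENCES = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890", "0123456789"]
WORDS = ["password", "monkey", "dragon", "banana"]

def pattern_candidates(max_len: int = 20):
    """Cheap, ordered guesses for the 'long but weak' shapes in the post."""
    # 1. one character repeated (aaaaaaaaaaaa)
    for ch in string.ascii_lowercase + string.digits:
        for n in range(4, max_len + 1):
            yield ch * n
    # 2. runs along a keyboard row or digit sequence, forwards and backwards
    for seq in SEQUENCES:
        for run in (seq, seq[::-1]):
            for start in range(len(run)):
                for end in range(start + 4, len(run) + 1):
                    yield run[start:end]
    # 3. a dictionary word repeated (passwordpassword)
    for word in WORDS:
        for n in range(2, 4):
            yield word * n

def pattern_guess(pw: str):
    """1-based guess number at which the pattern attack hits, or None if it never does."""
    for i, candidate in enumerate(pattern_candidates(), 1):
        if candidate == pw:
            return i
    return None

def report(pw: str) -> dict:
    return {"password": pw, "naive_bits": round(naive_bits(pw), 1),
            "naive_years": naive_years(pw), "pattern_guess": pattern_guess(pw)}

if __name__ == "__main__":
    for pw in ["aaaaaaaaaaaa", "0123456789", "passwordpassword",
               "qwertyuiop", "Plx31a$h0&kd2*Gz8(qw"]:
        print(report(pw))
```

Twelve a’s look like 56 bits of search space but fall on the ninth pattern guess; all four weak examples are produced within the first thousand candidates, while the 20-character random password never appears in the pattern stream at all, so the attacker really is left with its 131-bit brute-force space.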

Make It Memorable

At a previous job our IT manager was a stickler for creating strong passwords for our servers. The only problem was that the passwords were so random and complex that they were nearly impossible to remember. He would hand me a sticky note with a password written on it and instruct me to destroy the sticky note after I had it memorized. Good luck remembering a password such as:

Plx31a$h0&kd2*Gz8(qw

Not only did I NOT destroy the sticky note but I was also tempted to tape it to my computer screen! Even when dealing with passwords that aren’t so crazy I find myself forgetting the substitutions.

“Gee, was the ‘e’ a ‘3’ or was the ‘i’ a ‘1’? Or maybe the ‘i’ was an exclamation point?”

When we can’t easily remember passwords, we tend to write them down and hence, unwittingly increase the chances of the password being stolen. (Keep an eye on Debbie from accounting. I better not catch her rummaging through my drawer looking for a stapler again!)

Get Creative

So, now we know a password must be long, have significant entropy, contain a significant variety of characters and be easy to remember. What’s next? Well, this is where creativity comes into play. Now you get to be creative and come up with a unique “password signature” that’s easy for you to remember. I can’t tell you how to do this. You just have to be creative. You see, if I listed specific steps and everyone started following them then that would give hackers an advantage. So, come up with a unique combination of characters that is easy to remember. You could use character pictures such as:

^_^

<(&)>

\___/

…and then append it to a word that’s easy to remember. You can even use dictionary words at this point. Since they are padded with your unique signature they won’t match during a standard dictionary attack (a hybrid attack that already knows your signature still would, which is why the signature must stay secret). The important thing is to come up with your own system that is as unique and special as you are.

So, how about something like:

(#777banAna777#)

— — *8* — — Doggy

trumpeT-=iii=<()

The above passwords are especially strong against brute force. Each is at least 16 characters drawn from the full printable set, so a blind search over 16 printable characters faces roughly 95^16 (about 4 × 10^31) candidates; even at the one hundred trillion guesses per second assumed above, that is on the order of ten billion years, not merely centuries. The caveat is that this figure only holds while your signature is unknown. It is the signature, not the dictionary word, that carries the strength, so keep it off sticky notes and don’t wrap the same signature around a different word on every site: one breach that exposes one password exposes the pattern, and the attacker’s job shrinks to trying dictionary words inside a signature they already know. Even so, they are much easier to remember than:
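To put numbers on that caveat, an added example (my own code, not from the original post): it computes the brute-force figure for a 16-character password at the post’s one hundred trillion guesses per second, then shows how few guesses the same passwords survive once the attacker knows the signature and only has to vary the dictionary word and its capitalisation. The tiny word list and the 170,000-word dictionary size are constructed assumptions.

```python
# Added example; not code from the original post. It compares the brute-force
# cost of a "signature + dictionary word" password (the figure the post quotes)
# with what an attacker needs once the signature itself is known, for example
# because the same signature wrapped a different word on a site that was breached.

RATE = 1e14          # guesses/second: the post's (very generous) attacker figure
PRINTABLE = 95       # printable ASCII characters

def brute_force_years(length: int, rate: float = RATE) -> float:
    """Years to exhaust all printable-ASCII strings of this length."""
    return PRINTABLE ** length / rate / (365.25 * 86400)

def case_variants(word: str):
    """lower, Capitalised, UPPER, then each single inner letter capitalised (banAna, trumpeT)."""
    yield word
    yield word.capitalize()
    yield word.upper()
    for i in range(1, len(word)):
        yield word[:i] + word[i].upper() + word[i + 1:]

def guesses_with_known_signature(target: str, prefix: str, suffix: str, words):
    """1-based guess number at which prefix + variant + suffix matches target, or None."""
    guess = 0
    for word in words:
        for variant in case_variants(word):
            guess += 1
            if prefix + variant + suffix == target:
                return guess
    return None

# Constructed dictionary; a real one has ~10^5 entries, which changes the
# answer from tens of guesses to a few million: still a fraction of a second.
WORDS = ["apple", "banana", "cat", "dragon", "monkey", "trumpet"]

def known_signature_seconds(dictionary_size: int = 170_000, variants_per_word: int = 10,
                            rate: float = RATE) -> float:
    """Worst-case time to try every word with every case variant inside a known signature."""
    return dictionary_size * variants_per_word / rate

if __name__ == "__main__":
    print(f"brute force, 16 printable chars: {brute_force_years(16):.2e} years")
    print("signature known:",
          guesses_with_known_signature("(#777banAna777#)", "(#777", "777#)", WORDS), "guesses")
    print("signature known:",
          guesses_with_known_signature("trumpeT-=iii=<()", "", "-=iii=<()", WORDS), "guesses")
    print(f"full dictionary inside a known signature: {known_signature_seconds():.1e} s")
```

With the signature known, “(#777banAna777#)” is the thirteenth guess and “trumpeT-=iii=<()” the forty-fifth against the toy word list; against a full dictionary the whole attack still finishes in well under a second at the assumed rate, which is what makes keeping the signature secret, and not reusing it, the real security property.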

Plx31a$h0&kd2*Gz8(qw

So, there you have it. A little creativity and effort when designing passwords could be the difference between being a victim of cyber crime and outsmarting the hackers. Data breaches happen far too often and, unfortunately, there is no end in sight. We must stay vigilant!

Moncur is a branding + digital agency. Leveraging our specialized expertise in strategic messaging, branding, advanced technology website development and integrated digital marketing, we help large B2B companies brand, market and sell what they do online. Learn more at www.thinkmoncur.com.

Web developer. Jack of all trades. I do front-end, back-end and some stuff in the middle too.