
Passwords

Updated 02/20/2017

Protecting Yourself

Focus on Passwords

 

Major Topics:
  • The Threat
  • Characteristics of Passwords
  • Top 25 Bad Passwords People Use
  • Other Bad Passwords
  • Case Study of Cracked Passwords
  • Suggestions for "strong" Passwords  <<<<
    • Self Created Passwords
    • Prose or Lyric Based Passwords 
  • Explaining the Math Involved
----------

 

The Threat

The global efforts to manipulate or seize your password-protected resources by "cracking" passwords have grown since the 1990s. It is a big business, conducted by everyone from small players to organized criminal and state-sponsored groups. Organized groups use advanced techniques, while individuals tend to rely on "guessing games". Security for web site information exchanges has increased, reducing the sensitive documents we need to send, receive, or keep in e-mail, yet we continue to use e-mail to exchange sensitive or important information and even business-confidential materials. One significant problem: people use words listed in a dictionary for their passwords, or words that have personal ties to them or their family. The bad guys use dictionaries of all languages (including the Klingon Language Dictionary from Star Trek) as lists of likely passwords. A good dictionary contains about 30,000 words, making it a rich source for crackers. If your password is not in any dictionary and is not something personally identifiable, crackers are forced either to abandon their attack against you or to use a time-consuming "brute force" attack of guesses that can produce hundreds of thousands of failed access attempts. The longer it takes to crack your account, the more expensive it is to them in lost time, making it attractive for them to simply move on to their next potential victim.
 
Do the web sites or e-mail services you sign into report the last time a sign-on was attempted?
 
Some companies, including financial institutions, limit the characters they allow when you create a strong password (they may exclude all or some special characters, exclude numbers, exclude capital letters, etc.). Knowing the last time you attempted to sign on, and the last time you actually signed on, is good security information for you, yet few companies offer it. If you have a problem with their constraining your ability to secure your account, let them know of your concern and ask who holds liability for losses from attacks by unauthorized actors, and how long it takes between filing a claim and the return of funds to your account. One large consumer company was hacked and customer names, e-mail addresses and other information were exposed, for which the company contended it had no responsibility. READ their agreements before assuming your privacy is covered for your needs. One letter, number or special character requires the same amount of storage and computer time as any other character. Ask what their reasons are for not supporting this higher level of protection, which should not cost them anything extra in dollars, computer storage, network use, or computer time. The company mentioned above reportedly spent $750 Million a year to protect against unauthorized access. You should have the ability to be part of your protection and not a victim of their unfortunate decisions.

 

Once your password is cracked, the following could happen:

    1.  e-mail containing unwanted or objectionable content, including malware links, appears on your PC or in e-mail sent under your name

    2.  any e-mail can be deleted, including key e-mails that establish or document intent, action, or agreements

    3.  any confidential information contained within that e-mail can be used for any number of reasons, including removal or manipulation of funds, or public exposure with or without a demand for ransom or secrecy

    4.  new e-mails can be created and sent indicating your acceptance or support of an agreement, a position, an attitude on an emotionally charged issue, attacks against individuals or public figures, threats of violence or extortion, etc. Because many people elect to use a single password for ALL secured access, the door is opened to additional unwanted and harmful activity being done in your good name, by your own hand.


THE IMPACT
Many answer this question in a straightforward way: I lose stuff I didn't care about. Often this turns into things they did care about, as e-mail is used for so many purposes.

Hackers do not have a budget, a timeline, a deadline, a productivity schedule or anything else driving them to achieve success beyond the potential for mischief or criminal intent.
Don't wake up one day to find government officials surrounding your residence because of an e-mail sent from your account discussing attacks against the United States. This is what many would call a career-ending e-mail, whether you sent it or not. You now must prove a negative ... that you didn't do something ... many have tried, few have been successful.

----------
 

Characteristics of Passwords
 
There are 5 security characteristics to consider when creating good passwords:

  1. Length:
    93% of passwords are between 6 and 10 characters. Currently 8 is generally considered a minimum length, but longer lengths are encouraged. Using items found in any dictionary nullifies the long-term protection of the password.

  2. Strength:
    50% of passwords are lower case only. Use upper and lower case characters to add complexity, which makes your password more difficult to crack, unless it is in a dictionary. Consider adding numbers and/or special characters for password complexity. The importance of this is discussed below.

  3. Complexity:
    99% of passwords do not contain a non-alphanumeric character. Adding special characters improves your chances against a successful crack. Special characters are:
    ~  `  !  @  #  $  %  ^  &  *  (  )  -  _  +  =  {  [  }  ]  |  \  "  '  :  ;  ?  /  >  .  <  , plus space
    Unfortunately not all providers or companies allow all special characters, allow one or more spaces, or allow any special characters at all. This reduces your ability to protect yourself.

  4. Random:
    64% of passwords CANNOT be found in a password dictionary. For the remaining 26% of you, the hackers of the world thank you. You are giving the hackers so many easy targets that they are leaving the rest of us alone. Never include your name or User ID in your password.

  5. Unique:
    80% of passwords occurred only once. If this 80% uses all of the above types, you most likely have never had the headache of being hacked. Congratulations!

----------

 

TOP 25 BAD PASSWORDS THAT PEOPLE CONTINUE TO USE
 
This is definitely the list of passwords NEVER to use, yet so many people do. Hopefully making this list public (again, and by many different groups) will encourage others to clean up their security. The good news: only 3 are not in a dictionary. The bad news: this list is well published!

        seinfeld      password      winner        123456        purple
        sweeps        contest       princess      maggie        9452
        peanut        shadow        ginger        michael       buster
        sunshine      trigger       cookie        george        summer
        taylor        boxco         abc123        Ashley        bailey

In a 2015 study, the Top 25 Bad Passwords had evolved somewhat to:

        123456        password      12345678      qwerty        12345
        123456789     football      1234          1234567       baseball
        welcome       1234567890    abc123        111111        1qaz2wsx
        dragon        master        monkey        letmein       login
        princess      qwertyuiop    solo          passw0rd      starwars

6 of the 25 are trivial hacks. The others are automatically tried by most hacking tools.

The study also revealed some alarming statistics using basic hacking tools:
    • 89,872 leaked passwords were examined.
    • 22,324 were duplicates.
    • In under one hour, 54,473 passwords were cracked, about 80% of the non-duplicates.
    • 20 of the passwords were simply the e-mail address being "protected" - a bad practice.
    • 11,593 passwords used 6 or fewer characters.
    • Most contained dates, months or days of the week in the password.

---------- 

 

Other Bad Passwords


If you are using any of the following for your password, stop doing so and change them now. The following are frequently used, are known to people around you, and can easily be found, often at no cost:
    - spouse's name
    - children's names
    - your phone number
    - your pet's name
    - city where you (or close family) live, were born, or visit for business or pleasure
    - name of high school, college or university, social group
    - milestone dates (birth, an anniversary, graduation, divorce, date hired, etc.)
    - abbreviation in any form of your name
    - anything that can be found on or in your home or office, especially your desk
    - model and/or make of your computer, car, boat, or aircraft

To simplify the above ... never use anything that can be found out about you from any source, including:
    - pictures in your home or office,
    - information on Facebook, LinkedIn, public records, and social media in general,
    - any publications in print, microfiche or on-line,
    - birth or death records,
    - real estate records,
    - tax records,
    - voter registration or voting records,
    - driver's license information,
    - library card,
    - telephone books,
    - anything you rent or own, were awarded or recognized for, etc., etc., etc.
---------- 

 

Case Study of Cracked Passwords

    
    
Though this study is dated, and recommended lengths are now a minimum of 12 characters, the basic message is still very relevant, as people just don't listen to good advice if it slows them down.
 
A 2010 study examined 100,000 cracked passwords of the then-recommended 8 character length and revealed that over 80% (exact number not revealed) of the cracked passwords fit the following pattern:

  1. The first password character was a capital letter
    (Computers and people sometimes start with a capital letter out of habit)

  2. The letters used spelled an entry found in a dictionary (of any language)
    (words, abbreviations, acronyms, etc.)

  3. The last character was the number 1, 2, 3, 4, or the special character $ or !
    (This satisfies the requirement for a number or special character in the password by placing it at the end of something personal and easy to remember, adding only a small challenge for the Bad Guys.)

People hate passwords. Therefore, we create passwords that are easily remembered and thus even easier to crack. The passwords that were cracked had less than 1.73% of the protection strength they could have had, based on possible combinations.
 
Individuals who need a secure password are, by creating passwords this way, significantly enhancing the chances they will be successfully attacked. We are our own worst enemy when it comes to security. So ... how do we stop deceiving ourselves and create strong passwords?
 
----------

 
Suggestions for "strong" passwords:
 
               Self Created Passwords

1.   More characters yield more protection.
      Use passwords with a MINIMUM of 12 characters in length.
      Why:    Most password systems will accept upper and lower case characters plus numbers.
 
                  Good password systems will also accept special characters
                  (e.g., ~ ` ! @ # $ % ^ & * ( ) _ - + = { [ } ] | \ : ; " ' < > ? , . /), and space.
                  To show the power of a strong password, I'll use some simple math to reveal why this is recommended:
 
                  -  If you are limited to upper and lower case characters plus numbers, selecting just 12 of these creates a password having approximately 3,226,266,762,397,900,000,000 possible combinations.
 
                  -  Use only 8 characters (letters plus numbers) and your combination strength plummets dramatically to 281,474,976,710,656 possible combinations. Larger numbers mean stronger protection! How much better? In this example, 1,146,200 times better! (3,226,266,762,397,900,000,000 divided by 281,474,976,710,656)
 
                  Criminal enterprises reportedly use thousands of computers to crack passwords, first trying frequently used passwords and finally resorting to a "brute force" approach of guessing combinations sequentially. A brute force attack can be done quickly with a computer, but it takes time, and most systems will not lock out an account after multiple failed attempts or report the last time access was attempted or last succeeded. This protects the attacker from exposure while doing their work.


2.   For Good Security, Be Predictably Unpredictable
      Why:    Crackers have all the time in the world and, like a terrorist, they only need to get it right once.
 
                  -  Crackers use dictionaries of various languages (including Klingon from Star Trek) to attempt hacks
                  -  Crackers may use readily available personal information from various sources, legal and illegal, to get to you through a weak password

 

      Why:    People are predictable.
 
                  Dictionaries offer a foundation for shortening attacks. There are about
                  30,000 words in the Oxford dictionary. Using the above study, this reduces
                  the potential number of attempts for an 80%+ success rate down to
                  about 180 Thousand tries versus a potential of about 6.634 Quadrillion
                  tries (representing potentially 36.856 Billion times more effort) where all
                  possible letters, numbers, and special characters can be used.
 
 
      How:    Think of something easily remembered with at least 12 characters in it (more if that's easier for you). Let's say you want to use "New York City". First, if the first character is a capital letter, make it lower case. Next, substitute a number for each vowel (such as zero for A, E=2, I=3, O=5, U=8). Substitute a 9 for any space. Finally, ensure the last character is not a 1, 2, 3, 4, $, or !. "New York City" quickly becomes "n2w9y5rk9c3ty", meeting the recommendations where special characters are not accepted. After keying the password in a few times you begin to remember it, and you can easily and quickly reconstruct it. If you don't like this, change it up, but seek a comparably safe outcome.
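The recipe above written out as a function, so it can be applied to any phrase and checked against the page's "New York City" result. This is an added example, not code from the original page; the page's worked result lowercases every capital letter rather than only the first, so the function does the same, and the helper names are this example's own.

```python
# Added example (not part of the original page): the vowel-and-space substitution
# the page walks through for "New York City", as a reusable function with the
# page's two checks (minimum length, last character not 1 2 3 4 $ !).
# The digit mapping A=0, E=2, I=3, O=5, U=8 and space=9 is the page's.
# The page's own result lowercases every capital, so the whole phrase is lowercased.

VOWEL_DIGITS = {"a": "0", "e": "2", "i": "3", "o": "5", "u": "8", " ": "9"}

# The cracked-password study on the page found these as the usual last character,
# so the page requires that the result not end with any of them.
WEAK_LAST_CHARS = set("1234$!")


def substitute_phrase(phrase: str) -> str:
    """Lowercase the phrase, then swap each vowel or space for its digit."""
    return "".join(VOWEL_DIGITS.get(ch, ch) for ch in phrase.lower())


def ends_weakly(password: str) -> bool:
    """True when the last character is one of the overused endings from the study."""
    return bool(password) and password[-1] in WEAK_LAST_CHARS


def self_created_password(phrase: str, min_length: int = 12) -> str:
    """Apply the page's recipe and enforce its checks. Raises ValueError when a
    check fails so the caller chooses a different phrase instead of keeping a
    result that is too short or ends in a predictable character."""
    candidate = substitute_phrase(phrase)
    if len(candidate) < min_length:
        raise ValueError(f"only {len(candidate)} characters; need at least {min_length}")
    if ends_weakly(candidate):
        raise ValueError(f"last character {candidate[-1]!r} is one of 1 2 3 4 $ !")
    return candidate


if __name__ == "__main__":
    print(self_created_password("New York City"))  # n2w9y5rk9c3ty
    # Two constructed phrases that fail the checks: too short, and ends with "!"
    for phrase in ("Santa Fe", "Eat more pizza!"):
        try:
            print(self_created_password(phrase))
        except ValueError as err:
            print(f"{phrase!r} rejected: {err}")
```

Character-substitution rules like this one are well known to password-cracking tools, so the protection comes from the length and obscurity of the source phrase, not from the substitution itself.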
 

 

3.   Save Your Work.

      Why:    Most people forget things they use infrequently, so record the password, and how you created it, in at least two safe places.
 
                  Not all systems will provide hints to figure out your password or will e-mail the password to you. Given how frequently some people change e-mail addresses, that by itself can become a significant challenge to keep track of.

      How:    So what are some ideas of a safe place?
 
                  a)   avoid putting it on your computer (inside or outside). If your computer is compromised, the password is there. Executives have kept their passwords under their keyboard. Bad AND big mistake.
 
                  b)   avoid putting your password in a password-protected safe or vault on your computer. While it reduces the passwords you need to remember to 1, forgetting that 1 password will haunt you!
 
                  c)   write your password in black ink on a small piece of paper placed inside a re-sealable plastic bag. Store the plastic bag in two controlled locations in different parts of the house, one of which should be a fireproof safe or better.
 
       Some very INSECURE places to keep your password include:
 
       -  the top right desk drawer (most people are right-handed; the top left drawer is a good second guess)
 
       -  a Post-It note placed on the monitor or above the computer's power button
 
       -  a Post-It note on the bottom of the keyboard
 
       -  the desk calendar's first page, last page, January 1 or December 31
 
       -  a place that is easily reached while seated at the computer yet is not always visible to those around the computer ... being lazy is an exploitable weakness
 
      Having someone access your computer and/or files can have a long-term impact on your life, whether the data consists of personal e-mails, financial information, resumes submitted, or other personal and confidential information. Once these items are outside of your control the damage can never be reversed or contained.



             Prose or Lyric Based Passwords

This approach often provides a very complex password of great length, yet it is easy to remember. The "down side" is that you want to select a portion of literature, a play, a movie, or music that you know well but is not well known to the general public, and it should not be the opening line of anything, to help ensure limited knowledge and thus reduce your risk. Many will remember the first few words of a song, but not much else.
 
First, start with something that has a meaningful total number of words. A movie line such as "The Truth? You can't handle the truth!" is too short to be very effective. On the other hand, you do not want to be entering 47 characters for a password, even if these may only be upper and lower case letters plus special characters.
 
Think of a song you enjoy, know the words well, and can avoid humming or suddenly singing in front of others (a tattle on yourself about your likely password). This sample is a portion of the words from "Walk of Life" by Dire Straits, which gained a second life from TV commercials. The passage we'll use in this example is:
    He got the action, he got the motion
    Oh yeah, the boy can play
    Dedication, devotion
    Turning all the night time into the day
 
The process is simple: use the first letter of each word, including any capitalization (and keep the commas), and build your password. Note how the first letters build your new password.
 
This one would be:
    Hgta,hgtmOy,tbcpD,dTatntitd which is a password length of 27 that is easy to remember, not by remembering the letters but by remembering the lyrics!
 
    This password quickly provides a security weight of 52 possible characters (26 lower case letters plus 26 upper case letters) multiplied by itself 27 times for the 27 characters used, or 52 x 52 x ... x 52 (27 factors), which equals approximately
    4,300,611,178,255,534,000,000,000,000,000,000,000,000,000,000,000,000
    which is a MASSIVE NUMBER making a VERY SECURE PASSWORD!
 
 
    How big is this number in regard to security protection?
 
    If you had a computer that could attempt 100 Million Password Tries per SECOND against one computer (which is improbable), with zero delay in receiving a reject or acceptance and zero delay in determining the validity of the password, it would potentially take multiple lifetimes to sequentially crack this password on a single computer. Are you tired of being hacked?

Are you required to use special case characters?
 
Put one between each line of the lyrics, which adds just 3 additional characters, creating a stronger password: Hgtahgtm$Oytbcp$Dd$Tatntitd for a password length of 28. This strength is now 85 possible characters (26 upper case characters, 26 lower case characters, and 33 special characters) multiplied by itself 28 times, or ...
  105,616,049,754,871,800,000,000,000,000,000,000,000,000,000,000,000,000
 
Need some numbers also? Replace any occurrence of the letter "o" or "O" with a number. Your length remains the same, but your strength increases by the inclusion of numbers, making your password more complex to crack. Now the calculation from the above example becomes 95 times itself 28 times, or
1,278,268,852,553,325,000,000,000,000,000,000,000,000,000,000,000,000,000
 
You don't like Rock? Try children's songs, holiday songs, music from the "crooners" (Frank Sinatra, Perry Como, Bing Crosby, etc.), "Swing" tunes, the Roaring 20's, etc.
 
How big are these two numbers in terms of security for me? MAJOR MASSIVE!
If you had a computer that could achieve 100 million password hack attempts per SECOND against just one computer (which can't happen), and it could get the information there with zero millisecond delay (which can't happen) and a reject or accepted message in zero nanoseconds (which can't happen), it would still take multiple lifetimes to crack this password. There is "dumb luck", but this will easily require potentially millions of tries to crack, and the more complex your password is, the longer it takes. So does the hacker keep trying to attack you, or move on to someone who uses only words in a dictionary, which is well defined and finite in number? Put another way, do they want to win by cracking your password, or spin their wheels in a hopeless effort to go nowhere?
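The first-letter method and its two variations (a "$" between lines, a digit in place of o/O) as an added example that is not part of the original page. The lyric lines are the ones quoted above; the function names are this example's own, and it follows the page's own results in keeping the commas in the plain version and dropping them when a separator is inserted.

```python
# Added example (not part of the original page): build a lyric-based password
# from the first letter of each word, as the page does with "Walk of Life".
import string

# The four lines the page uses.
LYRIC = [
    "He got the action, he got the motion",
    "Oh yeah, the boy can play",
    "Dedication, devotion",
    "Turning all the night time into the day",
]


def first_letters(line: str, keep_punctuation: bool = True) -> str:
    """Initial of each word, keeping its case. Punctuation attached to the end
    of a word (the commas in the lyric) is kept when keep_punctuation is True,
    which matches the page's 27-character result."""
    out = []
    for word in line.split():
        out.append(word[0])
        if keep_punctuation:
            out.append("".join(c for c in word[1:] if c in string.punctuation))
    return "".join(out)


def lyric_password(lines, separator: str = "", o_digit: str = "") -> str:
    """Join the per-line initials. separator (e.g. "$") goes between lines; when
    a separator is used the in-line punctuation is dropped, as in the page's
    "$" variation. o_digit, if given, replaces every o/O to satisfy a digit rule."""
    keep = separator == ""
    pw = separator.join(first_letters(ln, keep_punctuation=keep) for ln in lines)
    if o_digit:
        pw = pw.replace("o", o_digit).replace("O", o_digit)
    return pw


if __name__ == "__main__":
    print(lyric_password(LYRIC))                                # Hgta,hgtmOy,tbcpD,dTatntitd
    print(lyric_password(LYRIC, separator="$"))                 # Hgtahgtm$Oytbcp$Dd$Tatntitd
    print(lyric_password(LYRIC, separator="$", o_digit="0"))    # Hgtahgtm$0ytbcp$Dd$Tatntitd
```

Cracking wordlists already contain the initials of well-known lyrics, quotes and opening lines, which is why the page insists on a passage that is not widely known; the method's strength rests on that choice, not on the transform.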


----------

Explaining the Math Involved

First, do not panic. The math is simple counting and multiplication: 3rd grade math.
Mathematics is a word that casts fear in many adults, while the words "Math Test" cause many students to panic while in school. Fortunately, in this use of math the only fear present, as Winston Churchill reminded us, "is fear itself." If you understand basic addition and multiplication and can use a calculator, your math worries are over.

Strong passwords should consist of six simple components:
1)  lower case letters
2)  upper case letters
3)  numeric digits
4)  special characters, and
5)  how you create your passwords
6)  keeping your passwords safe and secure from loss and exposure/disclosure
The first four are very simple.
-  There are 26 lower case letters in the English Alphabet ("a" to "z")
-  There are 26 upper case letters in the English Alphabet ("A" to "Z")
-  There are 10 numeric digits (0 to 9)
-  There are 33 special characters on a typical modern keyboard
   (~ ` ! @ # $ % ^ & * ( ) _ - + = { [ } ] | \ : ; " ' , < . > ? / plus the space)
If we use all possible items we have 95 possible items for each "item" in our password.
You will see that the more possible items and the longer the password, the better your protection.

A GOOD PASSWORD SHOULD CONSIST OF NO LESS THAN 12 ITEMS IN LENGTH

Common mistakes in creating a good password:
  1. You use a dictionary of ANY language, including the Star Trek Klingon Dictionary.
    Dictionaries have around 30,000 words, which are used by crackers as a "seed" to select from to guess your password.
    Do not use any dictionary of any language.

  2. You use something you are fond of: spouse's or children's names, the name of your car, boat, or aircraft, cities you like to visit or vacation at, your college, your kid's high school, things you talk about ... if it is personal to you, it is a potential password others can guess by doing research. Do not use personal info on people, places or things.

  3. A date that has special meaning: birth of a child, spouse's birthdate, an anniversary of any kind, dates of events (first job, discharge from the military, winning the big lottery, etc.)
    Do not use dates, as these are often a matter of public record.

  4. You are a busy person, thus you assume crackers are busy people. Crackers have all the time they want to guess your password using computers, research, books, etc. Crackers come from many walks of life and a wide range of financial means, but share the thrill of beating someone by cracking their passwords and often taking information; some will seek to do damage. Never assume the Bad Guys have less time than you.

  5. Passwords using, including, or based on "popular" things, events, fictional or real people/characters, or items found on the Worst Password Lists: something that everyone else knows and likes. The obvious sometimes is so obvious that we overlook it, but crackers do not overlook anything.

What we are working to do is prevent a "brute force" attack, in which one computer pumps IDs and passwords into another computer until it lets you in. Most computers, whether your personal computer or where your confidential information is kept, are all subject in some form or manner to these attacks.
 
Your goal is to avoid using anything that is you or your family, go complex without complexity and go long on the password length for significant added security.
 
Below we cover how seemingly small changes to your password can have a significant impact (good or bad) on your password security strength.

o   Each entry (letter, number or special character) adds strength. Including one from each group adds complexity for the cracker and strength to your security. A password of greater length also adds complexity for the cracker and strength to your security.

     We have 95 different items using a standard keyboard:
     -  26 lower case letters,
     -  26 upper case letters,
     -  10 numeric digits,
     -  33 special characters including the space
     ====
        95 possible items for each password position in this example

o   Therefore, to obtain the number of possible combinations we multiply the number of possible characters by itself once for each character in the password.
 
     Thus if we want an 8 character password with all 95 possible characters available to us, we multiply 95 by itself eight times, or:
                95 x 95 x 95 x 95 x 95 x 95 x 95 x 95 =                          6,634,204,312,890,625

     Assume you changed the 8th character and limited it to a number only. A number is limited to 10 different values: 0, 1, 2, 3, 4, 5, 6, 7, 8 and 9. The math is shown below. Notice how much smaller the new number is. A smaller number increases your risk because it reduces the complexity for a cracker:

                95 x 95 x 95 x 95 x 95 x 95 x 95 x 10 =                            698,337,296,093,750

     Assume the 8th character had to be a number and the 1st character was limited to a capital letter only. The first factor is no longer 95 (all 26 upper and 26 lower case letters, the 10 single-digit numbers and the 33 special characters) but 26 (for the upper case letters only). Notice how our number is significantly reduced again.

                26 x 95 x 95 x 95 x 95 x 95 x 95 x 10 =                            191,123,891,562,500

     If we chose to use a 10 character password with all 95 possible characters available to us, examine the significant increase over an 8 character password.

                95 x 95 x 95 x 95 x 95 x 95 x 95 x 95 x 95 x 95 =       59,873,693,923,837,890,625

     With the above four examples, the fewer the characters, or the fewer the choices we use for a given character, the less protection we receive.

     If you are limited in the number of special characters you can use, or are not allowed to use any special characters, you can adjust for this constraint by increasing the number of characters in the password length.
 
     For example, we use the 26 lower case and 26 upper case letters and the 10 numbers for a 10 character password:
 
                62 x 62 x 62 x 62 x 62 x 62 x 62 x 62 x 62 x 62 =            839,299,365,868,340,224

     Our combination number is higher than for an 8 character password with special characters, including the space.
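The per-position arithmetic above, computed so that a restriction on one position (a digit in the 8th slot, a capital in the 1st) shows up directly, as an added example that is not part of the original page. It also covers the 12-character count and the dictionary-pattern comparison (30,000 words times the 6 common endings) given under "Self Created Passwords". The character-class sizes (26, 26, 10, 33) and the 100 million guesses per second rate are the page's; the function names are this example's own.

```python
# Added example (not part of the original page): the page's combination counts,
# position by position, plus the time to exhaust a space at the page's guess rate.

LOWER, UPPER, DIGIT, SPECIAL = 26, 26, 10, 33   # the page's class sizes
ALL95 = LOWER + UPPER + DIGIT + SPECIAL         # 95: every key on a standard keyboard
ALNUM = LOWER + UPPER + DIGIT                   # 62: when special characters are refused


def combinations(position_sizes):
    """Multiply the number of choices at each position: the page's 95 x 95 x ..."""
    total = 1
    for size in position_sizes:
        total *= size
    return total


def uniform(charset_size: int, length: int) -> int:
    """Every position drawn from the same set: charset_size ** length."""
    return combinations([charset_size] * length)


def dictionary_pattern(words: int = 30_000, endings: int = 6) -> int:
    """Guesses that cover the page's cracked-password pattern: a capitalised
    dictionary word followed by one of 1 2 3 4 $ !. Capitalising the first
    letter is fixed by the pattern, so it adds no choices."""
    return words * endings


def years_to_exhaust(space: int, guesses_per_second: int = 100_000_000) -> float:
    """Years to try every combination at the page's 100 million guesses/second."""
    return space / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    examples = {
        "8 chars, any of 95":                uniform(ALL95, 8),
        "8 chars, last must be a digit":     combinations([ALL95] * 7 + [DIGIT]),
        "8 chars, capital first, digit last": combinations([UPPER] + [ALL95] * 6 + [DIGIT]),
        "10 chars, any of 95":               uniform(ALL95, 10),
        "10 chars, letters and digits only": uniform(ALNUM, 10),
        "12 chars, letters and digits only": uniform(ALNUM, 12),
        "dictionary word + common ending":   dictionary_pattern(),
    }
    for label, space in examples.items():
        print(f"{label:36s} {space:>32,d}  ~{years_to_exhaust(space):.3g} years")
```

At the page's own rate a single machine exhausts the 8-character, 95-symbol space in roughly two years, and offline cracking of leaked password hashes runs orders of magnitude faster than online guessing, which is the practical argument for the 12-character minimum.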

  

Crackers (the bad guys who specifically attempt to "guess" or "crack" passwords) gather information on various e-mail systems and know their limitations in regard to the number of characters in a password, the allowed characters, and any limits on the number of characters allowed. To overcome this knowledge we use more characters to increase the effort and time needed to crack our password. Considering all the creations you can use as the basis for your password, going from 10 to 14 characters is not that challenging. Most people find it's easier to think of the word (or words) and then count the number of characters than to try to find a specific number.
 
Above all, protect yourself! Other options exist to create secure, complex passwords that are easy to create, easy to enter and easy to remember and, frankly, raise the effort required to successfully crack them to astronomical levels.

----------

Post-It is a registered trademark of Minnesota Mining & Manufacturing Company.