Be a Cyberhero: Fight Cybercrime With a Better Password!
November 30, 2011
I’m a sucker for stories about lists: The Top 10 Ways Red-Shirt Guy Dies in Star Trek! The 25 Most Horrifying Parasitic Diseases! The 100 Greatest (Novels, Films, Albums, TV Episodes, Action Figures) OF ALL TIME, etc. Recently, I ran across a report from the company SplashData entitled The 25 Worst Passwords of 2011. Being a list, I had to read it. Here, from the report, are the 25 worst passwords of 2011, compiled from lists of stolen passwords traded online by hackers:
- password
- 123456
- 12345678
- qwerty
- abc123
- monkey
- 1234567
- letmein
- trustno1
- dragon
- baseball
- 111111
- iloveyou
- master
- sunshine
- ashley
- bailey
- passw0rd
- shadow
- 123123
- 654321
- superman
- qazwsx
- michael
- football
I think you should see a pattern here. That’s the same pattern that hackers and cybercriminals see: proper names, things that are popular, things that are easy to remember, things that seem tricky (qazwsx: look at your keyboard) but aren’t. Thinking about this led me to do some research on password strength and how we as citizens can use it to fight the scourge of cybercrime. In doing so, I found myself drawn back to a recent blog I'd written.
In order to make your password better, we’re going to revisit information theory. I told you it crops up everywhere you look! In information theory, a very useful property of any string of characters is its Shannon entropy. Yes, that’s our old friend Claude E. Shannon, father of the science of information theory.
While the true meaning of Shannon entropy is beyond the scope of this blog post, it does serve as a very good measure of password strength. The higher the Shannon entropy, the harder the password is to crack. How do you get a password with a high Shannon entropy value? Use a large pool of possible characters (charset), and make the string very long or very random. Combining all of these factors can create passwords that are essentially uncrackable.
Let’s take a look at some examples of passwords using an online password strength test. Most commonly, people mistakenly use a proper name. There are two problems with this. One, most names are fairly short, making them very vulnerable to a brute force attack, a simple method that generates all the possible combinations of a given number of characters. Two, because hackers know of the tendency to use names, they use a very extensive list of potential passwords (known as a dictionary in cryptography) and let a computer run through it very rapidly. This is known as a dictionary attack. We’ll start out with a name, in this case our fictional daughter named Katie, in all lower-case letters. This means the charset equals 26.
katie - 14.9 bits of entropy. Mere child’s play. I could crack this very quickly via the dictionary attack, and I’m not a hacker; it's one of the 940 most-used passwords. It's equally vulnerable to brute force cracking. There are 11,881,376 (26^5) possible combinations of five lower case letters. That sounds like a lot, but computers can do billions of calculations per second. Even a desktop PC could crack this in less than 0.05 seconds! To weaken the dictionary attack and make the brute force attack harder, let’s combine my child’s name with my dog’s name.
katiespot - 31.1 bits of entropy. Now we’re getting somewhere. This will keep out amateurs because it's unlikely to be in a dictionary. But you’re still at risk from a brute force attack, with a desktop PC computational time of only 6 hours. Let's add in capital letters and increase the charset to 52.
KatieSpot - 37.7 bits of entropy, meaning most hackers would pass rather than waste time (128 days on a PC) trying to crack it. Let’s move up to the big leagues with a very strong password by increasing the charset to 92 by including upper and lower case letters, numbers, and symbols.
k4T13$pO+ - 39.9 bits of entropy. No hacker is going to waste 12 years on a PC trying to crack this.
Did you see what I did here? It still looks like katiespot and is easier to remember than a truly random string of letters, numbers, and symbols. You could get even more secure by simply making this type of string much longer. However, this makes it much harder to remember. I’m going to let you in on a little secret that will allow you to create a practically uncrackable password that will be easy to remember.
Go find a book and find a sentence of 32 characters or less, including spaces. Make sure it's not something like "I love my dog." I picked up a book and selected the following sentence: Popular girls said hi to me. Entropy is now a whopping 126.8 bits, even though the charset is only 47. Cracking time using a desktop PC? A staggering 867 decillion years!
As a bonus, because this is a series of characters that makes grammatical sense, it’s also easy to remember. You are now secure from anyone who is not a cryptographer with access to very high-powered supercomputing facilities. If the site won’t accept spaces in a password, simply substitute a dash (-) or the underline (_). This will have the benefit of increasing the entropy even further.
If the site absolutely requires a number and a symbol be included in your password, find a way to substitute them for letters in a way that’s easy to remember, like P0pul@r_girls_s@id_hi_t0_me. Now the entropy has increased to 146.8 with a charset of 92. Frankly, this is overkill, as a PC would require 4 duodecillion years to crack this password! In fact, it would take a very powerful supercomputer and a great deal of time to crack this password by a brute force attack. Any dictionary that contained this exact string would be, for all practical purposes, the same as an infinite dictionary. This turns the dictionary attack back into a brute force attack. I'm sure the NSA could crack it, but why would they be concerned with your Facebook account?
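The brute-force arithmetic behind the katie, katiespot and KatieSpot figures above, together with a blocklist check against the 25 listed passwords, as an added example that is not part of the original post. The guess rate, the substitution table and the function names are assumptions made for the example; the bit counts are length × log2(charset), the ceiling for a truly random string, so they will not match the online tester's numbers.

```python
import math

# The 25 passwords quoted in the post; every other value below is constructed.
WORST_2011 = """password 123456 12345678 qwerty abc123 monkey 1234567 letmein
trustno1 dragon baseball 111111 iloveyou master sunshine ashley bailey passw0rd
shadow 123123 654321 superman qazwsx michael football""".split()

# Assumed rate: 250 million guesses/second, picked because it roughly
# reproduces the post's "6 hours" and "128 days" desktop-PC figures.
GUESSES_PER_SECOND = 250_000_000

# Common look-alike substitutions (an assumed, deliberately small table).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s", "+": "t"})

def keyspace(length, charset):
    """Number of strings of `length` drawn from `charset` symbols."""
    return charset ** length

def random_bits(length, charset):
    """Entropy of a uniformly random string: length * log2(charset)."""
    return length * math.log2(charset)

def exhaust_seconds(length, charset, rate=GUESSES_PER_SECOND):
    """Worst-case time to try every candidate at `rate` guesses/second."""
    return keyspace(length, charset) / rate

def normalize(password):
    """Fold case and undo look-alike substitutions before a blocklist lookup."""
    return password.lower().translate(LEET)

BLOCKLIST = {normalize(p) for p in WORST_2011}

def is_blocklisted(password):
    """True if the password matches a listed one after normalization."""
    return normalize(password) in BLOCKLIST

if __name__ == "__main__":
    for label, n, c in [("katie", 5, 26), ("katiespot", 9, 26), ("KatieSpot", 9, 52)]:
        print(f"{label:10} {keyspace(n, c):>22,} candidates "
              f"{random_bits(n, c):5.1f} bits {exhaust_seconds(n, c):,.2f} s")
    for candidate in ["P@ssw0rd", "Tru5tNo1", "katiespot"]:
        print(candidate, "blocklisted" if is_blocklisted(candidate) else "not listed")
```

Because the lookup normalizes both sides, a site using this check rejects P@ssw0rd and Tru5tNo1 just as it rejects the listed originals.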
Despite the strength of this password, you shouldn’t rely on it for all of your online accounts. It’s better to have a stable of such passwords, and you should rotate them out for new passwords on a regular basis. You might even look into one of the password management applications available. Of course, all of the tricks we discussed above are null and void if you type in your username and password on a computer that has been infected with a keylogger spyware program. We will discuss how to secure yourself and your computer/devices against such malware in my next blog post.
-Jeff D.
Grandview Branch
Image credit: artwork by Flickr user ssoosay via Flickr's Creative Commons. Bonus points if you know the identity of the cyberhero portrayed in the picture.