Cracking The Key To Passwords

The Origin of Current Password Creation Guidance

The complexity rules applied to passwords today largely trace back to an eight-page document authored by a manager at the National Institute of Standards and Technology. That document, “NIST Special Publication 800-63, Appendix A”, advised that “passwords should contain irregular capitalisation, special characters and at least one number”. It also indicated that passwords should be changed regularly, at least every 90 days.

This advice changed slightly over the years, eventually settling on: choose a word, swap some letters for numbers, add a few digits to the start or end, and throw in a couple of special characters for good measure. All this has achieved is to make passwords hard for people to remember and easy for computers to guess.

Whilst this advice was reasonable given the computing power of the time, technology has marched on, and a password created using these techniques, such as “D1seng4g358!” (Disengage), can be cracked by brute force on a standard desktop computer in about 3 days.

The author of what was considered the de facto guide to passwords now says that he regrets the advice:

“Much of what I did I now regret … In the end, it was probably too complicated for a lot of folks to understand very well, and the truth is, it was barking up the wrong tree.”

Bill Burr, Author of NIST Password Guidelines

Government Guidance

Both UK and US governmental guidance, from the Centre for Protection of National Infrastructure (CPNI, UK) and the National Institute of Standards and Technology (NIST, US) respectively, has been updated on password usage, and the two bodies share the majority of their recommendations.

One of the most recognisable departures from the previous guidelines concerns password expiry. Both organisations now recommend that passwords do not expire, but are changed when there is evidence that the account has been, or may have been, compromised.

How Your Passwords Get Discovered

There are several ways that passwords get exposed and compromised:

  • Social Engineering – tricking users into divulging their passwords
  • Manual Guesswork – using information about the user to manually guess likely passwords
  • Interception – intercepting passwords that are sent in plain text by email or by post
  • Stolen – a significant number of people use the same password in multiple places; if one of those sites is compromised (TalkTalk, Yahoo, AshleyMadison etc.), then their password can be retrieved
  • Shoulder Surfing – as simple as someone looking over your shoulder (in person or via a camera) while you are entering your password
  • Keyloggers – a hardware device or piece of software attached to or installed on your computer that records every keystroke, which is then sent to a remote system or retrieved later
  • Automated Guesswork – using a computer (or many computers) to guess passwords thousands of times per second
  • Searching – if a third party has physical access to where a user works, they can often find clues to the user's password, or even the password itself, written down somewhere, often nearby

Alternatively, none of this is needed if you chose a weak password to begin with: it can simply be guessed.
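To make the brute-force figures in this article concrete (the three-day crack of a mangled dictionary word, and the "automated guesswork" item above), here is an added Python example written for this page, not code from the original article. It counts the choices an attacker has to try for three kinds of password, converts that into bits and into worst-case search time, and generates a passphrase the way a password manager would. The dictionary size, the number of leet substitutions, the diceware list size and the guess rate of one billion guesses per second are all assumptions labelled in the code, so the resulting times are a model rather than the article's measurement; the eight-word list used for generation is constructed for illustration and is far too short for real use.

```python
import math
import secrets

# Constructed assumption: an offline attacker with one desktop GPU against a fast,
# unsalted hash. A round placeholder rate, not a measurement.
ASSUMED_GUESSES_PER_SECOND = 1_000_000_000

# Constructed toy word list standing in for a real diceware list (7776 words).
SAMPLE_WORDS = ["anchor", "basil", "copper", "drift", "ember", "fable", "gravel", "harbor"]


def mangled_word_keyspace(dictionary_size=100_000, leet_positions=4,
                          suffix_digits=3, symbol_choices=32):
    """Search space for the 'word + leet swaps + digits + symbol' pattern, the shape
    of D1seng4g358!. The attacker models the pattern, so the length of the final
    string is irrelevant; only the number of choices the human made counts.
    All four parameters are assumed values."""
    return dictionary_size * (2 ** leet_positions) * (10 ** suffix_digits) * symbol_choices


def random_string_keyspace(alphabet_size=95, length=8):
    """Characters drawn uniformly at random from the 95 printable ASCII characters."""
    return alphabet_size ** length


def passphrase_keyspace(word_list_size=7776, word_count=4):
    """Words drawn uniformly at random from a published list. The list itself is
    public, so only the list size and the number of words contribute."""
    return word_list_size ** word_count


def entropy_bits(keyspace):
    """Bits of entropy for a uniformly chosen secret from a space of this size."""
    return math.log2(keyspace)


def seconds_to_exhaust(keyspace, rate=ASSUMED_GUESSES_PER_SECOND):
    """Worst case for the attacker; on average a password falls at half this time."""
    return keyspace / rate


def generate_passphrase(word_count=4, words=SAMPLE_WORDS):
    """Machine-assisted generation: the secrets module (a CSPRNG), never random.choice."""
    return " ".join(secrets.choice(words) for _ in range(word_count))


def compare():
    """Bits and worst-case exhaustion time (seconds) for each password style."""
    rows = {
        "mangled word (D1seng4g358! style)": mangled_word_keyspace(),
        "random 8 printable chars": random_string_keyspace(),
        "4 random diceware words": passphrase_keyspace(),
        "4 words from the toy 8-word list": passphrase_keyspace(len(SAMPLE_WORDS), 4),
    }
    return {name: (round(entropy_bits(k), 1), seconds_to_exhaust(k)) for name, k in rows.items()}


if __name__ == "__main__":
    for name, (bits, secs) in compare().items():
        print(f"{name:36s} {bits:5.1f} bits  {secs / 86400:12.4f} days to exhaust")
    print("sample passphrase from the toy list:", generate_passphrase())
```

The numbers make the article's point: a twelve-character mangled word looks long but sits in a search space of roughly 2^36 because the attacker guesses the pattern rather than each character independently, whereas four words picked at random from a public list come out at about 2^52 despite containing no digits or symbols at all. The last row shows the flip side: a passphrase is only as strong as the list it is drawn from, which is why the toy list must never be used for real.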

Top 25 Passwords In Use By Year (that you should never use)

Rank 2011 2012 2013 2014 2015 2016
1 password password 123456 123456 123456 123456
2 123456 123456 password password password password
3 12345678 12345678 12345678 12345 12345678 12345
4 qwerty abc123 qwerty 12345678 qwerty 12345678
5 abc123 qwerty abc123 qwerty 12345 football
6 monkey monkey 123456789 123456789 123456789 qwerty
7 1234567 letmein 111111 1234 football 1234567890
8 letmein dragon 1234567 baseball 1234 1234567
9 trustno1 111111 iloveyou dragon 1234567 princess
10 dragon baseball adobe123 football baseball 1234
11 baseball iloveyou 123123 1234567 welcome login
12 111111 trustno1 admin monkey 1234567890 welcome
13 iloveyou 1234567 1234567890 letmein abc123 solo
14 master sunshine letmein abc123 111111 abc123
15 sunshine master photoshop 111111 1qaz2wsx admin
16 ashley 123123 1234 mustang dragon 121212
17 bailey welcome monkey access master flower
18 passw0rd shadow shadow shadow monkey passw0rd
19 shadow ashley sunshine master letmein dragon
20 123123 football 12345 michael login sunshine
21 654321 jesus password1 superman princess master
22 superman michael princess 696969 qwertyuiop hottie
23 qazwsx ninja azerty 123123 solo loveme
24 michael mustang trustno1 batman passw0rd zaq1zaq1
25 Football password1 0 trustno1 starwars password1

What to do about passwords – our top tips

  • Long passphrases are better than shorter, more complex passwords
  • Change your passwords if you think they have been compromised
  • Don’t use the same password everywhere
  • Change any default passwords
  • Allow users to securely record and store their passwords
  • Don’t allow password sharing
  • Use machine-assisted password generation
  • Use account lockouts and monitor for unusual activity
  • Don’t store passwords as plain text
  • Password managers can help but should be treated with caution
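Three of the tips above (changing default passwords, account lockouts with monitoring, and never storing passwords as plain text) are the server side of the story. The following is an added Python example written for this page, not code from any product or from the article: a minimal credential store that keeps only a random per-account salt and an scrypt hash, compares hashes in constant time, refuses a constructed list of common default passwords at registration, locks an account after a number of failures inside a time window, and records an event trail that monitoring can consume. The threshold, window and scrypt work factors are example values, and the clock is injectable only so that lockout expiry can be exercised.

```python
import hashlib
import hmac
import secrets
import time

# Example policy values chosen for illustration; tune them for a real deployment.
LOCKOUT_THRESHOLD = 5                 # this many failures...
LOCKOUT_WINDOW_SECONDS = 15 * 60      # ...within this window lock the account
SCRYPT_PARAMS = {"n": 2 ** 14, "r": 8, "p": 1}   # hashlib.scrypt work factors (16 MiB)
# Constructed list of default/common passwords to refuse; a real list is far longer.
REFUSED_PASSWORDS = {"admin", "password", "123456", "changeme", "letmein"}


class AuthStore:
    """Minimal credential store: salted scrypt hashes, constant-time comparison,
    per-account failure counting with lockout, and an event trail for monitoring.
    Written for this page as an illustration, not a production library."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so lockout expiry can be tested
        self._records = {}           # username -> {"salt": bytes, "hash": bytes}
        self._failures = {}          # username -> [timestamps of recent failures]
        self.events = []             # (event, username) tuples a SIEM could ingest

    @staticmethod
    def _derive(password, salt):
        # scrypt is memory-hard, so each guess costs an attacker far more than a bare SHA-256.
        return hashlib.scrypt(password.encode("utf-8"), salt=salt, dklen=32, **SCRYPT_PARAMS)

    def register(self, username, password):
        if password.lower() in REFUSED_PASSWORDS:
            raise ValueError("refusing a known default or common password")
        salt = secrets.token_bytes(16)   # unique per account, so equal passwords hash differently
        self._records[username] = {"salt": salt, "hash": self._derive(password, salt)}
        self.events.append(("register", username))

    def is_locked(self, username):
        now = self._clock()
        recent = [t for t in self._failures.get(username, []) if now - t <= LOCKOUT_WINDOW_SECONDS]
        self._failures[username] = recent    # forget failures that fell outside the window
        return len(recent) >= LOCKOUT_THRESHOLD

    def verify(self, username, password):
        if self.is_locked(username):
            self.events.append(("locked", username))
            return False
        record = self._records.get(username)
        if record is None:
            # Unknown user: run the derivation anyway so response time does not reveal
            # which usernames exist.
            self._derive(password, bytes(16))
            ok = False
        else:
            ok = hmac.compare_digest(self._derive(password, record["salt"]), record["hash"])
        if ok:
            self._failures.pop(username, None)
            self.events.append(("success", username))
        else:
            self._failures.setdefault(username, []).append(self._clock())
            self.events.append(("failure", username))
        return ok

    def failure_counts(self):
        """Failures per account still inside the window: the 'unusual activity' view."""
        counts = {}
        for user in list(self._failures):
            self.is_locked(user)             # prunes expired failures as a side effect
            if self._failures[user]:
                counts[user] = len(self._failures[user])
        return counts


def demo():
    """Register one account, hit it with wrong guesses, then show the lockout holding
    even against the correct password."""
    store = AuthStore()
    store.register("alice", "gravel harbor ember fable")
    guesses = [store.verify("alice", f"wrong{i}") for i in range(LOCKOUT_THRESHOLD)]
    blocked = store.verify("alice", "gravel harbor ember fable")
    return {"wrong_guesses": guesses, "right_password_while_locked": blocked,
            "failures": store.failure_counts(), "events": store.events}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two design points are worth noting. The store never holds anything from which the password can be recovered, so a stolen copy of the records only yields salted hashes that must be attacked one guess at a time at scrypt cost. The lockout is deliberately time-windowed rather than permanent, so a burst of guesses locks the account while an attacker cannot use the mechanism to lock a legitimate user out forever; the event trail is what lets monitoring see the burst in the first place.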