How to keep your passwords healthy with a little green tea

Over 23 million people use 123456 as their password. The issue with this password, on top of the obvious, is it’s only six digits long and when it comes to creating the passwords that are tough to crack – length trumps complexity. Being numbers only, 123456 has neither length nor complexity and has been used too many times. 

How are passwords cracked?

Passwords can be cracked a couple of ways. At its simplest are brute force attacks, where different passwords are tried on a system one at a time in the hope that the correct password is stumbled upon. Limits are usually set on systems so that an account will get locked out after a certain number of failed attempts. Like entering your PIN incorrectly at an ATM four times – the ATM will take the card and then you will need to prove your identity to retrieve it. 
 
Why you need to use account lockout best practices

The adoption of account lockout best practices reduces the risk of a password being guessed unless you use something silly like 123456, or other easily guessable passwords like password, password1, welcome etc, or passwords shared across accounts (more on that later). These guessing-game attacks are categorised as online attacks, because the live system is being probed. Some systems do not lock an account out after many failures – this means it will be relatively easy to break short and simple passwords given enough time.

Why offline is the biggest threat to password security 

But the method that really poses a risk is done offline. This involves the stealing of a password list from a server, (or the dark web, where all things ghoulish and interesting live), and the relentless matching of stolen passwords against known or cracked passwords. In these attacks, there is no way to lock out accounts, because you are working on a standalone file.

Systems usually have a database or file which contains user names and passwords. When there is a match of a valid user name and password, authentication occurs. That is how a system asserts that you are who you say you are. 

Conceptually you could think of a password file being like this:

munro_blog1.JPG

Now you can imagine the risk of having that password file stored in human-readable language. Once anyone gets a copy of that file, they have the keys to the kingdom literally spelled out in front of them. To overcome this, passwords are generally stored in an encrypted — or scrambled— format to make them difficult to read. 

The idea is that there is some operation applied to a password to encrypt it. There are many sorts of operations (or algorithms) that can be performed to scramble, from something terrible like simple character-shifting (a becomes b, b becomes c and so on), or transposing (swap every second letter), to some really advanced techniques that underpin today’s stronger encryption methods. The formula in most cases needs to provide the same output for a given input (i.e. – a password will be encrypted to the same value each time). 

Let’s pick a simple (and not used) example – reversing the order of the password characters. The resulting processed (hashed) password is stored in the file to make it harder to guess (unless you know the algorithm).

Original Password: 123456
Algorithm: (reverse the characters) 
Hashed password: 654321

A password file might then look like:

munro2.JPG

If I know the formula used to hash the password, then it is easy for me to work out what the original password is. I can solve it two ways. I can grab my stolen password file and re-process each hashed password to get the original password, and then use that password to log in.

Hashed password: 654321
Algorithm: (reverse the characters) 
Original Password: 123456

I could also save myself a bit of work, and pre-complete an entire set of hashed passwords and password pairs. This time all I need to do is search for the hashed entry contained in the stolen password file (654321), and look up what the corresponding password is (123456), and boom, we’re in.

Big (reversed) List of passwords:

Munro3.JPG

That’s called a hash table, and these are lethal because modern computers are really fast at looking up entries in tables like this. 

The examples above are two-way hashes. You can run the rule both ways 123456=654321 and vice versa. But that’s only because we know the actual hashing rule (reverse the characters – which is not at all robust), and because it’s two-way. 

Proper encryption uses one-way functions, where you can’t just reapply (or “undo”) the formula to deduce the original. While it’s easy to multiply 76 * 45 to get 3,420, it’s difficult to work out what numbers were used to get 3,420 without knowing what either one of them is. 

Strong encryption takes this much further and is typically done by performing a complex mathematical function on a password and extending the length of the stored hashed password to a variable or fixed length to make it harder. 

Using an older Microsoft Windows algorithm called Windows NTLM (the algorithm has been figured out some time ago), hashed passwords are stored as follows:

Conceptual NTLM hash file:

Munro4.JPG

Note above how very different Password1 and Password2 are after being hashed, even though the original passwords differ by one incremental number. Likewise note the similarity in appearance of a hashed two letter password and the hashed short sentence below it – they are stored as the same length, so you can’t tell that one is heaps shorter than the other. 

While these are very long entries to work back from, there are freely available hash tables that can be searched really, really fast. All I need to do is take the stored (hashed) version of my stolen password list, and find a match.

For this reason, using known-bad passwords is a really, really bad idea, because they have already had their hashes calculated and can be looked up in seconds using a hash table.

How Complex Passwords Protect Your Data 

It’s kind of interesting to think about what makes a password hard to brute force (or guess). If I had a one-letter password and could use only lowercase letters, then there’s 26 possible choices (a-z). That’s called a 26-letter character set. That is a bad password, because on average (or half the time) I’d expect to be able guess it in 13 guesses. 

If I expand it to two lower case letters, then there are 26 choices for the first letter, and 26 choices for the second letter. 26 x 26 possible combinations. This can also be written as 26^2 or 262 and it equates to 676 possible combinations. On average I’d expect to guess this in 676/2 = 338 guesses. And while that’s a fun game to play on a long car trip, it’s going to take some time. But a PC will solve this near instantaneously.

Expanding the character set to include 26 upper-case letters (A-Z) and 26-lower case letters (a-z) then I have 52 combinations per slot. In the case of a two-letter password that is 52 x 52 (or 522) combinations, which equals 2,704 combinations. Sydney here we come!

If I extend this to a length of 4, then I have 52 x 52 x 52 x 52 (or 524) combinations, which equals 7,311,616 combinations. Now we’re getting somewhere.

And if I extend my character space to include upper-case and lower-case (A-z), numbers (0-9) and all the symbols on my keyboard including the space bar – I get a character set of 95. 954 (length four, any character) = 81 million combinations. But let’s go large with all-characters passwords: 

Length of 4 = 954 =     81 million
Length of 6 = 956 =    735 billion    
Length of 8 = 958 =     6 quadrillion
Length of 10 = 9510 =    somewhere around 60 Quintillion region (or 60 followed by eighteen 0’s).


I mentioned earlier that computers today are fast, but to put these numbers into perspective, a PC worth $1,000 today with an i7 processor can calculate a single hash of one of today’s strong encryption algorithm (SHA512) in about 0.0008 milliseconds. That means almost 1,000,000 hashes per second!

When using heavier hardware (supercomputers or ones which use graphics cards or GPUs to do math), it can eclipse these speeds by literally orders of magnitudes – 50 to 100 times faster. Last year, custom hardware running 16 graphic processing units managed to break every possible 8 character Windows NTLM Password in 2.5 hours. Think about that - 2.5 hours to enumerate 6 quadrillion passwords in total.

It is possible for swarms of infected PCs “botnets” to band together and obliterate passwords using this method too.

With general computing hardware it may be impractical to brute-force 6 quadrillion combinations in a reasonable time, it is however possible to break them super quick using hash table lookups described earlier. For a known algorithm, lookup a pre-hashed entry and find its original pair. Boom, you’re in.

Why People Don’t Use Complex Passwords 

When people are forced to use relatively small passwords (say 8 letters) and have enforced complexity (at least one uppercase, lowercase, number and symbol), many people will pick something easier to remember:

4nY4_*35      is complex, but hard to remember and probably not chosen often.
W3lcome!    is also complex and easy to remember but probably chosen often.


So being humans, we think of things that are easier to remember that still fit these complexity requirements. And we all use the same tricks!

Myth-busted:  “Change your passwords all the time”

Anecdotally, in the olden days of mainframe computing it was slow and computationally expensive to crack passwords, and when done using the brute force method, it was estimated that the time taken to crack an 8-character password using encryption algorithms of the day, was over 3 months. Thus, it was decreed passwords must change every 42 days because it was very unlikely that a password would be cracked before it had to be changed, and then the process kicked off again. 

Introducing password entropy 

Password entropy is a gauge of how hard a password or passphrase is to crack – there are different ways to calculate it, but generally length trumps character set size because as length grows, there are exponentially more combinations to consider (unless you use Password1 etc).

The thing is, by forcing you to create these passwords all the time (e.g., every 42 days) you will inevitably use transforms, or guessable patterns. And guess what, people tend to use similar patterns. Incremental numbers, years, months, swap letters with numbers A=4 E=3 o=0, and use punctuation – like an ! at the end!  Even using keyboard patterns (QWERTYUIOP) are out.

W3lcome! and countless other dictionary variants will have already been hashed against various encryption algorithms and will exist in easy to find hash tables ready for looking up. These attacks are termed “dictionary attacks”, because they start off with simple, common words for the language in question, and then apply common transforms just mentioned.

Check out this scary analysis and see how many common “secret methods” you use: https://wpengine.com/unmasked/  We have, in effect, engineered passwords to be difficult to remember by people and easily cracked by computers.

How to use secure passwords properly 

The new thinking by the smart folks at NIST is to use easy to remember, difficult to guess passphrases that don’t include known bad passwords.

The assumption (and it makes sense) is that it’s easier to remember a few simple words than a complex combination of letters/numbers/symbols. We are better off having longer passphrases with a smaller character set (i.e., just letters), that’s easy to remember. Feel free to use spaces too, to make it a character set of 27.

little green tea                            (16 characters)        (2716)    
my horse loves the beach         (24 characters)         (2724)  


These are computationally very expensive to crack, and much simpler to remember. The equivalent 16 simple letter little green tea strength is achieved by a 12-digit “complex” password – so add four letters and remove the complexity and make it easier to remember.  Some estimates place the time needed to crack 2716 with a regular PC as between 10-20 million years. But the beauty about these numbers is that even if you’re “out” by a factor of 1,000 or even 100,000 – the timescales are huge!

Better still, because most passwords are expecting “traditional” complex characters, the actual character set will be 95 characters, which make for some scarily big numbers. Type 95^16 into your calculator and see what comes out.

So the silly thing is that in many systems today “little green tea” will be rejected as weak, whereas Password1! will be accepted as strong.

For passphrases to be truly effective, you need to use words that aren’t commonly used together “Merry Christmas” would have a lower entropy (and therefore be easier to lookup) than “liquid car bout” which although is the same length, contains words that are rarely used together and would be unlikely to appear on any hashing tables (for now anyway).

Worse still, changing passwords like this often also leads to the terrible habit of reusing passwords across different accounts and services. You can imagine what happens when the same stolen and shared Yahoo or Marriott user name and password combination is also used for your corporate email account, internet banking, VPN or other service.

Putting best practice password security into action 

It will take some time for account administrators to change password policies to reflect this new thinking, so I’d advise you try it and use passphrases where you can, and always remember the following:

  1. Never use the same password on different accounts
  2. Never use the most common passwords 
  3. Don’t use repetitive strings like aaaaa or 11111
  4. Don’t use known-breached passwords – you can google these
  5. If you must use “complex” transforms, don’t make them obvious
  6. Read our upcoming blog on Password Managers and Multifactor Authentication.

It’s time to level up security-wise. We can provide MFA across multiple client applications and services to ensure you don’t become part of a staggering statistic, get in touch today.