What's the !%$k9A^ point?
Introduction
Well ... that article title got you hooked! Sorry to disappoint you, but this is a blog post on using characters in passwords which are not letters or numbers.
Don't you get sick of being told that your password must contain a number, an additional character, and an upper case letter? Here is my prediction for you:
- You make the first letter upper case. Correct or not?
- You add a number at the end. Correct or not?
- The number you add is a 1. Correct or not?
- You add the additional character at the end. Correct or not?
- The character you add is "!". Correct or not?
So you might end up putting the same number at the end, and also putting the funny character at the end too. If your password was meant to be "applecore", I would guess you would end up with:
Applecore1!
Not exactly a quantum leap from "applecore". Why? Because "1" is the first number, and "!" is the first squiggly character on the top row of the keyboard. We are all lazy, and want to remember our password, so we just go for the easiest option possible.
And then you get really annoyed when Paypal tells you that you can't use two characters which sit beside each other on the keyboard. Aghhhhhh!!!!!!!!!!!! There goes "qwerty123".
The reason for these rules is that users will often use the shortest and easiest password possible. For example, in the Adobe hack, nearly two million people selected:
123456
closely followed by half a million people selecting "123456789" ... which really confused intruders. With almost 200,000 users then selecting a sneaky password of "12345678" ... we really see the problems we have:
Goodbye to standard passwords
So, where are we with passwords? Basically most of the well-known passwords have already been hashed, and the results are available either from Google or in rainbow tables. For example, if we search in Google for "59745C97DF966D170393C14009D9916C", which is the hash of "billbuchanan" (here), we get:
and even "billbuchananatnapier" has been hashed (doh! ... there goes my password):
12177264 billbuchananatnapier "20 Chars" ff944a52eb7edd89d7e3b5f2eb0ac28e Not Rare
I'm a bit worried that it's "Not Rare" :-)
So if you have used a password which has already been hashed, then an intruder just matches it against a list that they have. Hashing functions like MD5 and SHA-1 are superfast, so it doesn't take long for an intruder to add more entries to that list.
So what is the solution?
Well salting the password is the solution, where the same password comes out with a range of hashed values:
hash = md5 (salt + password)
While many systems don't even use salting, many others do. Unfortunately the salt is stored with the hashed value, so the intruder just goes through the candidate passwords, adds the salt to each one, and checks the results.
In the Ashley Madison hashed password database, a fixed salt was used, which meant that once the salt was known (from analysis of the code on Github), the intruder just creates a new table with all the hashed values [here]. Few developers, unfortunately, ever get training on cryptography, thus the methods they use can be sloppy.
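To show the difference between the schemes discussed above (no salt, one fixed salt for the whole site, a random per-user salt, and a per-user salt with a deliberately slow key-derivation function), here is an added Python example; it is not code from the original post or from asecuritysite.com, and the password list and the fixed salt are constructed sample values.

```python
import hashlib
import os
import secrets

# Constructed sample of "well-known" passwords (includes the ones this post mentions);
# a real precomputed table would hold millions of entries, but the logic is the same.
COMMON_PASSWORDS = ["123456", "123456789", "12345678", "qwerty123",
                    "applecore", "Applecore1!"]
FIXED_SALT = "app-wide-salt"   # constructed; stands in for a salt recovered from source code


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def build_table(salt: str = "") -> dict:
    """Precompute md5(salt + password) -> password for the common list.
    With no salt this is built once and reused against every leaked database."""
    return {md5_hex(salt + p): p for p in COMMON_PASSWORDS}


def lookup(stored_hash: str, table: dict):
    """Instant match if the stored hash is in the table, otherwise None."""
    return table.get(stored_hash)


# Scheme 1: unsalted md5. One shared table matches every user with a common password.
def store_unsalted(password: str) -> str:
    return md5_hex(password)


# Scheme 2: one fixed salt for the whole site. Once the salt is known the table is
# rebuilt a single time and again covers every user.
def store_fixed_salt(password: str) -> str:
    return md5_hex(FIXED_SALT + password)


# Scheme 3: random per-user salt. A table built for one user's salt says nothing
# about any other user, so the work must be repeated per account.
def store_per_user_salt(password: str) -> tuple:
    salt = secrets.token_hex(8)
    return salt, md5_hex(salt + password)


# Scheme 4: per-user salt plus a slow KDF (PBKDF2-HMAC-SHA256), so every guess costs
# ITERATIONS hash computations instead of one fast md5.
ITERATIONS = 200_000


def store_pbkdf2(password: str) -> tuple:
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def verify_pbkdf2(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return secrets.compare_digest(candidate, digest)
```

Running the schemes side by side shows that two users who both chose "applecore" get identical hashes under schemes 1 and 2 but different ones under schemes 3 and 4.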
Hash crackers making a mockery of passwords
So what about the rest? Well GPUs, with their 4,000 processors, love hashing values, and 4,000 passwords can be hashed all at the same time. With speeds of 10 gigahashes per second, these devices can do 10 billion password hashes in a second!
So here's my password strength calculator:
https://asecuritysite.com/encryption/passes
For 1 billion hashes per second, and with upper/lowercase and additional characters, an eight-character password is cracked in 3.66 minutes:
Even a 9-character password only holds out for 4 and a half hours:
A 10-character password lasts for 10 days, so my advice for passwords ... go for at least 13 characters! Make it a phrase that only you use, such as:
MyGoodnessItIsRainingAgain!
Of course, as soon as I write this, the phrase will be hashed.
In the example I used:
!%$k9A^
would be cracked in three seconds!!!!!
Conclusion
Passwords are rubbish! Passwords are dead!
Hashed passwords are often not a barrier!
They should only be one factor in proving your identity. Your location, your device, the colour of your eyes, and so on, are other factors that improve your identity checks.
Passwords are so 1990s, and a legacy of when we needed to log in to mainframe computers. Your mobile phone now has four cores and is millions of times more powerful than the computers we used in the 1990s. Our password system was designed in times when systems did not connect to open networks, and when computers had the processing capabilities of your fridge.
Often we would be better off with simple PIN numbers and other forms of authentication than with these ever-increasing strings.