Why Passwords?

People are generally good. Almost everyone I know is fundamentally a good person. However, some people are not so good. People tend to get worse as the amount of money involved goes up. This is why banks tend to have better security than my house.

It turns out that supercomputers involve a lot of money. In fact, when people say "supercomputer" the most super aspect is usually the price. Supercomputing facilities tend to have elaborate physical security involving electronic access, video surveillance, exotic fire suppression technology, climate control, and 24/7 operations staff watching the place. This is all designed to protect some very expensive stuff.

Normally you’d protect expensive stuff from physical theft, but with large computing infrastructure, that is not the problem. A criminal does not want to take physical possession of several tons of computer racks and they certainly don’t want to pay for the electricity to use this equipment. No, far more efficient for the criminal is to leave the equipment alone and just "borrow" it when they want to.

An unauthorized user is essentially stealing computing cycles, disk storage, electricity, and network bandwidth from legitimate purposes. This can easily cost as much as your salary. Furthermore, it’s not just opportunity costs that are at risk. All too often, bad people are rather inconsiderate with other people’s possessions and data. How would you feel if you were responsible for a security breach that caused all of your colleagues' productive output to disappear? Now you can see that there is an important need to distinguish between the criminal users and the authorized users.

There are good ways to do this and there are questionable ways. The most common way is to have legitimate users authenticate themselves using a secret shared only with the server: this is the password.

Why Good Passwords?

Take a look at this photo.

[Photo: Weak Security]

The person who locked up this bike almost certainly believed they were securing it in some way. What they really did was waste their time and energy. Of course they saved time for the person who will ultimately steal this bike. It could be argued that the person at least gave the bike the appearance of being secured. However, this is incorrect, since an actual bike thief would instantly notice this situation just as I, an owner of expensive bikes, did. It’s not enough to just perfunctorily go through the motions of security; you actually have to get it right.

bob123

To illustrate why security must be taken as seriously as what you are trying to protect, I’ll share an actual situation that occurred on some computer resources I was managing.

One day, I got a notice from some random company asking my company to stop sending spam to them. Our company was not in the spam business, so this came as a big surprise. I investigated our mail server and noticed it was very slow and busy. I realized that there was an inordinate amount of network traffic, and when I unplugged the network cable it started to respond properly again. I then ran some diagnostic software designed to find what is called a "rootkit", a collection of bad software installed by unauthorized users.

Eventually I found the rootkit and I started to explore it. I discovered the source of its brute force attack strategy. This is basically a file of usernames and passwords to try if it gets the opportunity to attempt to compromise a new machine. Since this company only had about 10 users, it was practical for me to search this file for any mention of any of our usernames. We had a user whom I shall call "Bob" and, sure enough, I found a username "bob" in this file. Next to the bob username was the password to try for bob, bob123.

I went to Bob, and asked, "Say Bob, is your password ‘bob123’ by any chance?" Turns out, yes it was. Bob learned something important that day and I hope you can learn the same thing now. By using a weak password, Bob put the data of the entire organization at risk. For a software company, this could have been catastrophic. Huge time and effort was needed to diagnose this problem, rebuild our mail server, and check everything else that had been vulnerable. Also, our company’s reputation suffered due to the fact that network addresses owned by us had been responsible for sending out millions of spam emails.

Password Overload

Modern life is full of passwords and that can get irritating quickly. You may think "Nobody cares about my Facebook account." And that may be true. However, there are ways to exploit Facebook accounts, and attackers will try anyone’s. Still, this kind of risk is up to you. It’s your account, your friends, and your reputation. At work, life is different. Whatever your motivation for coming to work will be severely undermined if you cause a flagrantly avoidable security breach. This is why I recommend that your work passwords be a completely separate realm from your personal ones. If you want to share the same password between your Gmail and Facebook accounts, that’s not too adventurous, but there are many good reasons to not bring that to work. For example, I used to administer a system where the previous admin had access to the plaintext passwords the users submitted. I personally don’t look at your passwords as a matter of policy, but you probably should operate under the assumption that I do. Ask yourself if you want your job’s technical personnel to have the ability to log in to your Facebook account.

More Motivation

You may be inclined to think that although good passwords are good, bad passwords are easier and no one will ever know. Obviously Bob knows that’s a big risk, but there are other potential risks. First, imagine you’re giving a demonstration to some colleagues and you need to type in a password. If you make a mistake (demonstrations aren’t what you normally do), you could accidentally type the plaintext password in front of all your colleagues. How would you feel about that, knowing that a weak password puts their work at risk?

Also, you might just happen to have an especially competent system administrator who is aware of certain tools for cracking weak passwords. This diligent administrator might periodically attempt to root out weak passwords with such a tool. This is what the criminals will try, especially if they have access to extraordinary computing resources like a cluster. You do not want to be the one whose password is bob123.

Password Best Practices

Good

How can you create this new system of passwords that are complex enough without going bonkers trying to remember them? If you don’t already have a system, and I mean one arrived at after some sophisticated thought on the matter, then the best way is the following. Use a phrase you know. Song lyrics or poetry work especially well. Take the first (or last) letter (or 2 letters) from each word and there’s a decent password. Here’s a security-related example from Pink Floyd’s "Run":

Cause if they catch you in the back seat
Trying to pick her locks
They're gonna send you back to mother
In a cardboard box

The highlighted letters (from "the back seat Trying to pick her locks") can form this: tbsTtphl. Even better, replace the word "to" with the number to form this: tbsT2phl. There are other techniques and systems, but really, why go there? This one is approved by even the most fussy sysadmins and mathematicians. Ideally you want to use this system and get one or more letters (of both cases), numbers, and other symbols. But let’s not get too complicated. Work on the basic randomness first.

Bad

  • Dictionary Words - Do not use a "dictionary" word. Actually, do not use a word. Is it a word? Can you say or think it? Don’t use it. To computer security people, "dictionary" doesn’t mean the OED. It means an exhaustive list of all collections of characters that have ever been found together on the internet, anywhere.

  • Foreign Words - As pointed out previously, foreign words are words. Chinese, Russian, Romanian, etc.: bad guys have collected lists of all words from all languages.

  • Names - Person? No. Place? No. Event? No. Weird technical term? No. Super adorable pet? No! Can you say it? Don’t use it.

  • Dates - It might seem cool to use something like your birthday since March13,1985 has a lot of good stuff (both cases, numbers, and a comma). But cracking algorithms know this and will streamline potential date formats. So avoid them.

  • Patterns - It may surprise you to know that poiuyt is in some cracking dictionaries. This is because it is an obvious pattern (hint: type it). Computers know just how lazy humans are and can automatically generate a list of easy-to-type/remember patterns and then try guessing them.

  • Transformation - You may think that something like ssastar is good, but in addition to containing the words "sass", "star", "tar", "astar", it also contains "rat", "rats", and "ass" (backwards). Good cracking techniques try these kinds of mutations. They’re more complicated for you than for the computer, so don’t bother.

  • Short - Although 5QF}x is a completely random password it can be cracked in minutes because it is so short and trying all combinations of 5 characters just doesn’t take that much time. A password of 8 characters that would take 10 days to crack would require only 1 second if 3 characters were removed.
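As an added example (not code from the article), here is a small policy check that rejects candidates matching the Bad list above, plus the arithmetic behind the "Short" item. The dictionary is a constructed stand-in (real cracking lists are vastly larger), and the date pattern only covers month-name and all-digit formats; both are my simplifications.

```python
import re

# Constructed stand-in for a cracking dictionary: real ones hold every
# string ever seen together on the internet, as the article says.
DICTIONARY = {"bob", "bob123", "password", "star", "sass", "tar", "rat",
              "rats", "ass", "poiuyt", "qwerty", "fluffy"}
MIN_LENGTH = 8
ALPHABET = 95  # printable ASCII characters a brute-force search must cover
MONTH_DATE = r"(?i)(jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec)[a-z]*\d{1,2},?\d{2,4}"


def substrings(s: str, min_len: int = 3):
    """Every substring of at least min_len characters, forwards and
    reversed (ssastar hides 'ass' backwards, as the article notes)."""
    s = s.lower()
    for i in range(len(s)):
        for j in range(i + min_len, len(s) + 1):
            yield s[i:j]
            yield s[i:j][::-1]


def weaknesses(password: str) -> list:
    """Reasons the password fails the article's 'Bad' list; empty if none."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append("short")
    if password.lower() in DICTIONARY:
        reasons.append("dictionary word")
    elif any(part in DICTIONARY for part in substrings(password)):
        reasons.append("contains dictionary word (possibly reversed)")
    if re.search(MONTH_DATE, password) or re.fullmatch(r"\d{6,8}", password):
        reasons.append("date")
    return reasons


def brute_force_seconds(length: int, guesses_per_second: float) -> float:
    """Seconds to exhaust every string of `length` printable characters."""
    return ALPHABET ** length / guesses_per_second


if __name__ == "__main__":
    for pw in ["bob123", "ssastar", "March13,1985", "5QF}x", "tbsT2phl"]:
        print(pw, weaknesses(pw) or "ok")
    # Calibrate so that 5 characters take 1 second, as in the article; 8
    # characters then take 95**3 times longer, which is about 10 days.
    rate = ALPHABET ** 5
    print(brute_force_seconds(8, rate) / 86400, "days")
```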

Ugly

  • Any on-line sources of random characters or numbers. You could trust that these sources are legit, but why take a chance?

  • Any sources from books.

  • Any specific examples you find here or ever hear about. Ever.

[Photo: More Weak Security]