How do mere mortals create secure, memorable passwords?
Instead, we tend to come up with something we can remember that's utterly feeble, crackability-wise. The Philips breach is the most recent example of pathetic passwords, with Sophos's Paul Ducklin cracking 20% of the hashes within the first second of running them through the open-source John the Ripper cracker software.
"123456," anyone? Or how about "12345678," or "999999?" Ducklin found multiple instances of these devoid-of-imagination passwords, as does any researcher who analyzes data sets of passwords from large breaches, such as the LinkedIn one.
Lamentably, we humans also reuse passwords, both strong and weak, in every cyber spot we stumble into, ensuring that the breach of one password means our goose is potentially cooked everywhere. In a landmark study (PDF) from 2007, Microsoft Research's Dinei Florencio and Cormac Herley found that the average Web user maintains 25 separate accounts but uses just 6.5 passwords to protect them.
The consensus: Things have certainly not improved vis-à-vis password reuse since 2007. They have probably gotten worse.
How should we come up with secure, memorable passwords? Perhaps we shouldn't. We should, to paraphrase the poet Charles Bukowski, play the keyboard drunk like a percussion instrument until the fingers begin to bleed a bit.
Herein, some input on creating (to a degree, more or less) secure passwords that's a bit more specific. But first, one must address the question of whether one should bother, given that, according to many, passwords are dead.
Passwords are so not dead
Rob Shein is one of the people who consider password strength to be largely irrelevant. He's the Cyber Security Lead for the Cyber Security Practice at Black & Veatch, a global engineering company.
The original point behind strong passwords, Shein says, was to prevent predictability and brute-force attacks. Brute-forcing isn't much use nowadays, given account lockouts and the amount of resources that effort takes, time-wise. "When each login attempt takes 2-5 seconds, brute forcing even a 5-character password based on all lowercase letters becomes too time-consuming," he says.
On the other hand, the other form of brute forcing—cracking hashed password stores—is easy, thanks to a few things: the speeds of password-cracking tools optimized to work with SSDs, which back in 2010 achieved speeds up to 100 times quicker than previously possible (The Register called it "password cracking on crack"); rainbow tables, precomputed tables that map hashed values back to passwords so that cracking a stolen store becomes a lookup rather than a computation; and Moore's Law, which has created an exponential rise in computing rocket fuel to power all the cracking.
"Password strength is of limited use in resisting [all that]," Shein says. "Not to mention the fact that if the attackers have the stored hashes of your passwords, you're already hacked in the first place."
LinkedIn's breach was a case in point: 5.8 million passwords were stored as unsalted hashes, which made it easy to decipher them using pre-computed rainbow tables. A salt is a string added to each password before it's hashed; because the stored hash then depends on the salt, the hashes of a dictionary of common passwords can't be precomputed once and reused against every account.
With password storage as feeble as LinkedIn's, password strength does, in fact, become irrelevant: If it's unsalted, it can be cracked pretty easily. One would hope that most of the places that store our passwords do, in fact, salt the hashes, but the fact that some, like LinkedIn, do not, underscores the need to use different passwords at every point.
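The difference salting makes, as an added example (not from the article or from LinkedIn): an unsalted store lets a precomputed table pick off common passwords by lookup, and shows which users share a password; a salted store built with a slow key-derivation function gives the same table nothing. SHA-256, PBKDF2 and the sample accounts are assumptions made for the example.

```python
import hashlib
import hmac
import os

# Constructed sample accounts; alice and bob chose the same weak password.
USERS = {"alice": "123456", "bob": "123456", "carol": "fmT9#kq2LpW!r4zX"}

# Stand-in for a cracker's precomputed table of unsalted hashes. SHA-256 is an
# assumption here: the article does not say which hash LinkedIn used.
PRECOMPUTED = {hashlib.sha256(p.encode()).hexdigest(): p
               for p in ("password", "123456", "12345678", "999999")}

def store_unsalted(users: dict) -> dict:
    """Hash each password on its own: identical passwords yield identical hashes."""
    return {u: hashlib.sha256(p.encode()).hexdigest() for u, p in users.items()}

def store_salted(users: dict, iterations: int = 100_000) -> dict:
    """Hash each password with a fresh random salt and a slow KDF (PBKDF2-HMAC)."""
    store = {}
    for u, p in users.items():
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", p.encode(), salt, iterations)
        store[u] = (salt.hex(), digest.hex())
    return store

def lookup_precomputed(hashes: dict) -> dict:
    """Defender's audit: which stored hashes fall straight out of the table?"""
    return {u: PRECOMPUTED[h] for u, h in hashes.items() if h in PRECOMPUTED}

def verify_salted(store: dict, user: str, candidate: str,
                  iterations: int = 100_000) -> bool:
    """Login check for the salted store: recompute with the stored salt and
    compare in constant time."""
    salt_hex, digest_hex = store[user]
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 bytes.fromhex(salt_hex), iterations)
    return hmac.compare_digest(digest.hex(), digest_hex)

if __name__ == "__main__":
    unsalted = store_unsalted(USERS)
    print("unsalted hashes found in table:", lookup_precomputed(unsalted))
    salted = store_salted(USERS)
    print("salted hashes found in table:",
          lookup_precomputed({u: d for u, (_, d) in salted.items()}))
    print("alice and bob share a salted hash:",
          salted["alice"][1] == salted["bob"][1])
```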
But what are we supposed to do if we can't rely on passwords? Use biometric authenticators, such as voice pattern recognition, or facial recognition, or fingerprints? They've all got issues, whether it's that they're too pricey or they can be fooled (2D pictures trick facial recognition, and fingers are just nice, portable little authenticators that can be cut off).
Beyond all that, passwords are embedded too deeply into how we function for us to call the pall bearers.
"There may come a time when everybody's using some other technology, and it may be cheaper than passwords, but pretty much everyone's using passwords now," says Dr. Lujo Bauer, an Assistant Research Professor at Carnegie Mellon University's CyLab. "If you're a new company or website, you're not going to make your users' lives harder by making them jump through hoops they haven't seen before."
At any rate, password debates get bogged down with the straw man argument of whether a given password, cooked up with a given scheme, can be cracked. Of course any password can be cracked, given infinite time and computing power, Dr. Bauer says, but who's got infinite time? "In general, an attacker's not going to spend infinite time," he says. "He'll spend a day or week or month, and if he doesn't succeed he'll move on to something else. Our goal as people trying to make passwords better is not to make them uncrackable, just to make it not worth the time."
An explicit thumbs-down on implicit passwords
Meanwhile, interesting new password research has gone into the realm of neuroscience. It has to do with implicit learning, which is a cognitive psychology term that refers to learning patterns without conscious knowledge of what you've learned.
Think of learning how to ride a bike: A part of your brain—neuroscientists think it's the basal ganglia—learns by repeatedly performing a given task. Can you explain how to ride a bike? Experiments designed to trigger implicit learning show that you can't access the knowledge consciously.
Put that to use in the service of creating authentication credentials that the authenticatee can't cough up, not for love, money, phishing, cajoling, or physical coercion, and you've got something. A group of cryptographers and neuroscientists recently published a paper (PDF) showing success at implementing implicit password learning, planting secret passwords in participants' brains by having them play a carefully crafted computer game (it actually resembles Guitar Hero).
ExtremeTech explains how it works, but in a nutshell, the researchers managed to store 30-character passwords in people's brains—passwords that they could then reconstruct when playing the game again, even after a lag of two weeks.
But who has a spare 45 minutes to train brains to remember each and every password? That's how long it took the researchers. Slashdot commenter Geoffrey.landis summed up how impractical this is: "It's easy to make one password secure against guessing it in a million years of trying," he wrote. "But I don't need to remember one password. I need to remember thirty passwords (for my most important stuff, plus another fifty for sites I visit once or twice), all different, and a large subset of which have to be changed every 60 days. If it takes 'a 45 minute learning session' for 'the 30-letter password to be firmly implanted in your subconscious brain' this is purely out of the question."
So how do mere mortals create strong, memorable passwords?
All these new research results and ongoing debates are just the tiny tip of the password iceberg.
But step out of the realm of cryptographers and researchers, and you come to the land of we mere mortals.
Here, then, are some tips on creating strong passwords for us noncryptographers. Forget making them memorable. You have so many, none of which should be reused, that one of the rules consists of using a vault to store them all in.
1. Size matters. Dr. Bauer's research group published a 2011 study (PDF) that showed that convoluted password creation policies actually make it harder to create a strong password. In fact, length was the only significant variable influencing strength. Their subjects generated the strongest passwords when told that passwords simply must have at least 16 characters.
With that said, weak passwords can still be created in this scenario. Length is just one factor in strength, with uniqueness being another important aspect.
2. Mix it up. A close runner-up in the Carnegie Mellon password policy research was a policy that instructed participants to create passwords of at least eight characters that included an uppercase and lowercase letter, a symbol, and a digit. Participants were forbidden from using dictionary words.
3. Dice and splice. Bruce Schneier, a cryptographer, security writer, and founder and CTO of BT Managed Security Solutions, recommends mixing upper and lowercase in the middle of any root word you may use in a password. Also, add numbers and symbols in the middle of the root.
4. Don't rely solely on leetspeak dictionary words. Don't overemphasize the strength passwords pick up from common substitutions, such as swapping "3" for "e." These substitutions are known as leet, they're well-known, and password crackers use dictionaries that are stocked with leet-ified words.
5. Take the passphrase religion with a grain of salt. Passphrases—random strings of words used in place of passwords—have been popularized in the xkcd comic. Dr. Bauer says he'd take it with a grain of salt, however, given the lack of empirical evidence backing up the notion that people will choose strong passphrases. There are too many lists of movie titles and song lyrics to use, and password crackers have lists of these just as they have lists of words, common prefixes and suffixes, leet words, and the like. "It's dangerous to recommend [that people use passphrases] until we know better," Dr. Bauer says.
6. Stick them in a vault. Each password must be unique, and our brains just can't juggle them all; that's where a password manager comes in. Dr. Bauer, like many people, relies on his to generate passwords so he doesn't even have to deal with all these rules. You still have to remember the master password for the vault, which should be hard to guess and therefore is likely hard to remember, but at least you only have to remember one password.
With that said, however, Dr. Bauer noted that he finds password managers "scary" when they start synchronizing data between different browsers or computers. With that kind of behavior, the integrity of your passwords depends on how well synchronization is implemented, and it's not always easy to tell. Research the tool, and make sure you're not using a password manager nobody seems to have heard of. LastPass is considered a good one.
Dr. Bauer uses a password manager that actually doesn't transfer the data. Instead, it's kept locked down on one machine, and he has to manually move his passwords if he wants to, for example, access his bank from another machine.
7. Turn on two-step verification on Gmail. In addition to username and password, two-step verification requires users to enter a code that Google sends via text or voice message when signing in. Other services are coming out with similar mechanisms, such as Dropbox, although users say the beta version has some kinks.
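Tips 1 through 5 expressed as a checker, as an added example that is not from the article or from any of the researchers quoted: it flags passwords that are too short, that keep all their capitals, digits and symbols at the ends, that are dictionary words once leet substitutions are undone, or that are well-known phrases. The wordlist, phrase list and leet table are small constructed stand-ins; real cracker lists run to millions of entries.

```python
import re

# Constructed stand-ins for cracker wordlists.
WORDLIST = {"password", "dragon", "letmein", "welcome", "monkey", "sunshine"}
PHRASES = {"maytheforcebewithyou", "correcthorsebatterystaple", "tobeornottobe"}

# Leet substitutions a cracking rule set would undo (tip 4). Real rule sets try
# several candidates per character (1 -> i or l); this table keeps one each.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

def deleet(s: str) -> str:
    """Lower-case the string and undo common leet substitutions."""
    return s.lower().translate(LEET)

def check_password(pw: str) -> list:
    """Return the tips the password fails as short tags; [] means it passes.

    "length":     under 16 chars and not 8+ with all four classes (tips 1, 2)
    "edges":      every capital, digit and symbol sits at the ends (tip 3)
    "dictionary": contains a wordlist entry once leet is undone (tip 4)
    "phrase":     a well-known phrase with spacing and case removed (tip 5)
    """
    findings = []
    classes = sum(bool(re.search(p, pw))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if len(pw) < 16 and not (len(pw) >= 8 and classes == 4):
        findings.append("length")
    # Tip 3: a single lowercase run with everything else pushed to the edges.
    if re.search(r"[^a-z]", pw) and re.fullmatch(r"[^a-z]*[a-z]+[^a-z]*", pw):
        findings.append("edges")
    norm = deleet(pw)
    if any(w in norm for w in WORDLIST):
        findings.append("dictionary")
    if re.sub(r"[^a-z]", "", norm) in PHRASES:
        findings.append("phrase")
    return findings

if __name__ == "__main__":
    for pw in ("P@$$w0rd1", "Dragon2012!", "May the force be with you",
               "xq7#Lm2$vb9!Rt4k"):
        print(f"{pw!r}: {check_password(pw) or 'ok'}")
```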
Don't forget to say your "no keyloggers please" prayers
Now you can lay you down to sleep, hitting every row in the keyboard, holding down the shift key during your travels, copying that ungainly, unmemorable, unpronounceable string of at least 16 characters and pasting it into your password vault. Or spare your bleeding fingers if you want and just have a password manager generate a password for you.
Just pray a keylogger doesn't crawl onto your system, because then all bets are off, and you might as well roll out "1234," since keyloggers don't really care how strong your password is if they can just suck it up straight from your typing.
In sum, keep your passwords unique. Keep them all in a vault. And for heaven's sake, to help keep keyloggers away, keep your antivirus up to date.