|
The Saint |
Today’s message, bottom line first.
- Users spend
more time thinking up names than they do passwords.
- Worry less
about the variety of characters you use in a password (or P@$$w0rd) and opt for long
passwords, which offers far more security.
- You’ll find examples of
the
most common passwords at the end of the article.
Now, if you’re in the mood as a writer or reader to learn how passwords
are created, stored, and broken, read on.
Good Book, Bad Passwords
In managing programmers and a computing center, I was responsible for
the final line of security. Although networked, our machines faced
fewer threats than computers do now. They wouldn’t pass muster today,
but I leaned on Biblical and historical words, such as that original
password,
shibboleth.
Our discs required separate access passwords to
read, write, and multi-write, so I not-so-cleverly chose
Shadrach,
Meshach, and Abednego. Naturally you see a problem: If someone
cracked
one, they should be able to figure out the other two.
Biblical passwords still flourish throughout the internet, albeit in
the
form as first names: Angel, Daniel, David, Faith, Grace, John, Jordan,
Joshua, Michael, and the most often appearing name: Jesus. Let me tell
you, folks, you shouldn’t rely on Jesus (the name at least or that ever-popular jesus1),
to protect your private information. As
Leslie Charteris's
The Saint
might say, the ungodly never sleep.
Deep and Wide
I can’t seem to get away from
Biblical
allusions today.
We can look at a password in two dimensions, depth and length. A simple
PIN number is 10 characters in depth (0-9) and typically 4-digits wide,
although PIN lengths up to 10 digits and passwords over fifty characters aren’t unheard of. We might say an
alphanumeric upper case only password is 36 characters deep, for
example:
AARDVARK. Computer scientists use the fancy term
‘entropy’ in
reference to ‘uncertainty of a random variable,’ usually considered in
code-breaking. Mixed case greatly increases the
‘entropy’ or difficulty in guessing it, e.g,
AaRdVaRk. Allow
any
character of a keyboard, and you run up the difficulty again, i.e,
/\år∂vårk. Conversely, rely only on numbers or
single
dictionary words (or puerile swear words), and you seriously
compromise the security of your account.
The ‘aardvark’ example at right shows passwords represent a two-dimensional array. From a Chinese menu, you pick one character from
column one, another character from column two, etc. The greater variety
of characters allowed, the greater the difficulty of cracking. But
entropy increases even faster if you type longer passwords.
So, pardon me for restating the cliché, but longer is better.
Thus you can radically harden your password by increasing its length,
i.e,
Tough_nut_to_crack, assuming your provider allows
passwords that
long. The lesson here is you potentially gain more strength from longer
passwords versus short ones with special characters. Pick anything you
privately know and like, perhaps a quotation or phrase that sticks in
your head
and go with that.
Cracking the Code
How do crackers break passwords? They know the frequency of passwords
like we show below, so normally they take a few stabs at the obvious,
‘123456’ or
‘password’. If they’re serious about
cracking your account,
they use a script to run through the possibilities in the ‘aardvark’
table at right, a character at a time, just like an odometer. I
encourage you to make life as difficult as possible for them.
But the ungodly have other ways. If a malicious party can trick you
into downloading a tiny piece of code, they can monitor your
keystrokes. This works in a way similar to child monitoring software,
but it transmits your keystrokes– all of them– to a third party
somewhere else in the world.
Soft and Hard
While we’re on the subject of nanny monitoring software, you might want
to check nobody’s monitoring you! You’re vulnerable to anyone who has
access to your computer.
A client had a problem of files being deleted. Eli Lilly
thought someone was logging onto and vandalizing machines after hours, but couldn’t
figure out how. After advising the client to make personal backups of
everything, I went on the hunt for two possibilities: either a
keystroke monitoring program or a discreet hardware device called a
keystroke logger that plugs
between the keyboard cable and the back of the computer.
|
keystroke logger © CNH Tech | |
The culprit turned out to be an insecure (and in my opinion nasty)
little supervisor who didn’t want her subordinates to shine too brightly. Ofttimes a woman’s workplace impediment isn’t men, it’s other women.
In my consulting experience, such micro-espionage tricks are hardly unique. You never know when or where you might be spied upon.
Geekology
Skip, if you wish, the following explanation how letters and passwords
are stored, although crime writers might find the techniques useful in a story.
Let’s take an easy word, say
EASY itself. Normally each letter of the
alphabet and punctuation character is stored individually as a number.
The letter E stores in binary as 0100 0101. This happens to be 69
in decimal, but programmers look at it in base
16,
hexadecimal, which works out to 45
16
or x45. If a program stored
this in ‘plain text’, it would be easily readable by anyone familiar with
the encoding, say ASCII or UniCode.
word: E A S Y
dec: 69 65 83 89
hex: 45 41 53 59
#: 1,161,909,081
Normally, companies and government agencies deal with sensitive data in
two ways. One is to encrypt it. When you provide a credit card, the
program should take a great deal of effort to obscure your card number
while allowing it to be retrieved when the time comes.
They could also encrypt passwords, but why store passwords at all? When
you think about it, all the computer needs is a yes/no answer whether
the password you give now matches the original you made up long ago.
So programs create a different number that represents the
password– a polynomial, a hash, or a modulus. Rather than look at
EASY as a string of letters or even digits, we view it as one long
number, just over a billion or precisely 1,161,909,081. This number
looks large, but it’s minuscule in security terms.
To obtain its modulus (remainder), computers divide it by a huge prime
number, though we’ll use a small one, say 33,331:
1,161,909,081
÷33331
—————————————
34859 r.23752
We don’t care about the quotient, only the remainder, 23,752, which we
save as a user key code, rather than the user’s password, which could
be subject to hacking. The program then deliberately ‘forgets’ the
original password, information too vulnerable to keep around. Thus, a
well-behaved database of users won’t contain any passwords, and because
the program uses large numbers, especially the prime divisor, it makes
cracking the code by anyone other than the NSA or a pimply-faced nerd
in Ukraine extremely difficult.
How does it work? When a member logs in, he provides a password.
Because the computer no longer remembers the original, it divides the
given password by that large prime and if the result matches the stored
key-code, it allows the user in.
Adapt and Adjust
Final tip: Use the longest possible password you’re comfortable with.
If you have
a difficult time with special characters and weird spellings, rely on
this simple trick: Use a ‘pass-phrase’, not a password, or better yet,
make up a sentence. For example: ’23 Valley of the shadow of death’. If
your account provider doesn’t like spaces, then use underscores or omit
them. If they severely restrict the length (like my stupid bank), then
use the maximum and consider special characters. Adapt and adjust.
Following are the most common passwords harvested from four different
internet web sites. Some of them aren't pretty. Learn and avoid!
|
MySpace |
FaceBook |
Singles.org |
phpBB |
rank |
|
% |
password |
|
% |
password |
|
% |
password |
|
% |
password |
1 |
0.24 |
password1 |
1.46 |
password |
1.02 |
123456 |
3.03 |
123456 |
2 |
0.16 |
abc123 |
1.18 |
123456 |
0.61 |
jesus |
2.19 |
password |
3 |
0.12 |
password |
0.39 |
12345678 |
0.41 |
password |
1.45 |
phpbb |
4 |
0.09 |
iloveyou1 |
0.26 |
1234 |
0.29 |
love |
0.94 |
qwerty |
5 |
0.09 |
iloveyou2 |
0.25 |
qwerty |
0.20 |
12345678 |
0.82 |
12345 |
6 |
0.09 |
fuckyou1 |
0.21 |
12345 |
0.20 |
christ |
0.60 |
letmein |
7 |
0.08 |
myspace1 |
0.20 |
pussy |
0.17 |
jesus1 |
0.59 |
12345678 |
8 |
0.08 |
soccer1 |
0.18 |
monkey |
0.16 |
princess |
0.53 |
1234 |
9 |
0.07 |
iloveyou |
0.17 |
baseball |
0.16 |
blessed |
0.51 |
test |
10 |
0.06 |
iloveyou! |
0.17 |
football |
0.15 |
sunshine |
0.43 |
123 |
11 |
0.05 |
football1 |
0.16 |
letmein |
0.13 |
faith |
0.38 |
trustno1 |
12 |
0.05 |
fuckyou |
0.15 |
696969 |
0.13 |
1234567 |
0.33 |
dragon |
13 |
0.05 |
123456 |
0.15 |
abc123 |
0.12 |
angel |
0.32 |
hello |
14 |
0.05 |
baseball1 |
0.15 |
michael |
0.11 |
single |
0.31 |
abc123 |
15 |
0.05 |
soccer |
0.15 |
shadow |
0.11 |
lovely |
0.31 |
111111 |
16 |
0.05 |
123abc |
0.14 |
111111 |
0.11 |
freedom |
0.31 |
123456789 |
17 |
0.04 |
hello1 |
0.12 |
master |
0.10 |
blessing |
0.30 |
monkey |
18 |
0.04 |
qwerty1 |
0.11 |
superman |
0.10 |
12345 |
0.29 |
master |
19 |
0.04 |
summer1 |
0.11 |
harley |
0.10 |
grace |
0.23 |
killer |
20 |
0.04 |
monkey1 |
0.11 |
1234567 |
0.10 |
iloveyou |
0.22 |
123123 |
21 |
0.04 |
password2 |
0.11 |
fuckme |
0.09 |
7777777 |
0.22 |
computer |
22 |
0.04 |
nigger1 |
0.11 |
fuckyou |
0.09 |
heaven |
0.22 |
asdf |
23 |
0.04 |
fuckyou! |
0.11 |
trustno1 |
0.09 |
angels |
0.20 |
shadow |
24 |
0.04 |
nicole1 |
0.10 |
ranger |
0.09 |
shadow |
0.20 |
internet |
25 |
0.04 |
cheer1 |
0.10 |
buster |
0.09 |
1234 |
0.20 |
whatever |
26 |
0.04 |
asshole1 |
0.10 |
hunter |
0.08 |
tigger |
0.20 |
starwars |
27 |
0.04 |
fuckyou2 |
0.10 |
soccer |
0.08 |
summer |
0.17 |
1234567 |
28 |
0.04 |
blink182 |
0.10 |
fuck |
0.08 |
hope |
0.16 |
cheese |
29 |
0.04 |
poop |
0.10 |
batman |
0.07 |
looking |
0.16 |
pass |
30 |
0.04 |
dancer1 |
0.10 |
test |
0.07 |
peace |
0.16 |
matrix |
31 |
0.04 |
jordan23 |
0.10 |
pass |
0.07 |
mother |
0.16 |
tigger |
32 |
0.03 |
football |
0.09 |
killer |
0.07 |
michael |
0.15 |
aaaaaa |
33 |
0.03 |
bitch1 |
0.09 |
hockey |
0.07 |
shalom |
0.15 |
pokemon |
34 |
0.03 |
orange1 |
0.09 |
love |
0.07 |
rotimi |
0.15 |
000000 |
35 |
0.03 |
soccer2 |
0.09 |
michelle |
0.07 |
football |
0.15 |
superman |
36 |
0.03 |
123456a |
0.09 |
andrew |
0.07 |
victory |
0.15 |
qazwsx |
37 |
0.03 |
baseball |
0.09 |
sunshine |
0.07 |
happy |
0.14 |
testing |
38 |
0.03 |
eagles1 |
0.09 |
jessica |
0.07 |
purple |
0.14 |
football |
39 |
0.03 |
volcom1 |
0.09 |
asshole |
0.07 |
john316 |
0.14 |
1 |
40 |
0.03 |
chris1 |
0.09 |
6969 |
0.07 |
joshua |
0.13 |
blahblah |
41 |
0.03 |
monkey |
0.08 |
daniel |
0.06 |
london |
0.13 |
654321 |
42 |
0.03 |
flower1 |
0.08 |
access |
0.06 |
superman |
0.13 |
fuckyou |
43 |
0.03 |
summer06 |
0.08 |
123456789 |
0.06 |
church |
0.13 |
11111 |
44 |
0.03 |
ashley1 |
0.08 |
654321 |
0.06 |
loving |
0.13 |
joshua |
45 |
0.03 |
love123 |
0.08 |
joshua |
0.06 |
computer |
0.12 |
helpme |
46 |
0.03 |
princess1 |
0.08 |
starwars |
0.06 |
mylove |
0.12 |
thomas |
47 |
0.03 |
love |
0.08 |
hello |
0.06 |
praise |
0.12 |
michael |
48 |
0.03 |
nigga1 |
0.08 |
123123 |
0.06 |
saved |
0.12 |
biteme |
49 |
0.03 |
fucker1 |
0.08 |
ashley |
0.06 |
richard |
0.12 |
forum |
50 |
0.03 |
angel1 |
0.07 |
666666 |
0.06 |
pastor |
0.12 |
secret |
• Credit for table: Jimmy Ruska