Passwords: how to make them and break them

Hardly a day passes without an announcement of newly stolen passwords, or an internet listing of the stolen passwords themselves. Passwords remain the primary means of access to our accounts at work and on the internet, so their safety is paramount. That involves both the user, who must choose strong passwords, and the IT department, which must store them safely.

Dell has released advice aimed primarily at the user. Its first recommendation is that companies should have policies that force users to choose long passwords: 12 characters or more. “Each additional character,” says Don Jackson, a director with Dell’s SecureWorks Counter Threat Unit, “vastly increases the work a hacker, or his supercomputer, must do to deduce the password.”

His second tip is to use a different password for each site. This matters because password reuse reduces your security to that of the weakest site you use: if that site is hacked, the criminals hold the password to all of your accounts, including the more important and sensitive ones. Reuse cannot be prevented by policy alone, says Jackson, but “it is possible to educate users about the harm in doing this and to force their passwords to expire every three months.”

Other advice to the user, especially the home user, is to employ security software such as anti-virus and a firewall, “to prevent passwords from being stolen by spyware and viruses.”

But while there is much good advice from Dell, one recommendation does raise an eyebrow. Companies should not store the passwords themselves in the database, it says. “Rather they should store the hashes, or hash values, that are created by the characters in a password. That way, if a hacker breaches a database, he won’t find the passwords, only the hashes.”

Imperva’s analysis of how passwords are broken takes a different view. “Hashing isn’t enough,” it says in its Enterprise Password Worst Practices report. “Many organizations store passwords using a form of encryption, called cryptographic hash functions, often comprising the password’s sole security measure. However, attackers do not attempt to directly attack the strength of the cryptographic measure. Rather, different methods exist which allow attackers to bypass the cryptographic measures.”

The culprits are ‘rainbow tables’ and dictionaries. Rainbow tables are pre-computed data sets that cover the hash values of nearly every combination of alphanumeric characters up to a certain length (strictly, they store chains of hashes rather than every digest, as a time-memory trade-off, but the effect is the same: a leaked unsalted digest is looked up rather than brute-forced). “One hacker website,” Imperva writes, “developed 50 billion values for public use.” Dictionaries are “lists of common passwords together with a pre-calculated hash value. In this manner, a hacker can compare a digest with the pre-computed values.” These dictionaries are particularly useful to the hacker because many users choose simple passwords that will inevitably be included: Imperva’s research has shown that the most common password is ‘123456’.

Dell’s advice to use long passwords helps here: a rainbow table only covers passwords up to a given length, and a long, unusual password is unlikely to appear in any dictionary. The hashing itself can be strengthened, says Imperva, by ‘salting’, the use of a random value prepended to the actual password before it is hashed. Because every account gets its own salt, the attacker can no longer compute one table and reuse it against every leak; a table would have to be built for each possible salt value. “For example,” says Imperva, “a salt of just a three bit length increases the storage and pre-computation time of rainbow tables eightfold.” The salt is stored beside the hash and need not be secret: its job is to make pre-computation useless, not to make a weak password strong, so ‘123456’ with a salt is still found by an attacker who runs the dictionary against that one account.
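The dictionary attack against a bare hash described above, and the salting defence, as an added Python example; this is not code from Dell, Imperva or the article. The password list, the 16-byte salt length and the function names are assumptions, and SHA-256 stands in for whatever fast hash a site might have chosen:

```python
import hashlib
import hmac
import os

# Constructed stand-in for an attacker's dictionary of common passwords.
# The article names '123456' as the most common one; the rest are assumed.
COMMON_PASSWORDS = ["123456", "password", "12345678", "qwerty", "abc123", "letmein"]


def sha256_hex(data: bytes) -> str:
    """Unsalted, fast hash: what the 'hash only' scheme in the article stores."""
    return hashlib.sha256(data).hexdigest()


def build_dictionary(passwords):
    """Attacker side: precompute digest -> password once, reuse against any leak."""
    return {sha256_hex(p.encode()): p for p in passwords}


def store_unsalted(password: str) -> str:
    """Server side, weak scheme: a bare digest is all that sits in the database."""
    return sha256_hex(password.encode())


def crack_with_table(stored_digest: str, table: dict):
    """Look a leaked digest up in the precomputed dictionary; None if absent."""
    return table.get(stored_digest)


def store_salted(password: str, salt: bytes = None):
    """Server side, salted scheme: a random per-user salt is prepended before hashing.
    The salt is stored next to the digest; it does not need to be secret."""
    if salt is None:
        salt = os.urandom(16)  # 128-bit salt (assumed size)
    return salt, sha256_hex(salt + password.encode())


def verify_salted(password: str, salt: bytes, stored_digest: str) -> bool:
    """Login check: rehash the candidate with the stored salt, compare in constant time."""
    return hmac.compare_digest(sha256_hex(salt + password.encode()), stored_digest)


def crack_salted_online(salt: bytes, stored_digest: str, passwords):
    """With a salt the attacker cannot reuse a table; each account needs its own run."""
    for p in passwords:
        if sha256_hex(salt + p.encode()) == stored_digest:
            return p
    return None


def table_multiplier(salt_bits: int) -> int:
    """How many times larger a precomputed table must be to cover every salt value."""
    return 2 ** salt_bits


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of passwords of exactly `length` characters from the given alphabet."""
    return alphabet_size ** length


if __name__ == "__main__":
    table = build_dictionary(COMMON_PASSWORDS)
    leaked = store_unsalted("123456")
    print("unsalted leak cracked by lookup:", crack_with_table(leaked, table))
    salt, digest = store_salted("123456")
    print("salted leak found in table:", crack_with_table(digest, table))
    print("salted leak cracked only by a per-account run:",
          crack_salted_online(salt, digest, COMMON_PASSWORDS))
    print("3-bit salt multiplies table size by", table_multiplier(3))
    print("128-bit salt multiplies table size by", table_multiplier(128))
    print("one extra character over 62 symbols multiplies the keyspace by",
          keyspace(62, 13) // keyspace(62, 12))
```

Run directly, the lookup succeeds against the unsalted digest and fails against the salted one, yet the salted digest is still recovered by the per-account guessing loop because ‘123456’ is in the dictionary. Salting removes the attacker’s ability to precompute and amortise; it does not rescue a weak password, which is why the length and uniqueness advice still matters.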
