Between Me, Myself and I
Riddle’s resident IT wizard turns her mind to keeping one step ahead of password-breaking thieves
Article by Tammy Orr
When it comes to protecting ourselves from a threat, the first step is to properly understand the nature of that threat. So what exactly do password thieves do? They usually start with a list of usernames and passwords for a website. It’s possible they hacked into the website and stole this themselves, or perhaps they purchased the list.
The passwords in the list are encrypted. For example, instead of the real password ‘football77’, the list shows only computer vomit: ‘8pp4Xyo3wz’. The thief’s first job is to make educated guesses at the real passwords. To do this, they use computer programs armed with the accumulated knowledge of humanity on password breaking (and believe me, it’s extensive).
Next, the thief tries logging in using numerous password guesses. As with guessing games in real life, nearly all attempts will be wrong – sometimes one will be right, though. Password guessing programs are smart, but they cannot easily guess every password.
Here are the kind of things they do guess very quickly:
* Common passwords such as ‘football’, ‘letmein’, ‘qwerty’ or ‘123456’. Other popular choices are celebrity names, movie characters, catchphrases, common pet names and so on.
* Some time ago, the popular online comic XKCD suggested making passwords from four random words, like ‘Correcthorsebatterystaple’. This was best practice at the time. The password breakers soon caught on, though.
* Many people replace letters with digits and symbols – ‘$’ for ‘s’, ‘@’ for ‘a’, ‘0’ for ‘o’, etc. It doesn’t even waste a single second of a computer’s time to decode something like ‘$tarW@rz80’ as opposed to ‘starwars80’.
* Most passwords are common passwords with a 1- or 2-character suffix or prefix added. For example, instead of just ‘princess’, many people use ‘princess72’ or ‘princessBK’.
* Anything shorter than 12-ish characters can be broken by ‘brute force’ relatively quickly. ‘Brute force’ is when the computer tries every possible combination of characters.
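The checks below put the list above into code, from the defender's side: a small checker that asks whether a password falls into any of the categories a guessing program gets through in no time. This is an added example, not code from the article; the common-password list, dictionary, and symbol-substitution table are constructed and deliberately tiny (a real checker would load a leaked-password list and a full dictionary), and the 'z' for 's' entry is a phonetic swap added so that ‘$tarW@rz80’ is recognised as ‘starwars’.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample data for the demonstration only.
COMMON_PASSWORDS = {
    "football", "letmein", "qwerty", "123456", "password", "princess",
    "starwars", "iloveyou", "dragon", "monkey",
}
DICTIONARY_WORDS = {
    "correct", "horse", "battery", "staple", "star", "wars", "foot", "ball",
    "princess", "dog", "cat", "house", "blue", "sky",
}
# Letter-for-symbol swaps a guessing program undoes instantly
# (hypothetical table; 'z' -> 's' is a phonetic swap, not leetspeak).
LEET_MAP = str.maketrans({
    "$": "s", "@": "a", "0": "o", "1": "i", "3": "e", "4": "a",
    "5": "s", "7": "t", "8": "b", "!": "i", "z": "s",
})
MIN_LENGTH = 12  # the article's "12-ish characters" brute-force threshold


def strip_variants(password: str):
    """Yield (prefix_len, suffix_len, core) with 0-2 chars removed at each end."""
    lower = password.lower()
    for pre in range(3):
        for suf in range(3):
            core = lower[pre:len(lower) - suf]
            if len(core) >= 4:
                yield pre, suf, core


def find_common_core(password: str) -> Optional[Tuple[int, int, str]]:
    """Return the first (prefix_len, suffix_len, word) whose core, with or
    without the symbol swaps reversed, is a common password."""
    for pre, suf, core in strip_variants(password):
        for candidate in (core, core.translate(LEET_MAP)):
            if candidate in COMMON_PASSWORDS:
                return pre, suf, candidate
    return None


def is_word_concatenation(text: str, min_word: int = 3) -> bool:
    """True if text splits entirely into two or more dictionary words
    (the XKCD 'correcthorsebatterystaple' style)."""
    n = len(text)
    best = [-1] * (n + 1)  # best[i] = max words covering text[:i], -1 if impossible
    best[0] = 0
    for i in range(1, n + 1):
        for j in range(0, i - min_word + 1):
            if best[j] >= 0 and text[j:i] in DICTIONARY_WORDS:
                best[i] = max(best[i], best[j] + 1)
    return best[n] >= 2


def weak_password_reasons(password: str) -> List[str]:
    """List every 'quickly guessed' category the password falls into;
    an empty list means none of the cheap tricks apply."""
    reasons: List[str] = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters (brute-forceable)")
    hit = find_common_core(password)
    if hit is not None:
        pre, suf, word = hit
        if pre == 0 and suf == 0:
            reasons.append(f"common password '{word}'")
        else:
            reasons.append(
                f"common password '{word}' with {pre + suf}-character prefix/suffix"
            )
    normalised = password.lower().translate(LEET_MAP)
    if is_word_concatenation(normalised):
        reasons.append("concatenation of dictionary words")
    return reasons


if __name__ == "__main__":
    for pw in ["123456", "princess72", "$tarW@rz80",
               "Correcthorsebatterystaple", "k9#Qz!vR2m@Lw"]:
        print(pw, "->", weak_password_reasons(pw) or ["no cheap guess applies"])
```

The last sample, a 13-character random string, comes back clean, which is exactly the article's point: the cheap rules cover symbol swaps, short prefixes and suffixes, and glued-together words, but not genuinely random characters of sufficient length.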
The ‘guessing’ programs are now so smart, there is not much humans can do to stay ahead. But computers still struggle with breaking combinations of completely random characters. You want at least 12 characters – the more the better. I don’t know about you, but I loathe the idea of writing down, memorising or typing 12+ completely random characters. Fortunately, though, there is a better way.
The Schneier Scheme
In 2008, the security expert Bruce Schneier conceived a scheme for creating a strong and memorable password. This was a long time ago, but it remains best practice. The scheme is simple: you basically transform a sentence with personal meaning into a password. Schneier gave these examples:
Wow…doestcst = Wow, does that couch smell terrible.
WIw7,mstmsritt… = When I was seven, my sister threw my stuffed rabbit in the toilet.
I came up with these:
MdaD4B,&tuE~ = My dog ate dandelions for breakfast, and threw up everywhere.
@a4I8as&r1002tH = At age four I ate a strawberry and rode 100 mph to the hospital.
Caution: Don’t ever use a password that has been published online – so the ones above are out.
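For readers who want to see the mechanics of the scheme spelled out, here is an added example (not Schneier's or the author's code) of the most literal version of it: take the first letter of each word, keep punctuation as it stands, and write number words as digits. Run on the sentence behind Schneier's second example it reproduces ‘WIw7,mstmsritt…’ exactly; the author's own examples add further personal twists (capitals, ‘&’ for ‘and’, ‘~’ for ‘everywhere’) that no fixed rule would produce, and those twists are part of what makes them hard to guess. The number-word table is a constructed assumption covering only the words needed here.

```python
import re
from typing import Dict

# Constructed table: only the number words needed for the article's sentences.
NUMBER_WORDS = {
    "zero": "0", "one": "1", "two": "2", "three": "3", "four": "4",
    "five": "5", "six": "6", "seven": "7", "eight": "8", "nine": "9",
    "ten": "10", "hundred": "100",
}
# Words, digit runs, and runs of punctuation (including the '…' character).
TOKEN = re.compile(r"[A-Za-z]+|\d+|[^\sA-Za-z\d]+")
MIN_LENGTH = 12


def sentence_to_password(sentence: str) -> str:
    """Mechanical Schneier-style transform: first letter of each word,
    number words as digits, digits and punctuation kept verbatim."""
    parts = []
    for token in TOKEN.findall(sentence):
        if token.isalpha():
            parts.append(NUMBER_WORDS.get(token.lower(), token[0]))
        else:
            parts.append(token)
    return "".join(parts)


def password_report(password: str) -> Dict[str, object]:
    """Summarise the two things the article asks for: length and variety."""
    classes = {
        "lower": any(c.islower() for c in password),
        "upper": any(c.isupper() for c in password),
        "digit": any(c.isdigit() for c in password),
        "symbol": any(not c.isalnum() for c in password),
    }
    return {
        "length": len(password),
        "classes": sum(classes.values()),
        "long_enough": len(password) >= MIN_LENGTH,
    }


if __name__ == "__main__":
    for sentence in [
        "When I was seven, my sister threw my stuffed rabbit in the toilet…",
        "At age four I ate a strawberry and rode 100 mph to the hospital.",
    ]:
        pw = sentence_to_password(sentence)
        print(repr(pw), password_report(pw))
```

A mechanically derived password is only as unpredictable as the sentence behind it, so the sentence should be personal and never a well-known quotation or song lyric; and, as the caution above says, neither the sentences nor the passwords printed here should be reused.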
It’s an increasingly valid question. Computers have been able to break any password for a very long time. They may have to try for months to break a particularly difficult one, but eventually they will succeed.
Someone could eventually break the lock on your front door, too, but that doesn’t stop you locking it. So why bother? To discourage zero-effort criminality. To a thief, time is money. All other things being equal, it makes no sense for them to waste hours breaking your password when they could break thousands of easier ones in the same time.
If you’re not particularly dangerous or interesting, my biggest worry for you is perhaps this. Most people use the same password everywhere. Will a thief who breaks into some random website learn the password you also use for your email? Is your email full of personal data and receipts with your credit card number? Will your bank always correctly detect fraud?
And so, if you take just one thing away from reading this article, it’s to use a separate password for your email.