Data breaches are a dime a dozen these days. But when hackers steal databases full of customer info, login names and passwords, the passwords themselves aren’t usually sitting out in plain sight. Typically the passwords will be cryptographically hashed.
Hashing a password is the process of taking a string of any length (the password in this example) and producing a fixed-length hash value. Password cracking tools can then be used to guess candidate passwords, hash each guess, and compare the result against the stolen hashes. This leads to a need for strong passwords to make the guessing process time consuming and hopefully infeasible.
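To make the hashing side concrete, here is an added example (not code from the original post or from Josh Kaldor) of how a system should store and verify a password so that the guessing described above stays expensive: a random per-user salt, so identical passwords produce different stored values and a precomputed table of common-password hashes is useless, and a deliberately slow key derivation (PBKDF2-HMAC-SHA256) so each guess costs far more than a bare SHA-256. The record format, iteration count and helper names are assumptions for this example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Work factor for PBKDF2-HMAC-SHA256. Assumed value for this example; a real
# deployment tunes it so that one verification takes a noticeable fraction of
# a second on its own hardware, which is exactly the cost a cracker pays per guess.
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record 'pbkdf2_sha256$<iters>$<salt_hex>$<hash_hex>'.

    A fresh random salt is drawn for every call unless one is supplied, so two
    users who pick the same password get two different records.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(iterations, salt.hex(), digest.hex())


def verify_password(password: str, record: str) -> bool:
    """Recompute the derived key from the stored salt and iteration count and
    compare in constant time, so a failed guess leaks nothing through timing."""
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def unsalted_sha256(password: str) -> str:
    """The weak scheme for contrast: one fast, unsalted hash per password.
    Every user with the same password gets the same value, so one guess
    checks against all of them at once."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def distinct_records(password: str, users: int) -> int:
    """How many distinct stored values 'users' accounts sharing one password get
    under each scheme. Salted: one per user. Unsalted: always one."""
    salted = {hash_password(password) for _ in range(users)}
    unsalted = {unsalted_sha256(password) for _ in range(users)}
    return len(salted) - len(unsalted)  # users - 1 when the salt is doing its job


if __name__ == "__main__":
    rec = hash_password("SpaceTrunk!=SeaElephant")
    print(rec)
    print(verify_password("SpaceTrunk!=SeaElephant", rec))  # True
    print(verify_password("TheHungerGames1", rec))          # False
```

The stored record carries its own parameters, so the iteration count can be raised later and old records re-hashed on the user's next successful login without a flag day.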
I asked a friend of mine, IT security expert Josh Kaldor, about what makes a good password and he had quite a lot to say on the subject. Josh did some research, creating hashes using various combinations of passwords with different attributes, then went to cracking them and comparing the results against a benchmark. Here are some of his conclusions:
Common methods used to create “strong” passwords
Phrases are a great way to meet password length and complexity requirements.
A common problem here is that users will be apt to choose non-random (guessable / relatable) phrases or pop-culture references such as ‘TheHungerGames1’ which are subject to obvious dictionary attacks. The words have to be non-relational.
Strong Example: SpaceTrunk!=SeaElephant
Weak Example: TheHungerGames1
Using acronyms to create a password is a handy way to hamper Dictionary Attacks and to create a password that is hard to remember for anyone who doesn’t know the acronym behind it.
The issue here is that it’s hard to create a long string, and if a user adds digits to the end, the result is incredibly weak (crackers assume digits or modifiers at the start or end). Make these passwords stronger by combining them with a phrase.
Strong: Iu2w4acw3e (I used to work 4 a company with 3 employees)
Weak: IgfHSi93 (I graduated HS in 93)
Like the acronym method, a pattern method is great for creating a seemingly illogical string that is hard to remember and will foil Dictionary Attacks. The issue in this case is people’s tendency to use similar patterns (like QWERTY), which in turn play right into the Dictionary Attack’s hands.
Considerations for the Auditor
PCI-DSS requirements for a strong password include the password being at least seven characters long and including uppercase, lowercase, numerical and special characters, and more. Other compliance standards require very similar sets of attributes.
As an auditor, you should look to go above and beyond by providing recommendations such as educating end users on what makes a strong password and on common characteristics of weak passwords, and by being sure other strong preventative controls are in place. Controls might include:
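The complexity attributes just listed and the weak-password characteristics from Josh's conclusions above (relatable phrases, digits tacked onto the end of an acronym, keyboard patterns) check different things, and an auditor's tooling should report both. The following is an added example, not code from the original post or from Josh Kaldor, of a checker that separates the two: one function applies the PCI-style attribute rules as the post states them, the other applies guessability heuristics of the kinds described above. The phrase dictionary and keyboard-pattern list are small constructed samples standing in for a cracker's real wordlists; all function names are assumptions for this example.

```python
import re
from typing import Dict, List

# Complexity attributes as the post summarises the PCI-DSS requirement:
# at least seven characters, with uppercase, lowercase, numeric and special characters.
MIN_LENGTH = 7

# Constructed sample wordlist standing in for a cracker's dictionary of
# pop-culture phrases and common words (a real check loads a large list from disk).
PHRASE_DICTIONARY = {"thehungergames", "starwars", "harrypotter", "password", "letmein"}

# Keyboard walks and counting runs that pattern-based passwords tend to reuse.
KEYBOARD_PATTERNS = ("qwerty", "asdf", "zxcv", "12345", "abcdef")


def policy_findings(password: str) -> List[str]:
    """Return the complexity attributes the password fails (empty list = compliant)."""
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append("shorter than {} characters".format(MIN_LENGTH))
    if not re.search(r"[A-Z]", password):
        findings.append("no uppercase letter")
    if not re.search(r"[a-z]", password):
        findings.append("no lowercase letter")
    if not re.search(r"[0-9]", password):
        findings.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        findings.append("no special character")
    return findings


def heuristic_findings(password: str) -> List[str]:
    """Return guessability problems that a complexity policy alone does not catch."""
    findings = []
    lowered = password.lower()
    # Digits or symbols only at the start or end are the first thing cracking
    # rules try, so strip them off and look at the core that remains.
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", lowered)
    if core and core != lowered:
        findings.append("modifiers only at the start or end")
    if core in PHRASE_DICTIONARY:
        findings.append("core is a dictionary phrase")
    for pat in KEYBOARD_PATTERNS:
        if pat in lowered:
            findings.append("contains keyboard pattern '{}'".format(pat))
    return findings


def assess(password: str) -> Dict[str, List[str]]:
    """Both views side by side, for a report that shows where they disagree."""
    return {"policy": policy_findings(password), "heuristics": heuristic_findings(password)}


if __name__ == "__main__":
    # The post's own examples: the complexity rules and the heuristics do not agree.
    for pw in ("SpaceTrunk!=SeaElephant", "TheHungerGames1", "Iu2w4acw3e", "IgfHSi93"):
        print(pw, assess(pw))
```

Run over the post's examples, the two strong ones pass the heuristics cleanly yet each misses one attribute of the stated policy (SpaceTrunk!=SeaElephant has no digit, Iu2w4acw3e has no special character), while TheHungerGames1 is long and mixed-case but is a dictionary phrase with a trailing digit. That gap between attribute compliance and actual guessability is what the recommendations below are meant to close.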
- Checking for the adoption of a Clean Desk Policy and adherence to it.
- Checking for passwords being passed in support tickets or emails.
- Verifying that new users are required to change passwords when they first log in.
- Verifying that passwords are not stored unencrypted within databases.
- Verifying that even internal systems (such as ticketing and help desk systems) utilize encrypted communications, since users on the network could be packet sniffing and capture passwords passed in plain text.
My IT Security guru friend Josh hopes the industry will push for further adoption of two-factor options such as OTP keys.
For more information on how password cracking works, check out this amazing article! A special thank you to my friend, Josh Kaldor for sharing his insight with us for this post!