Your Passwords: To Be Or Not To Be… Safe?

The idea of this post came after I read another blog post from Light Blue Touchpaper. Picking a good password is a never-ending story. You can find multiple recipes, tips & tricks. One of the ways, also promoted by Google, is to create passwords based on quotes or common sentences. The example provided by Google is Hamlet’s quote: “To be or not to be, that is the question”. Take the first letter of each word to start your password: “tbontbtitq”. This is still an easily crackable password. Replace some letters by numbers (“i” = “1”, “o” = “0”). The new version will be: “tb0ntbt1tq”. Replace some common English words by a number (“to” = “2”, “for” = “4”): “2b0n2bt1tq”. And finally, add a special character: “2b0n2bt1tq!”. Strong password, isn’t it?

If quotes are well-known, there is a real risk that other people use them too, as noted in the Light Blue Touchpaper article: more than one person used “tbontb” as a password! Whatever the method used to generate your passwords, they must remain unique to you!

Again, the Internet is your best friend: there are plenty of sources to download famous quotes, proverbs and lyrics. I also downloaded my copy of the RockYou password list and started to play. Let’s search for the string “tbontb”:

  $ grep tbontb rockyou.txt
  tbontbtitq
  tbontbtit9
  tbontbtit
  tbontb65
  tbontb2
  tbontb18
  tbontb04
  tbontb
  rytbontbtitq

As you can see, in some cases a numeric suffix has been added. In my experience, this is often something like:

  • The password owner’s age
  • An office number
  • A week or month number (classic when password policies force users to change passwords at regular intervals – people are lazy)

Also, some letters have been replaced by their number equivalent (“q” = “9”) to make the password more “l33t”. Another exercise: I downloaded a list of 523 English proverbs and converted them into simple strings (example: “A chain is only as strong as its weakest link” –> “acioasaiwl”). Let’s search for these strings:

  # read one mnemonic per line and look for it as a complete line of rockyou.txt
  while read -r L
  do
    # -x: the whole line must match, -F: treat the mnemonic literally (no regex),
    # -- : so a mnemonic starting with "-" is not taken for an option
    grep -x -F -- "$L" rockyou.txt
  done < proverbs.txt

Results: 30 occurrences found! Not bad, isn’t it?
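The two exercises above (deriving “2b0n2bt1tq!” step by step from the Hamlet quote, and grepping the proverb mnemonics out of RockYou) can be folded into one check that a defender can run as a password-policy filter or over a leaked list. The Python below is an added example, not the Perl script or any code from the post: it derives every form the post walks through (first letters, word-to-digit, leet substitutions, trailing “!”), then undoes the cosmetic tricks on a candidate password and looks for a known mnemonic inside it, which is what the grep for “tbontb” did by hand. The sentence list, the leaked sample, the `MIN_PREFIX` threshold and all function names are constructed for this example.

```python
import re

# Constructed sample quotes and proverbs (the kind the post says people turn
# into passwords); a real audit would load a large quote/proverb file.
SENTENCES = [
    "To be or not to be, that is the question",
    "A chain is only as strong as its weakest link",
    "All your base are belong to us",
]

# The substitutions walked through in the post.
WORD_DIGITS = {"to": "2", "for": "4"}            # whole words -> digits
LEET = str.maketrans({"i": "1", "o": "0"})       # letters -> look-alike digits
# Reverse map for the checker; "9" -> "q" covers the RockYou variant "tbontbtit9".
UNLEET = str.maketrans({"1": "i", "0": "o", "9": "q"})

MIN_PREFIX = 6   # assumption: shortest mnemonic prefix worth flagging ("tbontb")


def words(sentence):
    return re.findall(r"[a-z']+", sentence.lower())


def mnemonic(sentence, word_digits=False):
    """First letter of each word, e.g. "tbontbtitq"; with word_digits=True the
    words listed in WORD_DIGITS become digits instead, e.g. "2bon2btitq"."""
    return "".join(
        WORD_DIGITS[w] if word_digits and w in WORD_DIGITS else w[0]
        for w in words(sentence)
    )


def variants(sentence):
    """Every form the post derives from one sentence: plain and word-digit
    mnemonics, their leet versions, and each of those with a '!' appended."""
    base = {mnemonic(sentence), mnemonic(sentence, word_digits=True)}
    leet = {b.translate(LEET) for b in base}
    plain = base | leet
    return plain | {p + "!" for p in plain}


def normalize(password):
    """Undo the cosmetic tricks before matching: lower-case and reverse the
    digit-for-letter substitutions. Numeric suffixes (ages, office or month
    numbers) and trailing symbols need no special handling, because we look
    for the mnemonic as a substring, exactly as the post's grep did."""
    return password.lower().translate(UNLEET)


def build_index(sentences):
    """Map the first MIN_PREFIX characters of each mnemonic form back to its
    sentence. Mnemonics shorter than MIN_PREFIX are skipped: a very short
    substring would match far too loosely."""
    index = {}
    for s in sentences:
        for form in (mnemonic(s), mnemonic(s, word_digits=True)):
            if len(form) >= MIN_PREFIX:
                index[form[:MIN_PREFIX]] = s
    return index


def quote_origin(password, index):
    """Return the sentence a password appears to be derived from, or None."""
    p = normalize(password)
    for prefix, sentence in index.items():
        if prefix in p:
            return sentence
    return None


def audit(passwords, sentences):
    """Run the check over a list of passwords (a policy's candidates or a
    leaked dump): returns {password: sentence} for every quote-derived one."""
    index = build_index(sentences)
    hits = {}
    for pw in passwords:
        origin = quote_origin(pw, index)
        if origin:
            hits[pw] = origin
    return hits


# Constructed sample modelled on the RockYou lines quoted in the post.
LEAKED = ["tbontbtitq", "tbontbtit9", "tbontb65", "rytbontbtitq",
          "2b0n2bt1tq!", "acioasaiwl", "password1", "correcthorse"]

if __name__ == "__main__":
    for pw, origin in audit(LEAKED, SENTENCES).items():
        print(f"{pw:14} <- {origin}")
```

Used as a policy filter, `quote_origin()` rejects a new password when it still contains a known mnemonic after the leet digits are reversed, so the suffixes and “!” that look like hardening in the post make no difference to the verdict; swap `SENTENCES` for a real quote and proverb file to get the coverage the post's Perl script had.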

Worse (though certainly not from an attacker’s point of view), the choice of sentences is often directly related to the target. For example, gamers or teenagers will use lyrics from songs in the charts or popular quotes (do you remember the famous “All Your Bases Are Belong to Us”?). The Perl script I used to generate the passwords is available (“as is”) here. A long time ago, I wrote a “Social Dictionary Generator”; the link is here.

To conclude, for me the best way to handle passwords is to generate them randomly and store them in a password manager. In this case, you only have to take care of your master password. Of course, this last one must be super-strong or, better, protected by two-factor authentication…

3 comments

  1. Hi Xavier,

    I’m happy some people like you see this. Using a sentence as a means of remembering a password is not bad as long as this sentence is not in a dictionary.
    Also, why do we still advise to use numbers instead of letters? Do we really believe that hackers have not figured out l33t encoding?

    I agree with the fact passwords should be random and stored in a secure medium. However, the problem of access to the password manager worries me: either you’re using some kind of tamper-resistant device and you can easily use two-factor authentication (let’s say your passwords are stored in a PIN-protected smartcard or in a TPM chip), or they’re stored in insecure storage (hard disk, cloud) and the only way to protect it reliably is a passphrase.

    I dream of a world where passwords are a thing of the past, and we all use smartcards for authentication and encryption.

    Aris
