Posts Tagged ‘Passphrases’

Analysis of 400,000+ Stolen Yahoo! Passwords

July 13th, 2012

On 12th July 2012, more than 400,000 email addresses and passwords for Yahoo! Voices were stolen via an SQL injection and published online. The passwords were reportedly stored in plaintext, so the attackers needed no cracking at all, which makes this breach even more serious. If you are a member of Yahoo! Voices, change your password immediately, and if you use the same password on other sites, change those as well.

I performed the following password analysis with the help of pipal, a very popular and powerful password analyzing tool. The full pipal report is located here, with a longer report (showing the top 100 of each category) here.

10 Most Popular Passwords

123456 = 1667 (0.38%)
password = 780 (0.18%)
welcome = 437 (0.1%)
ninja = 333 (0.08%)
abc123 = 250 (0.06%)
123456789 = 222 (0.05%)
12345678 = 208 (0.05%)
sunshine = 205 (0.05%)
princess = 202 (0.05%)
qwerty = 172 (0.04%)

Despite numerous warnings by security professionals, the most popular password is still “123456”, followed by “password” in second place. These are highly insecure passwords, not just because of their short length and low complexity, but because they sit at the top of the password lists that attackers try first. Remember, brute-forcing a password is a last-ditch attempt at gaining access to an account; a clever attacker will always try common passwords first, so if your password appears in a password list online, you should never use it.

The fact that these passwords were even allowed reveals substandard practices in Yahoo’s password policy. To boost security, a user should be required to have a password that contains both upper and lowercase letters, as well as numbers and symbols. More importantly, the chosen password should be rejected if it matches one found in common password lists, and the comparison should still catch it after lowercasing and stripping a trailing digit or symbol, because composition rules on their own are trivially satisfied by something like “Password1!”.
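The two rules above, as an added example written for this page (it is neither Yahoo! code nor part of pipal): a blocklist check that also catches trivial variants such as “P@ssw0rd123!”, followed by the composition rule. The blocklist here is a constructed handful taken from the top-10 list above; a real deployment would load a breach-derived list with hundreds of thousands of entries. The 12-character minimum is an assumption taken from the requirements argued for later on this page.

```python
"""Password-acceptance check: blocklist first, then composition rules.

Added example for this page (not Yahoo! code, not pipal). COMMON_PASSWORDS is
a constructed stand-in for a real breach-derived list.
"""
import re

# Constructed: the ten most popular passwords from the analysis above.
COMMON_PASSWORDS = {
    "123456", "password", "welcome", "ninja", "abc123",
    "123456789", "12345678", "sunshine", "princess", "qwerty",
}

# Undo the substitutions people use to satisfy composition rules.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})


def normalise(password):
    """Reduce 'P@ssw0rd123!' to 'password' so the blocklist still catches it.

    Leading/trailing digits and symbols are stripped before the leet
    substitution; done the other way round, '123' would become 'i2e' and
    the variant would survive.
    """
    base = password.lower()
    base = re.sub(r"^[^a-z]+|[^a-z]+$", "", base)
    return base.translate(LEET)


def character_classes(password):
    """Subset of {'lower', 'upper', 'digit', 'symbol'} present in the password."""
    classes = set()
    for c in password:
        if c.islower():
            classes.add("lower")
        elif c.isupper():
            classes.add("upper")
        elif c.isdigit():
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


def check_password(password, blocklist=COMMON_PASSWORDS, min_length=12,
                   require_all_classes=True):
    """Return (accepted, reason).

    The blocklist is consulted before the length rule on purpose: '123456'
    is told it is a common password, not merely that it is short, because
    that is the message the user needs to hear.
    """
    if password.lower() in blocklist:
        return False, "common password"
    if normalise(password) in blocklist:
        return False, "trivial variant of a common password"
    if len(password) < min_length:
        return False, "shorter than %d characters" % min_length
    if require_all_classes and len(character_classes(password)) < 4:
        return False, "must mix upper, lower, digits and symbols"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("123456", "P@ssw0rd123!", "correcthorsebatterystaple",
                      "Aj18!d#B6]0W", "I'm bathing in 34 fish, crikey!"):
        print(repr(candidate), check_password(candidate))
```

Note what the composition rule does to “correcthorsebatterystaple”: a 25-character lowercase passphrase is rejected while a 12-character random string passes. Whether that trade is worth it is exactly the argument made in the later post on this page; the blocklist check is the part that actually stops the top-10 above.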

Password Length

8 = 119214 (26.92%)
6 = 79650 (17.99%)
9 = 66058 (14.92%)
7 = 65654 (14.83%)
10 = 54815 (12.38%)
12 = 21785 (4.92%)
11 = 21261 (4.8%)
5 = 5325 (1.2%)
4 = 2748 (0.62%)
13 = 2585 (0.58%)
14 = 1433 (0.32%)
15 = 773 (0.17%)
16 = 442 (0.1%)
3 = 303 (0.07%)
17 = 252 (0.06%)
20 = 169 (0.04%)
18 = 116 (0.03%)
1 = 116 (0.03%)
19 = 78 (0.02%)
2 = 67 (0.02%)
21 = 6 (0.0%)
22 = 4 (0.0%)
29 = 3 (0.0%)
30 = 2 (0.0%)
24 = 2 (0.0%)
28 = 2 (0.0%)

As you can see, most people are still using short passwords. Indeed, a whopping 61.66% of people are using a password that is 8 characters or shorter. If you include passwords with a length of 9 or 10, the figure jumps to 88.96%. When a dictionary attack fails, the main things stopping a brute-force from succeeding within a given time are the length of the password and the size of the alphabet it draws on. Each additional character multiplies the number of candidates (and so the cracking time) by the alphabet size: 95 if the attacker must try every printable ASCII character, and still 26 if the password is known to contain only lowercase letters.

8 characters and longer is usually cited as the recommended minimum for password length, but with cracking speeds rising as processing power improves (GPU-based crackers in particular), that number should probably be closer to 12, if not more. Remember, a long complex password need not be hard to remember.

Complexity

Only lowercase alpha = 146512 (33.09%)

This single statistic shows a staggering lack of password complexity: almost a third of the passwords contained only lowercase letters, which makes brute-forcing them much easier.

loweralphanum: 224085 (50.6%)
loweralpha: 146512 (33.09%)
numeric: 26080 (5.89%)
mixedalphanum: 23233 (5.25%)
loweralphaspecialnum: 6053 (1.37%)
mixedalpha: 5122 (1.16%)
upperalphanum: 3416 (0.77%)
mixedalphaspecialnum: 3327 (0.75%)
loweralphaspecial: 2103 (0.47%)
upperalpha: 1776 (0.4%)
mixedalphaspecial: 489 (0.11%)
upperalphaspecialnum: 233 (0.05%)
specialnum: 189 (0.04%)
upperalphaspecial: 51 (0.01%)
special: 20 (0.0%)

As these additional statistics show, more than half the passwords contained only lowercase letters and numbers. Adding digits helps less than people think: it enlarges the per-character alphabet from 26 to 36, so each extra position costs the attacker about 1.4 times as much, not 10 times. Barely one percent of the passwords could be considered “complex”, containing upper and lowercase letters, numbers, and symbols.
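The three kinds of statistic quoted above (top-N, length distribution, complexity classes), as an added example written for this page rather than pipal’s own code. The category names and the first-match-wins ordering follow the layout of pipal’s report so the output reads like the tables above; the password list is constructed for the demonstration.

```python
"""Pipal-style statistics over a list of plaintext passwords.

Added example for this page; it reproduces the three kinds of figure quoted
above (top-N, length distribution, complexity classes) but is not pipal's
code. SAMPLE_PASSWORDS is constructed for the demonstration.
"""
from collections import Counter
import re

SAMPLE_PASSWORDS = [
    "123456", "123456", "123456", "password", "password", "welcome",
    "ninja", "abc123", "Sunshine1", "P@ssw0rd", "QWERTY", "12345678",
    "letmein!", "Tr0ub4dor&3", "correct horse", "ABC!",
]

# Mutually exclusive classes in the style of pipal's report: the first pattern
# that matches wins, so 'abc123' is loweralphanum, never loweralpha, and a
# space counts as a special character.
COMPLEXITY_CLASSES = [(name, re.compile(pattern)) for name, pattern in (
    ("loweralpha",           r"^[a-z]+$"),
    ("upperalpha",           r"^[A-Z]+$"),
    ("mixedalpha",           r"^[a-zA-Z]+$"),
    ("numeric",              r"^[0-9]+$"),
    ("loweralphanum",        r"^[a-z0-9]+$"),
    ("upperalphanum",        r"^[A-Z0-9]+$"),
    ("mixedalphanum",        r"^[a-zA-Z0-9]+$"),
    ("special",              r"^[^a-zA-Z0-9]+$"),
    ("loweralphaspecial",    r"^[^A-Z0-9]+$"),
    ("upperalphaspecial",    r"^[^a-z0-9]+$"),
    ("mixedalphaspecial",    r"^[^0-9]+$"),
    ("specialnum",           r"^[^a-zA-Z]+$"),
    ("loweralphaspecialnum", r"^[^A-Z]+$"),
    ("upperalphaspecialnum", r"^[^a-z]+$"),
    ("mixedalphaspecialnum", r"^.+$"),
)]


def classify(password):
    """Name of the first class whose pattern matches; '' for an empty string."""
    for name, pattern in COMPLEXITY_CLASSES:
        if pattern.match(password):
            return name
    return ""


def _ranked(counter, total):
    """Rows of (key, count, percentage), most common first, as pipal prints."""
    return [(key, n, round(100.0 * n / total, 2)) for key, n in counter.most_common()]


def top_passwords(passwords, n=10):
    return _ranked(Counter(passwords), len(passwords))[:n]


def length_distribution(passwords):
    return _ranked(Counter(len(p) for p in passwords), len(passwords))


def complexity_distribution(passwords):
    return _ranked(Counter(classify(p) for p in passwords), len(passwords))


def share_no_longer_than(passwords, max_len):
    """Percentage of passwords with max_len characters or fewer (the
    '61.66% at 8 or shorter' figure above)."""
    short = sum(1 for p in passwords if len(p) <= max_len)
    return round(100.0 * short / len(passwords), 2)


if __name__ == "__main__":
    for title, rows in (("Top passwords", top_passwords(SAMPLE_PASSWORDS, 5)),
                        ("Password length", length_distribution(SAMPLE_PASSWORDS)),
                        ("Complexity", complexity_distribution(SAMPLE_PASSWORDS))):
        print(title)
        for key, count, pct in rows:
            print("  %s = %d (%s%%)" % (key, count, pct))
    print("8 characters or shorter: %s%%" % share_no_longer_than(SAMPLE_PASSWORDS, 8))
```

Feed it one password per line from a real dump (`[line.rstrip("\n") for line in open(path)]`) and the numbers line up with the tables above; the point of the ordered class list is that every password lands in exactly one row, so the percentages sum to 100.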

Conclusions

Yahoo! is of course to blame for the passwords being accessible to hackers, as well as storing them in such an insecure way. Their password policy which apparently lets users choose single characters for a password is absurd, and a full investigation should be carried out to find out how on earth the users were left this vulnerable. There were some decent passwords in the list, and those were made completely useless through Yahoo’s ineptitude.

That said, it should be noted that regardless of Yahoo’s ineffective defences and security policies, a great deal of these user chosen passwords were highly insecure. It is up to the user to choose a decent password, rather than relying on a system which you should not really trust (as users, we do not know what security weaknesses a system has, or how it stores important data). It is best, therefore, to create a unique complex password (or passphrase) for each account you have online, and to use a good password manager to help you keep track of them.

Two New Security Articles for Yahoo!

June 20th, 2012

I’ve written and published two new security articles as part of the Yahoo! Contributor Network. The first is about reducing your digital footprint, which is something I’ve been interested in for a while now. If you aren’t careful, a lot of information about yourself can be found online. Some of it might be true, some of it might be false, but most of it you probably don’t want lingering in search engine results. My article will tell you how to best map your digital footprint, and then how to go about reducing it.

The second article is on the top 5 online password managers, something every sensible person on the Internet should have. With so many different websites, you can either have the same password (highly insecure) or generate a unique password for each. Online password managers mean you don’t have to remember all your passwords, though as I’ve pointed out before, you can generate highly secure and easy to remember passphrases for the most secure sites you visit.

On Password Strength

March 28th, 2012

If you haven’t already subscribed to the WhiteHat Security Blog then you should. They produce a nice amount of articles that are easy to understand, and often provide interesting insights into the security industry. However, with such a wide range of topics, mistakes can be made (or concepts overlooked), and it is one particular error that I wanted to discuss in a bit more detail here.

Founder and CTO of WhiteHat Security, Jeremiah Grossman, wrote an article about how to keep yourself safe online, and whilst 99% of the article is accurate and good advice, there is one section on making passwords hard to guess where I think Grossman has entirely the wrong idea:

Pick passwords that are hard to guess, not found in the dictionary, six characters or more in length, and sprinkle in a number or special character for good measure. Something like: y77Vj6t or JX0r21b

Whilst having a password that is not found in the dictionary is sound advice, I disagree with both the minimum length suggested, and Grossman’s apparent meaning of “hard to guess”. From the examples given, and the suggested requirements for passwords, it seems that Grossman is trying to protect against a scenario where a malicious user performs a dictionary attack against some kind of login form for a specific user account.

This type of attack does not require the attacker to know anything about the target’s password in advance; it simply tries various common passwords hoping for a match. The problem is, this type of attack is one of the least common, usually because it targets only one account at a time, and can be easily thwarted by a system that detects multiple bad login attempts and locks the user account for a certain period of time.[1] (The variant that tries one common password against many accounts, rather than many passwords against one, slips past per-account lockouts, which is one more reason never to use anything from the common password lists.)

Password Attacks 101

If you really want to get a user’s password (or multiple users’ passwords), your best bet is to either sniff the network, exploit any trust the target user might have in you (or someone you know), compromise the user’s own system with malware that records their keystrokes, or breach the password database and crack the hashes (assuming the target system uses hashes). Out of these four attacks, by far the most common (and most well publicised) is cracking a list of stolen hashes.

The advantage of cracking such a list is that all the actual effort can be done on the attacker’s system, where there are no defences that can stall or thwart the attempt(s). Cracking a hash can be achieved either by employing the same dictionary attack I described above, or by a method known as brute-forcing. Whilst dictionary attacks are not guaranteed to work, brute-force attacks are, given enough time and an alphabet that covers every character of the password: instead of relying on a pre-generated list of passwords, the brute-force attack generates every possible string and checks each one against the given hash(es).

Since a lot of people are still terrible at choosing secure passwords,[2] it is usually best to employ both types of attack: first a dictionary to weed out the weak choices, then brute force for the rest.
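The two-stage attack just described, as an added example written for this page (not code from the post). The stolen hashes and the wordlist are constructed here, and the hashes are unsalted SHA-1 so that the attack is cheap; a real run would use a wordlist of millions of entries and a tool such as hashcat or John the Ripper rather than Python, but the structure is the same.

```python
"""Offline cracking of a stolen hash list: dictionary pass, then brute force.

Added example for this page, not code from the post. The 'stolen' hashes are
constructed by hashing four made-up passwords with unsalted SHA-1, a fast
hash that makes this attack cheap. A slow, salted hash (bcrypt, scrypt,
Argon2) would multiply the cost of every guess and, because of the salt,
stop one guess from being checked against every account at once.
"""
import hashlib
import itertools
import string


def sha1_hex(text):
    return hashlib.sha1(text.encode("utf-8")).hexdigest()


# Constructed victims. Only the hashes would be in the attacker's hands.
STOLEN_HASHES = {sha1_hex(p) for p in ("123456", "sunshine", "qzjx", "y77Vj6t")}

# Constructed mini wordlist (the top-10 from the Yahoo! analysis above);
# a real one runs to millions of entries.
WORDLIST = ["123456", "password", "welcome", "ninja", "abc123",
            "123456789", "12345678", "sunshine", "princess", "qwerty"]


def dictionary_attack(hashes, wordlist):
    """Hash each candidate once and look it up in the whole stolen set: with
    unsalted hashes, one guess is checked against every account for free."""
    found = {}
    for word in wordlist:
        digest = sha1_hex(word)
        if digest in hashes:
            found[digest] = word
    return found


def brute_force(hashes, alphabet, max_len):
    """Generate every string over `alphabet` of length 1..max_len, shortest
    first, and stop as soon as nothing is left to crack."""
    found = {}
    remaining = set(hashes)
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            if not remaining:
                return found
            candidate = "".join(chars)
            digest = sha1_hex(candidate)
            if digest in remaining:
                found[digest] = candidate
                remaining.discard(digest)
    return found


def crack(hashes, wordlist, alphabet=string.ascii_lowercase, max_len=4):
    """Dictionary first (cheap, catches the weak choices), brute force for
    the rest. Returns {hash: plaintext}; hashes absent from the result
    survived the attack within the given alphabet and length."""
    found = dictionary_attack(hashes, wordlist)
    leftover = set(hashes) - set(found)
    found.update(brute_force(leftover, alphabet, max_len))
    return found


if __name__ == "__main__":
    cracked = crack(STOLEN_HASHES, WORDLIST)
    for digest in sorted(STOLEN_HASHES):
        print(digest[:12], cracked.get(digest, "<not cracked>"))
```

With lowercase letters up to four characters the brute-force stage makes under half a million SHA-1 calls and finishes in well under a second in plain Python; “y77Vj6t” survives only because it is outside that alphabet and length, which is the search-space argument made in the next section.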

Password Haystacks

So how long would it take to crack the passwords suggested by Grossman? According to Steve Gibson‘s search space calculator, at most 35.79 seconds in its “offline fast attack” scenario of 100 billion guesses per second (that is the time to exhaust the whole space; on average the password falls in about half of it). Depending on the hash algorithm in use the real time could be longer or shorter, but the point is that it is not very long at all. This is where I disagree with Grossman’s meaning of “hard to guess”. For a human, a password like “y77Vj6t” would indeed be hard to guess, but for a computer it is simple. There are only 7 characters, and each can be 1 of only 62 characters (letters and digits). So in the worst case the attacker has to generate and check every string of up to 7 characters from that alphabet: 3,579,345,993,194 (roughly 3.6 trillion) candidates. That may sound like a lot, but a fast hash such as MD5 or SHA-1 can be computed billions of times a second on commodity GPU hardware, hence the 35 seconds.

Of course, not all attackers will have access to such hardware, but all that means is that the time required to crack a hash is a little longer, and as I explained before, time is not a major concern when the hashes are already stolen. To really create a password that is hard to guess (by humans and computers), you need to increase the amount of search space that a brute-forcing algorithm has to use. Steve Gibson uses the analogy of looking for a needle in a haystack: given enough time, you will find the needle, but the bigger the haystack, the less chance you will have of succeeding in your search within a certain time-frame. So it is with brute-force attacks. The more types of characters you use in your password, and the longer it is, the less chance that a brute-force attempt will find it in a reasonable period of time.

Creating a Strong Password

There are many different opinions on what strong passwords should look like, and there is obviously a lot of disagreement over various different “methods” for creating them. For some the issue is one of security vs. memorability, and there is a general belief that any password that is secure enough not to be brute-forced cannot be remembered easily either. I think this is patently and demonstrably false, and I shall share with you my method of creating extremely strong and easy to remember passwords. Firstly, let me define a new set of requirements that all strong passwords should comply with:

  1. At least one of every type of character (lowercase and uppercase letters, numbers, and symbols).
  2. At least 12 characters in length.
  3. It should not be found in any dictionary.
  4. It should be unique. In other words, it should be something that nobody (not even yourself) has used before.
  5. It should not be based on nor contain any personal details.

If you think those requirements would result in passwords like “Aj18!d#B6]0W”, then you have been taught to think about passwords in entirely the wrong way. Allow me to correct your thinking, with the following easy to remember and highly secure password:

I’m bathing in 34 fish, crikey!

This password (more accurately, a passphrase) has 1 uppercase letter, 20 lowercase letters, 2 numbers, and 8 symbols (counting spaces and the apostrophe as such). It is 31 characters long, and although the individual words of the passphrase are found in dictionaries, the entire passphrase is not. Finally, since it is a nonsense sentence, the chances of someone else having used it in the past are very slim indeed, and it does not contain any personal details. According to Steve Gibson’s search space calculator, a brute-force attempt that makes one hundred trillion guesses per second would take 65.53 trillion trillion trillion centuries to exhaust the space. One caveat: that figure treats every position as one of 95 possible characters. An attacker who instead guesses dictionary words joined by spaces needs far fewer guesses, so the real margin is smaller than the calculator suggests, though still many orders of magnitude beyond the 3.6 trillion needed for a 7-character alphanumeric string.
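The arithmetic behind both figures on this page, the 35.79 seconds for “y77Vj6t” and the centuries for the passphrase, as an added example written for this page. It follows the method Steve Gibson’s calculator describes but is not that calculator’s code; the three guess rates are the calculator’s scenarios, and `word_model_guesses` with its 100,000-word dictionary is my own assumption, added to put a number on the caveat above.

```python
"""Brute-force search-space ('haystack') arithmetic.

Added example for this page. It follows the method Steve Gibson's calculator
describes but is not that calculator's code: each character class present in
the password adds its size to the alphabet (26 lowercase, 26 uppercase, 10
digits, 33 printable symbols, space included), and the search space is the
sum of alphabet**k for k = 1 .. len(password), because an attacker exhausts
every shorter length first.
"""

SECONDS_PER_CENTURY = 100 * 365.25 * 24 * 60 * 60

# Guess rates of the calculator's three scenarios.
ONLINE = 1e3             # throttled login form
OFFLINE_FAST = 1e11      # one cracking machine, fast hash
MASSIVE_ARRAY = 1e14     # large GPU cluster


def alphabet_size(password):
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):   # space, punctuation, apostrophe
        size += 33
    return size


def search_space(password):
    """Number of candidates up to and including the password's own length."""
    n = alphabet_size(password)
    return sum(n ** k for k in range(1, len(password) + 1))


def seconds_to_exhaust(password, guesses_per_second):
    """Worst case: the whole space is tried. The expected time is half this."""
    return search_space(password) / guesses_per_second


def centuries_to_exhaust(password, guesses_per_second):
    return seconds_to_exhaust(password, guesses_per_second) / SECONDS_PER_CENTURY


def word_model_guesses(n_words, dictionary_size, other_parts=1):
    """Caveat on the haystack figure (my assumption, not the calculator's):
    an attacker who knows a passphrase is dictionary words joined by spaces
    guesses dictionary_size ** n_words word sequences, times whatever the
    non-word parts (numbers, punctuation) cost. Far below the character-level
    count, though still vast."""
    return dictionary_size ** n_words * other_parts


if __name__ == "__main__":
    for pw in ("y77Vj6t", "I'm bathing in 34 fish, crikey!"):
        print(pw, "alphabet", alphabet_size(pw), "space", search_space(pw))
        print("  %.2f s at 1e11/s, %.3g centuries at 1e14/s"
              % (seconds_to_exhaust(pw, OFFLINE_FAST),
                 centuries_to_exhaust(pw, MASSIVE_ARRAY)))
    # Constructed assumption: five words from a 100,000-word list, with the
    # number and punctuation guessed in 10,000 tries.
    print("word-model guesses: %.3g" % word_model_guesses(5, 100000, 10000))
```

The 7-character example reproduces the calculator exactly (3,579,345,993,194 candidates; 62^7 alone would be 3,521,614,606,208, the difference being all the shorter strings tried first). For the passphrase the word-model estimate comes out around 10^29 guesses: roughly 10^32 times smaller than the character-level figure, and still about 10^16 times larger than the alphanumeric string’s space.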

The Science Bit

So this type of passphrase is very strong, and I hold that it is also very memorable, because it relies on the same techniques for improving memorability as mnemonics do. Remembering the 5 musical notes represented by the lines on a treble clef stave (EGBDF) is hard for most people, but almost everyone who has studied music will remember the helpful mnemonic “Every Good Boy Deserves Favour”. Science suggests that mnemonics are effective,[3] and further research concluded that we remember humorous sentences better than non-humorous ones.[4] Thus, in my opinion, a humorous nonsensical sentence is ideal as a secure and memorable passphrase.

I have proposed this before in various discussion groups, and the feedback has more often than not been positive. However, I am of course open to criticisms, and I shall go into more detail about possible objections to this method in a separate article. The real test would be for people to start using these sorts of passphrases in their daily lives and report back their findings. Were they easy to remember? How long did you make them on average? How many did you manage to recall before you started running into trouble? Any feedback will be interesting to hear.

My own prediction is that even hours after you have finished reading this article, you will still be able to remember the passphrase I generated a few paragraphs ago.

Update (30/3/2012): Added a 5th requirement for strong passwords, concerning the inclusion of personal details.