How secure is your password, really?
When it comes to security, patterns can be dangerous
When we do something over and over, it often becomes a habit – an internalized pattern that we can do without thinking. Take something like tying your shoes: you’ve been tying your shoes since you were 4 or 5 years old – for so long, that you can do it with your eyes closed. It’s become a habit that your fingers can do without engaging the brain too much.
Habits are like that, they have a way of taking over the way we do things. And that makes life easier, because having to think about the doing part slows us down.
But there are times when our habits and the patterns in which they reveal themselves aren’t a good thing. When it comes to security, patterns can be that dangerous crack in the armor that can be exploited by bad guys.
In the physical world, this can be the pattern of everyday activities that you typically sleepwalk through: where you walk your dog every night, patting your pocket when in public to see if your wallet is there, or something like leaving a key under the ‘welcome’ mat. How long would an observant bad guy have to watch you to discover a pattern that might be exploited to harm you or, at the very least, catch you off guard?
More and more, IT researchers are finding that subconscious patterns are revealing themselves in the darnedest places.
For example, the rhythm and cadence at which you type (i.e. the beat and strength at which you bang away at the keyboard) has for several years now been studied as a possible means of access authentication. Not only can your typing pattern be monitored and measured, but it is sufficiently unique that it can be used to IDENTIFY YOU. (I can’t help but make a gratuitous reference to Monty Python’s Ministry of Silly Walks.)
What about the way you create passwords (presuming you aren’t doing the right thing and using a password generator that creates random passwords)? Is there a discernable pattern in your passwords that might make it easier for a hacker to access one and then other passwords in your private collection?
Work by the KoreLogic team reveals that we utilize patterns even in the way we create passwords.
In a Jason Bourne-sounding project called PathWell (Password Topology Histogram Wear-Leveling), KoreLogic analyzed employee password data from several corporations and discovered that passwords within the tested companies tend to fall into patterns that reflect the password rules of each respective company.
The password complexity rules are ones you’re likely familiar with from your job as well as your personal accounts on many websites. It all starts with some minimum length plus:
- upper case (26 possibilities)
- lower case (26 possibilities)
- digits (0-9) (10 possibilities)
- special characters (! , . : “ and so on) (30 possibilities on my keyboard)
The expectation when you have multiple rules is that everyone sticking to all the rules should have a great password – right!? By forcing users to use upper AND lower case letters, you’ve doubled the available options for each character position in the password and therefore greatly increased the possible permutations. And, to make it even stronger, you add the use of numbers AND special characters and punctuation. That’s a total of 92 possibilities for each position in the password. And the strength of a password goes up significantly as you increase the length.
Oh my, doesn’t that have all the makings of a great password!?
Well… it’s complicated.
What if some of your learned traits – basically, your habits – actually override the security of the complexity rules?
To get an idea of the problem of patterns identified by KoreLogic, let’s look at a simple 5 character example. If you don’t limit yourself in any of the character positions and allow that each position can be any of the 92 possibilities, you get a total of 92x92x92x92x92 = 6,590,815,232, that’s 6.5 Billion password combinations. (That sounds like a lot but, when it comes to computing hacking power, it’s a tiny number.)
Now, let’s say you’re a typical human employee who has to recreate a new password every 30 or 45 or 60 days. It turns out that many of us have habits that we subconsciously work into the password rules:
- From childhood, we’ve been taught to follow certain writing syntax: an upper case letter (u) goes at the beginning of a word and is followed by lower case letters (l). Punctuation (s) and numbers (d) go at the end.
See where this is going?
- We’re in the habit of memorizing words. And we like to think that we can do that for our passwords, too. That’s not desirable from a security standpoint, but that doesn’t stop us from doing it. We can probably blame this on all those spelling tests we took at school.
- We want to make things easy on ourselves, especially stuff that we are forced to do over and over. That’s just human nature!
The problem is that, instead of using the full range of characters for each position, we limit ourselves with learned syntax and our personal comfort zones. In this way, instead of the 6.5 Billion possible passwords we calculated above, we’ve shrunk the pool of passwords that we actually use to 26x26x26x10x30 = 5,272,800, only 5.2 Million password combinations.
We’ve followed all the security rules, but because of our habits, the resulting pattern of passwords is 3 orders of magnitude weaker!!
If you and I were the only ones doing this, it wouldn’t be a problem, because it would be a unique instance. The problem is that many people are doing the same thing. This results in a ‘clumping’ of sorts, where lots of people use the same patterns (topologies) for their passwords, instead of a truly random spread across all possible combinations.
The KoreLogic study revealed that at one Fortune 100 company, the top two patterns used across 263,000 logins were used by 25% of the users. Think about that: every fourth person used one of two patterns.
Enter bad guys.
Just knowing the top 2 patterns of passwords used in a company can reduce the time it takes to hack 25% of the employees from a very secure thousands of years down to literally hours. Wow!
It’s not surprising that, when faced with rules for passwords, people do what people do: they fall back on habits that lead to shortcuts. These shortcuts reveal themselves as patterns that narrow the scope of options for bad guys. By narrowing the scope of options bad guys have to worry about, our patterns undermine our passwords!
So, the next time you’re prompted to create a password in the office or at home, break your pattern and use a password generator. And when it’s ready, ask yourself, “would Jason Bourne be happy to use the password.”
If the answer is no, try again.