Consulting firm Deloitte is warning that 8-character passwords will be obsolete this year. Sound familiar? Of course, the Slashdot crowd blamed it as security “experts” (their words) creating hype to make money.
Well, I’m a certified security professional who doesn’t have a dog in this fight, except that I don’t want your accounts getting stolen. So here’s the problem with many of the solutions the Slashdot crowd posed.
Online comic XKCD once suggested using four-word passwords instead. Here’s the problem. Many people’s vocabulary is about 10,000 words. That gives 10,000 x 9,999 x 9,998 x 9,997 possibilities. We’ll round that off to 10,000,000,000,000,000.
A 25-GPU cluster can guess 350 billion passwords per second. That means it can cycle through every possible password built from the 10,000 most common words in about 8 hours.
What if you force capital letters? Chances are most people will capitalize the first letter of one or more of the words. That multiplies the possibilities by 24, so now it’ll take around 8 days for the machine to cycle through the passwords. Still not good enough.
So you can add special characters and numbers to the mix. Most people will intersperse those between the words. There are 42 numbers and symbols on the keyboard. Figure 42^4. By my math, that type of password will last multiple lifetimes. For now. Or, use random words that may not be in your vocabulary. The GCHQ says that’s good enough.
Why passwords are such a moving target
The problem is that every large password dump that happens adds more passwords to the pool to analyze. Brute-forcing is getting a lot smarter. Last week, attackers stole a password dump from the U.S. Federal Reserve. The Federal Reserve has stringent password requirements–I don’t know this for certain, but I’ve heard it’s 12 characters, no dictionary words, 2 uppercase, 2 lowercase, 2 numbers, and 2 special characters, minimum.
Once that dump gets cracked, attackers can start analyzing how people create passwords complying with that strict policy, and finding patterns, and guessing smartly. Then, things get worse from there. To go after 16-character passwords, you just extend the logic, since most humans probably use exactly the same thought process to generate longer non-word passwords.
Since the chances of something like CISPA getting passed are about nil, because everyone assumes it’s a piracy bill–it’s not–these dumps will keep happening. Password-guessing algorithms will get smarter, GPUs will get faster, and enforcing good passwords will become nearly impossible, because merely enforcing lengths isn’t going to be good enough.
I suspect companies will have to start building password-cracking machines themselves and using them on their employees’ accounts, making them change any password they manage to break. Short-term, that may be the best answer. Or, do away with passwords altogether and implement smartcards.