Why your favorite web site’s password strength meter is full of hooey

Last Updated on November 29, 2018 by Dave Farquhar

Ars Technica talked three password crackers into doing their worst to a leaked database of 16,000 passwords, to see what they could learn.

They learned a lot, and we can learn a lot from their experience as well. “qeadzcwrsfxv1331” isn’t a good password. Neither is “Philippians4:13.” Neither is “correcthorsebatterystaple.” Neither is “Qbesancon321” or “Qbe$@ncon321.” Password guessing has too much intelligence built into it now.

And not only that, by continuing to use the password “popcorn,” you make it easier for those guys to guess other passwords too.

Most password strength meters assume that a password guesser will start with “a” and try every possible password up to 16 characters in length, and that’s just not how password guessing works anymore. Maybe some do it that way. But that’s not who you have to be afraid of. It’s the people using sophisticated password guessers you have to be afraid of.

Bad passwords contain dictionary words, numbers and symbols tacked onto the end, and common substitutions like “@” for “a,” “3” for “e,” and so on.

The most sophisticated password guessers use statistical analysis on known passwords to mimic the patterns they see to guess other passwords. That’s why someone can guess 14,000+ passwords in a mere 20 hours. Computing power is cheap and continuously getting cheaper, and as fast as those prices are dropping, the software is getting smarter at an even faster rate.
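As an added illustration (not code from the Ars article or from this post), the Python below contrasts the naive “character set to the power of length” estimate most meters compute with a rough rule-aware estimate that undoes the substitutions, strips the appended digits and symbols, and looks the remaining stem up in a wordlist. The wordlist, its assumed real-world size and the per-rule costs are constructed assumptions, not measurements.

```python
import math
import re

# Constructed stand-in for a cracker's wordlist. Real lists hold millions of
# entries, including place names and famous passphrases stored whole.
WORDLIST = {"popcorn", "password", "philippians", "besancon", "monkey",
            "correct", "horse", "battery", "staple", "correcthorsebatterystaple"}
WORDLIST_SIZE = 1_000_000                 # assumed size of the real list being modelled
WORD_BITS = math.log2(WORDLIST_SIZE)      # cost of one dictionary lookup (~19.9 bits)
LETTER_BITS = math.log2(26)               # leftover lowercase letter, brute-forced
DIGIT_BITS, SYMBOL_BITS = math.log2(10), math.log2(33)
CAP_BITS, LEET_BITS = 1.0, 2.0            # assumed cost of "capitalize" / "substitute" rules

LEET_MAP = {"@": "a", "$": "s", "3": "e", "1": "l", "0": "o", "!": "i", "4": "a", "5": "s"}
LEET_TABLE = str.maketrans(LEET_MAP)

def naive_bits(pw: str) -> float:
    """What a typical meter computes: length * log2(size of the character classes used)."""
    charset = 0
    if re.search(r"[a-z]", pw): charset += 26
    if re.search(r"[A-Z]", pw): charset += 26
    if re.search(r"[0-9]", pw): charset += 10
    if re.search(r"[^A-Za-z0-9]", pw): charset += 33
    return len(pw) * math.log2(charset) if charset else 0.0

def segment_bits(stem: str) -> float:
    """Cheapest way to spell `stem` from wordlist entries plus brute-forced leftover letters (DP)."""
    best = [0.0] + [math.inf] * len(stem)
    for i in range(1, len(stem) + 1):
        best[i] = best[i - 1] + LETTER_BITS          # treat this letter as random
        for j in range(i):
            if stem[j:i] in WORDLIST:                # or end a dictionary word here
                best[i] = min(best[i], best[j] + WORD_BITS)
    return best[-1]

def pattern_bits(pw: str) -> float:
    """Rough work for a rule-based guesser: word(s) + capitalization + leet + appended suffix."""
    stem, suffix = re.fullmatch(r"(.*?)([^A-Za-z]*)", pw).groups()
    bits = CAP_BITS if stem != stem.lower() else 0.0
    if any(c in LEET_MAP for c in stem):
        bits += LEET_BITS
    bits += segment_bits(stem.translate(LEET_TABLE).lower())
    bits += sum(DIGIT_BITS if c.isdigit() else SYMBOL_BITS for c in suffix)
    return bits

def assess(pw: str) -> dict:
    """Both estimates side by side; the gap is what a naive meter over-promises."""
    return {"password": pw, "naive_bits": round(naive_bits(pw), 1),
            "pattern_bits": round(pattern_bits(pw), 1)}
```

Running `assess` over the post’s examples shows “Qbe$@ncon321” dropping from roughly 79 naive bits to under 40 once the substitutions and the “321” suffix are treated as rules rather than random characters; keyboard walks like “qeadzcwrsfxv1331” are outside what this toy models.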

But the news isn’t all bad.

Many Fortune 500 companies tightly control the types of passwords employees are allowed to use to access e-mail and company networks, and they go a long way to dampen crackers’ success.

“On the corporate side, it’s so different,” radix said. “When I’m doing a password audit for a firm to make sure password policies are properly enforced, it’s madness. You could go three days finding absolutely nothing.”

That’s what I want to hear. I want to hear that these guys who can crack thousands of passwords per hour go for stretches of three days not cracking passwords in a corporate environment, where the rules are more strict.

Here’s what that tells me: It’s not a bad idea to use the rules you have to live by at work all the time. Don’t use your work password on Amazon, but use one there that would pass muster at work. I won’t tell you to use your old, expired work password there, but I know that’s probably what you’ll do. It’s better than using “popcorn,” at least.

So, how does using a dead-simple password like “popcorn” hurt others?

Good password storage practices include a bit of randomness in their cryptography, called “salts.” Then, the attacker has to guess not just the password, but the salt as well. Generally, there are a finite number of salts.

When the password file contains simple passwords like “popcorn,” the password guessers get not only that password, but also the salt. They can then apply that salt toward all of the others. Since they now have a valid salt, even stronger passwords become easier to guess.

If I had to place a bet, I would guess that’s part of the reason it takes so much longer to crack internal corporate password lists. With no trivial passwords to guess, it takes a while to get that first salt and build momentum.

Give the article a read. It’s definitely worth your time. And here’s how to pick a good password.
