Passwords Redux Deluxe Revisited
Revised January 16, 2024
New Password Rules for a New Age of Hacking
What's My Risk?
"I'm not a likely target."
Yes, you are the target… and so is everybody else!
Hackers don't care who you are; they just want the money from any accounts they can breach. Most hackers target everyone's accounts equally.
Funds in all computer-based account systems are hackable. This includes the accounts of people who don't set up online banking themselves; financial institutions all use computer-based systems. They seldom recover hacker-stolen money, and rarely restore funds that were removed using the account owner’s own credentials or password. This includes everything from debit cards and savings to retirement and brokerage accounts.
Accounts protected by password systems have widely varying levels of security. Some still don't even implement Two Factor Authentication.
Who are the Bad Guys?
- Nation-states have teams of hackers, sometimes their security services or military units, breaking into financial accounts all around the world to finance clandestine activities or to prop up weak revenues.
- Criminal gangs are organized as international businesses which do nothing but steal money from foreign citizens. Hackers worldwide see the U.S.A. as the perfect target — crimes against U.S. accounts are rarely prosecuted elsewhere, and the average American has more personal wealth than 90% of the world's population — a large and profitable target.
- Some hackers are entrepreneurs — taking what they can from accounts, or simply selling the hacked credentials on the Dark Web to others who do the actual stealing. That way the hacker makes some easy money without stealing from accounts themselves.
All Passwords Can Be Hacked
There is one certain fact about Passwords: given enough time, they can all be hacked.
My goal is to help you ensure that hacking your passwords would take so long that no hacker will crack them during your lifetime — too long for the hacker to profit!
A Brief History of Passwords
Knowing how we got to our current sorry state with passwords will clarify both why and how we must update our password crafting to survive today's risks.
Early Computer Passwords
The use of passwords on computers began in the 1960s, to implement time-sharing on mainframe computers. Multi-user mainframe systems needed to segregate users’ files and limit each user’s time in the system. Because terminals for mainframe computers were few and computing power was limited, each user’s time was restricted.
First-Ever Data Breach
The very first computer password system was soon hacked. Some guy figured out where the Passwords file was stored in the computer, and printed it. He could then login as any authorized user to see anyone's files and use their allotted time instead of his own. It didn’t matter how strong or weak those early passwords were because he didn’t have to hack them. He simply printed them out so he could login as anyone in the system. Stealing a copy of a system’s entire password list is now called a Data Breach.
Multi-user password systems later came to personal computers to segregate users’ files on shared devices, but it’s still common for personal computers and smart phones to be preset to auto-login without requiring a password, giving anyone who powers it up access to all of the email accounts, files, and even stored passwords kept on that device. Setting up passwords is all too often bypassed for ease of use or to speed up the computer setup process. Apple's security documents warn that leaving any computing device set to "auto-login" means having… No Security At All.
Passwords Come to the Internet
Since the mid-1990s, internet services and computer systems have used Account Name and Password systems to restrict access to email, banking, and retirement accounts, as well as most other online services. When setting up a new online account, the user is prompted for their User Name (usually an email address) and a Password. Incredibly short passwords were common in the early days of the Internet. It was just something to show it was you, and, one hoped, it wouldn't be guessed by anyone pretending to be you.
Passwords Before Rules
Most people picked short simple words that were easy to remember but hard for friends and family to guess. Many chose passwords such as: 123456, password, monkey, iluvyou. Even a simple "hello" would do. Occasionally, some rebel would pick "I am the Walrus!" — which is actually fairly strong. (It’s not good, but it was much stronger than most passwords then being used.)
Online Systems Administrators assigned short little passwords — M[sXP# — to manage web servers and email systems because they were extremely hard to guess. I remember being pleased when my web-hosting company assigned me a 6-character password nobody would guess, but I became irritated that it was nearly impossible to recall it when needed because I didn’t use it often. That 6-character password gave full access to my website and email server back in 1999. Six characters wasn’t any real protection against an intruder beyond being hard to guess.
Early Password Rules
In 2003, to improve security as Internet use exploded worldwide, the National Institute of Standards and Technology (NIST) commissioned a report by William Burr which became the go-to reference for both business and government in setting password policies. Burr’s guide was well thought out but entirely speculative — there was no existing data on password usage for him to evaluate. His lengthy report was reduced to a small set of rules which could be easily implemented:
- Passwords must have a minimum length of X characters. (X being 6 or 8) *
- Passwords must include multiple character types, not just lowercase letters.
- Passwords must be changed at regular intervals.
- Passwords must not be reused when changing a password.
- Passwords must not be written down; they should be memorized.
These rules had unexpected and unintended consequences for real-world password choices as people struggled to memorize passwords for their ever-growing list of online accounts.
- Passwords were kept to the minimum length allowed, or very close to it, to be easier to remember and enter.
- Passwords were chosen for readability and pronounceability for ease of memorization, but with a capital letter and/or some character substitution to satisfy rule 2.
- Having devised a memorable password which passed all of the required tests, computer users frequently reused favorite passwords across multiple accounts rather than creating and memorizing a new one for each account as they were supposed to do. Because each online system sees only its own password data, it can't stop anyone from reusing a password they used elsewhere. This became especially common when Rule 3 was enforced, requiring users to change passwords frequently.
* Curiously, nobody’s rules ever required “at least 7 characters” instead of 6 or 8.
Hackers Adapt & Change Tactics
Meanwhile, hackers were learning new skills. Those good old days when most people’s biggest security worry was that someone might piggyback on their broadband connection were fading fast. Before long, international criminals began digitally raiding bank accounts. Password systems were facing new and more costly risks, while those password rules remained unchanged, and online security systems failed to keep pace. The real-world results of the 2003 password rules ended up being so unfortunate that, 15 years later, NIST’s author, Bill Burr, publicly apologized, saying: “Much of what I did I now regret.”
If that first hacker in the early 1960s hadn’t located the password file, he might have tried guessing passwords, as so many amateur hackers did when sniffing for a free broadband connection. Even now, Password Guessing is the threat people still fear — so picking passwords that no one will guess feels safe.
Hackers changed all that as they harnessed computers to automate their hacking process. It became faster and easier to have a computer run millions, billions, or even trillions of possible passwords in less time than a person could manually enter one password guess on a keyboard. Suddenly the very concept of what made a strong or weak password had nothing to do with it being guessable.
The question became: Is it hackable?
Every Password is Hackable
Given enough time, all passwords can be hacked. With Time being the critical element, hackers have devised strategies to discover passwords more quickly, based largely on how people responded to the 2003 password rules — doing only the minimum required by those rules.
Here are the main types of current password attacks:
- Credential Stuffing
- Breached Passwords
- Dictionary Attacks
- Brute Force Attacks
Let’s take a look at each of these just to understand what it accomplishes for the hacker and what its risks are for your password depending on how you've implemented any password rules.
Credential Stuffing
According to security specialists, Credential Stuffing generates more internet traffic than all other internet uses combined, including the billions of daily emails, internet searches, online shopping and banking connections, and website viewings. An entire server is targeted rather than one specific user's account. For instance, a hacker may decide your bank is a good target — that’s where the money is — without caring whether you personally bank there. Credential Stuffing takes billions of Account Names and Passwords from past data breaches, and digitally stuffs them all at that bank’s server to see which of them match any accounts at that bank. The hacker’s system reports which ones got in. The hacker can then take funds from those accounts, or sell those credentials for others to misuse, or both.
The tendency to reuse passwords across multiple accounts guarantees enough matches with Credential Stuffing to reward such attacks. If you reuse a password, you will eventually be hacked via Credential Stuffing, even if you follow all the other rules. Reused passwords and credential stuffing have led to some of the largest data breaches on record, including the 2023 exposure of personal health data for nearly 7 million users of a DNA tracking system where some 14,000 members (less than 1%) reused passwords which had already been compromised in unrelated breaches and didn't think to change them on the DNA site.
Credential stuffing works because account owners reuse passwords, ignoring a basic password rule.
Breached Passwords
The number of accounts exposed in Data Breaches has passed tens of billions. Hackers have lists of those passwords and use them to automate attacks against specific accounts such as email addresses or account names. Using advanced computing systems, this type of attack may take less than one second per account — yes, just one second for billions of password attempts. (Ain’t computers amazing?)
If any breached password matches your account password, the hacker gets in, whether it’s your email or your retirement savings.
Breached Password lists open many accounts which hadn't previously been breached because people are really really bad at picking original unique passwords. Your account doesn't have to have been previously breached itself if you chose a password that's the same as a password stolen in another system's breach. It still unlocks your account.
Dictionary Attacks
This is similar to a Breached Passwords attack, but instead of using lists of exposed passwords, it compiles all of the words in the world’s dictionaries, including likely character substitutions. Though there are hundreds of languages, the total number of different letter combinations that spell actual words is only about 6 billion — an even shorter list than the Breached Passwords list. These dictionaries are sold and traded among hackers. Unlike a Breached Passwords attack, these dictionaries even include words and substitutions that nobody has yet been caught using as passwords.
Dictionary attacks work because it's easy to pick a word as your password, just making substitutions for some characters: the numeral one for a lowercase L, a zero for a capital O, or even a 4 for an A… etc. These kinds of substitutions are predictable, so hackers anticipate them in their Dictionary Attacks.
Brute Force Attacks — BFA
The BFA is a hacker’s last resort, though it is fully capable of cracking every possible password. The hacker automates running all combinations of keyboard characters starting with the shortest allowed by that site’s password rules, up through longer and longer combinations until it eventually finds the exact character-string that matches your password. Brute Force Attacks will eventually find it — unless the hacker runs out of Time!
A computer’s speed vs. how long the hacker is willing to wait to hit a winning combination are the only things that can end this attack before your password is reached, so the length of your password matters. You need to survive all of the other attacks while also having a password that is too long to find before the hacker moves on to easier victims.
BFAs always work if your password is short enough. Most people pick passwords that don't take too long to reach. That makes them the "low-hanging fruit."
The Hollywood Hacker Doesn't Exist
All of these attack types except the Brute Force Attack can be run against an account system in a matter of seconds. Contrary to the movies, no competent hacker will ever attempt to guess a password when they have the computing power to run passwords at millions of times the speed of typing one guess on a keyboard.
In our brave new world, you need passwords that won’t be found by the first three attack methods, and are so long that a Brute Force Attack will be abandoned before your password is reached.
The password rules of 2003 encouraged people to pick passwords that will be cracked in seconds by modern attacks; after all, hackers devised these attacks based on how people responded to those old rules!
New rules still must pass the 2003 password requirements, because they are still being used by most systems. However, new rules can help our passwords defeat modern attacks.
New Password Rules to Survive Modern Hacks
- Never reuse any password, ever!
- Always include all 4 character types.
- Password length should be as long as possible.
- Use only unique passwords.
These sound a lot like the old rules, but, in fact, they are quite different, so explanations are in order.
Never reuse any password, ever!
No matter how strong you think your password is, use a different password for each and every account. If you change a password, don’t pick one you’ve ever used anywhere, even if you no longer use it elsewhere. This reduces the risks from both Credential Stuffing and Breached Passwords attacks.
Include All 4 Character Types
Using all 4 character types — uppercase, lowercase, numerals, and symbols/punctuation — ensures that a Brute Force Attack will take much longer with 95 possible characters instead of just 10 for numbers or 26 for lowercase letters. Basic math says the more combinations are possible, the longer it will take to try them all.
For example, hacking a 12-character passcode takes about 1 second if it’s all numerals (10 keys), and around 15 minutes if it’s all lower case (26 keys). However, if all 4 character types are included (95 keys), it could take years to crack!
Forcing a hacker’s Brute Force Attack to take way too long is the only defense against its eventual success, so the number of character types matters. This also leads into our next rule…
Password Length — As Long As Possible
With current computer speeds, any password shorter than 12 characters is already too short to be safe against Brute Force Attacks. If your bank won’t let you use 16 characters, change banks. (Not a joke!) Make your passwords as long as you can stand. By 2020, the minimum recommended password length was 12, and that minimum will keep increasing as computer processors continue to speed up. As I revise this in 2024, my recommendation would be at least 15 or 16 characters.
Future-proof your passwords now by making them significantly longer than the minimum lengths or recommendations, and review your passwords annually to be sure they remain safe in the future.
Use Only Unique Passwords
This is an expansion of the first rule — never reusing passwords — putting it on steroids to never use anyone else’s passwords either! This requires some explaining because you don't know all of the passwords ever used. Here are some real-world examples.
Your Perfect Password Just Died
Let’s imagine you’ve come up with a great 16- or 24-character password that you’ve never used before. It has all 4 character types and doesn’t look anything like a dictionary word. Now suppose that just by chance that same string of characters was used by someone else — just once anywhere in the world — and their server had a data breach and its passwords were stolen. So now that perfect password is lurking in hackers’ attack kits, ready to open your account in seconds when it's targeted!
How can you avoid a password that someone else might have used, including passwords others might pick in the future? (Data breaches continue to happen daily.) It requires a new level of cunning to create a password that is unique right now, has never been used by anyone before, and is unlikely to be used in the future with billions of people creating new passwords daily. That's what’s required to stay safe from Breached Passwords attacks.
What is Unique?
- Unique means one-of-a-kind — unlike any other.
It’s an absolute quality. A thing is either unique or not unique. There is no third option or sliding scale. "Nearly Unique" means Not Unique at all!
- Beware of Entropy
The term Entropy is bandied about in password discussions. The more chaotic anything is, the less likely it is to repeat. That chaos is Entropy. However, nobody agrees on how to measure entropy. When you encounter the word entropy in a password discussion, just accept that it's useless as a measurement and move right along to the next paragraph… like right now.
- The words Unique and Random are often used interchangeably in password discussions, but they have entirely different meanings and have nothing to do with each other. Picking something randomly does not make it unique. For example, computer-generated random numbers repeat frequently. They are numbers, and all numbers have a predictable sequence, so no number is unique no matter how randomly you chose it. Similarly, randomly generating a password does nothing to assure uniqueness. While any system can generate a value that is unique within that system, no system can assure another system won't generate that same value for someone else.
- Words are never unique. Substituting numbers and symbols for letters won’t make the result unique either. Because the human mind does pattern recognition, many of us will pick the very same substitutions, and those substitutions are predictable instead of unique. Cleverness won't create something unique from dictionary words with substitutions.
- Phrases are rarely unique. Phrases are organized words. Remember this phrase:
“Great minds run in the same ruts.”
The odds of coming up with a unique phrase are tiny-to-nonexistent. You need something even less predictable and less likely ever to be repeated than a phrase if you want to avoid the risk of duplication on a worldwide scale.
While there is no guaranteed test for uniqueness, I do have some ideas that can get you well along the road to crafting unique passwords.
- Pick two, three, or more unrelated words — not a phrase, not song lyrics, not a quote or saying — but words that really are not related, so you cannot imagine them being used together. Don’t assume these words are unrelated — you’ll usually be wrong. After all, something made you think of them together. (Our brains continuously and unconsciously do pattern recognition.)
- Search for your words together on the internet to make sure they haven’t been used together. When you finally find words that don't return any matches from a search engine, you’re ready to go. (You may have to intentionally misspell one or more of your words to get this far.)
- Now slap them together and add a symbol, punctuation, or number separating them, then stick another character type at either or both ends. Capitalize one or more of the letters, but not at the beginning of a word.
You should now have a password containing all 4 character types, more than 12 characters long, that you’ve never used before (and won't ever use again), and probably nobody else will either. You’ve given it your best shot, so it's ready to use — unless you want to make it even lo-o-o-o-onger.
Longer is always a good afterthought. Heck, if your new password is still under 20 characters, even adding a repeating letter to the backend just to make it longer improves its strength against a Brute Force Attack.
You’ve Come a Long Way
We’ve moved your passwords from monkey to something closer to filBerg2bargain_sfff.
It takes some conscious effort, but it’s satisfying when you finally get a “No Results Found” in your search engine just before you add those final refinements to satisfy both the old password rules and our new ones.
Is there any way to guarantee that nobody else will ever come up with that same text string to use as a password? No, but it’s far less likely if you followed the suggested steps.
Record Your Passwords!
That old rule about memorizing passwords and never writing them down encouraged people to react in really stupid ways like keeping passwords as short as possible, picking easily-memorized passwords, and reusing them. Now we can securely and easily use Password Managers to keep track of Passwords we can't memorize.
Well-reviewed Password Managers:
- iCloud Keychain — for Apple ID users using Apple computing devices
- 1Password from AgileBits Inc.
- BitWarden from BitWarden.com
- Dashlane from Dashlane Inc.
The list above is not exhaustive nor an endorsement, just a good place to start.*
The first is included in Apple's iCloud system for all Apple computing devices. It even handles PassKeys. The next two are the most-frequently mentioned by techies as their personal favorites, but people tend to recommend whichever one they currently use as long as it works for them.
Review them all to see what they offer you and compare subscriptions. They are available online and on Apple’s App Store, and they can be set up to work across multiple computer platforms and devices.
* Older versions of this document also listed LastPass and Remembear. They were removed early in 2023 because LastPass had a major security breach, had allowed weak encryption, and lacked transparency in reporting their breach, and RememBear was slated to be discontinued that year.
Beyond Passwords — What More Can We Do?
There are several ways to secure your accounts beyond what passwords alone can do:
- Two Factor Authentication (2FA)
2FA generally relies on one-time-use PINs sent by text message or email for a user to verify they control the email or phone number associated with the account. Though not foolproof if your phone is cloned or stolen, or your email is hacked, they offer a huge security improvement over passwords alone. Without access to your device or email account, a hacker with your password will still be unable to access your account. 2FA can still stop 99+% of attacks where the password is hacked. If your account offers 2FA, USE IT! If any of your financial institutions don't offer 2FA, complain and/or change companies. 2FA is essential security on any account accessing your money.
- PassKeys
PassKeys use 2 separate bits of code — one on the server and one on the user's device — which must be used together for the account to be opened. A hacker who manages to steal either code will still be unable to open the account. PassKeys are activated when a user authenticates biometrically, allowing their local code to activate the server. Someone other than the account holder will be unable to use the device for access. PassKey technology became more available in 2023. It does not require or use passwords, but PassKeys are mainly being added to existing systems where users already have passwords, so those accounts remain vulnerable to password attacks if the passwords are still able to get in. New accounts set up with only a PassKey but no password are much more secure.
- Authenticators
These are special Apps or security dongles which provide a coded response to verify that a legitimate device is connecting to the system. Authenticators are used by some businesses to restrict access so anyone who lacks the secure dongle or App isn't allowed in, even with a valid password. Some Authenticators are customizable by users, while others are preset by the issuing company. With Authenticators, the access to the system resides with the hardware device or dongle, not the user.
Are We There Yet?
Probably not. Coming at us head-on are AI and QC — Artificial Intelligence & Quantum Computing.
AI has given hackers new tools to predict the most likely combinations of characters people will choose for passwords. Having been trained on billions of known passwords, AI systems could greatly speed up all of the attack types described above so that any attack might take far less time to run.
QC has been in development for decades, with prototype testing from the late 1990s. It has been predicted as "highly likely in the next 2 years" for most of that time. QC processors are capable of multiple operations in the same instant, rather than per second, as current processors are measured. An attack which currently takes an hour could theoretically be completed in less than a second with a Quantum Computer. There will be some upper limits to Quantum processing speeds, but nobody knows what those will be or how fast QC password attacks could be. A recent prototype lab-tested at many times the speed of the fastest conventional processors. Quantum Computing appears to be getting much faster without getting any closer — still being described as "highly likely in the next 2 years" — but with major obstacles still restricting it to laboratory testing.
It appears that PassKeys will be resistant to both AI- and QC-enhanced hacking attacks described herein because PassKeys don't use passwords. However, older PassKey-adapted account systems with passwords lurking as backdoors on the servers will remain just as vulnerable.
In the meantime, do your best, protect yourself,
"…and remember, Don't Get Caught!"
— The Scarlet Pimpernel
Updated January 16, 2024