Why good passwords go bad....


I have an ongoing love-hate relationship with passwords and security. I love the process of creating new and interesting passwords, but I worry that it may not be enough in the end. It is something of a cat-and-mouse game: keeping up with what counts as a good password that is still easy enough to remember, while trying to stay ahead of the people and technology trying to crack those passwords.
Ars Technica has a series of articles on its site about password cracking. They started off with an article on how easy it is to become a password cracker with a few tools and a moderately fast computer. In a new article they turn the password cracking over to the pros and let them show just how easy it is to crack a password. The pros started with a list of 16,000 hashed passwords, and within an hour they had cracked about 82% of them. Some of these passwords would normally be considered good: they are long and have the requisite mix of upper-case letters, numbers and symbols, yet they fell to the crackers in less than an hour. What gives? These were some pretty meaty passwords, including "k1araj0hns0n", "Qbesancon321" and "qeadzcwrsfxv1331", all of which would normally be thought of as good and safe.
It turns out that using leet (l33t) substitutions for every word in a password like "k1araj0hns0n" is bad, because that is one of the techniques password crackers count on. Most successful crackers use dictionaries of special words that they have assembled over the years, and those word lists may already contain leet-ed words, so a name with some of its letters changed to numbers will fall easily if the name is common enough. If you do use leet, use it sparingly, on just a few letters in the password.
The second thing password crackers look for is patterns. A password like "qeadzcwrsfxv1331" would fall pretty quickly because it is a regular physical pattern on a qwerty keyboard followed by a group of numbers. It looks complex, but would be broken as fast as a 4-letter password.
The one that bothers me the most is "Qbesancon321". I would have thought this was a good password, but because of the capital letter at the beginning and the numbers at the end, it falls into a common pattern that people use all the time, and is therefore something the password crackers try first.
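As an added example (not code from the Ars article or this post), the three weaknesses above turned into checks a password-policy auditor could run before accepting a password; the word list, the leet table and the "within two keys" walk threshold are constructed assumptions, and a real audit would load a full cracking dictionary:

```python
import re

# Constructed toy word list; a real audit would load a large cracking dictionary.
WORDLIST = {"klara", "johnson", "besancon", "summer", "password"}

# Common leet substitutions; real rule sets try several mappings per digit (1 -> l or i).
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})

# QWERTY letter coordinates (row, column) for keyboard-walk detection.
ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"]
COORD = {c: (r, i) for r, row in enumerate(ROWS) for i, c in enumerate(row)}


def dictionary_coverage(pw):
    """Fraction of the core (trailing digits/symbols stripped) covered by word-list entries once leet is undone."""
    core = re.sub(r"[\d\W_]+$", "", pw).lower().translate(LEET)
    if not core:
        return 0.0
    hits = [w for w in WORDLIST if w in core]
    return min(1.0, sum(len(w) for w in hits) / len(core))


def keyboard_walk(pw, min_len=6):
    """True when every letter is at most two rows/columns from the previous one, like "qeadzcwrsfxv"."""
    keys = [COORD[c] for c in pw.lower() if c in COORD]
    if len(keys) < min_len:
        return False
    return all(max(abs(r1 - r2), abs(c1 - c2)) <= 2
               for (r1, c1), (r2, c2) in zip(keys, keys[1:]))


def common_shape(pw):
    """Capital letter, lowercase word, digits at the end: the shape crackers try first."""
    return re.fullmatch(r"[A-Z][a-z]+\d+\W*", pw) is not None


def audit(pw):
    """Return the weaknesses described in the post that apply to this password."""
    flags = []
    if dictionary_coverage(pw) >= 0.6:          # assumed threshold for "mostly dictionary"
        flags.append("dictionary word (after undoing leet)")
    if keyboard_walk(pw):
        flags.append("keyboard walk")
    if common_shape(pw):
        flags.append("Capital+word+digits shape")
    return flags
```

A real word list would also match the words in a random passphrase; the advice to use four or five random words works because the number of word combinations is too large to enumerate, not because the words are unknown.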
The takeaway from the article is to follow the sage advice: use 4 to 5 truly random words for your passwords, have a different password for EVERYTHING, and use a password manager to keep track of them. Enough said.