Passphrase 101

November 4, 2015

[Update: Last week a website apparently lost 13 million user passwords, all stored in plain text. A question for every law enforcement-friendly website (forums, online stores, etc.): how well do you protect and store your users’ passwords?]

Today we’re going to take a closer look at email account takeovers and how they’re occurring.

When we hear about the CIA chief having his home email compromised, you can assume that you too are susceptible. Certainly I’m not familiar with this particular investigation, but email account takeovers have a particular weak point that we’re going to discuss.

Your password alone almost certainly isn’t enough.

In fact, from now on, we’re not going to use the term password any more. From now on, we’re going to use “passphrase.” While passwords were decent 5 – 10 years ago, we need to start making them much, much longer. In Kevin Mitnick’s book The Art of Deception, he tells the story of a hacker who in one case used passphrases that were routinely 100 characters long.

So how do we make good passphrases?

First pick a phrase. I will use “getlost” as an example since I used to be a motor cop (something I heard once or twice). Now, let’s plug that into howsecureismypassword.net and we can get an idea of how good that is or isn’t. Keep in mind a good passphrase will be a minimum of 8 characters. “Getlost” is only seven. As such, it takes a whopping 2 seconds to crack this passphrase.

Now let’s make it a touch longer. We’re now going to test “gogetlost.”

As you can see, just like that our passphrase jumped from 2 seconds to 22 minutes (1,320 seconds). That’s a huge improvement for not a lot of work.

Why?

Because math. When we get over 8 characters, guessing passwords gets immensely more difficult.

Next, we add in some capital letters. “GoGetLOST”

And just like that we took another leap from 1,320 seconds to 691,200 seconds. Again, a huge jump in complexity.

But we can do better.

Add in numbers and we get this passphrase: “GoG3tL0ST”

Just like that we made our password so difficult it would take about a month to crack it. So, let’s take it a step further! We’re going to add in special characters now: GoG3tL0$+

And just like that, a simple passphrase that took two seconds to rip through now takes almost a year to guess.

The Exceptions …

Now this is all fine and dandy except you’ll sabotage yourself if you do a few things:

  • Including parts in your password that are easy to guess about you, such as
    • Kids’ names
    • Badge numbers
    • Spouse’s badge number
    • Important years/dates
  • Accidentally divulging your password
  • Your password being stolen in a data breach
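
To show the “because math” behind the progression above, and the “easy to guess about you” rule from the list, here is a small added example (my own code, not from the article or from howsecureismypassword.net). It estimates the search space for each of the article’s passphrases at an assumed one billion guesses per second, and checks a passphrase against a constructed list of personal facts:

```python
import math
import string

# Character classes in the order the article adds them: lowercase, capitals, digits, symbols.
CLASSES = [
    set(string.ascii_lowercase),
    set(string.ascii_uppercase),
    set(string.digits),
    set(string.punctuation),
]

# Assumed offline guessing rate for the estimate. The article's numbers come from a web
# tool with its own model, so these seconds will not match it; only the pattern of growth will.
GUESSES_PER_SECOND = 1e9


def charset_size(passphrase: str) -> int:
    """Alphabet an attacker must search: the union of every class that appears."""
    return sum(len(cls) for cls in CLASSES if any(ch in cls for ch in passphrase))


def keyspace(passphrase: str) -> int:
    """Number of candidates of the same length drawn from that alphabet."""
    return charset_size(passphrase) ** len(passphrase)


def entropy_bits(passphrase: str) -> float:
    return len(passphrase) * math.log2(charset_size(passphrase))


def crack_seconds(passphrase: str, rate: float = GUESSES_PER_SECOND) -> float:
    """Expected time to hit the passphrase: half the keyspace at the given rate."""
    return keyspace(passphrase) / 2 / rate


def guessable_fragments(passphrase: str, personal_facts: list[str]) -> list[str]:
    """Personal facts (names, badge numbers, years) embedded in the passphrase.
    Case-insensitive substring match: the article's 'easy to guess about you' rule, nothing smarter."""
    lowered = passphrase.lower()
    return [fact for fact in personal_facts if fact.lower() in lowered]


def progression(phrases, rate=GUESSES_PER_SECOND):
    """(phrase, alphabet size, bits, seconds) per step, showing how each change grows the search."""
    return [(p, charset_size(p), round(entropy_bits(p), 1), crack_seconds(p, rate)) for p in phrases]


if __name__ == "__main__":
    steps = ["getlost", "gogetlost", "GoGetLOST", "GoG3tL0ST", "GoG3tL0$+"]
    for phrase, alphabet, bits, secs in progression(steps):
        print(f"{phrase:<12} alphabet={alphabet:<3} {bits:5.1f} bits  ~{secs / 86400:12.1f} days")
    # Constructed personal facts, the kind the article says to keep out of a passphrase.
    print(guessable_fragments("Emma1987!", ["Emma", "4521", "1987"]))  # ['Emma', '1987']
```

Each step in the article’s sequence multiplies the search space either by lengthening the phrase or by widening the alphabet; the personal-fact check is the cheap test to run before settling on a phrase.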

The last two points definitely are worth some extra explanation.

Phishing sites are all about creating what looks like a safe website in order for you to accidentally hand over your password. Because remember, I don’t need your credit card number or bank account details – all I need is your email password and in most cases I own the keys to the kingdom.

This screenshot from a website that looks like chase.com is actually a part of the domain rok78xx.com.

It also has Facebook for some reason. Why? It’s a fake website that’s going to steal your password. The moment you enter your password here, it is no good. Start over on a new passphrase!

Second, a lot of people reuse passwords across multiple websites. That’s just asking for trouble. There are certain websites that routinely post the compromised passwords and associated email addresses/usernames. If you use the same email and password for your banking as you do at your online poker website, guess what? When that little poker website gets compromised and your password with it, it’s now getting posted online and the whole world can try your email and password at every single website they choose.

The perfect example of that this week is the Ashley Madison password list.

After the Ashley Madison breach a few months back, the internet has been nice enough to start cracking the passwords and posting them online.

This obviously raises some HUGE concerns for all of those government/military/law enforcement/defense contractor email accounts that were used to sign up on the site. This now means that if they used the same password for their work accounts as they did their AshMad accounts, those passwords are completely compromised.

Which is why we need to change our passwords religiously!

Conclusion

In summary, here’s what we (you) need to do:

  • Use complex passphrases
  • Use passphrases without easily guessed info
  • Change them often
  • Make sure we’re entering them at the right websites

Stay safe!
