Password Complexity

1. Task 1 Presentation

1. A. Rationale

Purpose:

        At the end of my presentation, the audience will understand what makes a password strong and why password complexity is no longer enough.

Audience:

        The appropriate audience is anybody using passwords to secure web, network, or other computer accounts.

Significance:

        For many years, users have been told repeatedly that complex passwords (those utilizing uppercase and lowercase letters, special characters, and numbers) are more secure than use using plain English words. These short, complex passwords are no  longer secure when considering the advancements in password cracking and hardware. In addition, they are not user friendly. As artist Randall Munroe (2011) put it, we've spent decades training people to use passwords that are difficult to remember and easy for computers to crack. The solution is longer, less complex passwords – the length makes them less vulnerable to cracking efforts and the lowered complexity makes them easier for people to remember them.

B. Presentation Plan

        These days the average person has a ton of information in the cloud. With the phone in my pocket I can check my email, catch up with friends on Facebook, pay my car insurance, find out the balance in my bank account and much more. And we use passwords to secure all of those accounts. Having a weak password is like leaving the front door of your house unlocked while you go to get groceries. Strong passwords are essential in this day and age and what constitutes strength is evolving. For many years, experts have relied on the idea of complex passwords – those utilizing a mix of upper and lowercase letters, numbers and special characters. Unfortunately, these have always been hard to remember and are increasingly susceptible to cracking. Research has shown that longer passwords are more secure, even if they are less complex (and thus easier to remember.)

        By the late 90s, nefarious folks were starting to use things like dictionary and brute-force attacks to help them crack passwords. In a dictionary attack, common words are placed into a database and encrypted in the ways that passwords normally are. Then the cracking software can compare the passwords that it is trying to crack to the list in the database. Brute force attacks systematically compare passwords to every permutation of letter, number and character in existence.  As seen in this image from Thomas Baekdal (2007) this served to drastically reduce the amount of time needed to crack many passwords.

[pic 1]

        [pic 2]

As a result of this, many web sites and companies began to enforce a minimum amount of complexity to passwords. An example would be something along the lines of this: at least six characters, one letter must be capitalized, must contain at least one number and one special character. These requirements have led to passwords that look like this: P@55w0rd.

        At the time, this fixed the problem of dictionary and brute force attacks. However, it created a whole new issue – these kinds of passwords are harder to remember. Did I use an at sign for the first “a” or the second? Which letter was capitalized?  Where was the zero? Combine this with companies that forced people to create new passwords three or four times a year and that may cause another issue. As stated by Komanduri, et al. (2011), it “may also lead users to write down their passwords more readily, or to become more averse to changine passwords because of the additional effort of memorizing the new ones” (pg. 1).

        Another problem is that technology it getting better all the time. CPUs are getting faster and video cards can now be used to do thing like calculate hashes. This is great for things like Bitcoin mining, but it also means that they can be used to calculate password hashes.  According to Goodin (2012) “A PC running a single AMD Radeon HD7970 GPU, for instance, can try on average an astounding 8.2 billion password combinations each second, depending on the algorithm used to scramble them. Only a decade ago, such speeds were possible only when using pricey supercomputers.”

        So what can be done? How do you keep yourself safe? Passphrases.

        A passphrase is made up of three, four, five or more random words. Instead of something like “P@55w0rd” you would use something like “mason roll wide fit” or “swan snook full hose.” The primary reason that passphrases are more secure than passwords is mathmatics. When a program is trying to brute-force crack a password, it must go through every possible combination of letters, numbers, and special characters. The longer your password, the more combinations that are available and the longer it would take for a brute-force attack to be successful. With four to five random words, it should take hundreds of years for a successful guess by a cracking program.