Everything you need to know about password strengh

Principles

We are currently living in the digital age, where many of us still don’t care about the 3 basic pillars of information security: Confidentiality, Integrity and Accessibility. In this article, we will cover the first one, confidentiality, the main form of protection of confidentiality being our passwords. Defining a password creation and maintenance process is essential for us to protect our personal and professional information within a growing scenario of cyber attacks involving data breaches from large corporations.

Threats

Within a wide horizon of attack surfaces, one of the most fragile and attacked is your password.
A very widespread method of cracking passwords is the brute-force attack method, which consists of using dictionaries of combinations of words, numbers and other characters, for massive and successive attempts at authentication based on trial and error. When an authentication is valid, the process stops and displays the user’s correct password.

These attacks are classified in 2 types:

Online Brute Force Attack, in which the service is attacked directly, as a user trying to authenticate;
Offline Brute Force Attack, through which the attacker already has a copy of the target service database (or password hash) that allows him to carry out the attack without any alerts for the user or the service provider.

Such dictionaries (or wordlists) used are generated through specific tools which human words can be compiled in a specific language or created infinite combinations of letters, numbers and special characters in order to create a list of possible passwords that will be used by tools of brute force attack. As a result, these dictionaries are often very large plain text files, usually starting in tons of GB to more. Mostly, passwords like god, love with numbers at the end are the easiest to guess and are often at the beginning of this type of wordlist.

Password criteria

Unfortunately, many users use password generation criteria of 15 years ago, when cryptographic keys and processing power did not allow breaking a password via brute force in a humanly timely manner. This scenario has changed and it can now be quick to crack an 8 character password. Nowadays, we need to keep in mind that cryptographic keys have evolved, as well as computational power, and we must follow this trend so that our data remains protected.
Currently, we have the following difficulties:

- Difficulty remembering the password;
- Difficulty typing it;
- Difficulty breaking it;

We will now go into technical details about the strength of a password, if you do not wish to dive deeper technically, skip the next section.

Entropy

Password entropy is a measure of the unpredictability (or strength) of a password. It is calculated based on the character set used, and it is possible to expand this set using lowercase, uppercase letters, numbers and special characters, as well as the length of the password. A password entropy is usually represented in terms of bits. A password already discovered has entropy 0, while a password that can be discovered on the first attempt usually has entropy 1. The entropy calculation of a password is done based on the entropy for each character used, calculated by the base logarithm 2 of the characters map, numbers and symbols of the set multiplied by the length of the password.

We currently have the following password length standards and their bit complexity level:

Password Entropy Reference .: https://en.wikipedia.org/wiki/Password_strength

In this table, we will focus on the Alpha-Numeric column, inside Case Sensitive (since passwords are usually differentiated between upper and lower case characters). In this column, note that passwords below 11 characters are considered extremely weak and vulnerable since the nowadays computational power that military forces and intel agencies already has, it allows breaking passwords below 128 bits relatively fast. Therefore, we have to focus on at least 3 levels of password complexity:

128 bit encryption: 22 characters (Minimally satisfactory, but will fall out of use in the coming years due to its fragility, since the coming of quantum computing)
256 bit: 43 characters (Good for medium-term use)
512 bit — 86 characters (very good)

I agree, it is not trivial to generate and memorize such long passwords, but I will expose some techniques and tools that can assist you in this process.

To begin, we have to devise a new concept of password. Some time ago, in English, the term password (pass word) was used, literally translated into Portuguese “access word”. Today, international literature has left that term aside and passphrase is used, literally being a pass phrase. This is an important concept so that we can create stronger and harder to crack passwords.

Leetspeak

It is the technique of representing letters through numbers, generally used to satisfy minimum security criteria in a given service. As an example it is quite common to exchange the letter A for 4, E for 3, O for 0 and so on. It is a good technique but use with caution, often the misuse of leetspeak decreases the entropy of a password. I recommend using password entropy calculators or attack estimation tools to measure the strength of a password, I leave some links below:

https://apps.cygnius.net/passtest/
http://rumkin.com/tools/password/passchk.php
https://www.grc.com/haystack.htm

I will use the first one link to demonstrate the strength of different types of passwords. You can try it for yourself. Always check the “crack time (seconds)”, “crack time (display)” information to see how weak the password is.

Anti-rules: What not to do when creating a password

Rule # 1: Never register passwords that are composed in whole or in part by any of your public information.

This also applies to data of close people such as dates, document numbers, telephone numbers, etc. A person does not even need to have technical knowledge to discover his password. Never relate any part of your password with your login.

Rule # 2: Do not use word patterns beginning with capitals and numbers at the end. Example: Love123

It is a standard widely used among users and widely applied in password cracking methods. Note that the estimated time to discover this type of password is instantaneous.

Rule # 3: Do not use increasing or decreasing sequences of numbers or keyboard patterns.

Ref: https://wpengine.com/unmasked/

With respect to the positions of the character keys, the closer they are, the greater the predictability of the password, and less entropy. That is, the faster you enter the password, the lower the entropy.

When testing the effectiveness of this type of combination, we see that it is a popular and predicted pattern. Here are some tests:

Rule # 4: Avoid placing special characters (symbols) only at the end. Example school123!@#

Spread out the special characters in the middle of your sentence, which should be as random as possible, containing lowercase letters, uppercase letters and numbers and special characters.

Rule # 5: Minimize or avoid using Leetspeak (mentioned above)

The use of this technique may be harder to memorize than to assist in the strength of the password, especially when it is below 22 characters. In that case, prefer long sentences that will be easier to memorize and have the same strength.

Rule # 6: Absence of multi-factor authentication. Whenever possible enable 2-factor authentication (2FA) on the sites you have accounts.

Although there are flaws in mobile network protocols (outside the scope of this article), enabling 2-factor authentication prevents unauthorized access to kiddie scripts or ill-prepared people. No system is 100% secure, so the goal is to make access to your information access as difficult as possible.

PS: Note that this password validator is for a specific application, and treats a password shorter than 16 characters as a problem. Ignore this alert and always use the maximum allowed in the registrations.

Rule # 7: Never save your password in browser

Malicious extensions can capture passwords saved in browser and compromise your accounts. Third-party plugins have become an exponent vector of attacks against end users.

Rule # 8: Never use the same password on different sites.

Commonly, the crossing of leaked credentials from one site is tested on other sites with the same email or login. You can check if your account data has leaked on the website https://haveibeenpwned.com, where the query is made by email. If there are any leaks in your email, change your password immediately.

Password generators (Offline / Online)

There are countless password generation tools on the internet, which you can configure the character map to be used, thus generating a random (and possibly strong) password with which you can use it more safely.
These tools can be used by the browser or even have offline versions that you can install and use on your computer or cell phone.

https://passwordsgenerator.net
https://www.lastpass.com/password-generator
https://www.dashlane.com/features/password-generator

The tools listed above are reasonable options: You can select the maximum randomness of the character set by generating a sentence with strong entropy. I recommend enabling the use of uppercase, lowercase letters, numbers, special symbols and everything that is allowed with at least 42 characters. Remember that the links above do not store the generated passwords, you will need a password management tool to be able to access them again.

Password managers

Good password managers usually come with parameterizable password generators (reinforcing the parameter recommendations above), but they have the ability to store all your passwords in a database. This database is encrypted and protected by a master password (and sometimes also allowing the use of additional cryptographic keys).

Classic password managers include the different versions of Keepass (Keepass, KeepassX, KeepassXC, etc.) that have versions for download on various platforms, including mobile versions to facilitate their use on different devices.

In addition to these offline managers, there are also password safe services in the cloud, such as LastPass, TeamPass and PasswordSecurity.

However, the Master Password application is noteworthy for its password generation method. It does not store any data locally or in the cloud, it simply generates (always the same) password based on the hash of the website along with the hash of your master password. The result is always unique and you must remember how you placed the website address when generating it. Always use a default without https: // and without www. The results of this utility are usually passwords good enough to use and acceptable on most sites without having to truncate the password.

https://masterpassword.app

Rules: What to do to generate a more secure password.

Rule # 1: Base Phrase — You can (and should) use a base phrase, extracted from books, poetry, music, movies, etc.

I am Your Father, Luke

Rule # 2: Quotes — Cite the author or character of the base sentence. You can use acronyms too.

DV: “I am Your Father, Luke”

Rule # 3: Ending sentences with a capital letter increases the complexity (entropy) of the password:

Rule # 4: Padding — Add numbers at the end of your sentence until you fill in the registration field. Be careful not to discover a flaw in the service you are registering with :-D

DV: “IamYourFather, Luke” 000000000000

Rule # 5 — If you don’t speak English, use your source language

There are more English password dictionaries on the Internet than in other languages.

Rule # 6 — Ease / speed of typing

When creating a new password, keep in mind that it must be easy to type on a regular keyboard from notebooks and smaller devices such as cell phones and tablets. Passwords that are difficult to type can be a deterrent for you to adopt secure methodologies for using in your passwords or even for other people to memorize your password when you type it.

Rule # 7 — Access notifications

Additionally, activate all access notifications to your account. When you have information about attacks and thefts / data leaks or any notification of access or attempt to your account, change your password.
According to Microsoft’s data , 99.9% of people are hacked for not having this active service, as you can check here.
https://www.windowscentral.com/microsoft-999-people-get-hacked-one-ridiculous-reason

Rule # 8 — Use a Password Safe / Manager

Organize your passwords in the aforementioned password vaults, protecting the password database with the highest level of complexity (you can combine several passwords into one) that you can get for a master password, along with a private key for the safe.

Rule # 9 — Create passwords with different levels of security.

Divide and manage your passwords in layers, for example:
1. Most basic passwords for social networks, emails with low confidentiality, etc.
2. Medium complexity passwords related to work, systems, corporate emails, etc;
3. Complex passwords: Bank, financial, confidential information, master passwords, etc;

Use the following list to define the entropies of your different levels of entropy:

<28 bits = very weak; can alienate family members
28–35 bits = Weak; should keep most people out, generally good for desktop login passwords
36–59 bits = Reasonable; very secure passwords for network and company passwords
60–127 bits = Strong; can be good at protecting financial information
128+ bits = Very strong; often exaggerate

Always remember that the more critical / sensitive the information to be kept confidential, the greater the complexity of the password. You can follow the layer-based recommendation as I exemplified or you can create your own methodology, how to compose a passphrase with 3 different passwords, alternating their order according to the site / service, separating them with symbols and so on.

Conclusion

We were able to see our passwords’ weakness and how easy and fast it can be broke. The black hat community (crackers, who use their knowledge for malicious and criminal purposes) increases significantly each year, as they updates their technical skills and equipment with greater processing power.
I have been working with information technology for 20 years, since then following the evolution of defensive and offensive cybersecurity, feeling the need to expose this information through this article (which I consider a manifesto), I really hope to help people having safer identities in a digital universe that becomes more integrated and vulnerable each day.

Software Architect, Security Researcher and Pentester