It is generally accepted that a strong password is better than a weak password, where strength is a function of password length, complexity, and unpredictability. A well educated user should be able to easily create secure passwords. To try to ensure users select suitably strong passwords many ICT systems force users to create passwords with a minimum length. They often also try to ensure a level of complexity by requiring users to include capital letters, numbers and symbols.
However, most people have numerous of passwords to remember for home and work, so it shouldn’t be a surprise to learn that many people re-use passwords or write them down. And when users are forced to regularly change passwords, a significant number make minimal changes – Passw0rd01 to Passw0rd02 for example.
The National Cyber Security Centre has published useful guidance on ‘Helping end users to manage their passwords’
According to the NCSC guidance, studies of user-generated password schemes have shown that they encourage insecure behaviours such as those described above. This means that systems with user-generated passwords will normally contain a large number of weak passwords that will quickly fall to an automated guessing attack.
What do users need to know?
To understand why passwords like Passw0rd! are not secure; users need to understand common attack techniques and tools. Most of the common password cracking tools can perform a number of different types of attack:
- Dictionary – using a list of common passwords
- Hybrid dictionary / word mangling – taking a dictionary of common passwords and making small changes such as changing uppercase and lowercase characters, adding numbers at the end or slightly misspelling words
- Brute force – use all possible combinations of characters
Passw0rd! is fairly common, so could well be in the attacker’s dictionary, but even if it is not, it is highly likely to be cracked using the hybrid attack.
Users should also be aware that password length is a significant factor in the time needed to crack a password when using a brute force attack. Where possible, users should be encouraged to use a passphrase as it is unlikely to be vulnerable to a dictionary or hybrid dictionary attack and would take a considerable amount of time to crack using brute force. Best of all, a passphrase is easier to remember that 21 random characters.