The Myth of the Unbreakable Password

Complete books have been written about the topic of security and the correct way to create passwords. Each expert claims that if you only adhere to the conventions that he or she sets forth, your computer will be safe. Let me say up front that the unbreakable password is a myth. Yes, you need to come up with something a lot better than “Secret” or your birthday, but be assured that any password you use is breakable. In fact, in the real world, what you’re striving to do is create a password that takes longer to break—realizing that anyone who really wants access to your system will gain it. Computer hardware has become so powerful that seemingly unbreakable cryptography is quite vulnerable today.

Many security experts want you to use completely undecipherable passwords such as @f*/L12-X]. If you can’t come up with a good password of your own, PCTools actually provides a generator to create one for you. If you’re unsure about the safety of your password, you can have it checked to determine how long it would take to crack. (Unfortunately, the number you get isn’t completely realistic because password-cracking software improves all the time, as does the hardware it runs on.) Of course, it would be absolutely impossible to remember such a password, so anyone having such a password is going to write it down. All someone has to do is pose as a janitor and pick up all the yellow stickies that have the password printed on them (or write them down as they pass through to avoid suspicion). For that matter, social engineering attacks can often yield passwords through a phone call in a few minutes.

Because truly secure passwords are the stuff of science fiction, other experts have come up with the passphrase. A passphrase such as “My yellow car is gr8!” theoretically has a long crack time and is easy to remember. Unfortunately, recent advances in cracking technology seem to make passphrases a bad bet too. It seems that the crackers now use grammar as part of their strategy to figure out your password. They use applications to figure out the most common words that would follow one another in a sequence of words.

The advice today is to use unrelated words separated by special characters—something I have advocated in any book I write that contains information about security. A password like “Elephant*Green?H3llo” is infinitely easier to remember than @f*/L12-X], but still quite secure. Even so, if someone is determined, they can combine a dictionary attack with some brute force techniques and discover your password in a reasonable amount of time—assuming you don’t simply give it to them as part of a social engineering attack.
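As an added illustration (not code from the original post), the following Python estimates how many guesses the three passwords above require under two attacker models: the naive character brute force that a typical “how long to crack” checker reports, and a dictionary attack that joins list words with separator characters. The guess rate, dictionary size, variant counts and the grammar-guided list size are constructed assumptions.

```python
import re
import string

# Constructed attacker models for illustration only; the rates and
# dictionary sizes below are assumptions, not figures from the post.
GUESSES_PER_SECOND = 10**10  # assumed offline rate against a fast hash
SECONDS_PER_YEAR = 31_557_600

def charset_size(pw: str) -> int:
    """Size of the character pool a brute-forcer must cover for pw."""
    pools = [string.ascii_lowercase, string.ascii_uppercase,
             string.digits, string.punctuation, " "]
    return sum(len(p) for p in pools if any(ch in p for ch in pw))

def brute_force_guesses(pw: str) -> int:
    """Naive model (what a typical crack-time checker reports):
    every string of pw's length over pw's character pool."""
    return charset_size(pw) ** len(pw)

def wordlist_guesses(pw: str, words_per_slot: int = 50_000,
                     variants_per_word: int = 8, separators: int = 33) -> int:
    """Dictionary model: the attacker joins list words (each with a few
    case/leet variants) using single separator characters.  A smaller
    words_per_slot models the grammar-guided attack the post describes,
    where each later word is predicted from the words before it."""
    tokens = re.findall(r"[A-Za-z0-9]+", pw)          # word-like runs
    seps = len(pw) - sum(len(t) for t in tokens)       # separator positions
    return (words_per_slot * variants_per_word) ** len(tokens) * separators ** seps

def years_to_crack(guesses: int) -> float:
    """Time to search the whole space at the assumed guess rate."""
    return guesses / GUESSES_PER_SECOND / SECONDS_PER_YEAR

def best_attack_years(pw: str, **model) -> float:
    """An attacker runs whichever model is cheaper for this password."""
    return years_to_crack(min(brute_force_guesses(pw), wordlist_guesses(pw, **model)))

if __name__ == "__main__":
    for pw in ["@f*/L12-X]", "My yellow car is gr8!", "Elephant*Green?H3llo"]:
        print(f"{pw!r:24} brute-force {years_to_crack(brute_force_guesses(pw)):.3g} yr, "
              f"dictionary {years_to_crack(wordlist_guesses(pw)):.3g} yr, "
              f"best attack {best_attack_years(pw):.3g} yr")
    # Sentence-like passphrase against a grammar-guided list: assume only
    # 500 plausible words per slot once the attacker predicts word order.
    phrase = "My yellow car is gr8!"
    print("grammar-guided passphrase:",
          f"{years_to_crack(wordlist_guesses(phrase, words_per_slot=500)):.3g} yr")
```

Under these assumptions the random string and the unrelated-words password come out within a factor of two of each other under their cheapest attack, while the checker-style brute-force figure for the passphrase overstates its strength by many orders of magnitude once a dictionary or grammar-guided list is used.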

There are technologies that promise to make it harder for crackers to gain entry to a system, but they’re usually complicated. For example, you can add a retina (iris) scanner or thumbprint reader to improve security, but that means an additional purchase, specialized software, training, and other costly changes to your setup. Security cards are another option, but again, you have additional costs to consider and the use of a security card is open to social engineering attacks (unlike a person’s thumb or retina, which are firmly attached). Most organizations still rely on passwords or passphrases in the interest of saving money, so creating usable, easily remembered passwords that truly are safe should be the focus of administrators whenever possible.

One new method of securing systems does appear in Windows 8. In this case, the system displays a picture when you start it up and you use gestures to circle or otherwise identify pictorial elements in place of typing a password. There are some experts who are already saying the feature is easily cracked. It seems as if the technique would be unwieldy with a mouse, and it has already been said that most people aren’t buying touch screens to use with Windows 8 (see my Some Interesting Windows 8 Information post for details), so this security feature may be a non-starter for most organizations.

Passwords and passphrases won’t likely go away soon, so the best approach for most users and administrators is to create a system where passwords are complex, easily remembered (and therefore, not written down), and changed relatively often. The combination of these three elements should make your PC safer from crackers. However, the best security is vigilance. Check your system for intrusion often. Rest assured, someone who really wants to get in will do so and without too much effort. Let me know your thoughts about passwords at [email protected].