Why a strong password doesn't help as much as a unique one

Despite the green bar, this is a terrible password.

Despite the green bar, this is a terrible password.

You may snigger when you hear that a few months after the euphemistically named AdultFriendFinder was hacked, now Ashley Madison has had its turn. The site, which enthusiastically advertises its ability to connect people to have affairs, had its accounts compromised, according to security reporter Brian Krebs and confirmed by the company.

This site breach is the latest in a seemingly endless series of attacks against sites that have millions or tens of millions of user accounts, and in which that account information gets distributed widely. Crackers and white-hat hackers immediately start looking at the data, both to attack accounts and to warn users.

The conclusion that I draw from these breaches, and especially the recent LastPass account information compromise, is that we may be focusing too much on a strong password and not enough on unique passwords.

Now, I've been banging the drum of unique passwords for years, and regular readers may be tired of hearing me rant about it again. But because people still use the same password in many locations, and often one that's not strong to boot, it's worth explaining the rationale.

Strength through numbers

A strong password is one that can't be guessed from details about you: it's not a person's name in your family, the name of a pet, a past or current address in some form, or the like. It should also be highly resistant to brute force. You've probably seen in analyses of cracked sites that many people's passwords are "123456" or "password."

I spoke to a password and security researcher several months ago who noted that most of the sites that have detailed password requirements don't really improve the strength of a password, even when the red bar that shows a bad password switches to green--including Apple's own password-strength indicator. That's because those features only analyze whether or not you've got enough differentiation (or "entropy") in character choice--mixed case, numbers, and punctuation for instance. This increases the number of brute-force combinations that have to be tried, and thus are scored highly on the red-to-green quality bar.

But "Password1!" is very easy for a cracker to crack because they now walk down selective paths that are based on information derived from previous large-scale cracks. Their tools know that people will add the least amount of complexity and the simplest choice needed. Thus, they type "Password" (upper and lower case) plus the first number on the keyboard, plus the key-cap of that number. Green? Yes, if you look at the quality bar. But it's very red in actual fact.

As I've written about before, a set of a few words uncommonly found together and sufficiently long, like "Christmas penguin haircut" is many, many, many orders of magnitude harder to crack than "B@z00ka!!" or even "JWT74PV5JVaj". That's because even if the crackers know three words are involved, the number of iterations to find them is still enormously high if the combination isn't found in typical online texts--like webpages or books--in that language. (Don't pick "Call me Ishmael.")

A strong password resists cracking at sites that have taken at least basic measures to obscure them. But unique passwords let you ensure that one breach doesn't expose you everywhere.

Like a snowflake

A weak password protected strongly is as powerful as a strong password. A strong password that's revealed by an engineering or design fault is as weak as one chosen badly.

When you pick a strong password and use it in multiple places, you're relying that each site or service with which it's paired has a well-designed process to prevent interception on its side or in transit. And that it's chosen the right methods to take your password and store it as an encrypted output, known as a hash.

If you use the same strong password everywhere, any single breach in which it's revealed that a company didn't protect password entry or storage well exposes you at every other site. The way around this is to create strong, unique passwords you don't need to memorize with software like 1Password, LastPass, or several other password-management apps. One exposure therefore exposes, at worst, access to one site.

There are some staggeringly positive examples of sites mitigating password theft. LastPass had an account information breach, but assuming that their description and implementation of how they stored passwords is correct, there is nearly zero chance that passwords from its users will be recovered in bulk. A targeted individual, combined with the password hints that LastPass stored, might be cracked before they can change her or his password, but brute force against all passwords will fail.

I just worked with one outfit for which I do some programming to migrate from an older to newer encrypted-storage methodology, prompted by an update to one module they're using that allows for better methods. The old storage was fine, and the site has no personal or payment information. But if registered site visitors use the same password elsewhere, then we face the problem described above in the event of a breach. The upgrade makes it impossible for a cracker who uses brute force on one stored password to use the same results to match identical plain-text passwords in other accounts. (The system uses salting, a random value added to a password, on top of hashing. The salt prevents two identical passwords from producing the same stored result.)

I know it sounds awful and dangerous to have unique passwords that you aren't memorizing. But it's more dangerous to have one strong one. I use 1Password, and I store my database of password in Dropbox. 1Password always leaves the database encrypted, and decrypts in its client software using the same technique employed by LastPass in its clients and on its server that create so much "work" (computational burden) that someone acquiring my password cache would take years or decades of dedicated work to crack.

The only strong password I need to memorize is the one that secures my 1Password data, and which is never typed in at any online site or used elsewhere. While it sounds counter-intuitive, cracking passwords simply relies on the weakest link in a chain. A strong chain link doesn't prevent a weak one from snapping.

Join the CSO newsletter!

Error: Please check your email address.

Tags LastPasssecuritypasswords

More about AppleDropbox

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Glenn Fleishman

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts