
Your Password Mutation Formula is Not Enough

It’s hard to come by an online service that does not use some form of username/password authentication. It’s an unfortunate way of verifying access, but one that is difficult to replace because it has been implemented so widely across all our systems. Fortunately, we’re seeing the rise of Multi-Factor Authentication and of password security awareness, but habits are hard to break.

Bad News

A survey of over 3,000 Americans from Google in conjunction with Harris Poll found that more than 75% of respondents struggle or are frustrated with passwords. 25% of respondents admitted to using some of the most commonly found passwords (“123456”, “password”, “admin”). 27% have attempted to guess someone else’s password, and 17% succeeded!

Jean-Paul Delahaye in Scientific American reports that a 6 character password consisting of only lower case characters can form up to 308,915,776 unique passwords. A 12 character password consisting of upper case, lower case, special characters, and numbers can form up to 72^12 (approx. 19 × 10^21) unique passwords, 62 trillion times greater than the 6 character password.

Yubico reports that 42% of organisations rely on post-it notes to store passwords.

Microsoft found that 44 million users had reused the same password across accounts.

How Attackers Obtain Passwords

There are various methods by which threat actors can obtain access to accounts: breaching an authentication server, capturing unencrypted passwords in flight to a server, or brute force. For the sake of simplicity, and to focus on the topic of passwords, let’s look at brute force.

Brute-force methodology encompasses various levels of guidance in attempting to correctly guess a user’s credentials. A threat actor can be completely unguided and guess likely usernames and passwords through trial and error. Brute force is, generally speaking, the most straightforward and common method among threat actors.

Levels of guidance increase with the use of known usernames. Generally speaking, email addresses are used to identify people and are not completely hidden either. It’s possible to locate lists of usernames from breached authentication servers: millions of valid accounts along with their hashed passwords. Through credential stuffing, a threat actor takes one or many of these usernames and attempts to log in using relatively randomised but plausible passwords.

A threat actor can further increase their guidance through the use of dictionaries. These are files that contain millions of known passwords as well as some likely passwords, much like the examples you see online: “123456”, “Welcome”, “Password1”, “London”. Does your password fall into these lists?

Various tools take these dictionaries one step further by applying mutations. These mutations are the known ways people try to add a bit of extra spice to their password: capitalising the first letter, adding an exclamation mark at the end, using inverse capitalisation, leet-speak. If “London” exists in a dictionary, then a cracker will attempt “l0nd0n!” too.

Have I Been Pwned?

You can quickly check now if your email address, phone number, or even password is among 11,420,802,014 publicly known breached accounts.

Troy Hunt operates a website that collects breached accounts either found online or submitted to him directly. He has elegantly engineered a tool to instantly check whether the usernames or passwords you frequently use have been breached.

Making a Great Password

When making a password, there are 2 crucial things we need to maximise. We must ensure the search space per character is as high as possible, by which I mean lower case, upper case, numbers, and special characters: the password needs to be as complex as possible. We also need to make the password as long as possible.

As Edward Snowden has said, it’s important to shift your focus away from pass-words and instead towards pass-phrases. Let’s put together a phrase of relatively randomly selected words.

deskCarries$500laptop's, carMoves120km/h, groundDirty>1Bgrass.

Here are 3 long passwords that contain keys from every part of the keyboard. They are all incredibly easy to remember: desks carry $500 laptops, cars move at 120km/h, the ground is dirty with over 1 billion blades of grass.

I would argue that pass-phrases are easier to create, easier to remember, and stronger than remembering a pass-word that accounts for all our requirements.

bU1ld^ngs!, for “buildings”. Is that easy to remember, though? It’s certainly not as long as the other examples.

An ideal password would be something truly random: no words, lengthy, and with a large search space. 9u*0Avp%khoikY&@Xm is awesome but should only be used once. To ensure each password is unique, we must now store them in a Password Manager.

Password Managers

Ideally, we’d want 100% of our passwords to be completely randomised and distinct from each other. To spare us memorising them all, we can store them in a highly secured and encrypted vault, represented as a meaningless blob of human-unreadable data.

The only secure password is the one you can’t remember.

Troy Hunt – 21 March 2011

Scenario – Database Breach

Let’s say, for example, that you have no password manager and that one of the services you use has just suffered a breach. It turns out they were storing your password as plain text, and your password was publicly released. Now threat actors around the world know your password is Sydn3y#, and your username is [email protected].

With no password manager, how could you be expected to remember different passwords for each of your services? Looks like you’re one of the 44 million Microsoft users that have used the same password twice.

Given enough time, someone is bound to discover that they can log in to some other service using those same credentials. What if it was your email? You realise that when you request a password reset, services most frequently send an email to you? Could that mean that all of your other accounts are now breached, even if they have different passwords?

Now let’s say you were using a password manager, and that the breached service was using a unique password that had absolutely no relation to any of your other accounts.

Using the same password, or a variation of what is otherwise a common password, means you are trusting the weakest service provider to protect all of your accounts. Once one is breached, you must assume they are all breached.

Great Password Managers

I’ve seen quite a few applications go around. One of the most important things to know is that you should expect to pay for a password manager. While most support free plans, that is usually just to give you a taste of what could be possible.

Lastpass is what I have been using for the past 3 years. I have greatly appreciated the convenience and security provided from the service and would highly recommend it.

They have a free tier which features most of the cool bits and pieces, but for only one device, i.e. no cloud sync. Pricing starts at AUD$4.50/month. I bet you spend more at McDonalds.

I’ve seen 1Password recommended quite a few times, including by Troy Hunt. They have a fantastic iOS keyboard integration and proudly boast their running record of not once having had a security breach.

They also have a free tier, but also have plans that start at US$2.99/month.

KeePass is an excellent solution for those who would either prefer not to store their passwords on the internet, or would like a free solution. I’ve used KeePass countless times and know security professionals who place faith in its system.

The KeePass database format is supported by hundreds of different clients, and the database file can be safely stored on a cloud storage service like Google Drive or OneDrive.

Common Arguments Against Password Managers

I Can’t Be Bothered

I realise that there is some element of work required, but it really isn’t all that difficult. I’d argue that trying to recall your passwords without a password manager is more work in itself.

There is no expectation for you to methodically go through each of your accounts, and enter the credentials one-by-one into your password manager.

From my experience, I found that saving the credentials to each account as you log in is easiest. Hey, while you’re there, you might as well change the password to something randomised before continuing with your usual work.

I’m Not Important Enough

Sure, I don’t feel like I’m very important either, but not all malicious entities are strictly spear-phishing or attacking specific targets. These are usually broad attempts to get away with whatever credentials they can. If you’ve published your email address somewhere, either voluntarily or involuntarily, you’re on some list of targets at least worth attempting to breach.

I get that the value of your Reddit account might not be so fantastic, but if they’ve got your credentials, who knows where else they might also work…

I Have a Formula

Okay, so let’s think about this. Let’s say my password is RabbitHoles.

Let’s use leet-speak: R4bb1tH0l3s

Let’s integrate the name of the service we’re logging into within our password: R4bb1tREDDITH0l3s

Okay, that’s pretty good. It’s got the length and a bit of complexity. What else can we do? Let’s truncate to the first 4 characters of the service to switch things up: R4bb1tREDDH0l3s.

Cool, nice password, I’m serious. If you were going to use that once on some random service, that’s cool and all. Let’s start applying that to various other services, though.

Facebook: R4bb1tFACEH0l3s
YouTube: R4bb1tYOUTH0l3s
Google: R4bb1tGOOGH0l3s

Wait, what’s going on here? A pattern! Can you guess what the password would be for my online banking?

Leet-speak won’t save you either; everyone knows that 4 represents a, and 3 represents e. In fact, practically all password guessers use leet-speak as a common password mutation method when making brute-force attempts.

Your fancy formula is not enough, and once we know at least 2 of your passwords I reckon there’s a pretty good chance we’ll know the 3rd. I can assure you that there is no fancy obfuscation you can implement that is both secure and memorable.
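To make the mutation and formula problems concrete, here is an added example (not part of the original post) of the kind of check a password policy or a self-audit can run: it reverses the cheap mutations described earlier (case, a bolted-on suffix such as “!” or “1”, leet-speak) and strips an embedded service name or its four-letter truncation, then asks whether what remains is a dictionary word. The wordlist and service names are constructed stand-ins for the real multi-million-entry dictionaries.

```python
from __future__ import annotations
import re

# Constructed stand-in for the multi-million-entry dictionaries the post describes.
COMMON_WORDS = {"123456", "password", "admin", "welcome", "london", "rabbitholes", "sydney"}

# Assumed service names; a site running this check would at least include its own name.
SERVICE_NAMES = ("facebook", "youtube", "google", "reddit")

# Undo the leet substitutions the post names (4 -> a, 3 -> e) plus a few equally common ones.
UNLEET = str.maketrans({"4": "a", "3": "e", "1": "i", "0": "o", "5": "s", "7": "t", "@": "a", "$": "s"})
EDGE_JUNK = re.compile(r"^[^a-z]+|[^a-z]+$")  # leading/trailing digits or symbols


def candidates(password: str) -> list[str]:
    """Reverse the cheap mutations crackers try: case, a bolted-on prefix or suffix
    (Password1, l0nd0n!, Sydn3y#) and leet-speak. Both orders are tried so that a
    trailing '1' counts as junk while a leading '$' can still stand for 's'."""
    p = password.lower()
    first = (EDGE_JUNK.sub("", p) or p).translate(UNLEET)
    second = EDGE_JUNK.sub("", p.translate(UNLEET)) or p
    return list(dict.fromkeys((p, first, second)))  # de-duplicate, keep order


def strip_service(word: str) -> tuple[str, str | None]:
    """Remove an embedded service name or its four-letter truncation (R4bb1tREDDH0l3s)."""
    for name in SERVICE_NAMES:
        for token in (name, name[:4]):
            if token in word and word != token:
                return word.replace(token, "", 1), token
    return word, None


def weakness(password: str) -> str | None:
    """Explain why a password would fall to a dictionary-plus-rules attack, or None."""
    for base in candidates(password):
        if base in COMMON_WORDS:
            how = "is itself" if base == password.lower() else "is a cheap mutation of"
            return f"{how} dictionary entry '{base}'"
        stripped, token = strip_service(base)
        if token and stripped in COMMON_WORDS:
            return f"formula: service token '{token}' inside dictionary entry '{stripped}'"
    return None


if __name__ == "__main__":
    for pw in ("Password1", "l0nd0n!", "Sydn3y#", "R4bb1tFACEH0l3s", "9u*0Avp%khoikY&@Xm"):
        print(f"{pw:22} -> {weakness(pw) or 'no cheap mutation found'}")
```

The last password, the random one from earlier in the post, survives because there is no dictionary word underneath it to recover.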

You expect me to put all my passwords in one place?

It’s in the best interest of password manager providers to ensure their security is excellent; it is, specifically, their business model.

Most password managers strongly encrypt your secrets and store them as a blob of data. This way, even if a breach occurs, malicious entities will only have access to random-looking data and not your passwords. This blob of data can only be decrypted with your master password. If you forget your master password, you generally cannot recover the contents of the vault.

It is mathematically impossible to decrypt a well-designed vault without knowing its master password in the first place.

Password Managers have been breached

Of course they have, I don’t doubt it. Password managers are incredibly vocal when it comes to their breaches. LastPass has had various security incidents, though none of them actually revealed encrypted secrets. They have an article clearly outlining their methods of encrypting and protecting your secrets. From what I can tell, 1Password has never suffered a breach.

Cloud-based password managers are very enticing targets for attackers, though the protections that reputable providers take go above and beyond in affording the highest possible security for your passwords. If you are not comfortable with storing your passwords on the internet, KeePass is a widely used solution.

What if my Master Password is breached

This is where Multi-Factor Authentication (MFA) comes into play. There are 3 important components to validating identity:

  1. Something you know (Password)
  2. Something you have (One Time Password / Security Token)
  3. Something you are (Biometrics)

Gabe Newell had so much faith in Steam’s implementation of two-factor authentication (2FA) through Steam Guard that he released the credentials to his Steam account. Although threat actors now had his valid credentials, they could never get into his account because they don’t have something he has: his 2FA OTP.

I enable MFA for as many services as possible, with all my tokens securely stored within LastPass. For me to log in, I must enter the randomised and unique password stored in my vault as well as my security token, thereby satisfying the first and second points of our identity validation.

If you really want to push the security, you can use biometrics. Fingerprint scanners are ubiquitous, being installed in most modern laptops and mobile devices. Yubico, a popular security key vendor, is set to release a biometric-enabled security key alongside its already highly trusted FIPS-certified keys, which can be used to validate your identity to many password managers and other online services.
