Password Advice from a Professional Cracker

Jeremi Gosney is a professional password cracker. He is not a criminal who steals personal information; he is a "white-hat" hacker who is an expert at cracking passwords. Jeremi's password cracking skills are in high demand for many reasons. For instance, an information security team may send him a copy of their password hashes to test the effectiveness of their corporate password policy. They want him to identify the weak passwords before someone malicious does. Or perhaps someone in accounting created a password to protect a spreadsheet and then passed away. If other people need access to that spreadsheet, the company might hire Jeremi to crack the password and make it available again.

Common wisdom is that password complexity is the key to keeping your accounts safe from cyber criminals. Password complexity is usually measured by a password's length and by how many character classes (uppercase and lowercase letters, digits, special characters) it draws from. All things being equal, a more complex password takes more guesses to find by brute force. That notion of complexity is why most password policies require a mix of upper and lowercase letters combined with numbers and special characters. However, in contrast to the accepted wisdom, Jeremi contends that password complexity, by itself, doesn't matter.

Based on his vast experience cracking passwords, Jeremi has two reasons for his contrarian position: human nature and history. Regarding human nature, Jeremi says, "With password complexity policies that require an uppercase character and a number, 99 percent of the people on this planet are going to put the uppercase character in the first position and the number in the last position." His point is that knowing a human created a password, even a policy-compliant one, vastly reduces the number of guesses needed to crack it. Crackers do not run an exhaustive search; they use rule-based and mask attacks that try the likely shapes first (a capitalized word followed by a few digits, for example), so a "complex" password built that way falls long before brute force would have reached it.

His second reason for finding fault with complexity is history. The last 12 years of computer breaches have leaked a vast treasure trove of passwords. Jeremi points to the 2009 breach of rockyou.com as a watershed because it exposed over 30 million plaintext passwords. That breach gave password crackers (good and bad) tremendous insight into how humans construct passwords. Every large breach since then has only added to the general knowledge of password cracking and made it easier to recover hashed passwords. For instance, 96% of the passwords in the LinkedIn dump that surfaced in 2016 (the breach itself dated from 2012) were cracked within a week.

So if you can't protect yourself using complexity, how should you protect yourself? The key, according to Jeremi, is never to use the same password twice. That way, if one of your passwords is cracked, the exposure is limited to just one site, and the attacker cannot replay it against your other accounts. Of course, this increases the number of passwords to remember, but the solution is simple: use a password manager. Password managers create a unique password for every site. Even better, they generate completely random passwords, which follow no human pattern and therefore give a cracker no shortcut; the only option left is exhaustive search, which is infeasible for a long random password. A password manager stores all of your passwords securely so that you don't have to remember them. The one password you do still have to remember is the manager's own master password, so make that one long and unique.
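The two points above (human passwords share a handful of shapes, while manager-generated passwords do not) can be put in numbers. The following Python script is an added example, not code from the article or from Jeremi Gosney: it derives hashcat-style structural masks from a small constructed password list (not real breach data), ranks the most common masks the way tools such as PACK's statsgen do, and compares the size of a mask attack against a naive brute force of the same length and against a 16-character random password. The guess rate of 1e11 per second is an assumption standing in for a multi-GPU rig on a fast unsalted hash; real rates depend entirely on the hash algorithm.

```python
import secrets
import string
from collections import Counter

# hashcat-style mask classes and their alphabet sizes
# (?s is hashcat's 33 printable specials, space included).
CLASS_SIZE = {"?u": 26, "?l": 26, "?d": 10, "?s": 33}
PRINTABLE_ASCII = 95            # full alphabet a naive brute force must cover
SECONDS_PER_YEAR = 365 * 24 * 3600


def char_class(c: str) -> str:
    """Map one character to its mask class."""
    if c.isupper():
        return "?u"
    if c.islower():
        return "?l"
    if c.isdigit():
        return "?d"
    return "?s"


def mask_of(password: str) -> str:
    """Structural mask of a password, e.g. 'Summer2023' -> '?u?l?l?l?l?l?d?d?d?d'."""
    return "".join(char_class(c) for c in password)


def mask_keyspace(mask: str) -> int:
    """Candidates a mask attack must try to exhaust one mask."""
    total = 1
    for i in range(0, len(mask), 2):
        total *= CLASS_SIZE[mask[i:i + 2]]
    return total


def brute_force_keyspace(length: int, alphabet_size: int = PRINTABLE_ASCII) -> int:
    """Candidates an exhaustive search over the full alphabet must try."""
    return alphabet_size ** length


def top_masks(passwords, k: int = 3):
    """Most common masks in a corpus as (mask, count) pairs, most frequent first."""
    return Counter(mask_of(p) for p in passwords).most_common(k)


def coverage(passwords, masks) -> float:
    """Fraction of the corpus that attacking the given masks would recover."""
    masks = set(masks)
    return sum(1 for p in passwords if mask_of(p) in masks) / len(passwords)


def seconds_to_exhaust(keyspace: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a given guess rate."""
    return keyspace / guesses_per_second


def random_password(length: int = 16) -> str:
    """What a password manager does: uniform random choice from the full alphabet,
    using the secrets module (a CSPRNG), not random."""
    alphabet = string.ascii_letters + string.digits + string.punctuation  # 94 chars
    return "".join(secrets.choice(alphabet) for _ in range(length))


# Constructed sample standing in for a leaked corpus (NOT real breach data). Every entry
# satisfies a typical "8+ characters, one uppercase, one digit" policy, which is the point:
# the policy is met, yet all of them follow the Capital-word-digits shape described above.
SAMPLE = [
    "Password1", "Welcome1", "Summer2023", "Charlie99", "Baseball7",
    "Football12", "Monkey123", "Dragon42", "Letmein1!", "Sunshine9",
    "Princess1", "Michael08", "Jessica15", "Shadow2021", "Master99",
    "Qwerty123", "Trustno1", "Iloveyou2", "Superman5", "Batman007",
]

ASSUMED_RATE = 1e11   # assumed guesses/second; depends on hash algorithm and hardware

if __name__ == "__main__":
    common = top_masks(SAMPLE)
    for mask, count in common:
        print(f"{mask:24} x{count:2}  keyspace {mask_keyspace(mask):.2e}")
    print(f"top {len(common)} masks cover {coverage(SAMPLE, [m for m, _ in common]):.0%} of the sample")
    best = common[0][0]
    length = len(best) // 2
    print(f"mask attack on the top mask:  {seconds_to_exhaust(mask_keyspace(best), ASSUMED_RATE):.0f} s")
    print(f"brute force, same {length} chars:    {seconds_to_exhaust(brute_force_keyspace(length), ASSUMED_RATE) / 86400:.0f} days")
    years = seconds_to_exhaust(brute_force_keyspace(16, 94), ASSUMED_RATE) / SECONDS_PER_YEAR
    print(f"random 16-char password {random_password()!r}: {years:.1e} years")
```

On this sample the single most common mask (capital letter, seven lowercase letters, one digit) covers 30% of the list with about 2e12 candidates, several hundred thousand times fewer than the 95^9 an exhaustive 9-character search needs; the 16-character random password has no mask to exploit, and its full keyspace is out of reach by tens of orders of magnitude at any realistic rate.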

Ultimately, online security should move away from passwords. They are a terrible way to secure an account. A better solution is something like FIDO, which replaces the shared secret with a cryptographic key that never leaves the user's device, so there is nothing on the server for a cracker to recover. For the time being, however, we're stuck with passwords, and users should protect them as carefully as they can.


Your IT team juggles lots of demands, high expectations, and high pressure. At Opticom Consulting, we provide the tools needed to protect your data and cyber assets. It’s our mission to support your IT team so they can stay focused on their mission. Call us today, or learn more about our Cybersecurity Assessment.