Intelligent Password Cracking and Why Password Strength Requirements are not Enough

Requiring a minimum password strength has become the norm for websites. And although this is an opinion, password strength requirements are not enough. This article will attempt to explain why.

One capital letter required. One lowercase letter required. One punctuation mark required. One digit required. Minimum of 8 characters long. On the surface, it seems like this would make brute-force password cracking very infeasible. But the problem lies in the not-so-obvious fact that, even given these requirements, people have a natural tendency to create passwords that, while they do conform to the requirements that have been set forth, follow a predictable format that makes them easy to crack by brute-force guessing.

I have experienced this both with myself as I retroactively think about the passwords I have used at various websites, and also as I examine the passwords that I know others to have used. While no study has been done to confirm what percentage of the time a person will use a password that follows a predictable format, it anecdotally seems to be quite common. And the pattern is this:

[capital letter] + [the rest of the word, in lowercase] + [punctuation] + [1 or 2 digits]

Assuming that 1 or more capital letters are required, people tend to make them the first letter(s) of the word. The rest of the word is usually lowercase. Then comes the punctuation. Typically, people limit the punctuation to some combination of an exclamation mark, a question mark, or a period, and use only the bare minimum number of punctuation marks. People also seem to avoid the more obscure forms of punctuation, such as | or - or $ or ^ or @. And lastly come the digits.

To make matters worse, most of the passwords people use revolve around a single word (with capitalization, punctuation, and digits added), such as:

Stupid!1

or

TAXES?10

And if that weren't bad enough, the password is often something that is related to the thing that is being password-protected. I can see this tendency also in myself. As an example, I think that being forced to pay for auto insurance is a legalized scam. It is a scam that anyone who wants to drive on the public roads without risk of being arrested is legally forced to participate in and fall victim to. Therefore, on my auto insurance website, the word that my password revolves around is "unethical".

For a number of years, I have also worked in a warehouse that distributed power tools. All of us employees had accounts on the company's intranet site. And while technically we were supposed to keep our accounts private to ourselves and not share the login credentials among each other, this was inconvenient for us, and we all trusted each other with using our accounts. Because of this, I was able to observe the fact that people tended to use passwords such as:

DeWalt10!

or

tools!!!123

It seems to be consistently the case that the underlying word the entire password is centered around is related to the function of the thing that is being password-protected. Therefore, it is highly likely that, for example, on social media sites, many people will have passwords containing predictable words, such as: social, friends, family, photos, connect, etc.

And regarding the digits, people typically insert a digit into their password simply because the password-strength requirement makes them do it. And so, predictably, people tend to just append "1" to the end of their password. I know that I myself, as well as many of my former co-workers at the aforementioned warehouse, were prone to simply changing the digit from a "1" to a "2" and then a "3", etc., every 3 months when the company made us update our passwords. So the digits used in the password are both limited and predictable in that sense, as well.

Given all of these tendencies of the human psyche, let us conduct a thought experiment in which we make an educated guess at how difficult it would be to crack a password that follows this format.

Let us say that there are 100 "words" which people will tend to use as the word their password for a given target application (e.g. a social media website) revolves around.

Then let us assume that they will always use one, and only one, of three punctuation marks: a period, a question mark, or an exclamation mark.

Then let us assume that the digits that follow will never be more than 2 digits long, and since people typically start with "1", the number can vary between "1" and "99", for a total of 99 possible values.

This means that, if their password follows the aforementioned format, there will be 100 * 3 * 99, or 29,700, possible passwords that a person is likely to use.

Of course, the odds that a single account will have a password that follows this format are relatively slim (maybe a 1/30 chance). But if these 29,700 passwords are all tried on, say, 100 usernames, one still only has to make 2,970,000 guesses, and it is very likely that at least 1 account will be compromised.
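
As an added example, not code from the original article: a Python checker that applies the policy quoted at the top of the article, flags passwords built on the single-word template described above (widened beyond the strict [capital][lowercase][punctuation][digits] form so that the digits-before-punctuation and no-capital variants from the warehouse examples are also caught), and computes the constrained keyspace of the thought experiment. The word list is a constructed stand-in for the per-site list of "target-related" words the article describes.

```python
import re
import string

# Constructed sample of "target-related" words. The article names only a
# handful; a real deployment would load a per-site list of such words.
PREDICTABLE_WORDS = {
    "social", "friends", "family", "photos", "connect",
    "stupid", "taxes", "unethical", "dewalt", "tools", "password",
}

# A leading run of letters followed by a tail made only of punctuation and
# digits, in either order. This is wider than the article's strict
# [Capital][lowercase][punct][digits] template so that "DeWalt10!" and
# "tools!!!123" are caught as well as "Stupid!1".
_TEMPLATE = re.compile(
    r"^([A-Za-z]+)([" + re.escape(string.punctuation) + r"\d]+)$")


def policy_compliant(password: str) -> bool:
    """The requirements quoted at the top of the article: one uppercase,
    one lowercase, one punctuation mark, one digit, at least 8 characters."""
    return (len(password) >= 8
            and any(c.isupper() for c in password)
            and any(c.islower() for c in password)
            and any(c.isdigit() for c in password)
            and any(c in string.punctuation for c in password))


def predictable_pattern(password: str, words=PREDICTABLE_WORDS):
    """Return (word, tail) when the password is one known word decorated with
    punctuation/digits, else None. Case is ignored for the dictionary lookup
    so 'DeWalt' and 'TAXES' both hit their entries."""
    m = _TEMPLATE.match(password)
    if m and m.group(1).lower() in words:
        return m.group(1), m.group(2)
    return None


def pattern_keyspace(n_words: int, n_puncts: int, max_digits: int) -> int:
    """Size of the article's constrained search space: one word, one
    punctuation mark, and a number from 1 to 10**max_digits - 1.
    pattern_keyspace(100, 3, 2) is the article's 29,700."""
    return n_words * n_puncts * (10 ** max_digits - 1)


def nominal_keyspace(length: int) -> int:
    """What the policy appears to buy: 95 printable ASCII characters
    (94 graphic characters plus space) at every position."""
    return 95 ** length
```

Comparing nominal_keyspace(8) with pattern_keyspace(100, 3, 2) shows the gap the article is pointing at: the template shrinks the search space by roughly eleven orders of magnitude while every one of its passwords still passes policy_compliant.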

An executive thinking about cyber-security may think that that is a lot of guesses to make, and so guessing should be infeasible. But any web developer or cyber-security expert will know that roughly 3 million login attempts can be iterated through in a matter of hours or less, if the attacker has a moderate amount of Internet bandwidth and is willing to spend 30 minutes typing up an automated brute-forcing script.
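
As an added example, not from the original article: detection logic for the many-usernames, few-guesses-each traffic described above, run over a constructed authentication log. Per-account lockout does not fire on one or two failures per user, so the check counts distinct failed usernames per source instead, then lists which accounts that source nevertheless logged into. The log format, the 5-minute window and the 5-user threshold are assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed auth log (not from the article): 203.0.113.7 walks a guess
# across many usernames; 198.51.100.9 is one user mistyping their own password.
SAMPLE_LOG = """\
2024-01-01T10:00:01 FAIL user=alice src=203.0.113.7
2024-01-01T10:00:02 FAIL user=bob src=203.0.113.7
2024-01-01T10:00:02 FAIL user=carol src=203.0.113.7
2024-01-01T10:00:03 FAIL user=dave src=203.0.113.7
2024-01-01T10:00:03 FAIL user=erin src=203.0.113.7
2024-01-01T10:00:04 OK user=frank src=203.0.113.7
2024-01-01T10:00:05 FAIL user=alice src=198.51.100.9
2024-01-01T10:00:09 OK user=alice src=198.51.100.9
"""
_LINE = re.compile(r"^(\S+) (FAIL|OK) user=(\S+) src=(\S+)$")


def parse(log):
    """Yield (timestamp, result, user, src) for each well-formed line."""
    for line in log.splitlines():
        m = _LINE.match(line)
        if m:
            yield datetime.fromisoformat(m[1]), m[2], m[3], m[4]


def spray_sources(log, window=timedelta(minutes=5), min_users=5):
    """Sources whose failures hit >= min_users distinct usernames inside one
    sliding window. Returns {src: sorted usernames seen in that window}."""
    by_src = defaultdict(list)
    for ts, result, user, src in parse(log):
        if result == "FAIL":
            by_src[src].append((ts, user))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        seen, start = Counter(), 0
        for ts, user in events:
            seen[user] += 1
            while ts - events[start][0] > window:  # expire failures outside window
                seen[events[start][1]] -= 1
                seen += Counter()  # drops users whose count fell to zero
                start += 1
            if len(seen) >= min_users:
                flagged[src] = sorted(seen)
                break
    return flagged


def successes_from(log, sources):
    """Accounts that logged in OK from a flagged source: the compromise the
    article predicts, and the place to start incident response."""
    return sorted({u for _, r, u, s in parse(log) if r == "OK" and s in sources})
```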

So what to do? It seems that no amount of password-strength requirements is actually enough to secure people's accounts. It is a bit like how traffic engineers attempt to implement safety features to protect incompetent drivers from their own incompetence. But no matter how obnoxious the warning signs on the roads are, if a person wants to be careless, no signage or threat of punishment (traffic tickets) can dissuade them. So it is also with passwords.

At the end of the day, cyber-security cannot be something that is implemented without user awareness. To be digitally secure, an individual (or an organization) must be educated, aware, and care enough about their digital security to be careful. No amount of anti-virus software will protect a careless 90-year-old who is still running Windows XP and has no idea what a "trojan horse" is. No password-strength requirements will protect a person who wants to use "Password1!" as their password.

The moral of the story is that, while systems provide a safeguard that may sometimes save the day, they are no substitute for relying on people, and people must not be complacent in thinking that the automated systems in place will protect them from their own lack of concern.