Passwords - How secure are they?

My article aside, there have been numerous articles by experts on this topic. Password cracking, phishing, hacking are what most of users are targeted by. What I want to concentrate on today's article is 'Password Guessing'. This realm, though untouched and un-debated by most is a grave concern as we being humans-think and passwords are nothing but ramblings of our thought process.  If someone gets into what is going on into our mind he can easily guess the password. 
Give a thought - your mail password, facebook, G+ if you use any,  bank account password are nothing but words, letters, extracts from your thought process appended by or prefixed by some random number or special character. 

However difficult the process may be but believe me with the invasion of specialized tools for this it has become increasingly easy! In 2006 MySpace accounts of about 34,000 users were compromised by a simple phishing attack. The hackers created a fake login page and redirected about 34,000 real user-names and password to compromised servers. There are great findings about how people generally choose their passwords and what the common length of them from this data is. The following findings were made from it:
Characters
Percentage




1-4
0.82 percent


Some commonly used passwords

5
1.1 percent




6
15 percent

password
password123
iloveyou
7
23 percent

qwerty1
123456
myspace1
8
25 percent

abc123
baseball1
football1
9
17 percent


princess1

10
13 percent




11
2.7 percent




12
0.93 percent




13-32
0.93 percent






The findings are really interesting. Apart from these generally used passwords, the most common passwords were the loin id appended or prefixed by some character or number, a dictionary word, a word that can be spelled but is not in the dictionary like falloon,  sonitor, kibord etc.
Coming back to the topic of thought process, however complex it may be can be statistically analyzed and tools can then generate most probable passwords through sophisticated algorithms. With the word becoming smaller and smaller with Social networking Google+, MySpace etc, we knowingly or unknowingly scribble on the web our thoughts and emotions. Unlike word of mouth which is temporary and disappears after some time, scribbling’s on the web are permanent and have your fingerprint on it. Attempts however made are neutral to delete this data. Mail communications, facebook walls, Google profile, LinkedIn account say a lot about your personality. Not only do they say a lot, they also record a lot about you.

 Guessing a Password
According to AccessData which build forensic tools for password recovery, password recovery is based on these simple facts:
• The password will usually be in a language familiar to the owner
• The password will usually be an aspect of the owner’s life
• New passwords might be a modification of old passwords
The PRTK tool designed by AccessData works in following manner:
1.       It determined user language, keyboard layout and pattern.
2.       Searches the whole hard drive fro any written notes, words and makes a dictionary out of these words. (including tmp files, cookies, memory swaps)
3.       Further, the PRTK toolkit has inbuilt dictionary of most common suffixes and prefixes which can be appended to the words from dictionary generated by user’s personal data.
4.       Prepares passwords combining all these data.
The passwords generated like this takes a long time but are a sure-shot ways of getting into the system.  
In case of a locked file by means a file locked tool, one can easily write a script which takes as input the generated passwords and tries all of them.No human intervention is required most of the times.  But it becomes complex as we go higher. Login pages of facebook, MySpace, Google host many techniques to keep users from running such scripts. We can hoever manually enter all the combinations generated by the tool. It would be cumbersome though
Websites devise new techniqiues to handle such attacks. Two of the most popular are:
1.      Requiring the user to enter Captcha.
2.      Disabling the login of the user after 3 -4 consecutive failed login attempts.
3.      Not allowing the user to choose a new password from previous 5-6         passwords.
4.      Requesting the users to change passwords every month or fortnight.

Securing your passwords and best practices

Many of the users ask me about the safest password length and on choosing passwords. My advice to them would be to use password of length more than or at least 8.  Sometimes it is ridiculous when websites deny passwords of greater length or do not allow users to enter special characters.  However hard you try, there is no denying the fact that password will come from ideas from your thought process. Your environment, philosophy, situation matter the most when you choose a new password.
1.      Do not stick your passwords at the side of your screen or below keyboard. This is ridiculous but its common mistake.
2.      Use passwords generated by automated password generators. Such passwords are very strong and not easily guessable.
3.     Change passwords frequently. Someone rightly said, ‘Passwords are like underpants, they must be frequently changed.’
4.      Do not use dictionary words as far as possible. User words which can be spelled but are not in the dictionary along with some prefix or suffix.
5.      Best practice is to use passwords by shortening a log sentence.
E.g.:  Sentence:’ My moms name is Melinda ‘  and  suppose your age is 19
  Password: MmniM19
6.      One best practice to avoid your password from breaking is to encrypt your Swap memory. This can be easily done in Linux while installation. By doing this you can prevent tools like PRTK to get any meaningful data from your Swap Space. Also deleting /tmp before shutdown is a good practice.

The easiest way to break a cryptographic product is almost never by breaking the algorithm, that almost invariably there is a programming error that allows you to bypass the mathematics and break the product. A similar thing is going on here. The easiest way to guess a password isn't to guess it at all, but to exploit the inherent insecurity in the underlying operating system or get into user's thought process!