The National Institute of Standards and Technology (NIST) has issued some "new" guidance on password security (NIST is part of the United States Department of Commerce). The previous guidance suggested complicated passwords using a mix of upper and lower case, numbers and symbols that you changed regularly and never reused from website to website (yeah, right). This guidance percolated across the internet and has been credited with producing our current "password hell".
The new guidance suggests keeping passwords simple, long and memorable. Phrases, lowercase letters and typical English words work well. You would almost think NIST had read the famous XKCD cartoon making the same point.
Unfortunately, this guidance was comprehensively debunked some years ago. Nate Anderson, a journalist writing for Ars Technica with no particular password expertise, turned himself into a password cracker using consumer grade equipment and free software in the space of a day. Experienced password crackers can crack up to 90 per cent of passwords without breaking a sweat.
The Ars Technica articles contain a much more thorough description of how and why most passwords are so easily cracked. But in summary:
- Password hackers don't sit down at a webpage trying to hack a single password at a time. Instead, hackers use other exploits and hacking techniques to obtain lists of all passwords from website servers (or just download them from the dark web). Even if these lists are encrypted (and hopefully they are), hackers are able to try to crack these lists in bulk using freely available password cracking or "password recovery" tools.
- Estimates of how long it takes to crack a password typically assume "brute force" attacks. That is, try "aaaaa", followed by "aaaab", "aaaac" and so on. But hackers aren't stupid. They know the official password guidance and how people think, including the common and easy-to-remember substitutions. Trying "horse", "HORSE" and "h0rs3" will have far greater odds of success than "horsea", "horseb" and "horsec". Why bother with brute force sequential guessing when you can feed a dictionary into your password cracking tool?
- Reusing passwords is about the worst thing you can do from a security perspective. Once a password has been cracked by one hacker, it will rapidly find itself on a list circulated to other password hackers to be used again and again.
- Finally, massively powerful graphical processing units (GPUs) are now common and cheap. Central processing units (CPUs), the traditional "main" brain of your computer, are very good at doing one complicated task after another. Attempting a password isn't particularly complicated, but even so, a CPU can basically only try one password at a time. On the other hand, GPUs excel at doing multiple simple tasks in parallel. Password cracking with even a basic GPU is massively faster than with even a high-end CPU.
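As an added illustration of the second point above (example code, not from the original post): the same password gets wildly different strength figures depending on whether the estimator assumes sequential brute force or the dictionary-plus-substitutions guess order that cracking tools actually use. The WORDLIST and LEET tables are constructed toy stand-ins for real wordlists and rule sets, and the function names are the example's own.

```python
import itertools
import secrets
import string

# Constructed stand-ins for the multi-million-entry wordlists and mangling
# rule sets that real "password recovery" tools ship with.
WORDLIST = ["password", "horse", "battery", "staple", "monkey", "dragon"]
LEET = {"a": "4@", "e": "3", "i": "1!", "o": "0", "s": "5$", "t": "7"}

def mangle(word):
    """Yield case and leet-speak variants of one lowercase word, cheapest first."""
    seen = set()
    for cand in (word, word.upper(), word.capitalize()):
        if cand not in seen:
            seen.add(cand)
            yield cand
    # Every position may keep its letter or take one of its substitutions.
    options = [[c] + list(LEET.get(c, "")) for c in word]
    for combo in itertools.product(*options):
        cand = "".join(combo)
        if cand not in seen:
            seen.add(cand)
            yield cand

def dictionary_guesses(password):
    """1-based position of password in the dictionary-plus-rules guess order, or None."""
    count = 0
    for word in WORDLIST:
        for cand in mangle(word):
            count += 1
            if cand == password:
                return count
    return None

def brute_force_guesses(password):
    """Keyspace a naive brute-force estimate assumes: alphabet size ** length."""
    alphabet = 0
    if any(c.islower() for c in password): alphabet += 26
    if any(c.isupper() for c in password): alphabet += 26
    if any(c.isdigit() for c in password): alphabet += 10
    if any(not c.isalnum() for c in password): alphabet += 33
    return alphabet ** len(password)

def random_password(length=20, alphabet=string.ascii_letters + string.digits):
    """What a password manager generates: uniform characters from the OS CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))

if __name__ == "__main__":
    print(dictionary_guesses("h0rs3"), brute_force_guesses("h0rs3"))  # 66 vs 36**5
    print(dictionary_guesses(random_password()))  # None: only brute force applies
```

The gap between the two figures for "h0rs3" is the whole argument of the post: the naive estimate says tens of millions of guesses, the realistic one says a few dozen.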
So what's a good password then?
If you can remember a password, it is almost certain that it is vulnerable to this type of password cracking. And unless you have some kind of savant ability to remember long random strings of characters, it is one hundred per cent certain that you can't remember all the unique passwords you need in the modern internet age.
The only way to stay secure online is to pick passwords that are long and random. The new NIST guidance (and XKCD cartoon) isn't best practice. Almost anything memorable also means it's crackable.
In practice, this means you either need to write your passwords down (impractical) or use a password manager. I use LastPass (and highly recommend it), but other great tools include 1Password, TrueKey and KeePass (though I would only recommend KeePass for power users).
Better still is to use multi-factor authentication (i.e. something in addition to just a password). Not every website offers multi-factor authentication, but using a password manager with multi-factor authentication can help this somewhat.
Have I been pwned?
Don't already follow this guidance? Your log on credentials might already be compromised. Have I been pwned, a website dedicated to tracking password and data breaches, has a list of 4.7 million compromised accounts from 231 websites that have been hacked. Plug in your email address and it will tell you if your credentials have been compromised - and at least one person that I know reads this blog has been pwned. Go and check now. I'll wait. Been pwned? Time to change your passwords.
Why does this matter for lawyers?
Virtually every website that uses account passwords will include in its terms and conditions something to the effect of "we may assume that any transaction authorised by your log on and password is actually authorised by you. You should therefore keep your password secure. And by the way, here are some requirements about passwords that if you breach you will be liable for any losses." This is the "authenticity" infosec risk I referred to in a previous post.
Is this an unfair contractual term? There's certainly a risk of that, particularly if your password requirements don't follow current best practice. And are the systems underlying your terms and conditions really secure? Do you want to find out the answer to that question in Court or as a result of a discovery application? If I were involved in a dispute as to whether I had really authorised a particular transaction, my first step would be to demand information about the security systems deployed and whether there had been any attempted (or successful) hacks on those systems. Ross Anderson of Cambridge University has written extensively on this type of system security, including bank and ATM fraud.
As technology becomes more pervasive, it is more important than ever for lawyers to have a good understanding of the systems underlying their legal advice. Technology, data protection, information security and ICT law are increasingly converging. Lawyers with a deep understanding of both technical and legal issues will be far better placed to provide excellent advice to their clients. Conversely, any attempt to paper over security holes or system issues with a sufficiently one-sided set of terms and conditions is fraught with difficulty.