There are many people who say that they don’t trust some version of online business, whether it be passwords, password wallets, or some other version of encryption security. They claim that by keeping their passwords on paper, that this is a higher level of security than storing it on their computer. They are right, and they are wrong. The answer to this lies in the way that encryption works. I am greatly simplifying this, so it will be a bit easier to understand.

All digital encryption works using the same basic principles. Digital encryption is simply a very complex math problem where there is a formula that permits only one answer to a problem posed by the number that is put into it, the password. The output that results from the password being run through the algorithm is called the hash. There can only be one hash for each password. Password hashing is typical on the server side when the server operators don’t need to know the plaintext password, they just need to demonstrate that the user knows the plaintext.

A common hash function is Message-digest algorithm 5 (MD5), which takes a message of any length as input and converts it to an output of a fixed 128-bit hash value length to be used for authenticating the original message. Here are a few examples of what a hash looks like:

md5(helloworld) = fc5e038d38a57032085441e7fe7010b0
md5(hell0world) = 0a123b92f789055b946659e816834465
md5(helloworld) = fc5e038d38a57032085441e7fe7010b0

When you enter your password into a website, it is converted into a hash. If the hash matches the one that is on file, the website grants you access.

Small changes matter a lot – Take a look at examples 1 and 2. Just one digit has been shifted, from an “o” to a “0.” This is a very small change, and yet the second output is unrecognizable from the first.

The output length never changes – The input in example 3 is considerably longer than the other examples, yet it produces an output of the same length (32 characters). You could input an entire book into the md5() hash function and you would still get a 32-character string as the output.

Repeatable – An input will always give the same output when hashed using the same function. If this weren’t the case, they would just be generating a random output, which would be useless for passwords. (I included the same function in example 1 as example 4 just to see if you were paying attention.)

Knowing that hashes are the same length regardless of the password you choose, you might be tempted to pick a short, memorable password. In fact, you should do the opposite. The password you choose is critical for keeping your data secure. Why is that?

MD5 isn’t the only hashing algorithm. There are others, like the SHA-2 hash code family, one widely used today, with algorithms that are longer and harder to break. The names of SHA-2 algorithms are connected to length, so SHA-224 represents 224 bits in length. The same format works for SHA-256, SHA-384 and SHA-512. The more bits in the hash, the more complex and difficult it is to break, and the longer an input password that can be used.

If a website is hacked, cybercriminals don’t get access to your password. Instead, they just get access to the encrypted hash created by your password. It’s impossible to reverse a hash function, so trying millions of combinations to try and produce the same hash (a brute-force attack) is the way that hackers have been attacking passwords.

So that’s what they do. They breach a website because they want the hashes. Banks, Home Depot, Amazon, all of the breaches that you hear of where passwords are compromised, that’s what they are after. That’s what happened to LastPass, as well. They got the password wallets, which included the hashes for the master passwords.

Once a cybercriminal obtains password hashes from a website, the real process of password hacking begins. This process happens offline, on the cybercriminal’s computer. Cybercriminals put combinations of characters into a hashing function until a hash that matches yours is created.

Because the functions themselves are well known, password cybercriminals can easily calculate hashes for known words and other commonly chosen combinations. Then they scan for known hashes using commercially available cracking tools. These dictionaries go far beyond simple words. They include prefixes, suffixes, the practice of changing letters for numbers (e.g. 1 instead of l), and much more. This means weak passwords can be broken very quickly. Humans suck at random. That’s why human created passwords are garbage.

A long password is better, because it takes more to guess a long password than a short one. A random one is better, because this foils dictionary attacks. Not reusing passwords is a way to keep a hash found on one website from being matched with others.

• 71% of people admit to using common passwords like p@ssw0rd, their pets’ names, or children’s birthdays
• 72% of people admit to reusing the same password on 4 or more accounts
• 56% of people claim that they would not use passwords at all if they could
• The average user has 25 online accounts but uses just 6.5 passwords to protect them

So why does all of this matter? If you write your passwords on a piece of paper and then burn the paper, no one will ever get the passwords, but the hackers don’t care. They want the hash so they can brute force your passwords. It doesn’t matter if YOU use electronic password storage, because any company that you do business with does, but in the form of hashes. Using a password notebook like this one keeps the password out of electronics, but that doesn’t secure the hash.

Remember that a password cracking tool uses different methods to attack a hash. It will guess common passwords, and paired with a handful of inexpensive GPUs, can make 88 billion guesses per second. In fact, one hacker has a 25 GPU server that guesses 350 billion passwords per second. Ten years ago, a white hat used a GPU driven machine to crack 90 percent of the 6.5 million password hashes belonging to users of LinkedIn in less than six days. Computers and their cracking software are considerably faster today.

They are so fast, that number-only passwords are useless. Even if you choose a good combination of letters, numbers, and special characters, passwords of eleven characters or less will be brute forced before a company even notifies the public of the breach. A series of leaks over the past few years containing 100 million passwords have given hackers dictionaries of passwords from people in different walks of life. The ever-growing list of leaked passwords allows programmers to write rules that make cracking algorithms faster and more accurate; password attacks have become cut-and-paste exercises that even script kiddies can perform with ease.

That’s why I was so pissed at LastPass for not disclosing the breach for months. How long is your password, what does it consist of, and how would it fare if the black hats had the hash to play with for 3 or 4 months? What if the black hat uses more than one computer?

That’s why, for now, I recommend that you use a randomly generated password comprised of numerals, special characters, uppercase, and lowercase letters, and your password should be no fewer than 17 characters long. Do not use words, even with common misspellings. Dictionary attacks live on words like p@ssw0rD123.

Diceware has a flaw in that it is susceptible to dictionary attacks. There are only 7,776 words in the diceware word list. Using that list to generate 4 words results in 3.6 quadrillion possible word combinations. That’s a lot for a human to guess, but a trivial exercise for a computer making a few billion guesses per second. If no other randomness is inserted, a 4 word password generated by diceware would be cracked in less than 3 hours. There was a time when diceware was a good idea, but increases in computing technology have made it useless.

That same technology makes other schemes just as useless: fingerprints, facial recognition, and others. A strong, random password and a hardware key are currently the only secure methods for identifying valid, authorized users.

There are new hashing algorithms that complicate the process of cracking, like SHA512, Bcrypt, or PBKDF2. The complexity of the math involved limits the speed of those cracking computers to less than a 10,000 guesses per second, which greatly increases security. However, it costs money for a business to stay current with this kind of technology, and many companies just aren’t willing to spend the cash. That means it is up to YOU to keep your password long and complicated.

Don’t be complacent. There was a time when an 8 character password was nearly impervious to attack.

#### Bill Copel;and · April 23, 2023 at 8:56 am

After one of your previous posts on this subject, I decided to add Yubi key to my password setup. But, looking at all the 1- and 2- star complaints about the Yubi 5Ci, \I don’t think think that particular device is for me. So, which similar device is the best for use in both USB and Lightning devices? Thanks. Your posts are very helpful!! Bill in Sarasota

#### Divemedic · April 23, 2023 at 9:07 am

I use the Yubikey 5C NFC. It works on my NFC enabled cell phone and in my laptop, which has a USB-c port.
My wife’s laptop doesn’t have a USB-c port, so we bought an adaptor on Amazon.
If that is too inconvenient, you can also think about more than one key.
Without more information as to your specific needs, that’s all I’ve got for you at this time.

#### D · April 23, 2023 at 2:30 pm

Fortunately a lot of the “offline work” is already done.
It’s a fairly simple matter to go through every word in the dictionary with varying upper case and lower case iterations, adding in numbers, etc….and pre-hashing all of them.

The result is a “rainbow table”.

He’s an example of generating a very simple sha-512 rainbow table for the lower-case letters ‘a’ through ‘z’. You can see it takes a fraction of a second:

\$ time for password in {a..z}; do mkpasswd -m sha-512 \$password; done
\$6\$yNJAn92MvpdseFSz\$JHkkrJQ4iC1kPI8GD3zSmDE9ctVtGs8VI1yc2g5J6kuileG9sFNkarBEIYgV6PunaohliCKyluM3FTOiRsDJv/
\$6\$2ZuogZzVedYJJM3z\$1o9YjrAZ25tF0Kwo9tN0JCT0ppkv.0qg/5WZHBdesytobRffKSR7PykYYRUODDFlGj5Wk0efm7aOKAr8lodUA0
\$6\$ilug4AhNaxov3dp5\$OZwNlvcYkf95RlQkdiNvz6AC2oJRzSTg7HyHcKBocpr.8CH9JzTr5bmoggpoYSHsmWwkvp08iZZLJSekjJrMl1
\$6\$E7vUURGyjKR9rJNl\$YC3GRm1ha1pSZJSrVjJSwVrbGlSJKOQb/wVLqlATnWfrmZTRvfXRUAJweN./zgItpF3e/VkRedYpBSX1ZLvmp0
\$6\$co28djfmebfhS.Ci\$wMH6TNPNciMM3BxRVLP6jEiSYb9odhXWfHwa4u0STKq.G/R0sFjjdzFtlPejn38xhdeAKY6P7QiDexqw4EO0f/
\$6\$FZ5Rgvm5OfVIRJ2Q\$NhrFFztbDyo57s1h.8MBQG.LfNLCISGo/fS8X0.oc/0P.9tN.j1kbzY7dPUrZkRmoSrohVWafdW9IddNqKykt.
\$6\$j/bKaWBBPCCRBX2P\$vLdCDHif4dS/4CJpj9fq/KD0t1xapg8nuwNdrWqDCmmXJZthStFvPV6KpEIGqW5e2RVDhyJnlEGJvO8cZr3pS.
\$6\$96tVJvUKoeKlV/T3\$EG.y4Q9w/TVN4BKr8meYZ1b.W/YsxjTuehPxl08AaUbw1fElSZn997xh4E22KvJuvTkm2dZ1vYV3NuRQIuGEE1
\$6\$rzqJ4k2.1gGxyMW/\$jR.2y62xqqc8FpqCYqaYiB7cPyq8ZVdKSn0yF.Wo7edRniGh2alBiJP6bXoz5ISl9civb.zKvVYBHR/WHfyto1
\$6\$Xxlh3/JWkWhKCO9q\$VxlA95iZqUONCVaS.SxV1hHLV.u7LreYGGr9.MwxgZeWIzMp9.AO7cxBearwvSaW9WNRKg/HOCWMbQOGXR3ia0
\$6\$bmNjtv9nijib1k7p\$6PKsVvg1gOM0SZ1Ht1TTMHq3Ku8yW6mlIgtMVXpXxd5WIW8.pDdytkA6YjMvj09pf1LMqp6wIzF.B/KuBDxVC.
\$6\$2ipHDHBDlx9hddDR\$8GqNtuxN5GA28pHM9YYpOYZT0nmUhHawfqAiqYyN8aU2NMDe4AC4mmpAZmffCYJu2BlnepSDfakYFoZt9isuI1
\$6\$OWx52fXhzA2CI6iu\$x9dIcqTBxdTJLqug93b54.A0jaobqPyDcNx7TlsxobILPF0TslRMIFeI4inIdCpruejEjlONXg5bGwMWJHvx10
\$6\$W3GLq5zNACRVQdsl\$sDfaVjGa16xGu0.awUKoEqxOtXCEJ.aGtmAl..UAyF1d/OVzqk25YTFtXmJtN./AXLXWdXX3/n9Jfp6wlHEag/
\$6\$Sd0IKnrHmsX9Jklo\$6pRwNropxF74I9U1mGVX0QZnmvpm.x7vnJRtBnkFLZCJdwLuwc3n7RLHwuJAlJGE5S1wz3mRfNTGrJ/77dmua1
\$6\$hn3sQb.ZlCx5bmcj\$zUO9.cZQgwCFu2caMAWiHKdW57YnFWNOB2NZPxA3cs5CfuL52uXna6r9KSjpg/3u14NIVBqI9h8jlWw81/vDd1
\$6\$R4xpiQPZZPTLbE8i\$.Ezb5.e.xsAxh1eul3ZoouIZTBkxX2QB/DWSxqoa1izB8Ira1dB0QYU02lUBjuDyQRpdBvgByW4G9JgpaGxdq.
\$6\$gbrt2pzejm60y2Vs\$FeG/54lvlgFMqq9Rnn68s43QRZu1jsfr/JtUpPeUiETEY1XaXfatO5Hy6/XU39h9YpA1p.66CWieJUZRGSBhg/
\$6\$OuQrEnymhTbaczJV\$6RsLMWWhT0FZskG/oP4.QiQ8fo3xPWqn3jCPn6AkxGtOMq0XU3McuYH0zXCx5bqTa/g/v0d3UFSTP4WnA.otg.
\$6\$40rMtndosy5aAFfP\$8OL/yMsIh824mw6OG9.3iunvzVgOeO7T4mJaOw/Szhvb02PrXHcJhSaw8Yoq4mJTPpLVDimGlCUno9p2VWQzD0
\$6\$NR8ONiGPG6dnIZjq\$vgZBlKOAGwJE2OB7U0IYi3T9Xx9MNIEtljKW3EfQTSCkmL.XCR9FpnPELy11U2FboYrRicqZvzO3nQjdDImi30
\$6\$lAwT9QrlfzkP5vds\$LPbEvRUPYMYd889odHaTabiuNfYHs9vQP4o37A/wLaYMIc/3n0L2j6atOu.NpO/8EQ0XkLdvPdm1T.8zUTUvV0
\$6\$vbWOhdnpRKFxB6SG\$fnQTjgNdGwHV/3YMzjsZ5VOSczLqnvv7x0hNgzFiJl.qSVRDtdS9hjGzmpQT67x3prRRKbfgAvNR5kQL1K8T5.
\$6\$6YurMrOpRI7yLfZQ\$BXxffZh4Th6t6w71H7xt4hRce4RIIw/Rowqehul5zI9NoeWn4Or.spq/P1SxAcUNR75i1BX6KNniwBTCfoQIt.

real 0m0.099s
user 0m0.075s
sys 0m0.026s

\$

It increases significantly for each character added, but there are machines that are much faster than mine…or even thousands of machines in a ‘cloud’ that can do it. Plus, my example method is pretty inefficient.

Here’s two characters:

\$ time for firstchar in {a..z}; do for secondchar in {a..z}; do mkpasswd -m sha-512 \$firstchar\$secondchar; done; done

\$6\$Zb5EOPhfPVf8V.oj\$Lk2VLniIVxwo6cC4Uz97NNcazp6/GBaiIxH7oeJNNns1RvAKHW/7rUARfRlb0iAyqQBDfDgNdTNHe/Ac7Yc8c/
\$6\$UBy3C1zdUqgB0naB\$/UmAqSUlfHwqLY4GXD2luSoc8Olk31etvPQq7MRRrZzEvITnocDiniwOsNBPf3v.TEd77XzbsIw7O9G/qr0zg1
–snip–

real 0m2.645s
user 0m1.763s
sys 0m0.890s

\$

If I can generate aa through zz in 2.6 seconds on my machine using an inefficient method, you can imagine what it takes to generate every possible 8 or 16 character password on a nice cluster of machines in the cloud.

#### Outlier · April 23, 2023 at 3:01 pm

At 12 characters is where it gets computationally expensive to brute force hash/crack passwords. Ideally you want a password that’s at least 12 characters long, has a mix of upper and lowercase letters (they count as different letters to a computer), and a digit and/or a punctuation mark. But most of all it should be easy to remember. If you’re really concerned then use at least one word that’s not in the dictionary (e.g. Hu instead of Who )

I have found that phrases work really as passwords because they can easily fill the above requirements. For example:
ILoveBacon!!!
ILoveMySexyWife:)
MyFavoriteSongTitle! (e.g. WereYouThere?)

Misspelling a word helps too. For example, replace Es with 3s, or Os with 0s.
IL0veBac0n!!!
Lov3MyS3xyWif3:)

If you do something like that then you will be safe from probably all hackers unless you have something they specifically want and they focus on you.

P.S. Now if the “hackers” are state sponsored and/or government entities then they’ve got access to back doors in most, probably all, operating systems and phones. In that case passwords have no protection value at all.

True story. Back around 2015 when I was teaching I heard about this program used by the government that’s like Google maps. You can focus on a geographical area and then apply filters (e.g. names, addresses, IP address, etc) and the program will show you in real time all the computers and devices in that area. The program will allow the user to click on any one of the computers/devices and bring up an administration console that will allow them to do basically anything they want.

When I heard about it I told my students in my programming classes. One of the students later approached me and confirmed that the program does exist. He had seen it on his father’s laptop with his own eyes.

This was back before 2016 so I’m sure the technology has evolved greatly since then.

P.P.S. I’ve heard good things about NordPass. No affiliation. I think they have a free 30 or 60 day trial.

#### Divemedic · April 23, 2023 at 3:30 pm

Using dictionary words, or variations thereof, are a very bad idea. Likewise, trying to create randomness with intentional misspellings or changing letters for symbols (like @ for a, 3 for E, or o for O) is a bad idea. The reasons for this were covered in the above post. Dictionary attacks already know and use those in cracking passwords.
Humans absolutely suck at random, I also pointed that out in the post. A great example of this: 90% of human generated passwords capitalize either the first or last letter of any word in a password.
The password “IloveBacon” is in the compromised password dictionary found here. Thinking you are clever by adding a ! or three would be cracked fairly quickly.
But hey, you do you.
_________________________________________________________
As far as the story about “taking over” any and all computers in a geographical area? I’m gonna have to call BS on that one without seeing some kind of evidence. It isn’t hard to monitor traffic coming and going through a router, and at least some people would notice mysterious packets and activity passing through their routers and/or modems. Not to mention people using VPNs.

#### Gryphon · April 24, 2023 at 3:16 pm

ANYTHING that you do using SOMEONE ELSE’S Computer Network exposes you to “Hacking”. EVERY DEVICE and “Encryption Program” has a government-mandated ‘Backdoor’ to Hack it- and a lot of those ‘backdoor hacks’ are in the public domain, for anyone to find and use. Computers are Stupid – there’s No Such Thing as “Artificial Intelligence” and a Computer will Do whatever the F someone tells it to.

The ONLY effective way you can ‘safeguard your information on-line’ is to Not Put It Online in the First Place – “messages that aren’t Sent can’t be Intercepted”. Everyone using a “Smart Phone” or other Computer On-Line to do Business/Financial stuff is at Risk of “Hacking” and Theft.

p.s. this computer is a ‘throwaway’ that has no personal/financial data on it- connected to a wi-fi that isn’t “public” but the business that has it used the default password on its administrative function. no, that e-mail has no connection to me, and is on a russian server.

#### Winterborn71 · April 25, 2023 at 5:02 pm

Thanks Dive, Great article/write up per usual. Literally just finished a Sans.Org 401 network/system security class last week, and you summed up about 15 hours of class in one article and a picture.

Passphrase length, length and complexity, Surprise and fear, our chieft weapons are… Queue the Spanish Inquisition.

#### Steve · April 26, 2023 at 4:12 pm

For the record, the chart does not quite mean what it appears to mean. It’s not whether your password uses special characters, upper, etc. It’s whether the black hat assumes you do. If the black hat knows that you must use a password with numbers, upper and lower, and special characters, there’s no way he’s going to be able to crack the password “1” unless the hash function happens to be the same as something more involved than he’s testing. And he still hasn’t broken your password. He’s broken something that hashes to the same thing.

I’m still unconvinced that a random password is “better” than a memorized good one. The absolute greatest “random” password is worse than most things you can come up with if LastPass is managing things. Same for literally anything else. If the security at the hardware dongle company is breached, dongles can be enter the black hat world and you will never know until too late. But unlike with memorized passwords, they now have access to all your accounts, rather than just the one they guessed/hacked.

Though a black hat could do things with letter frequency, it’s going to be almost impossible for him to make something of you using some arbitrary book on your shelf to make a single “1-time pad” that you can memorize to use as a base password, and because of the way hashes work, site-specific salts make it unlikely that even if he cracks one password he cracks them all.

#### Divemedic · April 26, 2023 at 4:33 pm

A lot there to parse. Let me explain why you are so very mistaken.

It would only be true if the password cracker were trying every single password in order. That isn’t how cracking works. Modern cracking software looks at hashes for common passwords and their variations first, then begins with other combinations.

I don’t understand your claim that breaking a hash doesn’t give him the password. If I have a set of MD5 hashes that I have stolen from a company, every time I see the hash fc5e038d38a57032085441e7fe7010b0, I know that your password is ‘helloworld’. Why, because that hashing protocol will always return that result with that input.
The fact that lastpass was breached has nothing to do with the strength of passwords.
For hardware keys: If Yubikey for example were to be breached, the black hat would still need to simultaneously compromise your password. It’s called MFA, not using the dongle as the only method of account security. Anyone who hasn’t stolen both will still find themselves with only part of the puzzle.
Your “one time pad” idea actually gives you fewer combinations than a random password. It has the same flaw as the “diceware” example from above.

#### Steve · April 26, 2023 at 9:27 pm

Sorry. I edited out too much trying to be brief.

My point in the “difficulty” in breaking the password “1” in a system which requires 12 alphanumeric characters+symbol is exactly that “1” does NOT meet those requirements, since it does not have upper, lower or a symbol. If he knew all passwords have those characteristics, “1” would “unbreakable” unless there is a valid password string that just happens to hash to whatever “1” hashes to. It’s not that he got your password. He just got a password that also fits the lock.

You maximize the combinations by allowing each position to be anything within the acceptable character set. For argument, say a 12 character password comprised of 26 allowed specials, 26 lowers, 26 uppers, 10 numbers. That’s 88 possibles in 12 positions, or 88^12 combinations. Permutations, really. If you say one of them must be a number, you reduce the number of combinations to 88^11*10. By imposing that rule, you make it easier to crack a good password, because the software can skip anything which does not have at least 1 number. Same with each such restriction on what comprises a valid password.

“Your “one time pad” idea actually gives you fewer combinations than a random password. It has the same flaw as the “diceware” example from above.”

Yes there are fewer combinations (again, permutations), but it does not matter UNLESS he knows you are doing that. On average, he is going to have to crunch through half the total possibilities, including all the upper, lower, numbers and specials, not half the possibilities of your subset unless he knows you are using a subset. It also assumes the “one time pad” uses only the characters on the page, not a transformation of those characters. If, for example, you set the rule to shift whatever the 3rd character is up to the number row, and whatever the 8th character is to the symbol on the top row, plus whatever other rules you apply, you get most of what you could get with full random, so long as only you know your transforms.

However, you are correct in that at this point, anyone who used any of the above rules would be easier to crack. You need to make your own transforms and keep them to yourself.

An example of a salt that hides the base password would be hashing the site name || username || favorite number and just appending the 4th-9th digits of the MD5. You never have to remember it — just copy/paste the URL into your hasher and copy/paste whatever part of that you use as salt. Again, don’t use exactly that. I ruined it for everyone by posting it.

I get that is not as convenient as having a password file but I really doubt the password file is more secure, even with MFA. There is simply no digital copy anywhere in the entire world of your password. It exists only in your head, albeit what you memorized was a formula for obtaining that password, not the password itself. In practice, in fairly short order you will be typing it without thinking about it anyway. Insert salt where needed, go.

#### Divemedic · April 27, 2023 at 6:15 am

You’re still thinking like a human and not a machine. Anything not random is, by definition, more easy to solve than anything that is random.
A password wallet isn’t less secure because the passwords are in it. The hackers don’t need your password. All they need is the hash. The key is whether or not the hash for your password (or an easy variant) is present in their library of hashes.
The reason why password wallets are so attractive is that they only need to solve the hash for one single password in order to gain access to hundreds of them.
Your example of “salting” isn’t exactly how salting works, but I get your idea. I still don’t recommend it. Not random enough.