What is a strong password anyway?

red LED signage

Background

Fellow Microsoft MVP Troy Hunt (blog | Twitter) has been operating the website Have I Been Pwned (HIBP) for a number of years now. For the record, “pwned” is pronounced like “owned” but with a “p” in front of it. Don’t use the term in public unless you’re in a room full of information security (infosec) people, or you will have to spend ten minutes explaining yourself.

The word “pwned” is an intentional corruption of the word “owned.” If you have been pwned, it means that something under your control has been compromised. HIBP informs you if your email address and password for a particular system have been made public. Considering that over 9 billion (with a “b”) accounts are currently listed on that website, chances are good that the password you use for everything has also been compromised.

Stop using tricks to come up with new passwords

I know you. You’ve got a special formula for generating a password. You take the first four characters of your parents’ names, do an XOR on that, then add the current year. Then you add on two characters for the website you’re on, and then add on two random characters. That’s ten characters and it’s easy enough to remember while being complex enough to avoid a brute-force attack. Your mistake is trusting that the information you’re securing with that password uses the very latest in password technology.

Here’s a little thought experiment. Even if we use the very latest Windows 10 build, and we’re not joined to a domain (or we’re joined to a domain that doesn’t enforce Kerberos authentication for reasons of backward compatibility), our passwords are encrypted using NTLM. Commence screaming.

NT LAN Manager was invented before a lot of us reading this were born. It forces the password to uppercase, and then pads the password with NULLs to a length of 14 characters if it isn’t long enough (if it’s longer than 14 characters, it is effectively truncated to 14). Then, it breaks the password up into chunks of seven characters each (56-bits) and performs a one-way mathematical function on each segment to hash it, using the MD4 or MD5 algorithm, depending on the version of NTLM. This hash is not salted. The two segments are then stuck together and stored on the hard drive, and in memory if you’re accessing the network.

If I have physical access to your computer or can analyze your network traffic, I can read that hash. Do you ever “just quickly” use your work laptop on a public Wi-Fi network without a VPN? Don’t do that.

Both MD4 and MD5 were deprecated a long time ago for many reasons, one of which being that they suffer from hash collisions. This means that I can generate the same hash value for completely different strings. While other hashing algorithms also suffer from collisions, this problem is far more severe in a shorter key space. In other words, you don’t need to know the original password because a collision can be generated in milliseconds. On modern hardware, it is almost faster to generate an NTLM collision than it is to look up the value in a rainbow table (a list of key-value pairs containing all the possible hashes for all the possible passwords).

What this thought experiment demonstrates is that the illusion of security is destroyed by poor password management, both at the client and the server. Unless your domain administrator has enforced Kerberos on your network, this is how your computer’s main account password is being stored. And many of us think we can save our other passwords in a text file on the desktop. If you reuse passwords anywhere, you can bet that an attacker will find out sooner rather than later. This is called credential stuffing, where your email address and cracked password for one system are used on a bunch of others to see what works. It’s how high-profile attacks take place even if the target system uses state of the art security.

Luckily, like Kerberos, SQL Server is a bit more serious about password security than NTLM.

SQL Server passwords

According to Microsoft Docs, passwords can be “the weakest link in a server security deployment.” This is because people reuse passwords all the time. And people reuse passwords all the time because they’re difficult to remember.

A strong password, according to Microsoft

Using the previous Microsoft Docs reference, here is what is considered a strong password for SQL Server:

  • Is at least 8 characters long
  • Combines letters, numbers, and symbol characters within the password
  • Is not found in a dictionary
  • Is not the name of a command
  • Is not the name of a person
  • Is not the name of a pet
  • Is not the name of a user
  • Is not the name of a computer
  • Is changed regularly
  • Is significantly different from previous passwords
  • Is not a combination of the name of a pet and the year you were born

That is, frankly, a long list of things to remember what a password should not be, and security people are tired of explaining this to everyone. I added a couple of items to see if you were reading closely, because often when we see lists like this, our eyes glaze over.

A strong password, according to Randolph

My two three rules for a strong password are as follows:

  • Is at least fifteen (15) characters long, and preferably 20 or more
  • Is significantly different from any other password
  • Should not be known

How do we manage these passwords?

Not knowing a password makes it a lot easier to manage it, because you free your mind to remember the two passwords that matter. The first password is your Active Directory account that logs you into your Windows machine, which is protected by Kerberos authentication. This password should be more than 8 characters long (and preferably longer), but it is one you need to memorize.

The second password is for your password management tool. I use 1Password, and my personal vault passphrase is 27 characters long, because it is a complete sentence with punctuation and some random string thrown on the end. It’s going to take several years for someone to crack that password. By the time I’m dead, it won’t matter because all the passwords I’m storing will have been changed ten times over.

Use a password manager for everything: personal, work, social. Systems like SQL Server have a modern hashing and salting algorithm that can store passwords up to 128 characters in length. Password managers do this as well. It makes sense to generate your passwords using a password manager and store them in a password vault. There’s nothing stopping you from also storing important passwords physically in a fireproof safe.

Stop memorizing passwords. You don’t need to do that anymore. If you know more than two or three passwords, you’re doing it wrong. And please stop reusing passwords, because it limits the damage caused by credential stuffing.

Share your thoughts in the comments below.

Photo by Matthew Brodeur on Unsplash.

9 thoughts on “What is a strong password anyway?

  • Great advice. I randomly generate my passwords from a list of ~13,000 words, add numbers, and special characters, and use unique ones for *each and every* login I own – average length is around 18 to 20 characters.. I like passwords that consist of compound words since I can easily manually enter them on air-gapped machines, or machines I don’t own And, I use Two Factor Authentication, or 2FA, where possible. I use KeePass, with an OTP plugin which allows me to duplicate my 2FA tokens on my PC and my phone.

    Having said all that, I have a bank account where the mandatory password length is 6 characters, FFS. No more, and no less, and they don’t support a 2nd factor. My cell provider thinks texting me a 2nd factor is a good idea, which is downright asinine considering several of my friends have had their SIMs hijacked recently, and texting the 2nd factor to them clearly does not help.

    • Good point on MFA, although that’s not really supported on Windows logins for example.

      On the bank account thing, six characters is an odd call. They may limit you to three login attempts, which definitely reduces the risk, but six is too short.

    • Thanks for your comment. You’ll note in your link that it says password managers are a good thing. Everything we do carries risks. Using a password manager is far less risky than password reuse.

  • “If I have physical access to your computer or can analyze your network traffic, I can read that hash. Do you ever “just quickly” use your work laptop on a public Wi-Fi network without a VPN? Don’t do that.”
    Physical access, yeah you could get the hash, but only if the computer is not encrypted. You’re not going to get the hash from sniffing someone browsing reddit on public wifi.

  • That’s cool, but you’re way overstating the ease of capturing a hash. 3 of the methods are for *file shares* and the other one pops up a super suspicious log-in prompt on *HTTP*. This is all a step beyond “if I can analyze your network traffic”.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: