Security Think Tank: Use pass phrases and 2FA to beef up access control

In 2015 the National Cyber Security Centre (NCSC, then National Technical Authority for Information Assurance – CESG) issued password guidance that recommended moving away from complex passwords.

It was based on the research of users’ actual password strategies and the problems caused by complex passwords. However, three years later, the mandating of complex passwords is still common practice, with the risks of this approach seemingly unrecognised, or even ignored.

Any password strategy needs to ensure that there is a degree of entropy in the “code” (i.e. numerous combinations), making it difficult to guess or brute force attack by trying every possible combination.

The premise is that an eight-character password will be randomly created from a set of 26 lower case characters, 26 uppercase characters, 10 numbers and around 32 special characters. This gives a total of 94 character possibilities making over six quadrillion (6x10^15) combinations. Unfortunately, the reality is people don’t create random passwords.

When talking to users, I find that most people when asked to create an eight character complex password that they can remember, the vast majority will start with a dictionary word, while some will even use the name of someone in their family.

They will then probably capitalise the first letter, because this is the natural thing to do, with a special character and a number added to the end. Typically, people use something that makes sense to them – 1%, or @2. When asked to regularly change a password, users often simply increment the number! While this is anecdotal, so not scientifically tested, the approach is frighteningly common.

Attackers are aware of this and will prioritise their search algorithms to focus efforts on these techniques. If we say a dictionary word is used, we can assume that this gives no more than 20,000 combinations as that is the number of words typically available to a native English speaker.

The capitalisation of the first letter adds nothing, because it is predictable. The special character and number at the end is from a limited set of 32 characters and 10 numbers, or vice-versa. This reduces the options to 640 combinations. As a result, there are only about 12.8 million possible passwords, not the six quadrillion expected. This calculation confirms complex passwords are often half a billion times easier to crack than previously assumed.

It must also be remembered that attackers will exploit any popular strategy by adjusting their approach. When cracking passwords, they will first search for the most common passwords (handily these are regularly published on the web). Simple dictionary words, names and other common strategies, such as substituting numbers and special characters for letters in a word e.g. P@55w0rd, are then targeted. The result is that most passwords, based on the combinations discussed, will be cracked in fractions of a second.

If you must rely on passwords, the key principle is that they should be created at random from a large number of possible combinations without the predictability described above. However, people are not good with randomness, so increasing entropy by using more characters is usually a better option than trying to create short random character strings which are unlikely to be remembered so may be written down.

One approach is to use three unconnected words. This, in theory, can give eight trillion combinations, but only if one cannot be guessed from another. Another is to use a passphrase. This gives a much longer password, so increasing the number of possibilities. Don’t assume common short words add much except making it easier to remember, but including uncommon place names and foreign words should help, as this increases the attackers search space.

An example (that now published should never be used) is “There is a farmers market in Abergavenny on Tuesdays”. I would only count the four main words here and while there is some connection between “farmers”, “market”, “Abergavenny” and “Tuesdays”, this still gives a strong password. However, because there are language dependencies between the words (i.e. it makes sense) it is difficult to calculate the entropy of a pass phrase, but there are probably at least a trillion pass phrases based on a minimum of four main words.