Early in 2009, Americans were surprised to discover that several famous Twitter accounts were compromised, including President Obama's and Britney Spears'. Even more surprising was the simple trick used to gain access to these accounts: a simple password-guessing scheme. Like so many other emerging social networking sites, Twitter failed to provide even the simplest password-protection techniques, such as locking an account and resetting the session if multiple incorrect passwords are entered.
In this article, I'll refresh your knowledge about passwords and show you how to use them better. After reading this article, you'll know at least a little more about password safety:
- What constitutes basic password protections
- The mathematics behind password-guessing schemes—so you can choose more effective passwords
- How to apply what you've learned about passwords—and avoid becoming a chump member of some unsecured website
We're still discussing passwords in 2009?! A decade ago, I thought by now we'd all be using fingerprints, digital certificates, or retinal scans of some kind. Instead, we're still primarily using passwords, a secret combination of keyboard characters that uniquely identifies the user as that specific person. (At least, that's the theory behind passwords.)
Password-guessing scripts became common years ago. These scripts would attempt to log in, using a known ID and a word from a dictionary file as a potential password, tirelessly and patiently trying one word after another. Given enough time, these scripts could guess any dictionary-based password. As an initial response, people began substituting punctuation characters for letters. The word "password" became "p@$$w0rd"—because that's not a dictionary word, right? Soon, vast dictionaries of "script kiddie" passwords were available for download. As a secondary response, operating system and application vendors began increasing the length of acceptable passwords. For reasons we'll consider later, the old system of eight uppercase characters for passwords was too limiting. Additionally, some vendors decided to implement a system that would lock the account after too many incorrect guesses, thereby rendering it useless to an attacker. Is this enough? Well, taken all together, here was the protection system:
- Longer passwords
- More complex passwords
- Account lockout after too many incorrect guesses
These controls made passwords reasonably secure. Initially.
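As an added example (not code from the article), here is a Python sketch of the lockout control described above: an in-memory account store that counts consecutive wrong guesses per account, locks the account for a period, and refuses even a correct password while locked. The store, the PBKDF2 parameters and the thresholds are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import time

MAX_FAILURES = 5            # consecutive bad guesses before the account is locked
LOCKOUT_SECONDS = 15 * 60   # how long a locked account refuses all logins
PBKDF2_ROUNDS = 50_000      # work factor for the stored hash (assumed value)

def _hash(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2-HMAC-SHA256 stands in for whatever the site actually stores.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

class AccountStore:
    """Hypothetical in-memory user store with per-account lockout."""
    def __init__(self):
        self.accounts = {}  # username -> {"salt", "hash", "failures", "locked_until"}
        self._dummy_salt = os.urandom(16)

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[username] = {"salt": salt, "hash": _hash(password, salt),
                                   "failures": 0, "locked_until": 0.0}

    def login(self, username: str, password: str, now=None) -> str:
        """Return "ok", "bad_password" or "locked"; `now` is injectable for tests."""
        now = time.time() if now is None else now
        rec = self.accounts.get(username)
        if rec is None:
            # Unknown names get the same answer and similar delay as a wrong
            # password, so the response does not reveal which accounts exist.
            _hash(password, self._dummy_salt)
            return "bad_password"
        if now < rec["locked_until"]:
            return "locked"  # refused even if this guess happens to be correct
        if hmac.compare_digest(_hash(password, rec["salt"]), rec["hash"]):
            rec["failures"] = 0  # a good login clears the failure streak
            return "ok"
        rec["failures"] += 1
        if rec["failures"] >= MAX_FAILURES:
            rec["failures"] = 0
            rec["locked_until"] = now + LOCKOUT_SECONDS
        return "bad_password"

if __name__ == "__main__":
    store = AccountStore()
    store.register("alice", "correct horse battery")
    for _ in range(MAX_FAILURES):
        print(store.login("alice", "p@$$w0rd"))           # bad_password, five times
    print(store.login("alice", "correct horse battery"))  # locked
```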