I have a confession to make. For over twenty years, I’ve been using the same password for most everything. And the worst part is, I thought I was being smart about it.
A long time ago (in the same galaxy but far, far away from where I am now), I was told to come up with a phrase that meant something to me, take the first letter of each word, swap a few letters for numbers, add a few special characters here and there and voila – password. It seemed almost too easy. For example:
“I went to the woods because I wished to live deliberately”
And twenty years ago, that became my password. (The phrase and the password in this blog have been changed to protect the author. I’m not about to make a billboard saying, “My name is David Ross and that’s my REAL password.” We’ve all seen how well that works out.)
Because of muscle memory, I got really good at typing that password. When I needed to change it, I would tweak it here and there so it was still easy to type from muscle memory.
ab!w2twb1w2%D … you get the idea
Pretty genius, huh? Each time I created a new account, I’d use a variation of that perfect password. My reasoning was !W2tWb1w2%D3 will take just as long as !W2tWb1w2%D2 to brute force and NONE of them are in a dictionary or even a rainbow table. How could this be a bad thing? Human nature is why it’s a bad thing.
It’s a bad thing because of an old rule in cryptography. A password is effectively a shared secret crypto key. Instead of using the key to encrypt messages, it’s used prove you are who you say you are. You know the key and the system you’re logging into knows the key. The system (hopefully) stores the key (password) as a hash. A hash is a one direction type of encryption. Hashed data cannot be unhashed and the same data will always generate the same hash. If an attacker breaks into a system, they can steal the hash but not the password (hopefully)so they need to guess what password generated the hash they have in front of them.
This is where the old crypt rule comes into play, “NEVER USE A PREDICTABLE SEQUENCE FOR YOUR KEY” or password in this case. Yes, !W2tWb1w2%D3 and !W2tWb1w2%D2 will take the same amount of time to guess separately but once I guess the first one, I can use human nature to predict what the second might be. That means the second or subsequent password permutations are orders of magnitude cheaper and faster to guess than the first one. The attacker now has a start point to begin trying permutations (The holy grail of crypto cracking).
Knowing that people tweak old passwords and the massive time savings involved, it’s well worth the attacker’s effort to pre-run permutations of previously cracked passwords into new rainbow tables.
Let’s say my old password was leaked in a breach (it was) so the attacker knows that I or someone uses !w2twb1w2%D1 as their password. That value is CERTAINLY going into his rainbow tables of guessed hashes so he can immediately crack it if he ever sees it in future stolen data.
The attacker also knows that people tweak old passwords to make new passwords. The next step is to generate rainbow tables on permutations of previously cracked passwords that people will probably do. Once they steal more hashed passwords from a new breach, they are milliseconds away from cracking any variations of that old password.
To make it worse consider this; the person’s username is of no consequence to the security of the password. A hash is a hash is a hash (unless it’s salted and the salt is protected but that’s another blog) If by chance someone is using the same password as you and theirs is stolen and cracked, you are just as vulnerable as if your own password has been stolen or cracked. If an attacker steals new data in a breach tomorrow, they are milliseconds away from knowing your password.
The advice given to me twenty years ago was good advice. I would follow it today with one addition. Never use the same origination phrase to make more than one password and only use that password at one site. Better advice is to download and start using one of the many password management tools available online. I’ve been using one for a few months now and have used the auto password generation feature to reset most all my accounts. Now, I only need to remember the password to my password management software and you can be SURE it’s not the old worn out one from twenty years ago.
Footnote: Rainbow tables are pre-computed hashes of possible passwords that you can compare against stolen hashed passwords. With the passwords pre-hashed, cracking becomes a search problem and not a (computationally expensive) hashing problem. Compute once, compare many.