What are doomed passwords?

Thu, Feb 3, 2022 4-minute read

Choosing a secure and memorable password is difficult. Take the password Idspispopd1! as an example. It is on the verge of being unmemorable, but it fulfills a lot of the criteria for strong passwords:

  1. Should be eight or more characters
  2. Should not contain common dictionary words
  3. Should not contain specific words such as the service itself

In fact, it has been found that the primary characteristic of a strong password is its length [1]. With 12 characters, the provided password is well above the recommended minimum length of 8. It is also not a common word found in dictionaries. And for the vast majority of cases, it is not part of the name of the service itself. So what seems to be the problem, officer?

Passwords are doomed

On a cold December day in 1993, a video game was released. Within the first two years, an estimated 15-20 million people had entered the world of Doom [2]. For a good percentage of those people, the codes iddqd, idkfa, and idspispopd are well known. They enable God mode, provide all available weapons, and give the possibility to walk through walls, respectively. This knowledge is enough to make some people use the cheat codes in their passwords.

People are predictable. Most people don’t think they are. But we are creatures of habit. We have been told that passwords should contain a capital letter, a number, and a special character. We have been told that over and over and over. So to comply with this policy, we create our own rules: the first letter in the password should be capital, and the password should end with 1!. And why do we do that? Otherwise, our passwords are not memorable while still complying with the old-fashioned policy.

About 20 million played a video game around 30 years ago. Out of those players, eight have used the rules above on one of the cheat codes [3]. They thought they were clever and used the password Idspispopd1!. We know this because they have also been part of known leaked data breaches. And why is this information important?

[Image: Doomguy, DOOM’s protagonist. Source: doomwiki.org]

Entering the mind of a hacker

There are 603×10^76 possible passwords of length 8-12 consisting of a-z, A-Z, 0-9, and any of the 13 special characters found on the row with numbers on a keyboard. That is the number 603 followed by 76 zeros [4]. If I were a hacker and wanted to systematically guess a password, where would I start? Should I start at aaaaaaaa, then aaaaaaab, until I reach !!!!!!!!!!!!? It sounds simple enough. How long could it take? If the password is stored using one of the configurations recommended by the Open Web Application Security Project (OWASP) [5], then I can do 3,613.81 checks per second [6]. At that rate, an exhaustive search like this will take 10^57 times the age of the universe [7].

That is clearly not feasible. Instead, I will leverage the fact that people are predictable. This predictability means that people are likely to choose a password that another person is also using. Since the breaches are known, I can grab a list of 847,223,402 unique passwords that have been part of known leaked data breaches [8]. Starting with those known passwords, it would take me at most three days to check if your password is one of them.

What if you really like the password? Couldn’t you just find a variant that hasn’t been leaked? As an example, Idspispopd!1 is not (yet) part of any known leaks. The answer to both questions is: “No”. The next step for the hacker is to use a tool that will systematically iterate through common variations of the leaked passwords [9]. The non-leaked variant will be one of the next passwords that will be checked.

What can you do as an individual?

A secure password should not be guessable in days, weeks, or a few years. Technology keeps evolving. What takes a few weeks now may take a few days soon. Choose long passwords that are not yet known to the public. Using a password manager ensures that you only have to remember one long password. The password manager will generate and securely store all other passwords. In addition: use two-factor authentication (2FA) everywhere you can.

What can you do as an authentication provider?

Secure your application by helping your users to choose secure passwords. Do you check if your users' passwords have been part of breached corpora? If not, then check out the free, easily pluggable, and ready-to-use JavaScript module. It integrates with the haveibeenpwned.com password API.

References