Quick answer: No!

It’s strong, but it’s not strong enough.

Everyone has a ton of passwords. They should be strong and unique for every site and service you use. Everyone knows this.

Note: The information and recommendations in this post are supported in detail by the KnowBe4 ebook, What Your Password Policy Should Be (What Your Password Policy Should Be E-Book | KnowBe4).

What Is a Strong Password?

But what does having a strong password really mean?

Well, it means resistance to most, if not all, password-guessing and password-hash-cracking attacks. There are many different types of attacks against passwords, but the only ones where the strength of your password matters are guessing and cracking attacks. If I can socially engineer you out of your password, which is what happens in 79% of credential theft instances (https://www.infosecurity-magazine.com/news/94-firms-hit-phishing-attacks-2023/), I do not care how strong it is. If I can use an unpatched vulnerability to bypass all your defenses and steal your password or password hash, I do not care how strong your password is. But for password guessing and cracking attacks, hackers very much care about how strong it is.


Password Strength Over Time

The answer has changed over time, especially as password attacks have improved.

Back when I started in computer security in 1987, it meant having a password at least six characters long. To be honest, we would just get excited if you used a password at all, or had one that was longer than 3 or 4 characters, or one that was not ‘password’.

My third book, published in November 2004 as a monthly serial ebook on password attacks and defenses for Windows & IT Pro magazine and called Keeping Your Business Safe From Attack: Passwords and Permissions, also discussed recommended password strength. It called for eight-character passwords with some complexity (e.g., uppercase characters, numbers, symbols, etc.) for most users. I also pointed out that if you used a 15-character or longer password, Windows would not store the weak LAN Manager (LM) hash of it, which was a great thing to do, especially for administrative accounts.

Much of the early password strength guidance was based on early National Institute of Standards and Technology (NIST) password recommendations, which Microsoft and other vendors followed as well.

Over time, because of the increasing speed of hacker password guessing and cracking technology, the minimum recommended length became 10 characters and then 12 characters. Today, most entities implementing a 12-character, complex password would pass most password audits.

But 12 characters with some complexity is not enough against today’s password hackers. Attackers with sufficient technology or funding can guess passwords online as fast as the target platform allows, and can test guesses against stolen password hashes at more than ten trillion per second.

Would your password withstand being guessed at over ten trillion times a second? Probably not.

Strong Passwords Today

In order to defeat password guessers and password hash crackers, a strong password today is one of three things:

1. Use multifactor authentication (MFA) instead of a password wherever you can. If you have to use a password, create and use either:

2. A 12-character or longer PERFECTLY RANDOM password, like r#3Yv&ZCAojrX, or

3. A 20-character or longer password with some complexity, if created by a human.

It is believed that a 12-character, truly random password defeats all known password guessing and cracking attacks. There could be a nation-state that could defeat a password of that strength, but it is not publicly known…and let’s just be realistic…if a nation-state is after you, they are going to get you one way or another. We are just trying to stop non-nation-state hackers.
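To put the numbers above side by side, here is an added Python example (my own illustration, not code from the post or from KnowBe4). It assumes the 94 printable ASCII characters as the alphabet and the ten-trillion-guesses-per-second rate quoted above, computes the keyspace, entropy and exhaustive-search time for several lengths, and generates a uniformly random password with the secrets module, which is the "perfectly random" kind the post recommends.

```python
import math
import secrets
import string

# Alphabet assumed for the arithmetic: the 94 printable ASCII characters
# (letters, digits and punctuation), i.e. a US keyboard without the space bar.
PRINTABLE = string.ascii_letters + string.digits + string.punctuation

# Offline hash-cracking rate quoted in the post: ten trillion guesses per second.
TEN_TRILLION_PER_SECOND = 10**13
SECONDS_PER_YEAR = 365 * 24 * 3600


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols drawn from `alphabet_size`."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy, in bits, of a password whose every character is chosen uniformly at random."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(alphabet_size: int, length: int,
                     rate: int = TEN_TRILLION_PER_SECOND) -> float:
    """Years needed to try every password in the keyspace at `rate` guesses per second.

    This is the worst case for the attacker; on average a hit comes after about
    half the keyspace has been tried.
    """
    return keyspace(alphabet_size, length) / rate / SECONDS_PER_YEAR


def generate_random_password(length: int = 12, alphabet: str = PRINTABLE) -> str:
    """Uniformly random password using the OS CSPRNG (secrets), never the random module."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    size = len(PRINTABLE)  # 94
    for n in (8, 12, 15, 20):
        print(f"{n:2d} random chars: {entropy_bits(size, n):6.1f} bits, "
              f"{years_to_exhaust(size, n):.3g} years to exhaust at 1e13 guesses/s")
    print("example random password:", generate_random_password(12))
```

The exhaustive-search figure is only meaningful when every character really is chosen uniformly at random: an 8-character random password falls in minutes at this rate, a 12-character one takes on the order of 1,500 years to exhaust, and a 15-character one more than a billion years. A human-chosen password of the same length is drawn from a far smaller effective space, so none of this arithmetic applies to it.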

Long, Complex Passwords Can Be Surprisingly Simple To Crack

This part of my post may be a bit of a shocker, but I am familiar with several password penetration testing teams who routinely break 18-character complex passwords. Passphrases like RogerLovesTaco$24 are routinely guessed and cracked.

It is 17 characters long and contains complexity. And, yes, passwords like that are guessed successfully all the time by non-nation-state hackers.

To be fair, it is usually the password hash that is being successfully guessed. The longest real-world password I am aware of being successfully guessed online, using only guesses against the application itself, is 10 characters. That attack is here: Home - World Today News. It required the defender to have such poor security that the attacker could make over 100,000 guesses a day for over a year, although I think this type of attack would succeed against the majority of companies around the world (i.e., the victim company was not an outlier).

The longer and more complex passwords I am aware of that have been “guessed” were successful cracks against stolen or otherwise obtained password hashes. Password hashes can be stolen in lots of ways, and many times it does not take local administrative access. I covered that here: Pay Attention and Be Prepared: Yet Another Remote Windows Hashing Attack.

As covered above, attackers can now routinely test more than ten trillion guesses a second against password hashes. It has been this way for years, and I still get blown away every time I re-read that fact. At that speed, very long and supposedly complex passwords, like RogerLovesTaco$24, can be successfully guessed in a short amount of time.

Now let me state that if you use a long and complex password, say 12 characters or longer, I am, in general, pretty happy that you do. But if you want a strong password that is truly resilient against known password guessing and cracking attacks, it has to be either truly random or not so easily guessable and crackable. I would prefer you use a truly random password. Those are the best and the most resilient to guessing and cracking. Everything else is a hedge made for convenience, or a policy that makes you less secure.

But password guessers know that most people’s passwords, even if complexity is required, often follow some basic rules. Not all passwords. Not all password creators. But most. And those rules entail that they will likely include one or more words from their default language. If required to use a capital letter in their password, they will usually put it as the first character, and that first character will typically not be a vowel. If they have multiple words in their password, if a capital letter is used in each word, it will usually be the first letter of the word. That capital letter will almost always be followed by a lowercase character, and usually, it will be a vowel (although not always).

If they use a number in their password, it will likely be one, two or three, and appear at the end. If they use multiple numbers, it will usually be a two- or four-digit date, and often it is the current year or the year of the person’s birth. People like to put sequential numbers in their password, such as 123, 123456, and 123456789.

If they use a symbol, it will usually be one of !@#$&, and it will be toward or at the end of the password. Even when users are allowed to use every character on a keyboard for their password (i.e., 89 to 101 characters are usually available), most people will use the same 19 characters. Some letters (e.g., Q and Z) will be underused, and others will be far more likely to appear (e.g., A, E, T, N, S, etc.). Basically, you can use Scrabble game scoring to figure out common letter frequency. When a passphrase is used, people like to mimic grammatically correct phrasing and sentence structure.

People love to include names, places, dates and sports (and sports teams) in their passwords. Users like to put the word password in their password. qwerty, Iloveyou and abc123 are not uncommon. The most common passwords used by people this year are nearly the exact same most common passwords used 20 years ago. They do not really change that much.

Much of the reason why a supposedly complex password (or passphrase) like RogerLovesTaco$24 gets successfully guessed is that it follows many of the most common rules for user-created passwords. It starts with an uppercase consonant. It is then followed by a lowercase vowel. It follows English grammar rules. It ends with a commonly used symbol and digits of the current year. In summary, it is fairly predictable when guessing trillions of times a second.
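As an added example (my own illustration, not the post’s or KnowBe4’s code), the following Python encodes the human password habits listed above as named checks and returns which ones a candidate follows, so a password policy can reject candidates that match several of them. The word list is a constructed stand-in for a real dictionary, and the check names and the threshold of one allowed match are assumptions of mine.

```python
import re
from typing import Dict, List

VOWELS = set("aeiou")
COMMON_SYMBOLS = set("!@#$&")  # the symbols the post says people reach for first
# Constructed stand-in for a real wordlist: a few terms the post itself mentions.
COMMON_WORDS = ("password", "love", "taco", "qwerty", "iloveyou", "abc123")


def predictability_flags(pw: str) -> List[str]:
    """Return the names of the human-habit rules from the post that `pw` follows.

    Each flag marks a pattern a rule-based guesser would try early, so every
    match shrinks the effective keyspace the password is really drawn from.
    """
    flags = []
    # Capital letter first, and that first letter is not a vowel.
    if pw[:1].isupper() and pw[0].lower() not in VOWELS:
        flags.append("starts_with_uppercase_consonant")
    # Capitalised-word shape: uppercase, then a lowercase vowel, then more lowercase.
    if re.search(r"[A-Z][aeiou][a-z]+", pw):
        flags.append("capitalised_word_vowel_second")
    # Digits at the very end of the password.
    if re.search(r"\d$", pw):
        flags.append("ends_with_digits")
    # A four-digit year anywhere (birth year or current year).
    if re.search(r"(?:19|20)\d{2}", pw):
        flags.append("contains_four_digit_year")
    # Sequential digits such as 123, 123456, 123456789.
    if "123" in pw:
        flags.append("sequential_digits")
    # One of the favourite symbols in the last three characters.
    if any(c in COMMON_SYMBOLS for c in pw[-3:]):
        flags.append("common_symbol_near_end")
    # A dictionary word from the (constructed) list, case-insensitive.
    low = pw.lower()
    if any(word in low for word in COMMON_WORDS):
        flags.append("contains_common_word")
    return flags


def looks_predictable(pw: str, max_flags: int = 1) -> bool:
    """Policy decision: reject when the password follows more than `max_flags` habits.

    A threshold, not a single match, is used because a genuinely random string
    can trip one rule by accident.
    """
    return len(predictability_flags(pw)) > max_flags


def assess(pw: str) -> Dict[str, object]:
    """Summary a password-policy tool could show the user."""
    flags = predictability_flags(pw)
    return {"length": len(pw), "flags": flags, "predictable": looks_predictable(pw)}


if __name__ == "__main__":
    for candidate in ("RogerLovesTaco$24", "RogerLoves$24Tacos", "r#3Yv&ZCAojrX"):
        print(candidate, assess(candidate))
```

Run on the post’s examples, RogerLovesTaco$24 trips five checks (uppercase consonant first, capitalised-word shape, trailing digits, a common symbol near the end, and common words), while the random r#3Yv&ZCAojrX trips only one, by chance (“Aoj” happens to have the shape of a capitalised word), which is why the verdict uses a threshold rather than any single match. Moving the digits into the middle, as in RogerLoves$24Tacos, clears two of the checks but leaves the dictionary-word shape in place.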

If you use a regular 8- to 12-character human-created password like most people do, that will stop the crooks who really don’t know how to attack passwords. Do you really want a password that is kinda strong, but really not?

Want a stronger password?

Use a randomly generated password, or one that does not follow the expected rules. I could simply put the numbers or the uppercase characters in the middle of the password and create a significantly harder-to-crack password. I could start with a lowercase vowel followed by an uppercase consonant and make it a lot harder to guess.

RogerLovesTaco$24, and other passwords like it, are not weak. They are not bad passwords. They are stronger than most. But if you want a truly strong and resilient password, break some of the rules.

35 Spice ups

As always great post

10 Spice ups

My name is Rodger, I love Tacos, I buy $24 worth of them daily, and I brag about it on T/w/i/t/t/e/r/ X all the time…

Great post, I think social engineering is way underestimated in password breaching. People like to think of themselves as special and unique, but the reality is we are far more predictable than we like to admit.

16 Spice ups

I’ve always wanted to set up a demonstration in a company meeting - ask employees to submit a password in advance that they don’t currently use but might pick if asked to think of a password. Then crack them in real time, in person, using dictionary attacks. I think the visual spectacle of that would really stick with people when used in conjunction with pushing for the use of a company password manager + the random passwords it generates. Never have had the free time or computing hardware to set that up…

13 Spice ups

Not any longer since you published it.

14 Spice ups

Great article with good info! Social engineering and non-technical means to bypass technical measures never cease to amaze me. Mr. Robot was big on portraying Facebook stalking or twitter/X browsing to find info for nefarious means. People who overshare make it too easy for attackers.

Happy World Password Day.

7 Spice ups

Love your posts and agree with everything, but here, as the term goes, you’re preaching to the choir…for the most part. There are some Admins that do need this reminder, but there are far more users and C level staff that let this breeze through without a care. I find that the hardest part with this is to translate all that you’re telling us into their language that they will accept and understand. I’ve worked in multiple places and can help many to understand why password strength is necessary, but even that can take months or years for some to :bulb: or for some it’s :candle:, but I digress.

I’ve been seeing a growing trend that several companies do not want a subscription model, but also want all the bells that come with that model forever. Although I can’t fault them for their dislike of money flowing for subscriptions, it gets more difficult when there are others that utilize “free” options that will allow for weak passwords for their password lockbox. Even explaining that the Password Managers in the browsers can be quickly downloaded and cracked without needing Admin Privileges is tough to translate in all the various corporate languages. Now having to add the training to make better passwords and/or use a Password Manager properly adds an even bigger task to the IT Staff, who are usually 1 person or 3 at most companies.

As an example, I’m currently working at a company that is a branch of a major corporation. I’ve asked for Phishing systems like KnowBe4, Curricula, etc. and the response was, “We had that before and it was a big flop so we canceled our subscription.” As I pressed for details it turned out the IT Staff that had it expected the software to just run itself because they didn’t have time to “deal” with it and had no plan for implementation or how to calculate ROI.

Knowing that some of us are up against this type of structure makes many in IT areas burn out quickly and get frustrated. It doesn’t mean we don’t want to fight this fight, it just means we may have to pick and choose which battle we fight until it no longer becomes a choice. I like @joebridgeman’s idea for a real time crack for submitted passwords. It would be interesting if this could be created as a VM Download that could be spun up, have a web interface for users to put in their passwords, and have a meeting or results test to show the speed at which the submitted passwords could be or are cracked. After the meeting the VM could be destroyed to ensure the passwords aren’t leaked to the internet or XKCD 792 could happen:

10 Spice ups

@roger-knowbe4 What’s your take on the newer passwordless authentication options?

4 Spice ups

That’s a great idea.

5 Spice ups

Here’s my reply: How Does Your Favorite Authentication Solution Rank Security-Wise?

5 Spice ups

When I argue for security education, I lead with this…70% - 90% of all successful breaches involved social engineering…social engineering that got around every other defense that every company threw in its way. Education is easily the most bang for your buck that you can get, but it needs to be done aggressively to be done right. Once a year compliance isn’t going to work. Love the XKCD cartoon.

7 Spice ups

The problem is people are bad at judging risk, really really bad. This is why casinos make boatloads of money, people lose their shirts playing around in the stock market, and people get run over crossing the street in spite of knowing that jumping out in front of a car is going to end badly.

Bean counters are no exception, they are great with ROI, tell them you are spending 10 dollars and it will pay back 2, they are fine, when you tell them there is risk, they think, well, ok maybe we only get 1 dollar.

The concept that not investing 10 dollars, might lose 100 dollars is just not generally on the radar, and when it is, the comforting answer is usually, well, we have insurance for risk…

The counting of beans has a column for how much we spent, how much we got, and how much we almost got. There is no column for How much we didn’t get screwed.

When you buy car insurance, do you think, wow, I just made a 100,000 dollars for the claim I won’t have to pay for the person I haven’t run over yet?

This is the education cliff, risk is real, it isn’t just about assets, reputational hits and lost customers aren’t covered by insurance, and insurance policies have requirements…

<rant//>

7 Spice ups

Agreed…but ransomware!!! There are so many recent, relevant examples of why you should fight hard to prevent social engineering. I’m amazed anyone has to argue with any C-level about the need. Don’t they watch television and read newspapers? Or is it, like you said, they don’t think it’s going to happen to them?

5 Spice ups

I’m going with the “it’ll never happen to us” mentality for the reason behind that one. It would go something like this: “Well, sure we’re about the same size as that company that got hit and we’re even in the same industry and market and have roughly the same profile on every other metric but our employees would surely never fall for something like that.”

4 Spice ups

RogerLoves$24Tacos is probably much stronger.

7 Spice ups

“…our employees would surely never fall for something like that.”

Because they certainly never did in the past. People view risk with hindsight. If you have never run over someone’s dog, you don’t think about dogs running out from behind cars. Once you do, you never think about it the same way again. But it’s a damn painful way to learn about risk.

5 Spice ups

Strangely…it is.

6 Spice ups

You really get what you pay for.

3 Spice ups

Professional: No, “RogerLovesTaco$24” is not a strong password.

Simple: Nope, “RogerLovesTaco$24” isn’t strong enough.

Professional: While it appears to be a combination of letters, numbers, and symbols, it lacks randomness and complexity. It contains a recognizable word (“Taco”) and a predictable pattern ($24). Strong passwords typically consist of a random mix of uppercase and lowercase letters, numbers, and symbols without any identifiable words or patterns.

Simple: It’s not strong because it’s kinda like using your name (“Roger”) and something common like “Taco,” plus adding numbers at the end in a predictable way. Strong passwords need more randomness and less predictability.

3 Spice ups

Well said and apparently I wrote way too much.

3 Spice ups