Passwords are back in the news again thanks to Mr Edward Snowden and a certain French media outlet. Ed cautions us to assume the big bad guys can make at least 1 Trillion guesses per second and even went as far as suggesting a secure example:
As for the French…there’s a few folk suggesting the reported ISIS takedown of TV5Monde may have been helped by videos. Not just any videos. Ones broadcast by the TV channel featuring passwords on post-it notes in the background.
Unbelievably they’re not the only ones to have done that. This ITGovernance article highlights 3 other embarrassing password reveals…less said about that the better me thinks.
Then there’s the overwhelming evidence that people just make poor password choices:
In SplashData’s list of 2014’s worst passwords, number one is 123456 and in second place is…you guessed it…password (yes REALLY!). The list was put together from the millions of passwords leaked last year and posted on hacker sites, where they inform the development of cracking tools.
The graphic is from Stanford’s IT Service department, giving user friendly advice on creating a passphrase. Some folk (like Snowden) will suggest including numbers, special characters and upper case letters, but that’s down to what you are setting a password for.
The same goes for businesses. They have to work out their user recall/complexity/support overhead equation – e.g. if no-one remembers them, that racks up one heck of a lot of lost productivity and helpdesk effort.
Whether you go Snowden or Stanford this represents a far better place to be (thanks to Al Berg – @alberg – and his Paranoid Prose blog for finding it).
Why does doing LOTS better make sense?
Because there’s an ever increasing amount of processing power available to crack passwords. Even complex ones (if they’re short) are vulnerable. We’re not just talking about pure brute force attacks, e.g. trying all available characters in every possible combination. There are shed loads of shortcuts that tools can leverage, even if you’re trying quite hard to be safe. Things like:
- Dictionary attacks – not quite as obvious as it sounds, but it is a digital list of words and other common character strings folk like to use. If in any doubt about how simple some people’s passwords are, do check out that SplashData list. You’d also be amazed how similarly people think when it comes to making up passwords (as this Psychology Today article shows). Unlike a pure brute force attack this focuses on the guesses most likely to get a result and will probably include stuff like:
- Common substitutions – did you think p@55w0rd was good enough? Nope. If it’s an easy substitution of a special character or number for you to remember, then it’s programmed into a cracking tool somewhere (just between you and me, the wireless password for a world famous institution was a very simple substitution password, but pointing that out didn’t prove very popular).
- Progression patterns – got a favourite password you recycle by adding 1 then 2 then 3 to the end of it when you have to change it? Not recommended. If anyone harvested that password from anywhere they’re probably wise to that trick.
- Keyboard patterns – here’s an imgur video of the 20 most common keyboard patterns used as passwords. This info was harvested from 10 million that were leaked. A really simple thing for a password cracker to add to their dictionary.
- Common ways around basic complexity rules – these are fairly standard (e.g. one uppercase, one numeric, one special character). Something else cracking systems are aware of and can use to cut down effort required to work passwords out.
How long is strong enough?
As an illustration of password strength, here’s a real-life Twitter exchange prompted by this cartoon. It led to some tongue in cheek password one-upmanship by a number of folk in the security trade (including moi).
The tweets in the exchange, in order:
- https://twitter.com/Jenny_Radcliffe/status/564180882786115584
- https://twitter.com/infosecmo/status/564181497314545665
- https://twitter.com/Jenny_Radcliffe/status/564194405381591040
- https://twitter.com/amisecured/status/564188179058941952
- https://twitter.com/DanRaywood/status/564189106096594944
- https://twitter.com/S_Clarke22/status/564190290932953088
- https://twitter.com/S_Clarke22/status/564196514692861952
In true girl guide style (according to Ms Radcliffe), I created a table showing what a common password testing app made of the strength of all those. It goes a fair way to underlining the point at the top and may surprise you. But, how much difference does an extra character or two really make? Have a look below and maybe test a password similar to (BUT NOT THE SAME AS) yours.
Going On The Offensive – Adding a very personal tip, you can always resort to abject smut to make your password more memorable. No-one should know, so what the heck. The only pitfall is if you’re an unconscious password mumbler (check out your colleagues mouthing what they’re typing in). Worth bearing in mind if it’s something relevant to folks who could be nearby, less than complimentary, or a tad…well…physically creative.
The maths behind all this
For those in the trade, this article by Johannes Webber (@webernetz) unpicks the maths foundations of the well known xkcd password cartoon.
He convincingly recommends aiming for 80 bits of entropy (he also shows best ways to up the number without pushing password limits too far). So we just have to keep everyone updated as the entropy/easy to access processing power equation evolves.
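To make the two numbers in this section concrete (Snowden’s 1 trillion guesses per second and Weber’s 80 bits), here is an added worked calculation of my own, not from Weber’s article: entropy of randomly chosen passwords and passphrases, the average time to crack them at that guess rate, and how many words or characters it takes to reach 80 bits. It assumes a 2048-word list (xkcd’s figure) and 95 printable ASCII characters; the “dictionary word plus substitution plus digit” line models a user-chosen password the way a cracking tool would, which is why it scores so low.

```python
"""Password entropy vs. a 10^12 guesses-per-second attacker. Added example."""
import math

GUESSES_PER_SECOND = 1e12          # the figure Snowden quotes
TARGET_BITS = 80                   # Weber's recommendation
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def charset_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a password drawn uniformly at random from an alphabet."""
    return length * math.log2(alphabet_size)


def wordlist_entropy_bits(words: int, list_size: int) -> float:
    """Entropy of a passphrase of random words from a list (xkcd: 4 from 2048)."""
    return words * math.log2(list_size)


def expected_crack_years(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Average time to hit: an attacker searches half the space on average."""
    return (2 ** bits / 2) / rate / SECONDS_PER_YEAR


def words_needed(target_bits: float, list_size: int) -> int:
    """Random words from `list_size` needed to reach `target_bits`."""
    return math.ceil(target_bits / math.log2(list_size))


def length_needed(target_bits: float, alphabet_size: int) -> int:
    """Random characters from `alphabet_size` needed to reach `target_bits`."""
    return math.ceil(target_bits / math.log2(alphabet_size))


if __name__ == "__main__":
    samples = [
        # Modelled the way a dictionary attack sees it: ~10^4 common words,
        # ~2^4 substitution variants, one trailing digit (assumed sizes).
        ("dictionary word + leet + digit", math.log2(10_000 * 16 * 10)),
        ("8 random printable ASCII chars", charset_entropy_bits(8, 95)),
        ("xkcd: 4 random words of 2048", wordlist_entropy_bits(4, 2048)),
        ("8 random words of 2048", wordlist_entropy_bits(8, 2048)),
    ]
    for label, bits in samples:
        yrs = expected_crack_years(bits)
        print(f"{label:34} {bits:5.1f} bits  ~{yrs:.2e} years at 1e12/s")
    print("words (2048 list) for 80 bits:", words_needed(TARGET_BITS, 2048))
    print("printable ASCII chars for 80 bits:", length_needed(TARGET_BITS, 95))
```

The takeaway matches the post: four random words (44 bits) fall in seconds at this rate, while eight words or 13 truly random characters clear the 80-bit bar.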
Do chuck in a comment if you have better/more to add.
Sensible choices and keeping passwords safe
Back to the de-geekified advice, it’s not all about choosing good passwords, I also recommend;
- Changing them – Ooooh this kicked off a debate on Twitter. A good friend of mine called out why changing them regularly is not always (or mostly) necessary. It culminated in this post I graciously shared. Very much worth reading (tis a bit techie, but then so’s Claus – the link in the tweet at https://twitter.com/S_Clarke22/status/589346251705081856 will take you there).
- Maybe Changing them – If your password is older, shorter and/or dumber than your kids…CHANGE IT! Stumped for a good long random passphrase? XKCD has a great passphrase generator (plump for as long a one as you can remember, or really go for it if you’ve got a password safe to remember it for you). Then change it again if you ever see news of a breach at a company you use, anything suspicious happens with your accounts, or (if like me you think it’s better to be super-safe than sorry) do it every now and then anyway.
- Using different ones for different sites/applications and remembering them – Try a password safe. One BIG password to protect all the others and a way to conjure up a new secure password and automatically store it when needed. Worried that puts all your eggs in one basket? Don’t be. If you follow rule 4 it’s far safer than re-using passwords on multiple websites or never changing them. Here’s a review of the top ten with links to buy and/or download.
- Taking advantage of 2 factor authentication (2fa) where available – Good guide from Life Hacker on setting up backup logon checks e.g. via your mobile, for commonly used sites. This protects you if someone hijacks then tries to lock you out of an account by changing your password for you. Won’t work unless they’ve nicked your phone too (you’ll get an alert or verification code to check it’s you making the changes).
- Not sharing them – Bleeding obvious? I know, but you’d be amazed how often folk do. Especially, if tales I’ve heard from some techies are true, directors with their PAs. I’m not going to say don’t write them down. Just treat any written or digital mention of a password like a sex tape that could cost you your career, marriage and/or custody of your kids if it was ever shared. Nuff said?
- Try not to get scammed – Even the most savvy internet user can get caught out by a determined conman, so do educate yourself about the latest email and telephone tricks being used to get you to share your password or information. It doesn’t take long for cyber criminals to piece together enough info to quickly guess (instead of taking the more effort intensive step of stealing or cracking) your password. There’s more on that in this post, ‘Phishers’ Delight’.
Don’t go too crazy!
This advice is about protecting your private and confidential data, but you also need to think about accounts that can impact how you get things done. Your online and offline computer, router, Wifi (and increasingly) TV, car and central heating control accounts. Access that could, if hacked, seriously disrupt or even financially/physically harm you. Then there’s the stuff that you willingly share, but still don’t want someone else to control…
…think hijacked Twitter, Facebook, Snapchat, Instagram, Webmail, or other accounts that contain information you don’t want messed with or deleted. Unique copies of things, or things that can hurt your image, confirm your whereabouts (especially if you’ve left an empty house) and perhaps, if added up, give someone a way to convince others that they’re you.
Rule of Thumb: Imagine everything from a given place going missing or being managed by someone malicious – what’s the fallout for your reputation, your career, your finances, your home safety, your kids and anyone else you care for? If the answer is “bugger all” then easy or reused passwords are not really a problem. Make a judgement call and don’t make life unnecessarily hard. Here’s useful perspective on that from Joseph Steinberg.
But what about biometrics?
Folk are saying passwords are dying (or dead) – aren’t biometrics taking over? There’s definitely some fun stuff happening on that front. Smartphones are already out there with fingerprint and retinal scanners. But how about your pulse as your password? Had a chuckle thinking about that – one passionate kiss on the doorstep and the door won’t open (that’s the PG version anyway 🙂 ).
This article looks at 5 biometric alternatives to passwords that might become more or less common, including your pulse, your ear shape and even your sense of humour. But even biometric tools are far from perfect. Remember the movies where someone gets their hand chopped off to get through a door with a scanner? Well, no need for such brutality when a 3D printer can produce an exact copy of a hand complete with unique fingerprints. To guard against that (and severed limbs/ownerless eyeballs) folk are having to put “liveness” tests in place (find out more in this Secure ID News article).
That’s ignoring any possible security holes in systems where master copies of biometric scans are stored. That’s down to us (security, IT and our company directors) to build systems securely, test them well and if they’ve got serious holes, fix them.
Regardless of what the future holds, passwords will be around for a long time, either by themselves or together with other ways to prove you are who you say you are.
Right now it does make sense to change any old, short or reused passwords. Here’s a good calm look at Heartbleed and its implications for your online security. Yes, that all kicked off a whole year ago, but many firms are still vulnerable. Advice in that first article is very user friendly and will be good to remember when the next theft of passwords hits the news.
So…if you do now head off to do some updating, have another look at that advice here. It really is workable.
When you’re not ALLOWED to set a good password
That’s sorted then! Unfortunately not quite. Due to old software design habits and inherent application/operating system limitations, you might not be allowed to set a good strong password. That password choosing frustration is pretty explicitly vented here: http://weknowmemes.com/wp-content/uploads/2014/01/creating-a-password-cabbage.jpg
If somewhere has daft password rules you’re not completely powerless – call it out. Perhaps add #DaftPword to the tweet or post, or tell me and I’ll shout about it for you. The tech community hate password laxness so you won’t be alone.