2016-10-24

Better, Easier, Safer Passwords

Most of our passwords are flawed and not secure.  This article describes a better way and includes a scheme to help you remember all of your passwords.  This article was originally published in 08/2011 and most recently revised in 2023.02.


We have all been told to make passwords eight characters long and to use a mixture of upper- and lower-case letters, numbers, and a special character.  This is not good enough.  With simple software and a standard PC, brute-force attacks can now easily crack these types of passwords.



I attended a security training class where the LinkedIn database that was leaked a few years ago was hacked, in real time, during the class.  Using a lowly, run-of-the-mill laptop, 300,000 real-world encrypted passwords were cracked in two minutes.

The passwords were not just simple words, they had numbers, mixed case, special and replaced characters.  Given another couple of hours, our instructor could have cracked an additional 200,000 passwords, with an 80 to 90% success rate. 

The passwords had one thing in common:  Most were 8 to 10 characters long.  The ones that were not cracked (yet), were longer.


"Through 20 years of effort,
we have successfully trained everyone to use passwords that are hard for humans to remember,
but easy for computers to guess." -xkcd.com


This interesting Ars Technica article discusses the techniques now being used:

Article:
Anatomy of a hack: How crackers ransack passwords like “qeadzcwrsfxv1331” 
Link:
http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords

Be sure to glance through the comments at the end of the article.



20 Years of Password Nonsense

Setting brute-force attacks aside, are there other ways to get a password?  Of course, and these are even more fun.  No matter how long, no matter how complex, no password is safe if you give it away through social engineering (fake login pages).

Never, ever click a link from a vendor or bank's email that will take you to their site.  These are easily spoofed.  Instead, open your browser and go to the site yourself.

And even passwords built with this xkcd.com method are hackable:

This now-famous xkcd comic describes the benefit of a simpler password made of multiple words.  It has circled the Earth about a million times, and although the idea is sound, it is less than perfect and does not work well with the dozens of accounts we need to log in to:


Having a multi-word password, with spaces or not, is better than using "password123", but it is prone to attacks using the methods discussed in the Ars Technica article.

But still, a 16- or 20-character password (a password phrase!) will slow them down.  Your passwords should now be this length.



Password Safes and Vaults.  Horrible Idea!

Since you should use a different password for each account, how many phrases (correcthorsebatterystaple) can you invent for all the places you need a password?  You need help.

Password Safes store your numerous passwords in some other protected program or vault.  The trouble is, this doesn't work in real life.  Each time you need to login somewhere, you have to unlock the safe, find the account, and type the ugly password.

In practice, this is too cumbersome and you won't use it.

A pattern or scheme (see below), or two-factor authentication, are better solutions.  Both are described next.



Recommendations:

You may think your data is not that important.  I disagree.  In my case, they could adjust my house thermostat and cause my refrigerator to order more milk.  In all seriousness, with my credentials, they could get to my bank account or Amazon. All of my financial and tax records would be exposed.  I could imagine my address books and my cellular accounts are of interest.  All kinds of mayhem would ensue and the violation would take years to unwind.

With or without 2-step authentication, do these things for better password security:


1. Password length is king.

Longer passwords are better than hard-to-type passwords.

qeadzcwrsfxv -- (12 characters) is not nearly as secure as
catschasefrogs -- (14 characters); two more characters really help



2.  Use a memorable password phrase (three or more words)

uSe mIxed case, where the first word is not capitalized.

catsChaseFrogs   (14 characters)


3.  Make one of the words a non-dictionary word. 

catsChaseKrogs



4.  Special characters or numbers.  Most sites require special characters and numbers in their passwords.  This does not add much security, but since such nonsense is often required, make this part of your scheme.


Special Characters:  I like to use a hyphen or a period because they are easy to type and are as good a character as any.  After practicing the password a few times, make sure the keystrokes are easy to reach and fall in a good pattern.  Re-arrange punctuation as needed.

cats-Chase.Krogs-2aa  (20 characters, including 2 hyphens and a period, yet easy to remember and type)

I am not recommending numbers and special characters because they increase the password's entropy (the pool of available characters).  The real reason is that most sites require them, so you have to use them.  Since you must, adding special characters is an easy way to increase the length.
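To put numbers on recommendations 1 through 4, here is a small keyspace calculator, added as an example and not part of the original article.  It scores the page's own sample passwords under two attack models: plain brute force over the character set, and a "combinator" attack that glues wordlist entries together (the Ars Technica-style attack mentioned above).  The guess rate and the 20,000-word list size are constructed assumptions.

```python
import math
import string

# Constructed assumption: an offline cracker trying 1e10 guesses per second
# against a fast, unsalted hash.  Real rates vary hugely with the algorithm.
GUESSES_PER_SECOND = 1e10
SECONDS_PER_YEAR = 365.25 * 24 * 3600

def charset_size(password: str) -> int:
    """Alphabet a brute-forcer must cover once it knows which character
    classes (lower, upper, digits, punctuation/space) the password uses."""
    classes = [(string.ascii_lowercase, 26), (string.ascii_uppercase, 26),
               (string.digits, 10), (string.punctuation + " ", 33)]
    return sum(n for chars, n in classes if any(c in chars for c in password))

def brute_force_bits(password: str) -> float:
    """Keyspace in bits for an exhaustive character-by-character search."""
    return len(password) * math.log2(charset_size(password))

def combinator_bits(num_words: int, wordlist_size: int,
                    unknown_chars: int = 0, alphabet: int = 26) -> float:
    """Keyspace in bits when the attacker concatenates wordlist entries
    instead (a 'combinator' attack).  A non-dictionary word cannot come from
    the list, so its letters are brute-forced: that is `unknown_chars`.
    Case variations are cheap rule tweaks for the attacker and are ignored."""
    return num_words * math.log2(wordlist_size) + unknown_chars * math.log2(alphabet)

def years_to_crack(bits: float) -> float:
    """Expected time to hit the password (half the keyspace, on average)."""
    return (2 ** bits / 2) / GUESSES_PER_SECOND / SECONDS_PER_YEAR

def compare() -> dict:
    """The page's own examples, each under the cheapest attack that fits it."""
    return {
        "qeadzcwrsfxv (brute force)": brute_force_bits("qeadzcwrsfxv"),
        "catschasefrogs (brute force)": brute_force_bits("catschasefrogs"),
        # three common words: a 20,000-word combinator list is far cheaper
        "catschasefrogs (3-word combinator)": combinator_bits(3, 20_000),
        # 'Krogs' is in no list: two list words plus five brute-forced letters
        "catsChaseKrogs (combinator + brute)": combinator_bits(2, 20_000, 5),
        "cats-Chase.Krogs-2aa (brute force)": brute_force_bits("cats-Chase.Krogs-2aa"),
    }

if __name__ == "__main__":
    for label, bits in compare().items():
        print(f"{label:40s} {bits:6.1f} bits  ~{years_to_crack(bits):.2e} years")
```

The output makes the article's point concrete: the three-word phrase drops from about 66 bits to about 43 under a combinator attack, and the made-up word "Krogs" buys back roughly nine of them.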

Here is the trick - A Scheme:


5. Use a different password for each site -- but use a scheme to remember. 

The reason:  If one password is compromised, you won't lose everything.  But all these different passwords are impossible to remember.  Consider this trick: use the same base password on each site/program, but add a prefix or suffix to make it unique.

For example:
If your normal password were "aK9doggly.barks":

use "aK9doggly.barks-hm" for your Hotmail account.
use "aK9doggly.barks-go" for your Google account.
use "aK9doggly.barks-ba" for your bank account (or "-wf" for Wells Fargo).

or better:
"hK9doggly.barksm"  where "h-m" is Hotmail (the first letter of each of the two words, one at the front and one at the end)

or
"gK9doggly.barkso"   where "g-o" (oh) is Google (when the name is one word, use its first two letters)

"uK9doggly.barksb"    where "u-b" is US Bank

Devise your own scheme, then use it everywhere; make it predictable for you.

If one password were compromised, say through a vendor breach, the hacker's automated programs would attempt that same password on every other website they can think of, and it would fail because each of your passwords is different.  A human might see through this, but humans don't look at these things -- they are automated -- and the programs won't know the scheme.


6.  When available, use 2-step authentication.  Especially on the important accounts.  Make sure your phone is password-protected.  See below.


Dumb sites

For dumb sites, where you couldn't care less if they were hacked, such as registration sites, forums, etc., use a simpler password and by all means use the same password on all unimportant sites.  I call this an expendable or junk password.  Do not bother using a password scheme.

For example: DumKats.2aa



Two-Factor Authentication

Longer passwords slow down hackers - so much so that they give up; they are after low-hanging fruit.  But if your vendor's database escapes in a hack, your password is at risk.  It helps if each site is different (see the "scheme" above).

An even better way to protect a leaked password is to add another layer of security. 

Consider "two-factor authentication."

I have been using Google's 2-step authentication (2-factor, two-factor authentication) for a dozen years on my Gmail account.  Each time I log in, Google sends a text message to my phone (or now uses a nifty app).  Then, in a secondary login screen, I type the transmitted random numeric code (or approve on the phone app).  Only then does my login succeed.  The code changes every minute and is unique to my account.  The crooks would need my user-id, password, and my phone to break in.


Even if they have my account and password, they can't login without my phone. 

Two-factor authentication is supported by most of your important (think money) sites: Amazon, your bank, Google, etc.

If 2-factor (2FA, also known as "multi-factor authentication") is available, use it.

What if you lose your cell phone?  It is painful.  Without going into details, Google has a moderately secure, alternate method for logging in. See this article for full details on the 2-step authentication. See also this keyliner article:  Using Google Authenticator


Things that don't work:

Curse sites that require password changes every 90 days.

This goes against convention.  If you have to change passwords periodically, you will invariably pick a shorter password with a stupid numeric suffix.  Sites with longer passwords that do not expire (say 12 or more characters) are safer than sites with 8-character rotating passwords.

Some forward-thinking companies are changing their stance here.  Quit making people change passwords so often, but require longer passwords.  Length is king.


Condemn passwords that are too hard to remember

For example, I have an account with this password (that I am not allowed to change).
"1SanFran$1sc0D91" (16 characters).

Every time I need this stupid password, I have to look it up.  This means I wrote it down.  I am tempted to print.  I hate this password.

Imagine this replacement, at 35 characters:  "sanFrancisco isa wonderful.city 9a"

- this is a much more secure password - just because of its length.  Clearly better than the first.  The complexities in the other password are nonsense.


Conclusions:

Passwords need complexity, but don't go nuts. Your best protection is a long password phrase with two-factor authentication.  In lieu of that, a scheme, such as the one described above, goes a long way to make this manageable.  


Related Articles:
Gmail Protection Steps
SMS Text Message: Your Gmail account has been hacked
Using Google Authenticator - a Google App
Google Documentation - 2 Step Authentication

