2016-10-24

Better, Easier, Safer Passwords

Most of our passwords are flawed and not secure.  This article describes a better way and includes a scheme to help you remember all of your passwords.  It was originally published in 08/2011 and most recently revised in 2023.02.




We have all been told to make passwords 8 or 10 characters long and to use a mixture of upper- and lower-case letters, numbers, and a special character.  This is not good enough.  With simple software and a standard PC, brute-force attacks can now easily crack passwords of this type.



I attended a security training class where the LinkedIn user database, leaked a few years earlier, was cracked in real time during the class.  Using a lowly, run-of-the-mill laptop, 300,000 real-world encrypted passwords were cracked in two minutes.

The passwords were not just simple words; they had numbers, mixed case, special characters, and substituted characters.  Given another couple of hours, our instructor could have cracked an additional 200,000 passwords, with an 80 to 90% success rate.

The passwords had one thing in common: most were 8 to 10 characters long.  The ones that were not cracked (yet) were longer.


"Through 20 years of effort,
we have successfully trained everyone to use passwords that are hard for humans to remember,
but easy for computers to guess." -xkcd.com


This interesting Ars Technica article discusses the techniques now in use:

Article:
Anatomy of a hack: How crackers ransack passwords like “qeadzcwrsfxv1331” 
Link:
http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords

Be sure to glance through the comments at the end of the article.



20 Years of Password Nonsense

Setting brute force aside, are there other ways to get a password?  Of course, and these are fun.  No matter how long or how complex, no password is safe if you give it away through social engineering (fake login pages).

Never, ever click a link from a vendor or bank's email that will take you to their site.  These are easily spoofed.  Instead, open your browser and go to the site yourself.

And passwords are hackable with this xkcd.com method:




More complex passwords:

This now-famous xkcd comic describes the benefit of a simpler password made of multiple words.  It has circled the Earth a million times, and although the idea is sound, it is less than perfect and does not scale to the dozens of accounts we need to log in to:


Having a multi-word password, with or without spaces, is better than using "password123", but it is prone to attacks using the methods discussed in the Ars Technica article.

But still, a 16 or 20-character password (a password phrase!) will slow them down.
Your passwords should now be this length.

And, in reality, passwords are seldom hacked -- they are leaked in data breaches.  Complex passwords escape as easily as simple ones.  This is why every site's password should be different.


Password Safes and Vaults.  Horrible Idea!

Since you should use a different password for each account, how many phrases (correcthorsebatterystaple) can you invent for all the places you need one?  You need help.

Password safes store your passwords in some other protected program or vault.  The trouble is that this doesn't work in real life: each time you need to log in somewhere, you have to unlock the safe, find the account, and type the ugly password.

In practice, this is too cumbersome and you won't use it.

A pattern or scheme (see below) and two-factor authentication are better solutions.  Both are described next.



Recommendations:

You may think your data is not that important.  I disagree.  In my case, they could adjust my house thermostat and cause my refrigerator to order more milk.  In all seriousness, with my credentials, they could get to my bank account or Amazon. All of my financial and tax records would be exposed.  I could imagine my address books and my cellular accounts are of interest.  All kinds of mayhem would ensue and the violation would take years to unwind.

With or without 2-step authentication, do these things for better password security:


1. Password length is king.

Longer passwords are better than hard-to-type passwords.

qeadzcwrsfxv (12 characters) is not nearly as secure as
catschasefrogs (14 characters): two more characters really help.



2.  Use a memorable password phrase (three or more words)

uSe mIxed case, where the first word is not capitalized.

catsChaseFrogs   (14 characters)

Why not capitalize the first word?  Everyone capitalizes that word.  Dare to be different.




3.  Make one of the words a non-dictionary word. 

catsChaseKrogs

Not that such an attack is likely, but this stops dictionary-combination attacks.  In any case, you have to agree this is easy to remember, even with the misspelling.

4.  Special characters or numbers.  

Everyone requires some stupid special character and number in their passwords.  This does not add much security, but since such nonsense is often required, make this part of your scheme.  


Special characters:  I like to use a hyphen or a period because they are easy to type and are as good a character as any.  Most people use an exclamation point! or pound#sign -- a good reason to use something else.

After practicing the password a few times, make sure the keystrokes are easy to reach, and in a good pattern.  Re-arrange punctuation, as needed, to make it typeable.

catsChase.Krogs-2aa  (19 characters, including special characters, numbers, and a nonsense "aa" at the end, just for the length.  You have to admit this is easy to remember and easy to type.)

I am not recommending numbers and special characters because they increase the password's entropy (complexity).  The real reason is that they are always required by password rules -- so you have to use them.  Since you must, adding special characters is an easy way to increase the length.
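To put numbers on points 1 through 4, here is an added example (not part of the original article) that sizes the search space an attacker faces for the passwords above: an exhaustive brute force over the character classes actually used, versus the dictionary-combination attack from the Ars Technica article that a three-word phrase is exposed to. The guess rate and wordlist size are constructed assumptions, chosen only to turn counts into rough times.

```python
import math
import string

# Constructed assumption: an offline cracking rig testing 10 billion guesses per
# second (hash and hardware dependent; used only to turn counts into rough times).
GUESSES_PER_SECOND = 10**10
# Constructed assumption: the attacker's wordlist holds 20,000 common words.
WORDLIST_SIZE = 20_000


def charset_size(password: str) -> int:
    """Size of the smallest standard character-class set covering the password."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += 32
    return size


def brute_force_guesses(password: str) -> int:
    """Worst-case guesses for an exhaustive search over the detected charset and length."""
    return charset_size(password) ** len(password)


def phrase_guesses(words: int, separators: int = 1) -> int:
    """Guesses for a dictionary-combination attack: every ordering of `words` list
    entries, each tried in lower, Capitalized and UPPER form, joined by one of
    `separators` joiners (1 means the words are simply run together)."""
    return (WORDLIST_SIZE * 3) ** words * separators ** max(words - 1, 0)


def bits(guesses: int) -> float:
    return math.log2(guesses)


def years_to_exhaust(guesses: int) -> float:
    return guesses / GUESSES_PER_SECOND / (365 * 24 * 3600)


if __name__ == "__main__":
    for pw in ["qeadzcwrsfxv", "catschasefrogs", "catsChaseFrogs", "catsChase.Krogs-2aa"]:
        g = brute_force_guesses(pw)
        print(f"{pw:22} len={len(pw):2} brute force {bits(g):5.1f} bits, {years_to_exhaust(g):.3g} years")
    # "catsChaseFrogs" is three wordlist words run together: far cheaper than brute force.
    g = phrase_guesses(3)
    print(f"3-word phrase via wordlist:   {bits(g):5.1f} bits, {years_to_exhaust(g):.3g} years")
```

The phrase model is why the misspelled "Krogs" in point 3 matters: once one word is not in any list, the attacker is pushed back toward the brute-force column.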
 



Here is the trick - A Scheme:

5. Use a different password for each site -- but use a scheme to remember. 

The reason:  If one password is compromised, you won't lose everything.   But all these different passwords are impossible to remember. 

Consider this trick: Use the same base password on each site/program -- catsChase.Krogs-2aa -- but add a prefix or suffix, making it unique.

For example, if your normal password were "aK9doggly.barks":

use "aK9doggly.barks-hm" for your Hot Mail account,
use "aK9doggly.barks-go" for your GOogle account, and
use "aK9doggly.barks-wf" for WellsFargo.

or, better, less obviously predictable:

"haK9doggly.barksm"
where "h-m" is Hot Mail (the first letter of each word of a two-word company name).

Notice how the base password reads as "a Canine doggly.barks" (a K9).  The 'a' stays because it is part of the base password.  The "h" for Hotmail is lower-cased because all my passwords start with a lower-case letter.  Why?  This is just the rule I made up for my own personal scheme.

or
"gaK9doggly.barkso"

where "g-o" (the letter o, not zero) is Google (for a one-word company name, I use its first two letters).


"aaK9doggly.barksm"

for "Amazon" -- another one-word company name.  Here there are two "a"s: one from "a Canine" in the original base password, and one for Amazon.  All fitting within the scheme.


"uK9doggly.barksb"

where "u-b" is "US Bank".


* Devise your own scheme, then use it everywhere; make it predictable for you.

If one company's password were compromised, say through a vendor breach, the hacker's automated programs would try that same password on every other website they can think of, and it would fail because each of your passwords is different!

A human might see through this, but humans don't look at these things -- they are automated -- and the programs won't know the scheme.
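The scheme above, written out as an added example (not code from the article): the two identifying letters are derived exactly by the stated rule (first letter of each word for a two-word name, first two letters for a one-word name), lower-cased, and wrapped around the base password as prefix and suffix. The rule is applied uniformly, so the base password stays intact for every site, and a final check shows why a credential leaked from one site is useless at the others.

```python
import re


def site_affix(company: str) -> tuple[str, str]:
    """Two letters identifying a company, per the article's rule:
    two-word names give the first letter of each word ("Hot Mail" -> h, m);
    one-word names give their first two letters ("Google" -> g, o)."""
    words = re.findall(r"[A-Za-z]+", company)
    if len(words) >= 2:
        first, second = words[0][0], words[1][0]
    elif len(words) == 1 and len(words[0]) >= 2:
        first, second = words[0][0], words[0][1]
    else:
        raise ValueError(f"cannot derive an affix from {company!r}")
    # The author's rule: every password starts with a lower-case letter.
    return first.lower(), second.lower()


def site_password(base: str, company: str) -> str:
    """Base password wrapped with the company's two letters as prefix and suffix."""
    prefix, suffix = site_affix(company)
    return f"{prefix}{base}{suffix}"


def reuse_exposure(base: str, leaked_site: str, other_sites: list[str]) -> list[str]:
    """Sites whose derived password equals the one leaked from `leaked_site`.
    Under this scheme the list is empty, which is what defeats automated
    credential stuffing: the leaked string is not valid anywhere else."""
    leaked = site_password(base, leaked_site)
    return [s for s in other_sites if site_password(base, s) == leaked]


if __name__ == "__main__":
    BASE = "aK9doggly.barks"  # the article's example base password
    for site in ["Hot Mail", "Google", "Amazon", "US Bank"]:
        print(f"{site:8} -> {site_password(BASE, site)}")
    print("reused at:", reuse_exposure(BASE, "Hot Mail", ["Google", "Amazon", "US Bank"]))
```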



6.  When available, use 2-step authentication. 

Especially on the important accounts (bank accounts, Amazon).  Make sure your phone is password-protected.  See below.








Dumb sites

For dumb sites, where you couldn't care less if they were hacked, such as registration sites, forums, etc., use a simpler password, and by all means use the same password on all unimportant sites.  I call this an expendable or junk password.  Do not bother using a password scheme.

For example: dumKats.2aa
I use this password on all of my junky sites.  If it doesn't work, then I try my password scheme -- between the two, this works 99% of the time.

With the scheme and the dumb password, I seldom need to look at a password vault.


Two-Factor / Multi-Factor Authentication

Longer passwords slow down hackers -- so much so that they give up trying to brute-force the password; they are after low-hanging fruit.  But if your vendor's database escapes in a hack -- and it has, and it will -- your passwords are at risk no matter how carefully you built your account.  Because of this, you must make each site's password different (see the "scheme" above).

An even better way to protect against a leaked password is to add another layer of security.

Consider "two-factor authentication."

For over a dozen years, I have been using Google's 2-step authentication (also called 2-factor, two-factor authentication, MFA, or multi-factor) for my Gmail.  Each time I log in, Google sends a text message to my phone (or, now, a prompt in a nifty app).  Then, in a secondary login screen, I type the transmitted random numeric code (or approve on the phone app).  Only then does my login succeed.  The code changes every minute and is unique to my account.  The crooks would need my user-id, password, and my phone to break in.


Even if they have my account and password, they can't login without my phone. 

Two-factor authentication is supported by all of the important sites (think money sites): Amazon, your bank, Google, etc.

If MFA (Multi-factor authentication) is offered, use it.

What if you lose your cell phone?  It is painful.  Without going into details, Google has a moderately secure alternate method for logging in.  See this article for full details on 2-step authentication.  See also this keyliner article:  Using Google Authenticator


Things that don't work:

Curse sites that require password changes every 90 days.

This goes against convention.  If you have to periodically change passwords, you will invariably pick a shorter password with a stupid numeric suffix.  Sites with longer passwords that do not expire (say 12 or more characters) are safer than sites with 8-character rotating passwords.  If a site requires longer passwords, it should not require rotation -- but many do.

Some forward-thinking companies are changing their stance: quit making people change passwords so often, but require longer passwords.  Length is king.


If your password was leaked in a breach and the vendor forced a password change, it will break your scheme.  You will probably have to write this one down, or better, build a second scheme -- one that you use when the first scheme fails.


Forced, non-changeable passwords

For example, I have an account with this password (that I am not allowed to change).
"1SanFran$1sc0D91" (16 characters).

Every time I need this stupid password, I have to look it up.  I hate this password.

Imagine this replacement, at 35 characters:  "sanFrancisco isa wonderful.city 9a"

This is a much more secure password, simply because of its length, and clearly better than the first.  The complexity in the other password is nonsense.

Special Characters Not Allowed:

Curse AT&T -- the phone company -- which does not allow some special characters, breaking my scheme.  Despite repeated requests to change their password policy, they continue to be stupid.  I had to write this password down.

Curse sites like BCBSA, which do not allow passwords longer than 12 characters.  They are idiots in this respect.  I have to write their password down too.  But these are rare events.


Conclusions:

Passwords need complexity, but don't go nuts.  Your best protection is a long password phrase with two-factor authentication.  In lieu of that, a scheme such as the one described above goes a long way toward making this manageable.


Related Articles:
Gmail Protection Steps
SMS Text Message: Your Gmail account has been hacked
Using Google Authenticator - a Google App
Google Documentation - 2 Step Authentication

