
Password Security

There are four ways of cracking a password.

  1. Guess the password
  2. Brute Force the password
  3. Go around the password authentication
  4. Trick the password from the owner

If your password is easy to guess, it is a weak password. Examples of weak passwords: password, 1234, your own name, a birthday. Many things use a four-digit PIN. When guessing one, the best place to start is the years between 1950 and 2005, followed by 1930-1949 and 2006-2024: the years that matter to the owner, such as birth years and anniversaries.

Brute force is when you try all possible passwords. Back in the days of the TRS-80, there was a password on some part of the operating system. I wrote a simple brute force cracker for it.

Once it was running, my host and I got ready to go to dinner. Before we got out the door, the program stopped.

I assumed the program had failed. It turned out that the password was so weak, three or four characters long, that it took only a few minutes to try every password up to that length.

Going around a password is sometimes easier than it should be. People don’t bother to log out. When I was visiting my father, I sat down at his computer. It was unlocked. I was able to “be” him if I had wished. I didn’t have to bother with a password.

There is an entire industry devoted to tricking people into handing over their passwords. It is so widespread that it has its own name: “phishing”.

And anybody can get caught in the net. I was caught just once. My wife’s school was phished, hard. The entire school got an email that looked legitimate from an administrator for the district. Her account then automatically sent it to me because I was in her address book.

I opened it because it was from my wife. It had a good subject line. It looked legit.

It didn’t do anything to me because I run Linux, but it caused a great deal of damage to the school district.

Besides phishing, there is looking for the passwords that people have written down.

Again, using my father, the password for my mother’s computer was written on a PostIt note stuck to the inside of her laptop.

There is no need to guess, force or phish when the password is just given to you.

The Balancing Act

There is a built-in tension: the harder a password is to guess, the harder it tends to be to remember. If your password is “happyfaces” it might be easy to remember, but it is also easy to guess.

On the other hand, “wynt>Otchib5” is difficult to remember and difficult to guess. The password generator I used offered “wynt-GREATER_THAN-Otch-ib-FIVE” as a way to pronounce and remember it. Still, it isn’t going to stick.

When passwords get too difficult to remember, people write them down. You would be amazed at the number of personal and business computers that have a file named “passwords”.

The other thing that happens is that people remember one “good” password, then use it over and over again. If that one password ever leaks from any single site, the bad hat gets access to everything: attackers routinely take credentials dumped from one breach and try them against every other service (credential stuffing), and a reused password makes that trivial.

Many people think they will be tricky and use character substitution. Instead of “password” they write “p@55w0rd”, and think they are clever. They aren’t. Cracking tools ship with rule sets that apply exactly those substitutions to every word in their dictionary, so “p@55w0rd” falls in the same pass as “password”.

There is a scene in Schindler’s List where they have just cleared the ghetto. Now they are searching for hidden Jews. The Germans come in, and they know where to look. They are experts at finding people. They’ve done this before. They know all the hiding places.

If you think you have found something clever that will make your password “unguessable”, you are mistaken.

Long Passwords Are Better(?)

Let’s assume that you are going to use a password that can’t be guessed easily. This leaves the brute force method.

This is a matter of mathematics. With a symbol set of S characters and a length of L, there are S^L possible passwords. The larger the symbol set, the better; but length is the exponent, so longer passwords are better still.

Consider a four-digit PIN: there are 10^4 = 10,000 possible PINs. As a password, that sucks.

But if we increase the symbol set to digits and lowercase letters, we get a slightly better result: 36^4 = 1,679,616. Still not strong.

But let’s say you go all out and use every printable ASCII character. ASCII has 128 code points, of which 95 (codes 32 through 126, counting the space) are printable. That gives 95^4 = 81,450,625 four-character passwords. Which still sucks, but it is getting better.

Now, let’s just make the password longer, call it 8 characters, at which point we get 95^8 = 6,634,204,312,890,625, about 2^52.6. That is out of reach for anyone guessing through a login form, but it is not out of reach offline: against a fast, unsalted hash, a GPU rig trying 10^11 guesses per second exhausts the whole space in under a day. Whether it counts as strong depends on how the site stores it. Unfortunately, it is also nearly impossible to remember.

My default is 12 characters: 95^12 is about 5.4 × 10^23, roughly 79 bits, which holds up even against an offline attack.

Creating Strong Passwords You Can Remember

When we go back to that original statement, “The larger the symbol set, the better.” What if I told you that there is a symbol set of approximately 100,000 symbols, that you already know?

That symbol set is the set of all common English words.

What we would like is a number near 6 quadrillion. With a symbol set of 100,000 words, 3 words give you 100,000^3 = 1 quadrillion, and four words give you 100,000^4 = 10^20, a hundred quintillion. The figure 118,495,929,354,657,605,136 is exactly 104,334^4: four words drawn from a list of 104,334 entries.

This doesn’t consider word separators or case. Here is one such random password: “farm particularly wild refer”. If you replace the spaces with other characters, or capitalize some letters, you get even better results, but only if those choices are themselves random. Capitalizing the first letter of every word, which is what everyone does, adds nothing, because the cracker tries that too; flipping a coin for each word adds one bit per word.
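The arithmetic in the brute-force section and in the word-list figures just above, worked through as an added example (my code, not the author's). It computes the keyspaces the text quotes and adds what the text leaves out: the entropy in bits and how long exhaustive search takes at three guess rates. Those rates (10/s for a rate-limited login form, 10^5/s for an offline attack on a slow password hash, 10^11/s for an offline attack on a fast unsalted hash) are round-number assumptions for illustration, not measurements of any system.

```python
"""Added example: keyspace, entropy and worst-case crack time.

Not the author's code. GUESS_RATES are illustrative assumptions, not measurements.
"""
import math

# Assumed guesses per second for three attacker positions.
GUESS_RATES = {
    "online, rate-limited login form": 10.0,
    "offline, slow KDF (bcrypt/Argon2)": 1e5,
    "offline, fast unsalted hash on GPUs": 1e11,
}


def keyspace(symbols: int, length: int) -> int:
    """Distinct passwords of exactly `length` symbols, each chosen uniformly from
    an alphabet of `symbols`. Exact integer arithmetic; Python ints do not overflow."""
    if symbols < 2 or length < 1:
        raise ValueError("need an alphabet of at least 2 symbols and length >= 1")
    return symbols ** length


def entropy_bits(symbols: int, length: int) -> float:
    """log2 of the keyspace: the bits a uniformly random choice carries."""
    return length * math.log2(symbols)


def worst_case_seconds(symbols: int, length: int, guesses_per_second: float) -> float:
    """Time to try every password; on average the attacker needs half of this."""
    return keyspace(symbols, length) / guesses_per_second


def human_time(seconds: float) -> str:
    """Coarse, human-readable duration."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.1f} seconds"


def report(label: str, symbols: int, length: int) -> dict:
    """Keyspace, entropy and worst-case crack time for each attacker position."""
    times = {name: human_time(worst_case_seconds(symbols, length, rate))
             for name, rate in GUESS_RATES.items()}
    return {"label": label, "keyspace": keyspace(symbols, length),
            "bits": round(entropy_bits(symbols, length), 1), "worst_case": times}


# The cases from the text, plus 12 printable ASCII characters (the author's default)
# and four words from the 104,334-word list that the text's exact figure implies.
CASES = [
    ("4-digit PIN", 10, 4),
    ("4 alphanumerics (a-z, 0-9)", 36, 4),
    ("4 printable ASCII", 95, 4),
    ("8 printable ASCII", 95, 8),
    ("12 printable ASCII", 95, 12),
    ("3 words, 100,000-word list", 100_000, 3),
    ("4 words, 104,334-word list", 104_334, 4),
]

if __name__ == "__main__":
    for label, symbols, length in CASES:
        r = report(label, symbols, length)
        print(f"{r['label']:<30} {r['keyspace']:>27,}  {r['bits']:>5} bits")
        for name, t in r["worst_case"].items():
            print(f"{'':<30}   {name:<38} {t}")
```

The table it prints is the whole argument of this section in one place: the 8-character password that looks huge as a 16-digit integer is 18 hours of GPU time against a fast unsalted hash, while four random words from a large list (about 66 bits) or 12 printable characters (about 79 bits) stay out of reach at every rate shown.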

So what’s the problem? The issue is that it doesn’t look like a strong password to a password checker. Many sites will look at that long passphrase and reject it because it has no digits or special characters.

For me, a programmer, it is easy to put together a simple program: take the string above, feed it to sha256sum to get 256 bits of random-looking output, and keep the bytes that are printable characters. For the passphrase above I get “dLuxo8x’H54MBd”.

Now I have a good password I can remember, which can be used to generate a password the rest of the world will accept as strong. Note what the hash does and does not do: it adds length and symbol variety, but no entropy. The derived password is exactly as strong as the passphrase behind it, and the same passphrase always yields the same derived password, so one passphrase should not serve several sites without mixing in something site-specific.
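The derivation described above, as an added example (mine, not the author's program). `derive_printable` does what the text says: SHA-256 the passphrase and keep the printable bytes of the raw digest. The `site` tag, `derive_fixed_length` and `derived_is_usable` are my additions, not part of the text's method; they address the two failure modes a practitioner hits with the bare technique: one passphrase reused everywhere yields one derived password everywhere, and filtering the digest gives a variable-length result that can come out short or lacking a character class.

```python
"""Added example: derive a site-acceptable password from a memorable passphrase.

Not the author's program. `site`, derive_fixed_length and derived_is_usable
are additions to the text's method, which hashes the passphrase alone.
"""
import base64
import hashlib


def _digest(passphrase: str, site: str = "") -> bytes:
    """SHA-256 of the passphrase. A non-empty `site` tag is mixed in so the same
    passphrase yields unrelated passwords per site (my extension). A NUL byte
    separates the fields so "ab"+"c" and "a"+"bc" cannot collide. No trailing
    newline is added: `echo "x" | sha256sum` would hash "x\\n" instead."""
    if site:
        material = (site + "\x00" + passphrase).encode("utf-8")
    else:
        material = passphrase.encode("utf-8")
    return hashlib.sha256(material).digest()


def derive_printable(passphrase: str, site: str = "") -> str:
    """The text's method: keep the bytes of the raw 32-byte digest that are
    printable, non-space ASCII (0x21..0x7E). About 94/256 of the bytes survive,
    so the result averages roughly 12 characters and its length varies."""
    kept = bytes(b for b in _digest(passphrase, site) if 0x21 <= b <= 0x7E)
    return kept.decode("ascii")


def derive_fixed_length(passphrase: str, site: str = "", length: int = 16) -> str:
    """Variant that uses every digest byte: base64 the digest and truncate.
    Length is fixed and every character is in A-Za-z0-9+/ ."""
    if not 8 <= length <= 43:  # 32 bytes -> 43 base64 chars before '=' padding
        raise ValueError("length must be between 8 and 43")
    return base64.b64encode(_digest(passphrase, site)).decode("ascii")[:length]


def derived_is_usable(pw: str, min_len: int = 12) -> bool:
    """Check a derived password against a typical policy (length and three of
    four character classes) before using it; the printable-filter method can
    produce a short or all-letters result, in which case fall back to
    derive_fixed_length."""
    classes = (any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw))
    return len(pw) >= min_len and sum(classes) >= 3


if __name__ == "__main__":
    phrase = "farm particularly wild refer"  # the text's example passphrase
    for site in ("", "example.com", "bank.example"):
        pw = derive_printable(phrase, site)
        print(f"{site or '(no site tag)':<14} {pw!r:<36} usable={derived_is_usable(pw)} "
              f"fixed={derive_fixed_length(phrase, site)}")
```

Two things to check before trusting a derived password: that the hash input is exactly the string you think it is (`echo` appends a newline, so `echo "phrase" | sha256sum` and `printf '%s' "phrase" | sha256sum` differ), and that the derivation added no strength: the result is worth exactly the entropy of the passphrase, about 66 bits for four random words from a 100,000-word list, however random the output looks.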

Password Managers

Password managers are supposed to fix much of this. They exist to store your passwords in a “secure” form, which you can then extract when needed. In addition, they will generate strong passwords for you to use.

I, personally, use four password managers and have used a fifth.

The first, which most people are aware of, is the password manager built into your browser. I use Firefox and Chrome, so those are two password managers. My Linux system has another password manager built in. Finally, I use “Keeper” and have used “LastPass”.

I love Keeper, I pay for the version I use, but there might be a free version. For me, it is worth it. One of the reasons it is worth it to me, is that with the paid version I can share access to password folders or individual passwords.

I never liked LastPass but I can’t say why. I do know they were breached in 2022. The attackers took copies of customer vault backups. The vault contents were encrypted with a key derived from each user’s master password, but some fields, notably the site URLs, were stored in plaintext, and vaults protected by a weak master password or a low, legacy PBKDF2 iteration count could be cracked offline at the attacker’s leisure.

Keeper stores all passwords encrypted, and only you have the decryption key. Thus, if they were to lose everything, they would not expose your passwords. That is the same claim LastPass made; what separates the two is the detail: which fields are left unencrypted, how slow the key derivation is, and above all how strong your master password is. Stolen ciphertext is only as safe as the password that unlocks it.

The browser managers are there because I was using them before Keeper. I’m slowly phasing them out.

I’m also looking into a self-hosted version of a password manager. I have not decided on which one, if any, I will try.

Chicken and Egg

The problem with all password managers is that they have a single point of failure: the master password that unlocks the manager.

Which takes us back to “long passwords work better”. Generate a random four-word passphrase. I used the xkcd Password Generator, but you can do it with a physical dictionary, provided the selection is genuinely random: roll dice to pick the page and the entry (the Diceware approach) rather than letting your eye land on a word, because the words people “randomly” pick are far from uniform.

Memorize those four words. That is your master password.

Make the move to a good password manager. Choose one whose vault is encrypted on your own device with a key derived from your master password, so that neither the vendor nor anyone who compels or compromises the vendor can read it.
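An added example (not the author's code and not the xkcd generator) of generating the four-word master passphrase recommended here, with the entropy accounting from the word-list section, including the point about capitalization: it counts only when a coin decides it. `secrets` does the choosing, so the entropy claimed is the entropy delivered. `WORDS` is a constructed twenty-word list so the file runs offline, and the entropy it reports for that list is correspondingly tiny; for real use, load a large list with `load_wordlist` (assumed one word per line, as in /usr/share/dict/words).

```python
"""Added example: CSPRNG-chosen word passphrases and their entropy.

Not the author's code. WORDS is a constructed sample, far too small for real use.
"""
import math
import secrets

WORDS = [  # constructed sample list
    "farm", "particularly", "wild", "refer", "harbor", "lantern", "pebble",
    "quiet", "violet", "anchor", "marble", "thunder", "saddle", "comet",
    "orbit", "meadow", "timber", "glacier", "ember", "puzzle",
]


def load_wordlist(path: str, min_len: int = 3, max_len: int = 12) -> list:
    """Read a one-word-per-line file (e.g. /usr/share/dict/words), keeping only
    lowercase alphabetic words of sane length, deduplicated. Possessives and
    proper nouns are dropped, so the list is smaller than the raw line count."""
    seen = set()
    words = []
    with open(path, encoding="utf-8", errors="ignore") as f:
        for line in f:
            w = line.strip()
            if w.isalpha() and w.islower() and min_len <= len(w) <= max_len and w not in seen:
                seen.add(w)
                words.append(w)
    return words


def passphrase_entropy_bits(vocab_size: int, n_words: int, random_case: bool = False) -> float:
    """Entropy of n words drawn uniformly, with replacement, from vocab_size.
    Deciding each word's capitalization by coin flip adds exactly 1 bit per word;
    capitalizing every first letter deterministically adds 0."""
    bits = n_words * math.log2(vocab_size)
    return bits + n_words if random_case else bits


def generate_passphrase(words, n_words: int = 4, sep: str = " ", random_case: bool = False) -> str:
    """Pick n words with secrets.choice (a CSPRNG). Human selection from a
    dictionary page is not uniform and delivers less than the count suggests;
    dice or a CSPRNG is the honest source. Repeats are allowed, which is what
    the entropy formula assumes."""
    if len(words) < 2 or n_words < 1:
        raise ValueError("need a word list of at least 2 words and n_words >= 1")
    chosen = []
    for _ in range(n_words):
        w = secrets.choice(words)
        if random_case and secrets.randbits(1):  # one honest bit per word
            w = w[:1].upper() + w[1:]
        chosen.append(w)
    return sep.join(chosen)


if __name__ == "__main__":
    for case in (False, True):
        p = generate_passphrase(WORDS, 4, random_case=case)
        bits = passphrase_entropy_bits(len(WORDS), 4, case)
        print(f"{p!r}: {bits:.1f} bits from this {len(WORDS)}-word list")
    print(f"same draw from a 100,000-word list: {passphrase_entropy_bits(100_000, 4):.1f} bits")
    print(f"with coin-flip capitalization:       {passphrase_entropy_bits(100_000, 4, True):.1f} bits")
    print(f"four Diceware words (7,776 list):    {passphrase_entropy_bits(7776, 4):.1f} bits")
```

The entropy figure is a property of the process, not of the string: the same four words picked by eye from a page are worth less than the formula says, and the list size that matters is the size of the list after filtering, not the raw line count of the dictionary file.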

Two Factor Authentication

I need to look at my articles to see if one already exists, if it doesn’t, I’ll write something up.

7 thoughts on “Password Security/Password Managers”
  1. “This is a matter of mathematics. The larger the symbol set, the better. Longer passwords are better.”

    Indeed. Which is why it bugs me when I see a site or policy requiring the use of special characters, upper and lower case, “to ensure security.” It winds up reducing the number of possible passwords.

    Re password managers, we use 1Password, with the caveat that it’s an old version, from before AgileBits went to a subscription model and mandated use of their own servers for online storage. One of these days I really need to look at getting us onto KeePass. At this point I want a model that is flexible, scalable, and public domain.

    Re 2FA, it always sounds like a great idea to me, but then it seems to run into the reality of having to deal with multiple tokens for multiple places. Parts of the work network are being switched to 2FA, and the joke is that it’s an employment guarantee for the IT folks, since it’s much more of A PITA and people get themselves locked out at a much higher rate.

  2. I am under the impression that LastPass does not store unencrypted credentials… the credentials in unencrypted form are only on your local device.
    So when they were compromised there was only encrypted information hacked.
    I’ll have to go back and see what actually happened…

    1. The fallout from the LastPass hack continues, apparently:
      https://www.tomsguide.com/computing/password-managers/millions-stolen-from-lastpass-users-in-massive-hack-attack-what-you-need-to-know

      One thing about using any service that aggregates many users’ critical information (e.g. passwords) in one place, is that it’s a much bigger target than an individual. Why hack Boris, for instance, to get access to one bank account, when hacking Boris’s bank gets you access to thousands if not millions of accounts? This is one reason I didn’t go to 1Password’s subscription model.

      1. Technology makes people stupid. They give up privacy for convenience. Having anything “online” makes it easier to steal. If humans “make it secure”, humans can unsecure it. Notice how we are being forced to do everything “online”? Notice how it’s very difficult to actually talk to a real human when trying to solve a business issue? We DO live in interesting times.

  3. Way back in the long long ago, when I was up on this stuff, I remember saying the easiest way to guess someone’s password was to look under the keyboard. I actually demonstrated that once or twice to people that refused to believe anyone could be that stupid. I tried two/three random desks, and dammit, at least one person had the password on a sticky note under the keyboard.

    I had come up with a good password scheme that I could remember several years ago. It used a similar “base” password with application specific variations built into it. For example, I could use the year and make of my car, with special characters built in specific for that website I was using. So, 74Chevy$Zon might be my password for my Amazon account. (It isn’t so do not waste time trying it.) But, for my bank, it would change to 74Chevy$Chcking.
    And, after using that for a few years, I realized that all my passwords were too similar, and if someone figured it out for one site, it would not be difficult to figure it for all of them. Hack into Yahoo, and you can get into pretty much everything else I have.

    Thanks for the recommendations for password managers. I was thinking of looking into them, and I now have an incentive.

    1. I think one could make this a general principle: the best passwords have nothing at all to do with one’s self, or the site they’re used for.

  4. Somewhere in the past few years there was an interview in the WSJ with the guy at NIST who invented the commonly used password rules. He admitted that they were basically pulled out of thin air, without any science or data behind them. And that in retrospect a lot of the rules are either not helpful or actually harmful.

    On ways to break in, there’s another one that’s seen from time to time: back doors. There have been documented cases over the decades of software vendors creating products with “hidden” back doors in them. I remember a storage server product (not ours, not our company) that did this. It’s amazing people would be so stupid… I made it an absolute rule that there are no fixed passwords ever; that includes “there is no default” — software installation comes with a required step of choosing the first password.
