Sunday, March 17, 2013

So you've got a strong password do you?


Really? I've got some advice for you and your strong passwords. This is easy. Don't use them if you can get away with it. Passwords have been the bane of InfoSec professionals for decades. I've had my GMail account hacked once or twice, and my friends and family have had their various emails hacked a couple of times. A lot of it comes down to human nature. We want a password that's easy to remember. . . mostly because we have so many damned passwords to remember. We all do it. We all try to make our passwords difficult to guess by someone who doesn't know us, but easy for us to remember.

For example, a user might make their password: Dynomite78!. This type of password generally fulfills most site requirements of a "strong" password. There are lower and upper-case letters, symbol(s), and numbers.

To make it even "stronger," they might use "leet speak," or replacing letters with numbers and symbols: Dyn0m1t378!. This type of password generally fulfills all of the requirements above, and in addition, makes it so the password is not based on a dictionary word, which is usually a requirement by systems that are more strict.

The sad truth is that the above passwords are trivial to guess when the bad guy has an unlimited number of attempts and a "dictionary" of millions of password combinations. There are also programs that the bad guys can use that mimic human nature in the event that their dictionary fails them. In the previous example, we have the password "Dynomite78!". When password requirements are levied on us, it again is human nature to try to find the easiest password to remember that fulfills the requirements. A word that starts with a capital letter, followed by 2 numbers, followed by a symbol -- easy to remember, but fulfills the requirements. So. . . hackers can use programs that allow them to customize formats to help crack passwords. It's just muscle memory for us to start a sentence or password with a capital letter, followed by some lower case letters. Add a couple of numbers, maybe your birth year or day, and a symbol, like "!" or "$." These programs that hackers use are easily customizable and can help re-create human nature and muscle memory. They can create an entire dictionary of possible passwords based on requirements using a specific format. For example, a mask like %U%l%l%l%l%l%l%l%n%n%s (one upper-case letter, seven lower-case letters, two digits, one symbol) would generate every password that has the shape of our first example above.
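To put a number on why the mask pattern is weak, here is an added example (not code from the post) that parses the %U/%l/%n/%s mask notation used above, counts how many passwords the mask can produce, compares that against every 11-character password drawn from the 95 printable ASCII characters, and checks whether a given password fits the mask, which is the kind of check a password-policy auditor would run to flag predictable shapes. The four class sizes (26, 26, 10 and the 32 ASCII punctuation characters for %s) are this example's assumptions.

```python
import math
import string

# Character classes for the mask notation the post uses: %U upper-case, %l lower-case,
# %n digit, %s symbol. Taking the 32 ASCII punctuation characters as the %s class is an
# assumption made for this example.
MASK_CLASSES = {
    "U": string.ascii_uppercase,
    "l": string.ascii_lowercase,
    "n": string.digits,
    "s": string.punctuation,
}


def parse_mask(mask):
    """Split a mask such as '%U%l%l%n%s' into its class letters.

    Raises ValueError if the mask contains anything other than the four known tokens.
    """
    if len(mask) % 2 != 0:
        raise ValueError("mask must be a sequence of two-character %X tokens")
    classes = []
    for i in range(0, len(mask), 2):
        token = mask[i:i + 2]
        if token[0] != "%" or token[1] not in MASK_CLASSES:
            raise ValueError(f"unknown mask token {token!r} at position {i}")
        classes.append(token[1])
    return classes


def mask_keyspace(mask):
    """Number of distinct passwords the mask can produce (product of the class sizes)."""
    space = 1
    for cls in parse_mask(mask):
        space *= len(MASK_CLASSES[cls])
    return space


def full_keyspace(length, alphabet_size=95):
    """Number of passwords of this length drawn from all 95 printable ASCII characters."""
    return alphabet_size ** length


def bits(keyspace):
    """Keyspace expressed as bits of entropy, the usual unit for comparing strength."""
    return math.log2(keyspace)


def char_class(ch):
    """Map one character to the mask class it belongs to, or None if it fits none."""
    for cls, chars in MASK_CLASSES.items():
        if ch in chars:
            return cls
    return None


def matches_mask(password, mask):
    """True if the password has exactly the shape the mask describes.

    A policy checker can use this to flag passwords that follow the predictable
    Capital-word-digits-symbol pattern even though they pass the usual complexity rules.
    """
    classes = parse_mask(mask)
    if len(password) != len(classes):
        return False
    return all(char_class(ch) == cls for ch, cls in zip(password, classes))


if __name__ == "__main__":
    mask = "%U%l%l%l%l%l%l%l%n%n%s"  # the mask from the post
    for pw in ("Dynomite78!", "Dyn0m1t378!"):
        print(f"{pw!r} fits mask: {matches_mask(pw, mask)}")
    m = mask_keyspace(mask)
    f = full_keyspace(len(parse_mask(mask)))
    print(f"mask keyspace: {m:.3g} ({bits(m):.1f} bits)")
    print(f"all 11-character printable-ASCII passwords: {f:.3g} ({bits(f):.1f} bits)")
    print(f"the mask covers only 1/{f // m:,} of the full 11-character space")
```

The mask yields roughly 49 bits, versus about 72 bits for an arbitrary 11-character password; the leet-speak variant "Dyn0m1t378!" does not fit this particular mask, but it fits an equally simple one with a few %n tokens swapped in, which is exactly the customization the post describes.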

The truth is most passwords are easy to crack, especially for online services that don't limit the number of login attempts. Unfortunately, most online services want to make it easy for users, so they don't limit the number of login attempts, allowing the bad guys to try as many times as they like to try to break into your account. Take a look at this site that lists the top 500 passwords. If your password is on it, stop reading and go change it now! I'll wait...

Is there a solution to this password dilemma? Not really, but there are ways we can make it harder for the bad guys. First; stop using passwords. Start using passphrases, AKA sentences. They can be song lyrics, or lines from a book or poem, or pretty much any number of different things.

For the sake of argument, let's say I created a passphrase from a famous song. I could tell you the song was written by Bob Dylan, and it still would be nearly impossible for you to guess my password: "I heard her say over my shoulder, we'll meet again someday on the avenue." That's a pretty strong passphrase. You could even make it more difficult by removing (or adding) punctuation or spacing, and maybe even modify the phrase slightly so that it's not "easily" guessable. This particular quote is two lines. What if we added a word or two from the previous and following lines: "awayiheardhersayovermyshoulderWellmeetagainsomedayontheavenue,Tangledup" I'd say that's a passphrase that is nearly impossible to crack, but easy to remember.

So, since we're not supposed to use the same passwords/phrases for more than one website, do we need to memorize dozens of lyrics or quotes? I'd say no, unless you've got a knack for remembering things like that.

My guess is that most people have two to four accounts that they use on a daily (or greater) basis, and the rest are accounts that we log into once or twice a month (or less). For the latter, my suggestion is create a password that even you can't remember, and use the "forgotten" password reset functionality built into almost all web sites.

If I create a 40-character password from this site using punctuation, it comes out something like this:

#!#?6N%u|l?h.P"3^".|_o%/c_O"Jx7G>G]_3i$=

There is no way in hell I'm ever going to remember this password, but there's also almost no way in hell a hacker is going to be able to guess this password, especially not using a simple dictionary. You have two choices at this point: You can write this password down, or you can just accept that you're never going to be able to remember this password, and next time you need to log on to a site with this password, you just use the "forgotten" password reset feature, and create another 40-character password.

The latter approach is similar to what folks in "the biz" refer to as a one-time password. A one-time password is exactly as it sounds. It's a password that's used once, and then is no longer valid. Technically the 40-character password is stored in your online account, is valid, and your account can be accessed if the username and password are correct. However, if every time you log on to a site that you very infrequently visit, and generate a new 40-character password, you're essentially mimicking a one-time password policy, and as long as your password is sufficiently "strong," it's one of the most secure ways to control access to your data. (Pro-tip: the aforementioned site can generate passwords from 5 to 100 characters with, or without punctuation. Use as many characters as your site will allow.)
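The generator site the post refers to is not reproduced here, so as an added example (not the site's or the post's code) here is a small generator that does the same job: 5 to 100 characters, punctuation optional, drawn from the operating system's cryptographic random source via Python's secrets module. It also computes the entropy of what it produces and how long exhausting that space would take at a given guess rate, which is the figure to keep in mind when picking "as many characters as your site will allow". The 5 to 100 limits and the guess rate in the demo are assumptions taken from the post's description and for illustration respectively.

```python
import math
import secrets
import string


def password_alphabet(punctuation=True):
    """Characters a generated password may contain; punctuation is optional, as on the
    generator site the post describes. 62 characters without it, 94 with it."""
    alphabet = string.ascii_letters + string.digits
    if punctuation:
        alphabet += string.punctuation
    return alphabet


def generate_password(length, punctuation=True):
    """Return a uniformly random password of the requested length.

    secrets.choice draws from the OS CSPRNG. random.choice is seeded predictably and
    must never be used for credentials. The 5..100 range mirrors the limits the post
    quotes for the generator site (an assumption of this example).
    """
    if not 5 <= length <= 100:
        raise ValueError("length must be between 5 and 100")
    alphabet = password_alphabet(punctuation)
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, punctuation=True):
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(len(password_alphabet(punctuation)))


def seconds_to_exhaust(length, guesses_per_second, punctuation=True):
    """Worst-case time for an attacker to try every password of this length at the
    given guess rate; use it to choose a length against a stated threat model."""
    return len(password_alphabet(punctuation)) ** length / guesses_per_second


if __name__ == "__main__":
    pw = generate_password(40)
    print(pw)
    print(f"{entropy_bits(40):.1f} bits with punctuation, "
          f"{entropy_bits(40, punctuation=False):.1f} bits without")
    print(f"for comparison, an 11-character random password is {entropy_bits(11):.1f} bits")
    # Constructed rate for illustration only: one billion guesses per second, far above
    # anything an unthrottled web login would sustain.
    years = seconds_to_exhaust(40, 1e9) / (365 * 24 * 3600)
    print(f"exhausting the 40-character space at 1e9 guesses/s: about {years:.2g} years")
```

A 40-character password over 94 symbols carries about 262 bits of entropy, so the "write it down or reset it every time" choice the post describes is purely about memorability; the guessing resistance is not the weak point.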

If you're too lazy to use the one-time password approach, I still suggest using the strong password generator to generate as strong a password as your particular online account will allow. And, much to the disappointment of security professionals everywhere, if you don't feel like keeping all of your passwords in an online service such as LastPass or an offline database like KeePass, I'd say write this password down in a "secure" location, meaning your house or other living establishment -- something only you should have access to. Keep a record of your passwords in something as simple as a Rolodex for easy access. After all, if your house is broken into, you're going to have bigger problems than trying to remember what your passwords are.

For additional security (and in case your house gets broken into and someone steals your Rolodex of passwords), it's good practice to keep a list of all of your online accounts in a safe place -- I'd recommend an actual safe or fire box if you have one. I would also recommend that you add a copy of this list to your will so that your loved ones are able to safely and effectively close out and 'delete' any of your online accounts should you come face to face with a pack of wild dogs. . . or zombies.