Online wallets, offline cold storage, exchange login credentials, email... our list of logins to essential services seems to grow longer every few months. At the same time authentication vulnerabilities and attacks proliferate, and the growing amount of computing power and human endevour dedicated to stealing online credentials is staggering. Realistically, it's not a case of if, but when - and the hour of it unknown. Here's how you can obscure the most critical information revealed by your stolen password - the formula to all your other passwords.
[dropcap size=small]T[/dropcap]his series of articles is an attempt to collate the small body of password security research and to present some form of "best practice". In the course of researching this topic, the writer found that there is no authority in this field and that research work (both academic and private) resorts to pseudo-science in order to quantify "stronger" and "weaker" passwords. A common saying is: "A password that can be memorized is weak by implication".
Dry humor has its place, however, the fact remains that every user requires at least one password. Even when using a password manager - as this series of articles will recommend at its conclusion - there is the need for at least one passphrase to secure all the others. This "One Ring" should be as secure as possible, whilst remaining usable enough for us to repeat, quickly and easily, every time we need to use a password. The aim of the series is to facilitate readers to devise a personalized passphrase creation scheme that allows generation of a core of strong passphrases using input methods available on the most commonly used devices, namely, computer keyboard and smartphone touchscreen.
Someone Stole My Password, Your Honor
So far, we've been progressing with the assumption that we want to prevent our password from being cracked by a remote attacker. However, it is increasingly likely that an application - such as a browser or email client - leaks your password as a result of an attacker exploiting a flawed third party library. Case in point: the OpenSSL Heartbleed Bug which allowed attackers (for almost two years) to casually snoop web browser authentication traffic. So remotely watching a login to, say Gmail, allowed an attacker to view both username and password as they're transferred between personal computer and Google server. This is "industry standard" HTTP session encryption that used to mean "you're secure if you see the green padlock". An attacker would intercept the user's carefully constructed combination password, and perhaps sifting through their Gmail account, find the email that Bob sent confirming payment of 10 BTC to the user's Blockchain.info wallet. The attacker can then set to work, looking for clues in the Gmail passphrase that may help determine the user's Blockchain.info passphrase. Keyloggers, trojans and malware available via Google Play and the Apple Store present other common channels of passphrase interception.
Look At It Like a Thief
In last week's article we considered the use of Motor Memory (MotoMem) strings as a means of effortlessly adding bulk and character variation to our passphrases. By way of demonstration a weak passphrase was strengthened with the aid of a MotoMem keyboard pattern.
Evaluating the resultng passphrase, several clues are obvious from the secret [email protected]#[email protected]#[email protected]#[email protected]#[email protected]#[email protected]#[email protected]#[email protected]#[email protected]#
1. 'pass7' is padded
2. the padding is self-similar - a simple repeating pattern
3. the underlying scheme that generated this secret will most likely vary '[email protected]#' or 'pass7'
A snooping attacker can easily deduce our passphrase creation scheme if they were to discover this secret. They could manually try a few combinations, but it would be easier to pass the challenge to a botnet with the rule set
<repeat 3 symbols> + <dictionary word (start with 'pass')> + <number> + <repeat 3 symbols>
A scheme that pads passwords with a repeating MotoMem pattern may complicate or rule out brute force discovery, yet, should one of the scheme's passphrases be intercepted, the discovery would actually assist an attacker in deducing the scheme's formula. The above example serves to illustrate why MotoMems should never repeat the same keyboard keys. Secondly, the short and weak password being used offers no challenge to a snooper.
In order to cover the dual liabilities of brute force cracking and password interception we need a more robust passphrase scheme and we should transpose the MotoMem pattern across the keyboard - move it around.
It's Not Allright But it's OK
The Person-Action-Object and Picture Story schemes, discussed in last week's article, allow for the creation of memorable passwords, but they're not robust. Their weakness of being dictionary-based can be circumvented by "bulking out" the password with varied symbol strings. However, as illustrated by the example above, presenting a snooper with any dictionary word(s) reveals much about the underlying scheme (in terms of demarcating components) and also says: "look for this part in the English dictionary"!
The specification that the user create random or associative stories requires that the mind "remembers" these fanciful creations. Considering the importance of passphrases in our daily lives, it seems a wasted opportunity to use random or imagined base data. More on that in Part Four.
In next week's article we will define a passphrase scheme that obscures dictionary content by distilling language sentences and words to anagrams and then encapsulates them in motor memory strings from password cracker's hell.