We all know our default password like the back of our hands. Websites, email accounts, wallets – a mess of places and ideas – who can afford to think of a unique and secure password for each new login registration?
Note to readers: Part Two – Motor Memory Passphrases has been published.
Well, the level of vulnerability has just ticked up by two notches with the discovery of the OpenSSL Heartbleed Bug this April. A memory leak in the web’s most popular encryption protocol means that no-one can be sure that their usernames, passwords and data over the past 2 years has not been compromised, peeked at or stolen. Chats, emails, banking – anything you’ve done “securely” over the web in the past few years – even “anonymous” Tor surfing – cannot be guaranteed to have been private or secure.
Part 1 of his article takes a no-nonsense tour of the password landscape. We look at some bare facts about which passwords are most secure, as determined by ray-gun computer science. Discussion will weigh the security of a password versus brute force cracking attempts, since even the longest, strongest password can be stolen via key-logging and session snooping. In this sense no password is ultimately secure. However, we consider rational methods to ensure that your passwords meet a basic standard of security.
In Part 2, we will look at a passphrase creation scheme that takes advantage of our habitual nature, yet allows enough flexibility to ensure your chosen passwords best fit your personal way of remembering. Motor memory will be proposed as a key component.
Choosing a strong password requires that we know the characteristics of weak passwords. Here are six typical traits:
The consequences of succumbing to the above lazy-thinking habits are clear – and always negative. Passwords of such simplistic form are easy to guess and are the first an attacker will try when seeking entry to your account.
Here are three studies where passwords of the above types resulted in account hacking. The top 10 most popular passwords for each of RockYou.com, Yahoo!.com and LinkedIn.com are shown:
For whatever reason, the chart above does not include three of the common passwords in use, namely: “jesus“, “letmein” and “1111111” (that’s seven 1’s for good luck!)
Self-evident character patterns such as ‘abc123‘ and ‘qwerty‘ don’t constitute good secrets – precisely because they are obvious and, therefore, a popular choice: for users and anti-users alike!
It is also clear from the above examples that the term ‘password’ is deceptive. One word makes for a poor secret key. It can be guessed, and with the speed of modern computing the human vocabulary (or even dictionary) is a few minutes’ work. The use of a single linguistic unit as a secret, therefore, makes about as much sense as the proverbial house of straw – there is nothing there except for a false sense of security.
Variation and Length
Latter day security best practice recommends that you vary a password’s character case and include numbers and symbols. The chart below shows the effect of substituting an all-lowercase password with uppercase characters, numbers (#s) and symbols.
The time it takes a well-armed malevolent to crack a password is drastically increased as the password’s length and range of characters increases. Hence, “mypass” (6 characters) can be cracked in 10 minutes, whereas “MyP4$S” will take standard password cracking software about 18 days of non-stop effort to discover. Have a look:
Real password strength benefits start showing where an eight character length password includes numbers and symbols. To this, add just one extra symbol and your password will take 44,000 years to crack!
Great, so we know that passwords of 8 or more characters and consisting of a mixture of upper- and lowercase alphanumerics and symbols offer greater security. Where can I get one?
Creating secure passwords out of thin air sounds plausible, but in reality most people probably end up using a habitual “password formula” such as a word + a number + a symbol. Sound familiar?
Additionally, most of us tend to use the name of the service we’re logging into as the word component and some constant number for the numeric component of our password. Hence, once an attacker has one password, it is fairly easy to deduce the user’s formula or scheme for creating all their other passwords.
Two ideas have now been introduced but they’re actually just the flip sides of the same concept. A password scheme is an easy method for creating a multitude of non-similar passwords, yet a single password contains the formula of the scheme and is therefore the key to every other password created by that scheme. A weak password scheme, is therefore, not much more secure than simply reusing the same password for every login.
We need a password scheme that generates strong passwords without revealing the formula whereby they are derived.
What Computer Science Says
Research conducted by the School of Computer Science at Carnegie Mellon University compared 15 popular password creation schemes and rated each according to its security and ease-of-use. The findings will be distilled here.
The three most secure schemes all generate long passwords, but their usability varies: the Base Person-Action-Object and Base Picture schemes are considered user friendly because they require users to create memorable stories from keywords or pictures. The Random Characters scheme is considered the most secure but also the least usable because it does what it says on the tin: memorize a string of 8 random characters and symbols – for each different login. Ouch!
The common feature amongst these schemes is that the discovery of one password generated by that scheme does not reveal any formula whereby other passwords can be deduced. Knowing that someone uses random characters or has passwords like “Administrator Swims Kettle” (person, action, object) does not allow easy deduction of their other passwords. However, a dictionary attack against Person Action Object passwords would be easy, once a single password is revealed, and this invalidates it in the author’s opinion.
This leaves us with the Random Characters scheme, which is quite a disappointment because it’s hard work… or is it?
The next article in this series promises to change your view of passwords and passphrase creation forever.
Using words and common sequences of letters/numbers does not constitute a secure password. We need to extend our notion of the password security token to that of a ‘passphrase‘, meaning a string of characters that are not lexical and at least nine characters long.
We saw from the “time-to-crack” chart, as well as academic research, that the combined use of alphanumeric characters and symbols adds decades to the time needed to crack a secret phrase.
A structured method for creating passphrases can ensure that we use adequately secure and unique passphrases for different logins, but may introduce vulnerability, in that compromise of a single passphrase risks revealing the formula by which a user creates all of their passphrases. Random passphrases are therefore considered more secure, but the caveat is that they are difficult to remember.
This has been a good start and in Part 2 we will be looking at a creative scheme that allows you to vary your passphrases based on context and the hitherto untapped resource of motor-memory.