
Passwords: helping yourself to stay secure?

Everywhere you go looking at online security you’ll see discussion on passwords.
What should a password be?

  • How long?
  • Allow any obvious information derivatives?
  • Forced complexity?
  • Allow real words?
  • Force expiry?

Password:

Essentially, a password is just a key to a lock. Like all locks, secured computer systems can be broken into; what a good, private password does is make that process more difficult. This article looks at what the end user can do to protect themselves, not at what the service provider should do.
You need to protect your passwords:

  • Don’t write them down
  • Don’t reveal them, even to the service provider
  • Don’t reuse passwords
  • Don’t base them on simple information about yourself

Now these rules make remembering the password a little tricky, so think of a way to store your passwords. I use mSecure, a password safe. There are several other options along those lines. I’d also advise against using an online system: although extremely convenient, you have again placed all your eggs in one basket.
So, just like a key it has to be complex enough not to be guessed and easy enough to use that you don’t find yourself locked out.

Identifying YOU:

The first thing people need when trying to access a system is YOU. By this I mean how you identify yourself on a system, your username. Almost all systems now use your email address as your username. This makes a simple, direct relationship to something you have. It also makes processes like “Forgotten Passwords” significantly simpler.
Unless, like me, you use a near infinite number of email addresses on many domains. I’ll admit that is the exception; most people stick to one email address, possibly two including work. But it is worth considering, as doing it well can make guessing your login on other systems impossible. Though now you need to keep a record of your logins as well as your passwords!
As ever, true security has a cost.
So the hacker (as we’ll call him/her) needs that identifier. It is highly likely that you use the same identifier, or an extremely similar one, for all your usernames. That makes this first step almost automatic for the hacker: know target name – know login/username.
You shouldn’t worry, though, as they still need your password. Right?
Of course, you have a nice complex long password. Right?

Complexity:

How complex does a password need to be? The first question is, of course, how important is the information that can be accessed with that key. If it really doesn’t matter, you may have a fairly simple password. Financial, email and social networking systems, which directly affect your everyday life and represent you, should be protected by something more.
Some people use complex strings of gobbledygook, like “hJT88?0j7f;T” for example.
But this is nigh on impossible to type quickly, let alone remember. Think about trying to remember 5, 10 or more passwords like this.
The security of these is, on the face of it, pretty good. How many combinations are there?

[a-z]x12       =                                 95,000,000,000,000,000
[a-z0-9]x12    =                              4,730,000,000,000,000,000
[a-zA-Z]x12    =                            390,000,000,000,000,000,000
[a-zA-Z0-9]x12 =                          3,220,000,000,000,000,000,000
[a-zA-Z0-9-:;()&@.,?!#%^*+=$><~| ]x12 = 142,000,000,000,000,000,000,000


So there are 142×10^21 combinations to that lock/key.
That is a lot, but there is next to zero chance of most people remembering a password like that.

Recommendation:

Here’s a simple fix, but it comes at a slight price.
Try using complex nonsense phrases.
String four or more real words together, about as random as you can think of, and you can create an awesome password.
For example:
glowingelectrolytecoiledhappily
Four conjoined words, meaningless and random. If you include technical phrases and song there are over 650,000 words in the English language.

650,000^4 = 178,000,000,000,000,000,000,000

178×10^21, plus you’re way more likely to remember it.
If you just try to guess the letters, thirty-one lowercase characters:

[a-z]x31       =  73,000,000,000,000,000,000,000,000,000,000,000,000,000,000

Flaws:

Well, random it may seem, but we all know that the majority of words are unlikely to appear in such a phrase. Plus they aren’t entirely random unless you start ignoring sentence construction. Doing so, though, makes the phrase much harder to remember.
Also there is a human element to the ‘randomness’. If anyone knew me well, they’d know I was an analytical chemist and that I studied Electronics. The others are adjectives and standard stuff, so with that information the password options are dramatically reduced.
But I have to say, still pretty damn good…

Super Complex Phrases:

Simply add some random uppercase characters, punctuation and the like and a phrase like this reaches stupid proportions. If truly random…

[a-zA-Z0-9-:;()&@.,?!#%^*+=$><~| ]x31 = 73,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000

Even the most powerful computers on the planet struggle to attempt 100,000,000,000 guesses per second. So, as the Universe is 13 billion years old, we’d need more than 1×10^32 times longer than that!
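An added worked example, not code from the article: a Python script that reproduces the keyspace arithmetic of the complexity table, the 650,000-word passphrase calculation and the brute-force time estimate above, and shows the ‘Flaws’ point numerically by recomputing the passphrase’s strength against smaller word pools. The charsets (the fifth one has 85 symbols once the listed punctuation and the space are counted), the 10^11 guesses-per-second rate and the 13-billion-year Universe age are taken from the article; the 20,000- and 2,000-word pools and every function name are assumptions of this example.

```python
"""Keyspace, entropy and brute-force-time estimates for the password styles
discussed in the article. Added example: charset sizes, the 10^11 guesses/s
rate and the 13-billion-year Universe age follow the article; the smaller
word pools and the helper names are assumptions for illustration."""
import math
import string

# The article's 23 punctuation/space characters, appended to [a-zA-Z0-9].
ARTICLE_PUNCTUATION = "-:;()&@.,?!#%^*+=$><~| "

# Character classes from the article's tables, smallest first.
CHARSETS = {
    "[a-z]": string.ascii_lowercase,
    "[a-z0-9]": string.ascii_lowercase + string.digits,
    "[a-zA-Z]": string.ascii_letters,
    "[a-zA-Z0-9]": string.ascii_letters + string.digits,
    "[a-zA-Z0-9+punct]": string.ascii_letters + string.digits + ARTICLE_PUNCTUATION,
}

GUESSES_PER_SECOND = 100_000_000_000          # 10^11, the article's figure
UNIVERSE_AGE_SECONDS = 13e9 * 365.25 * 86400  # 13 billion years


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct strings of `length` symbols from an alphabet."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a uniformly random string: log2 of the keyspace."""
    return length * math.log2(alphabet_size)


def passphrase_entropy_bits(word_pool: int, words: int) -> float:
    """Entropy of `words` words drawn uniformly from a pool of `word_pool`.
    Shrinking the pool to what an attacker can infer about the author
    (the article's 'Flaws' section) is exactly what lowers this figure."""
    return words * math.log2(word_pool)


def seconds_to_exhaust(space: int, rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every key at `rate` guesses per second."""
    return space / rate


def universe_ages_to_exhaust(space: int) -> float:
    """Same figure as multiples of the article's 13-billion-year Universe."""
    return seconds_to_exhaust(space) / UNIVERSE_AGE_SECONDS


def smallest_charset(password: str) -> tuple:
    """Smallest listed charset containing every character of `password`:
    the alphabet an attacker who knows the composition rules would search."""
    for name, chars in CHARSETS.items():
        if all(c in chars for c in password):
            return name, len(chars)
    raise ValueError("password uses characters outside every listed charset")


def brute_force_entropy_bits(password: str) -> float:
    """Entropy of `password` treated as random characters from its charset."""
    _, size = smallest_charset(password)
    return entropy_bits(size, len(password))


if __name__ == "__main__":
    # Sample inputs: the article's own two example passwords.
    for pw in ("hJT88?0j7f;T", "glowingelectrolytecoiledhappily"):
        name, size = smallest_charset(pw)
        space = keyspace(size, len(pw))
        print(f"{pw}: {name} ({size} symbols) x {len(pw)} = {space:.3g} keys, "
              f"{brute_force_entropy_bits(pw):.1f} bits, "
              f"{universe_ages_to_exhaust(space):.2g} Universe ages at 10^11/s")

    # The same passphrase seen as words: the pool size decides its strength.
    for pool in (650_000, 20_000, 2_000):  # 20,000 and 2,000 are assumed pools
        print(f"4 words from {pool:,}: {passphrase_entropy_bits(pool, 4):.1f} bits")
```

Run it directly to print the figures. The line worth noticing is the drop from about 77 bits (four words chosen from 650,000) to about 44 bits when the attacker can narrow the pool to 2,000 likely words, which is the reduction the Flaws section describes in prose; the 31 lowercase letters seen as pure characters still give about 146 bits, the view the [a-z]x31 row takes.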


About harlekwinblog

"Thoughts of an idle mind." Information Security professional.
