Secure Better, Not Harder – Part Two – Secure Passwords

[Updated on September 21, 2015 – Editor]

macsecurity

When you keep your software up to date, back your data up regularly, and maintain constant vigilance, the next big security challenge is passwords. There are two distinct problems to be solved: how to create good passwords, and how to store them. I’m going to tackle these two problems separately, one per article, starting with the thorny question of what makes a good password.

There are a-million-and-one possible schemes and strategies for generating passwords, and everyone has their favourites. My aim isn’t to tell you what you should do, but to arm you with the knowledge to be able to tell the difference between a good strategy and a bad one. Only then will I suggest one possible approach you might consider trying.

We need to start by defining what we mean by a good password. Well, I hear you say, a good password is a strong password. Okay, then what does strong mean? What matters is how hard your password is to guess. If attackers starts with no knowledge, how long is it likely to take them to guess your password?

Steve Gibson suggests a very good analogy: think of your password as being a needle in a hay stack; how hard your password is to find depends on the size of the hay stack.

In the real-world, measuring the size of your haystack is actually very complex, so we’re going to start with a naive assumption. Attackers guess passwords by trying every possible combination of characters, starting with all 1-character combinations, then all two-character combinations and so on. This is an example of a so-called Brute Force attack.

In this simplified scenario, the size of the hay stack is determined by two things: the character-set your password is built from (does it contain lower case letters, upper case letters, digits, and/or symbols), and how long it is. The bigger the hay stack your password is hidden in, the better.

When it comes to guessing passwords, the size of the hay stack is determined by two things: the character-set your password is built from (does it use lower case letters, upper case letters, digits, and/or symbols), and how long it is. The bigger the hay stack your password is hidden in, the better.

We can measure the size of our haystack by working out the number of combinations an attacker would have to try to be guaranteed to guess the password. This is known as the number of permutations for a given character set and length.

If your password contains only lowercase letters, then the character set is 26 characters in size. If your password is one character long, then the number of permutations is 26. If an attacker tries every lower-case letter, they are guaranteed to find your password. If you keep the character set the same, and make your password two characters long, then the number of permutations is 26 times 26, or 678. If you make it three long, it’s 26 times 26 times 26, or 17,576. You calculate the number of permutations by raising the size of the character set to the power of  the password length.

If you try inserting a few numbers into that equation you’ll soon see that the number of permutations in even a relatively weak password is massive. The permutations literally grow exponentially as you increase the length of your password. For this reason, computer scientists prefer to use a different scale to measure password strength: bits of entropy.

A password’s entropy is defined as the log to base 2 of the permutations. The logarithm smooths out the exponential growth, and gives you a nice human-friendly scale for measuring password strength.

In our simplified scenario, password strength is determined by two factors: the breadth of your character set, and the length of your password. Are these two factors of equal importance? Or does one have a bigger impact on your security than the other?

The following is a randomly generated 12 character password containing letters of both cases, digits, and symbols:

=gaqFd2zq5#A

It’s very hard to remember, but it looks like it should be very secure. When you crunch the numbers, you get an entropy of 78 bits.

Now, lets look at another password, this one contains only letters of both cases, but is 20 characters long (the character set is much smaller, and the length just a little bigger):

uncleCLOSEfruitNEVER

It’s much more human friendly than the 12 characters of gibberish above, but is it more or less secure? Well, it has an entropy of 114 bits, which is significantly more!

However – remember that the above maths all hinges on an assumption – that attackers attack password by trying all combinations of characters. In the real world, that assumption does not hold up. The above password strengths are in effect an upper-limit on the password’s real strength. If you assume an attacker knows you constructed the password from four common words, then they would not guess one character at a time, but one word at a time, and the estimated entropy would only be about 60 bits in that case.

Real-world attackers will only resort to a brute force attack when all else fails.

There are so many data breaches these days, that it’s easy to build up a list of commonly used passwords, so those are likely to be tried.

Humans are terrible at being random. If I ask you to pick four words at random, and use them as your password, your choices will be a lot more predictable than you’d like to think, and predictability is the enemy of security when it comes to passwords.

Our so-called random choices are heavily influenced by our unconscious, and thanks to social media it’s very easy to build up a profile of what is on humanity’s collective mind.

By data-mining social media, and popular texts, attackers can fine-tune their guesses to favour commonly used words and phrases. This is why things like book titles, film titles, famous quotations, bible verses, etc. make passwords that look strong, but are actually weak.

Simple tricks like replacing the character e with the digit 3 won’t help. Attackers incorporate common tricks like that into their password crackers.

Putting it all together, you need passwords that are long, relatively complex (more than just letters at any rate), and generated in as random a way as possible.

Length is the most important factor. The longer you make your passwords, the less any of the other factors matter. My catch-phrase is ‘defence in length’.

There are lots of options out there for generating passwords, resulting in passwords in all sorts of different styles.

In the reminder of this article I’m going to describe just one password generator you could consider using – mine 🙂

I’ve spent a lot of time thinking about passwords over the last few years. I wanted a password generator designed to create passwords that are:

1) long

2) have a big character set

3) are easy to read and type

4) are easy to communicate over the phone

5) are properly random.

Taking my inspiration from Steve Gibson’s Password Haystacks, and the famous Correct Horse Battery Staple XKCD web comic, I came up with a technique that works like this:

1) start by choosing some words at random from a large dictionary

2) optionally transform the letter-case in some way

3) randomly choose a few digits and add them as pseudo-words to the front and/or back of the list of words

4) randomly choose a symbol, and insert a copy between each of the words

5) randomly choose another symbol, and pad the front and/or back of the password with a specific quantity of copies of this symbol.

You can visualise the process like this:

judge peace nation

judge PEACE NATION

71 judge PEACE NATION 47

71:judge:PEACE:NATION:47

–71:judge:PEACE:NATION:47–

One of the joys of being a programmer is that you can scratch your own itch. Rather than waiting for someone else to create software to do what I wanted, I created my own, and you can find it here.

For those of you who enjoy using the Terminal, or programming in Perl, the code driving the www.xkpasswd.net website is open source, and comes in the form of a Perl module with accompanying Terminal command. The project is managed via GitHub, and available through CPAN, the home of all things Perl.

Whatever method you choose to create your passwords, make them long, and generate them in a truly random way.

One thought on “Secure Better, Not Harder – Part Two – Secure Passwords

  1. Do you remember the principle of what helped the Allies to crack the German Enigma machine, i.e. that the Enigma could not produce an ‘a’ when the operator typed ‘a’? The Enigma (or one version anyway) was programmed to not output the same character that was typed. That was a fatal weakness. A possible fatal weakness in passwords today (warning: not intuitive) is when your host requires you to used mixed alpha or to include non-alpha characters in every password. Why? Because it’s not random. Give that some thought. If you are good at randomizing passwords, with or without mixed case and non-alpha, then your passwords may be secure. But if you’re required to mix case and include non-alpha, that’s the beginning of trouble. Remember: it’s not intuitive.

Leave a Reply