Security – Passwords

Security and data privacy are becoming increasingly important issues for everyone. Regrettably, one of the biggest security holes is the easiest to fix: poor passwords. We all have multiple applications needing passwords, and the use of passwords looks to be the most common authentication method for the foreseeable future. What can you do to be more secure?

Passwords not to use

First, do not use weak passwords. Users with weak passwords continue to be the single biggest security issue. Users simply rely too often on default passwords or choose to use passwords that are too
predictable.

Things to avoid

  • Do not reuse passwords, passwords should be unique for each
    App and web site.
  • Do not share your passwords with anyone
  • Do not write your passwords down

Security application and service provider SplashData once again
released its annual list of the 25 most common passwords found on the Internet. This list was compiled from more than 3.3 million passwords stolen during 2014, then publicly posted. Based on their study, many people are still using weak and easily guessable passwords. The worst passwords of 2014 are:

  1. 123456
  2. password
  3. 12345
  4. 12345678
  5. qwerty
  6. 123456789
  7. 1234
  8. baseball
  9. dragon
  10. football
  11. 1234567
  12. monkey
  13. letmein
  14. abc123
  15. 111111
  16. mustang
  17. access
  18. shadow
  19. master
  20. michael
  21. superman
  22. 696969
  23. 123123
  24. batman
  25. trustno1

Those are not the only common passwords that SplashData found. Common names such as “michael,” “jennifer,” “thomas,” “jordan,” “hunter,” “michelle,” “charlie,” “andrew,” and “daniel” are all in the top 50. Also in the top 100 are swear words and phrases, hobbies, famous athletes, car brands, and film names.

Strong passwords

Unbreakable passwords may seem to be beyond reach, but they are
easily possible. Regardless, all security experts agree that ‘strong’ passwords should always be used. So what is a ‘strong’ password?

A strong password is one that contains enough separate information
to form a barrier to any hacker or the software they are using to break into your account. A ‘strong’ password will:

  • be at least eight characters in length, 12 or more is
    preferable
  • at least one uppercase character
  • at least one lowercase character
  • at least one digit
  • at least one one symbol (if allowed, such as !@#$%)
  • avoid dictionary words, even with substitutions, i.e. speed =
    5p33d
  • avoid repeated characters
  • no keyboard patterns or swipes

Brute force password cracking programs can use standard dictionaries to try and find a password, even with character substitutions. These programs simply take a list of common passwords and try them one by one until they find the one that works. When that fails, they go fall back to systematically creating every possible password and trying it. The more possible passwords there are, the longer the brute force attack will take to find the password. The best passwords are those made up of random characters, and the longer the better.

So how does that ‘strong’ password make a difference? Lets say you need a 6 character password.

  • If you only use the digits 0-9, then there are only 1×106
    possible combinations.
  • If you add the lower case letters, then that changes to
    36x36x36x36x36 = 366 = 2.17 x 10possible combinations.
  • Using digits, lowercase and uppercase that changes to 62= 5.68 x 1010
  • Adding symbols (20 to 30 are possible), then that goes to 82= 3.04 x 1011  at the low end

Now see what happens it you increase the entropy (see Password
Strength
) of the password by increasing the length (using only uppercase, lowercase and digit characters)

  • extended to 8 characters then the number of possible
    combinations goes to 628 = 2.18 x 1014
  • extended to 12 characters then the number of possible
    combinations goes to 6212 = 3.22 x 1021
  • extended to 16 characters then the number of possible
    combinations goes to 6216 = 4.76 x 1028

To give those numbers some perspective

  • The human body is estimated to have 34 Trillion cells 34 x 1012 [1]
  • The average hacker can brute force a 10 character password in a week, a 15 character password will take 1.49 centuries [2]

Generating strong passwords

If you are trying to set up a strong password that you are going to try and remember, then one option is using a ‘pass phrase’. You would want to pick a phrase you know you will not forget (or which you can easily look up if you do). Such a phrase might be the first line of a song or poem that you know by heart.

For instance you could use the first line of the Star Spangled Banner – “Oh, say can you see by the dawn’s early light”. From this you can pull the first letter of each word – oscysbtdel – to give yourself 10 characters. To add entropy, made a few characters uppercase, and substitute some digits – oscySbtd3l. This isn’t as good as a truly random password, but it is much, much better than using the name of your significant other or favorite pet.

Most password managers (see below) have a provision for generating strong passwords for you. If you are using Safari on your Mac with Keychain enabled, you will be given the option to let Keychain generate a strong password for you and store it when you are setting up a web account.

There are also many different strong password generators available
on the web. One I have used is the password generator page available from Web hosting provider Hostgator. Passwords from 8 to 40 characters in length can be generated, with or without special
characters.

Password managers

The problem with most passwords is not with technology, but with the limitations of human learning and memory. Unfortunately, most people are simply lazy and ease of use is inversely related to security. Even with the security of their data or computer at risk, most people seem to take the simple way out choosing simple passwords and/or using the same password for all of their logins. An easy way to make using strong passwords easier is with a password manager.

In simple terms, a password manager is an application that stores the user’s encrypted passwords. Some password managers store the data locally, while others use cloud storage. Passwords can be copied from the application and pasted as needed into other applications or web sites. Some password managers have browser plugins that allow them to work closely with the browser to auto-fill login screens with passwords and IDs. Some password managers also have sister Apps that work on iOS, Android or Windows systems allowing all of your passwords to be available on every platform you use.

Some of the most common password managers are:

Keep in mind that not all password managers equally protect their
data. The paper “The Emperor’s New Password Manager: Security Analysis of Web-based Password Managers” presented at the 23rd USENIX Security Symposium in August of 2014 reviewed five popular password managers and found some level of fault with all.

I find that Keychain meets my needs because all of my devices are Apple. If I had an Android phone or tablet, I would want to choose one of the other password managers. like KeePass or LastPass listed above.

References

  1. http://phenomena.nationalgeographic.com/2013/10/23/how-many-cells-are-in-your-body/
  2. http://www.makeuseof.com/tag/create-safe-password-can-actually-remember/

    See my other Cyber Security and Mac OS X articles


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.