What makes a good password, how do you keep track of all the different ones you're supposed to have, and is there hope for a future free of passwords?
Getting hacked is becoming an Internet rite of passage. Consider 2012 alone: First Zappos was hacked, its customers' passwords and other personal information exposed. Then LinkedIn announced that its users' passwords had been compromised. Then eHarmony. Then Yahoo. More than 30 million users' passwords were stolen. The growing, painful password problem is twofold: Hackers have gotten very good at what they do, with more capable tools than ever, and those tools can work so well because we are still really bad at choosing - and remembering - passwords.
Coming up with a password is a compromise between security and convenience. Very complex passwords are highly secure but difficult to remember. To make them work, users end up in a constant loop of resetting forgotten passwords or relying on writing them down on sticky notes. Simpler passwords are easier for us to remember but all too easy for others to discern. Even if you think your pet's name is rare and choose SenorFluffypants as a password, that information would be easy for an adversary to find on, say, Facebook. Because passwords are annoying and tedious to keep track of, most of us resist changing our obvious passwords, many of which can be found in leaked databases. The top passwords of 2012 remain what they have been for years: password, 123456, and 12345678.
Passwords like those are especially easy to crack, says Peter Theobald of KLG Computer Forensics. "Anyone with a password that can be found in the dictionary, even if it's a minor variation followed by a number, gets found quickly," he says.
It's possible that one or more of your passwords has already been stolen (you can check PwnedList, an online database with more than 966 million compromised passwords on file), but even if it hasn't, relying on weak passwords is a fool's game. Once hackers get into an account, they immediately start searching for any linked or related accounts. Before long, a complete stranger could be wreaking havoc on your social reputation, credit rating, and finances. If you suspect that one of your online accounts has been hacked, immediately change the passwords on any other important account you have; hackers have programs designed to try the cracked password at other sites. Even if you've been smart enough to maintain separate passwords for different accounts, hackers will leverage access to your email to reset passwords for other sites. ("Forgot your password? Have a new one sent to your email account.") But when you do reset passwords, don't repeat mistakes of the past. There are ways to make passwords both secure and memorable.
The Bad Guys
Before we examine what good passwords look like, it helps to know your adversary. Using a PC with inexpensive multicore graphics processing units (GPUs), a hacker can try about 8 billion password combinations in a second - thousands of times faster than just a few years ago, when the processing depended on just the CPU. Because they're designed for parallel computing, GPUs are much better at the large-scale mathematical operations needed for cracking passwords. Powerful password-cracking software is available for free, and hackers also have access to growing shared lists of millions of actual user passwords.
By analyzing these lists, professional password crackers know that when forced to pick a password with a mix of upper- and lowercase letters, a number, and a special character, users tend to choose a familiar word or a dictionary word, capitalize the first letter, and add the number and special character at the end (such as Fido1*). The geekiest among us may replace vowels with numbers (leetspeak), such as F1d01, or shift our hands on the keyboard to mask the actual password. But hackers know this, and a simple algorithm is all they need to get past it.
Even passwords that combine more than one strategy are vulnerable. Take, for example, the password MyS3cr3t!. It meets typical security guidelines, and online password-strength meters would call it strong. With faster processing, and programming rules that add characters and punctuation to a word list, a hacker could crack that password in just 12 hours.
Don't Be an Idiot: Make a Bad Password Good
It's not all that hard to turn a mediocre password into a great one. All it takes is the addition of some strategically placed numbers and symbols - and a good base word or phrase in the first place (which means saying goodbye to pet names and favourite sayings). Below, we chart a password's journey from weak to strong, showing how long it would take for a commonly used algorithm to crack each version.
Password: Aquarius
Time to Crack: 9.08 Minutes
Password: Aquarius1
Time to Crack: 1.59 Days
Password: Aquar$ius1
Time to Crack: 19.24 Years
Password: Aqu57ar$iu3s
Time to Crack: 17,400,000 Years
Password Science
So what makes a good password? Using uppercase and lowercase letters, symbols, and numbers does matter. These tactics increase entropy (a measure of how random, and therefore how hard to guess, a password is), and with it the time a program needs to crack the password by brute force. The password ninja, for example, could be cracked by software in just 0.000124 seconds. N!nj4 is an improvement at 2.98 months for an online attack or 0.0782 seconds offline, but those times are probably an overstatement, because hackers are on to our predictable patterns. (You can check your passwords' "crackability" at security firm Gibson Research Corporation's site by clicking Password Haystacks at grc.com.)
To make a password more secure, add those special characters in unpredictable places and increase the length, which is the most important factor in password strength. For example, ninja!!!!!!! (12 characters, with one repeated special character) would take 5.75 hundred million centuries to crack in an online attack and 5.75 centuries offline, despite being all lowercase and lacking numbers. So if a site allows passwords of up to 14 characters, use all 14.
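As an added illustration (not code from the article or from GRC), here is the search-space arithmetic behind those Haystacks-style figures. It assumes 33 symbol characters and two guess rates, 1,000 per second online and 100 billion per second offline; with those assumptions it reproduces the article's numbers for ninja, N!nj4 and ninja!!!!!!!.

```python
"""Search-space arithmetic behind the Haystacks-style crack times above.

Added example, not code from the article or from GRC. Assumptions: 33
symbol characters (printable ASCII punctuation plus space), 1,000 guesses
per second for an online attack and 100 billion per second offline.
The result is an upper bound for a random password of that shape; a
dictionary word such as 'ninja' falls to a word list far sooner."""

CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}
ONLINE_RATE = 1_000                 # guesses/s, assumed online scenario
OFFLINE_RATE = 100_000_000_000      # guesses/s, assumed offline scenario
SECONDS_PER_CENTURY = 100 * 365.25 * 24 * 3600


def alphabet_size(password: str) -> int:
    """Size of the alphabet implied by the character classes present."""
    used = set()
    for ch in password:
        if ch.islower():
            used.add("lower")
        elif ch.isupper():
            used.add("upper")
        elif ch.isdigit():
            used.add("digit")
        else:
            used.add("symbol")
    return sum(CLASS_SIZES[c] for c in used)


def search_space(password: str) -> int:
    """Count every string of length 1..len(password) over that alphabet,
    which is what an exhaustive search must cover in the worst case."""
    base = alphabet_size(password)
    return sum(base ** n for n in range(1, len(password) + 1))


def crack_seconds(password: str, rate: int) -> float:
    """Worst-case time to exhaust the search space at `rate` guesses/s."""
    return search_space(password) / rate


def report(password: str) -> str:
    online = crack_seconds(password, ONLINE_RATE) / SECONDS_PER_CENTURY
    offline = crack_seconds(password, OFFLINE_RATE)
    return (f"{password!r}: space {search_space(password):,}, "
            f"online {online:.3g} centuries, offline {offline:.3g} s")


if __name__ == "__main__":
    for pw in ("ninja", "N!nj4", "ninja" + "!" * 7, "Aquarius", "Aqu57ar$iu3s"):
        print(report(pw))
```

The Aquarius table earlier in the article comes from a different estimator and will not match this output; the spread between tools is itself a reason to treat any crack-time figure as a rough order of magnitude.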
The No. 1 password rule, though, is to use a unique password for each of your log-ins. Brandon Gregg, the senior global investigations manager at Seagate Technology, explains: "A unique password is hard to crack and hard to hack even if it's leaked by one website."
This brings us to another challenge: We use a lot of password-protected online services. It seems like a herculean task to come up with a strong and unique password for each one - and remember them all.
There are two schools of thought on this problem. You can use a password management tool, such as LastPass or KeePass, to generate a long, complex password for each site and remember every one for you, leaving you with only one (hopefully very secure) master password to recall. Or you can use a unique pass phrase for each of your log-ins, avoiding the off-chance that you completely lock yourself out of all of your accounts if you forget the master password.
Using a pass phrase of random words, such as correcthorsebatterystaple (as popularized by the xkcd Web comic) is significantly harder for a computer to guess than something like Tr0ub4dor&3 - while also being easy for a human to memorize.
For a pass phrase to be effective, though, it needs to be not only long and memorable, but also difficult to guess by others (even those who know you). That means generating random pass phrases (using a tool like Diceware or the xkcd Password Generator) or picking arbitrary words (as arbitrary as your subconscious allows). You can make a pass phrase even more secure by adding special characters, as in c0rrecthorseb@tterystaplE. To account for the need to have a unique phrase for each site, include a clue to the site name. For example, for Facebook, c0rrecthorsebatterystaplE@zuck; for Gmail, c0rrecthorsebatterystaplE@envelope.
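To show what "random words" buys you, here is an added example (not the article's or Diceware's own code) of Diceware-style generation with a CSPRNG and the entropy that results. The real Diceware list has 7776 words keyed by five dice rolls; the short WORDS list below is a constructed stand-in so the code runs offline.

```python
"""Diceware-style passphrase generation plus its entropy.

Added example, not the article's or Diceware's own code. The real list
has 6**5 = 7776 words, one per five-dice roll; WORDS below is a
constructed stand-in so this runs offline, and the entropy helper takes
the list size so the figure for the real list can still be computed."""
import math
import secrets

DICEWARE_SIZE = 6 ** 5  # 7776 words in the real list

# Constructed stand-in list (16 words = exactly 4 bits per word).
WORDS = ["correct", "horse", "battery", "staple", "anvil", "river",
         "lamp", "cloud", "pencil", "orbit", "velvet", "canyon",
         "maple", "tundra", "quartz", "ember"]


def roll_dice(rolls: int = 5) -> str:
    """CSPRNG dice rolls, e.g. '43215': the lookup key in the real list."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(rolls))


def passphrase(words, count: int, sep: str = " ") -> str:
    """`count` words chosen uniformly via secrets, never the random module."""
    return sep.join(secrets.choice(words) for _ in range(count))


def entropy_bits(list_size: int, count: int) -> float:
    """Entropy of `count` independent uniform picks from `list_size` words."""
    return count * math.log2(list_size)


def words_for(target_bits: float, list_size: int = DICEWARE_SIZE) -> int:
    """Fewest words needed to reach `target_bits` of entropy."""
    return math.ceil(target_bits / math.log2(list_size))


if __name__ == "__main__":
    phrase = passphrase(WORDS, 4)
    print(phrase, f"({entropy_bits(len(WORDS), 4):.1f} bits from the stand-in list)")
    print(f"4 real Diceware words: {entropy_bits(DICEWARE_SIZE, 4):.1f} bits")
    print(f"words needed for 80 bits: {words_for(80)}")
```

The entropy comes entirely from the random word choice; a per-site tag such as @zuck helps memory but adds little secrecy once one site's phrase leaks and the pattern is visible.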
Password managers offer some convenience, such as auto-filling forms for you and generating and managing a ton of truly random passwords. But if you don't have access to the app or can't remember the master key, you can't log in, and if the password-manager database is hacked, all of your passwords are now offered up on a plate.
Of the available password managers, KeePass offers the highest level of security, in our view. The free, open-source database works offline and offers a variety of security features such as a key file, a master password in a digital file stored on your hard drive, and protection of that password against dictionary attacks. When you use a key file in addition to a manually entered password, it adds two-factor authentication, combining something you have (the key file) with something you know (the password). It doesn't, however, sync your passwords across all your devices. For that, look to an online option such as LastPass, which offers two-factor authentication and great ease of use (with the trade-off of your passwords being stored, albeit encrypted, in the cloud).
Beyond the Basics
Beyond the password there are other things you can do to add security and protect yourself against anyone who is actively trying to steal your data. First, lie on security questions so that easy-to-find personal information about you doesn't allow a hacker to reset your password. Instead of revealing the actual street you lived on as a child, for example, misspell it in some way you'll remember but others couldn't guess, or use the street name of your childhood best friend.
Additionally, turn on two-factor authentication wherever possible, especially for bank and email accounts, your password manager, and online storage sites. Two-factor authentication requires you to enter your user name and password plus, often, a one-time code. When logging in to a site with two-factor authentication, such as Gmail, you'll type in your password and then be prompted to enter a code, which is sent to a designated phone number and refreshes every 10 or so seconds. To get into your email through a mobile app, you can have the site generate a separate password that you enter just once.
One day we may no longer have to jump through all these hoops to protect ourselves. Everyone seems to be interested in solving the password mess, from Google to the National Institute of Standards and Technology, which is offering $10 million in grants for developers to come up with alternatives to password authentication. Even Ford (yes, the car company) is working on it, with a Chrome extension that automatically logs you in to sites when your phone is near your computer and backs out when you leave. If all else fails, there's potential in our brains: Researchers are working on training systems that teach humans to store random 30-character passwords in their subconscious. Now that's a smart password manager.