Friday, February 26, 2016

Choosing Good Passwords - my latest thinking

Disclaimer:  These blog posts are my opinions -- please consider other sources when following advice and remember that the field of technology can change rapidly.  These posts are primarily meant for friends and family as I try to write up what I think might be helpful.  I am a System Administrator, but it is always true that in IT there are those who are more expert -- their opinions are always worth seeking.

My advice in a nutshell:

  • Let go of remembering passwords.
  • Choose truly random passwords of sufficient length and complexity.
  • Never use a password in more than one place.
  • Use a password manager like LastPass that stores and generates passwords and automatically fills out login fields for you.
  • Change your password frequently.
  • Use two-factor authentication technology when possible.
  • Treat yours and your friends' sensitive information with care.
  • You should really consider sending your kids to Bw3:M<:vc`n&a,;, high school -- they'll thank you later when they have to answer those irritating identity verification questions!


Occasionally on social media a friend will post about some new odious password complexity requirement.  Others will chime in with schemes that they use -- characters representing lines from songs, etc.  Often I find myself cringing -- either at the inadequacy of the password scheme, or at the burden that we all face because we rely on an authentication technology that tries to make up for its shortcomings through ever-increasing complexity requirements.

I can't think of any part of my profession that changes more rapidly than security and authentication.  It's always a game of leap-frog between technologies designed to protect a user and clever techniques by the malware community to defeat those technologies.

This is just my opinion, but I believe that the reliance of the IT industry on passwords is a bit unfair because they make a user disproportionately responsible for security.  But I suppose that's the same type of responsibility that comes with being given a key to something like an apartment or rental car, and being responsible for restricting access to those who have been spelled out in the rental agreement.

I also believe that passwords are an increasingly poor form of security -- over time we in IT have had to ask for stronger and longer passwords in order to achieve some standard of security, but at the expense of adding to the frustration of daily life and also of making the system more error-prone.

A lot has been written on passwords -- if it was not written recently, it's probably wrong.  If it suggests a technique for obfuscation that doesn't rely on random selection, it's definitely wrong.  Again, these are my opinions, but I'll try to update you on my own advice at this point in time.  My hope is that it aligns well with what those who are more expert in my field have to say.  I'll try to put the most important bits of advice at the very top of the list:


  • If you can "remember" a password, it is insecure.    This is the toughest thing to tell friends who are already frustrated with passwords.  And it doesn't matter what the clever scheme is for obfuscating passwords.  Something like fam1lytr33 is not a password that can withstand password cracking software that runs on GPUs capable of testing billions of guesses per second against a fast hash.  Those guesses are not made blindly: crackers start from wordlists of previously leaked passwords and apply "rules" (swap i for 1 and e for 3, append a year, capitalise the first letter) that reproduce exactly the tricks people think are clever, so fam1lytr33 falls in seconds.  And when a site stored its hashes without a per-user salt, precomputed lookup tables ("rainbow tables") let the attacker turn a hash straight back into the password without guessing at all.    There is an exception to this rule -- "dice words" (the technique is usually called Diceware).  Dice words are a series of words chosen at random from a word list, traditionally by rolling dice to pick each one.  This technique is popularized by an xkcd comic strip - https://xkcd.com/936/ .  The idea is that if a passphrase is built from enough random choices, it doesn't have to contain the complexity that otherwise makes passwords difficult to remember.   In the xkcd comic strip, because it is four words chosen at random (about 44 bits of entropy by the comic's own count), "correcthorsebatterystaple" can be surprisingly difficult for password cracking software - at least for now...  On the other hand, I can tell you from personal experience that 20+ character passwords are horrible to type if you have to use them often, especially on a phone or device which wants to autocorrect everything!
     
  • Never use a password in more than one place.   This is another tough one to tell people who are having to deal with more passwords than ever.  Many years ago I had my Facebook password lifted because I had used the same password at a retail store I trusted.  The retail store was hacked and millions of account passwords including mine became available to the malware community.  These passwords were then used against popular social networking sites.   Mine was then used to own my account and use it for fraud.  After securing it, I had to abandon the account and invite my Facebook friends to a new account.  Simple variations using various schemes are probably bad ideas as well, especially if they use information about the site - for example "abc.123.amazon", "abc.123.twitter", etc.
     
  • Use a password manager.  Because of the first two items on my list, password management becomes a nightmare.  I have perhaps 100 important passwords to deal with and I don't think I'm too different than anyone else.  A spreadsheet or text file is usually a bad idea because it places passwords on electronic media that can be accessed through a compromise.   In the recent hack at Sony Pictures, a file called Bonus.rar contained a folder called "password".  In the folder were files containing thousands of passwords.   A handwritten document is much safer (believe it or not) but has the disadvantage of not being very accessible when you need a password.

    I started with a smartphone app called "DataVault" which sets up an encrypted area for storing passwords.  A master password is used to access the area.   The app requires manually maintaining the passwords and sites just as if you are using a spreadsheet.

    A more automated approach is LastPass -- you pay for this cloud-based service which can automatically store passwords and password changes.   It also fills out fields on the web, automating the process of logging into most sites.   I like the automated approach but right now I only use LastPass with passwords used in web browsers.   I'm still depending on DataVault to be my "master list" which also contains passwords for devices (where filling out a form on a web page doesn't apply).  Someday I may end up using LastPass in place of DataVault -- but for now, this is my system.  It keeps passwords both accessible but securely encrypted and stored.

    Others have recommended 1Password and KeePass (the latter is an open-source project).  Password managers are not a lot different from each other, and almost any of them will work.  The best ones fill in web fields for you, meaning that you only have to remember a master password (such as for LastPass).   Ideally, let the password manager generate long complex passwords for you -- if these passwords are being automatically entered in web fields, there's no longer any need to allocate brain cells to memorizing them.

    In general, I don't recommend using browsers as their own password managers.  I'm also not a big fan of "key chains" such as the one used by MacOS.  They are often a source of their own problems, and an exploited bug in the browser or in the operating system can disclose every password they hold.

    Finally, never use an Excel, Word, or other "office" application to store passwords.  Excel and Word do have encryption features, but the older file formats used weak schemes and tools readily exist that break them, and even the newer formats were never designed for the job of a password store.  I would also not store passwords "in the cloud" (such as on Google Drive) unless you are using a cloud-based application like LastPass that is specifically designed to store passwords securely.
     
  • Make passwords long and complex.    By "long" that is a number of characters that grows over time -- right now that tends to be somewhere around 14 characters.  By "complex" I mean something that uses characters from 4 different character types -- Upper-case, lower-case, symbols, and numerals.  For example:  AXD$503^dfd.71 .  This is where you'll run into irritating password rules imposed by various sites.  For example, I know of a financial institution which will not allow symbols.  Others may restrict the length (sometimes to something that's too short by today's standards).   DataVault has a built-in password generator that can let you set the rules it uses when it generates a random password.

    If a password is very long, it doesn't have to be as complex.  This is where dice words come into play -- "correcthorsebatterystaple" is long enough that you don't need symbols, numerals or even upper-case characters.  What matters is how many random choices went into it, not the character mix: each word drawn from the standard 7776-word Diceware list adds about 12.9 bits of entropy, so four words give roughly 52 bits and five words roughly 65 bits, which is why five-word passphrases are better still.  (But don't use "correcthorsebatterystaple" or any of my password examples.)

    One important note about dice words -- pay attention to the "dice" concept.  These concatenated words must be completely randomly chosen.  A phrase of any kind, even one you think is random, is probably a far weaker password than anything that is truly chosen randomly, because crackers feed song lyrics, quotations and common word pairs into their wordlists too.
     
  • Use a password generator.  I've touched on this above, but the human brain is very poor at coming up with non-guessable passwords.  We may dress differently, adopt different political views, and otherwise "march to a different drummer", but we human beings tend to think alike.   So whatever password scheme we come up with is almost certainly one that's in use by someone else among the millions of people who use computers -- and therefore already in the crackers' rule sets.  Password generators alleviate the "mental tax" involved with trying to think of a good password and then having to change it later.  Use your password manager if it has a password generator contained within it.  There are generators for dice words as well -- for example http://correcthorsebatterystaple.net/ .  Prefer a generator that runs on your own machine (your password manager, or real dice and a printed word list) over a web page: you have no way to tell whether a web generator uses good randomness or whether what it produced was also visible to someone else.  If you do use an on-line generator, add your own variation (maybe an extra word at the beginning of your dice words) on the off chance that a hacking program is aware of the on-line generator.
     
  • Change your password frequently.   Did you know that you are in the midst of a race?  Okay,  maybe it's not as heart-pounding with excitement as Daytona, but from the moment you choose a password, there is a risk that it may be exposed.  Your "start time" is the moment you choose a password, and the hacker's "start time" is the moment the password hash is grabbed from a compromised server.  You have an advantage in having started sooner.  Plus the security of the server may be a boost for you: if it stored your password with a per-user salt and a deliberately slow hash, each guess costs the attacker far more.  The hacker has the advantage of powerful computing resources including graphics processing chips (GPUs), botnets of other compromised computers, and tooling such as rule-based dictionary attacks and precomputed hash tables that can try huge numbers of possibilities until it comes up with the password you chose.   In principle any password can be cracked given sufficient time; a truly random one simply makes that time absurdly long.  Your goal in the race is to choose a password that is so difficult to crack that the time it takes to crack it will be greater than the time it takes until you change it.

    As technology progresses, the hacker can work faster.  So you have two options:  1) choose better passwords that are more difficult to crack or 2) lessen the amount of time before the next password change.

    Right now, it is my opinion that 6 months is a good amount of time to win the race for most reasonably complex passwords.

    More for a relative comparison than an absolute, I like Steve Gibson's password haystack utility at https://www.grc.com/haystack.htm -- you can enter a password and get a feel for how much time you have before that password is cracked.   If you use the utility or any on-line password checker, don't use any actual passwords.  But with sample passwords, you can take them out for a spin -- see if a similar password is worthy enough to help you win the race.
     
  • About writing down passwords.    This completely depends on your environment.  A password on a sticky note is generally low risk because it isn't discoverable electronically.  Be careful, though -- I heard one story where a password was written with marker on a whiteboard and was discovered because a webcam was pointed at the whiteboard during a Skype interview.  It's best to keep passwords hidden and locked away if possible, perhaps in a file cabinet or desk drawer.
     
  • What about biometrics?  Scanning a thumbprint for authentication involves turning the ridges of your thumb tip into a digital template, a "signature" of the print.    That template plays the same role as a complex password, with two disadvantages: it can never be changed (well, there is that somewhat squirm-inducing scene in the movie Minority Report... :-) ), and once captured by malware or otherwise cracked, it can never be used again.  It is also matched approximately rather than exactly (no two scans of the same thumb are identical), so a site cannot store it as a one-way hash the way it can a password.  Biometrics are no more secure than passwords and are often less secure than passwords unless they are part of a two-factor system (see below).
     
  • What is two-factor authentication?   Two factor authentication today is considered to be far more secure and far more difficult to break than simple passwords.  If you are dealing with financial data or sensitive information of any kind and have two-factor authentication as an option, you should take it.   "Factors" are these:

    1. What you know (e.g., a remembered password)
    2. What you are (e.g., an iris scan, facial recognition, or thumb print)
    3. What you have (e.g., a smart phone, a password token device).

    The idea is that any one of these can be compromised, but a combination of two of these becomes more difficult by magnitudes.   For example, a bank may send a text to your cell phone when you try to log into its web site.  You then enter that text back into a web field for authentication.   The cell phone is the "what you have" factor (#3 above).  If you also have to enter a password as part of the login process you've added the "what you know" factor (#1).  A text message is the weakest way to deliver that code -- SMS can be intercepted, and carriers can be talked into moving your number to an attacker's handset -- so where a site offers an authenticator app or a hardware token instead, choose that.

    A hacker may have stolen the password hash table and may be busy using a network of supercomputers to ferret out the passwords.  But you're safe because the hacker doesn't have your cell phone.  Or your cell phone may be stolen, but the thief doesn't have your password.  Both are required to log into your account.  One caveat: a code you type into a web page can be phished just like a password -- a convincing fake login page simply relays it to the real site within the short time it stays valid -- so the scepticism about email links described below still applies.  Hardware security keys (the U2F standard) are the one common second factor that checks which web site it is talking to, and so resist this.
     
  • Why do I have to worry about passwords? - I have nothing to hide.    There are three types of information that I think are important to protect in the most secure way possible:

    1. Financial information
    2. Sensitive Personal Information or identifying information:
        - Social security or taxpayer ID
        - Credit card numbers, bank numbers, debit card numbers, etc.
        - Driver license number, passport number, ID card number, etc.
        - Date of birth
        - Medical information
        - Access codes and passwords
        - etc.
    3. Information on others - others may have differing requirements for privacy.

    I think it is helpful to understand too that "hacking" may have started off as simple mischief, but it is now a means used by the crime community, usually for financial gain or identity theft.  #3 comes into play as well -- phishing email may attempt to get an on-line mail password for instance for the purpose of sending email to commit fraud or steal computing resources of others.

    A note on phishing:  "Phishing" is the name for scams in email form.  They attempt to gather sensitive personal information including passwords by enticing you to follow a web link to a form that gathers that information.  The form may look very convincing -- like a login page to JP Morgan, a purchasing form, an IRS site, etc.  My rule of thumb is to never disclose any of the information in #2 above unless you made the first contact.  And even then, be absolutely sure who you're talking to, how the information will be used, how long it will be stored, and how your right to privacy will be protected.   If you're normally a little skeptical and don't have a habit of clicking on links in email messages, you'll probably be at low risk for identity theft.  As an added protection, I recommend Google Mail or other products which aggressively filter spam so that you never see it.
     
  • Bad authentication technology #1: Credit Cards.    I like Apple Pay as a form of payment -- it is a two factor system (what you have is the iPhone and what you are is your fingerprint) and it means that the retailer never stores your credit card information in any form in which it can be used again.   It has been evaluated favorably by security experts and seems forward-looking when it comes to transferring money securely.   Credit Card numbers are risky as evidenced by the recent Target and Home Depot data breaches.   The combination of a credit card number (what you have) and signature (a type of "what you are") is only minimally better because there is no really good way to verify a signature.  Without a good way to verify, the signature can't be considered a "factor".   A magnetic stripe is also horrible because it can be copied so easily.   So in the US we've recently introduced chips into credit cards.  These bits of electronics are meant to replace magnetic stripes and mitigate the risk of the card being duplicated so easily.  But they remain a single-factor authentication.  If I lose my card, it's pretty much a guarantee that anyone can use it up until I figure out that it's lost and call the Credit Card company to have it revoked.  Even worse, US credit card companies have retained the magnetic stripe for those retailers who don't yet have chip-reading point of sale systems.

    A true two-factor authentication is known as "chip and PIN" -- this is a system that has been in place in Europe and is demonstrably harder to defraud.  The PIN is required as the first factor (what you know) and the card with the chip as the second factor (what you have).   Unfortunately the technology is only secure if no other option is allowed -- as long as we allow the simple possession of a card (single factor) to make a purchase, we will continue to have stolen credit cards and numbers and the resulting financial theft as a major risk to ourselves and to our financial institutions.

    My opinion is that Apple Pay is far safer until we adopt a true chip and PIN credit card transaction system in the US.
     
  • Bad authentication technology #2: Identity Questions.    Whether it's your mother's maiden name or your favorite pet, identity questions are a horrible way to verify identity.   I want to shout "no!" every time I see one.   The answers are often easy to guess or look up, and they sometimes provide the mechanism for obtaining other personal information.  Take a look at the story of a journalist whose Apple accounts were hacked for instance: http://www.wired.com/2012/08/apple-amazon-mat-honan-hacking/ .   In this story, identity questions failed to prevent a catastrophic hack and in some ways contributed to the ease of the hack.   I haven't quite come up with good advice about this, but I'd generally try to avoid using sensitive personal information of any kind for sometimes mandatory identity questions.  Maybe it's best to let your password manager generate random passwords for these questions.  The trick is how to store these identity question responses so they can be retrieved the next time the site asks for them; most password managers have a free-text "notes" field on each site entry, and that is a reasonable place for them.  For the record, yes, the high school I attended really was called Bw3:M<:vc`n&a,;, -- wait till you hear what we named our mascot!
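
    The strength figures in the "long and complex", dice words and "race" sections above can be checked with a small script.  What follows is an added example written for this post, not the author's code and not taken from any password manager: it generates a complex password and a Diceware-style passphrase with the operating system's cryptographic random source, computes the entropy of each, and turns that into the expected crack time at an assumed guess rate.  The eight-word list and the rate of ten billion guesses per second are constructed for illustration; a real Diceware list has 7776 words (which is the size the entropy figures use), and the real rate depends entirely on how the site hashed the password.

```python
import math
import secrets
import string

# The four character classes the post asks for in a "complex" password (94 printable ASCII).
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed stand-in for a Diceware list. A real list has 6^5 = 7776 words; the
# entropy figures below use that size, not the size of this toy list.
SAMPLE_WORDS = ["correct", "horse", "battery", "staple", "cloud", "pencil", "river", "mango"]
DICEWARE_LIST_SIZE = 6 ** 5

# Assumed attacker speed: a GPU rig against a fast, unsalted hash (constructed figure).
GUESSES_PER_SECOND = 10 ** 10


def random_password(length=14, alphabet=ALPHABET):
    """Draw each character independently with `secrets` (a CSPRNG), never `random`.

    Rejection sampling until all four classes appear satisfies the usual site rules
    while keeping the result uniform over the accepted set.
    """
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw) and any(c in string.punctuation for c in pw)):
            return pw


def roll_diceware_index(roll=secrets.randbelow):
    """Five dice rolls -> one index 0..7775, exactly how the paper Diceware method works."""
    index = 0
    for _ in range(5):
        index = index * 6 + roll(6)   # roll(6) is one die face, 0..5
    return index


def random_passphrase(words, n_words=5, sep=" "):
    """Each word is an independent uniform pick from the list: no phrase, no pattern."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def entropy_bits(choices, picks):
    """Entropy of `picks` independent uniform choices among `choices` options."""
    return picks * math.log2(choices)


def expected_crack_seconds(bits, guesses_per_second=GUESSES_PER_SECOND):
    """Expected time to hit one specific secret: half the keyspace at the given rate."""
    return (2.0 ** bits / 2) / guesses_per_second


def crack_time_table():
    """The post's 'race': entropy and expected crack time (in years) per recommendation."""
    rows = {
        "14-char random, 94 symbols": entropy_bits(len(ALPHABET), 14),
        "4 Diceware words": entropy_bits(DICEWARE_LIST_SIZE, 4),
        "5 Diceware words": entropy_bits(DICEWARE_LIST_SIZE, 5),
    }
    year = 365.25 * 24 * 3600
    return {name: (bits, expected_crack_seconds(bits) / year) for name, bits in rows.items()}


if __name__ == "__main__":
    print("password:  ", random_password())
    print("passphrase:", random_passphrase(SAMPLE_WORDS))
    for name, (bits, years) in crack_time_table().items():
        print(f"{name:28s} {bits:6.1f} bits  ~{years:,.2g} years at 1e10 guesses/s")
```

    At the assumed rate the four-word passphrase is expected to fall in about two days, the five-word one in about 45 years and the 14-character random password in billions of years, which is the quantitative version of "five words are better".  The rate is the thing to watch: against a site that hashed with bcrypt or PBKDF2 it drops by several orders of magnitude, and against a site that stored plain text it is irrelevant because there is nothing to crack.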
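
    The "stolen the password hash table" scenario in the two-factor section and the "rainbow tables" remark in the first section both come down to how the site stored the password.  Here is an added example (mine, not the author's and not any site's real code) that builds a miniature cracking wordlist with the leetspeak and appended-digit rules crackers use, precomputes the hashes into a lookup table, and recovers the weak passwords from a constructed leak of unsalted SHA-256 hashes; the same table is then useless against per-user salted, deliberately slow PBKDF2 hashes.  The wordlist, the leaked entries and the iteration count are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed wordlist and "rules": the handful of tricks humans think are clever.
WORDLIST = ["password", "familytree", "letmein", "dragon", "sunshine"]
RULES = [
    lambda w: w,
    lambda w: w + "1",
    lambda w: w + "123",
    lambda w: w.capitalize(),
    lambda w: w.translate(str.maketrans("ie", "13")),      # familytree -> fam1lytr33
    lambda w: w.translate(str.maketrans("aeio", "4310")),  # password   -> p4ssw0rd
]


def candidates(wordlist=WORDLIST, rules=RULES):
    """Every (word, rule) combination a rule-based cracker would try."""
    return {rule(w) for w in wordlist for rule in rules}


def build_lookup_table(words):
    """Precompute hash -> password once. A rainbow table is a compressed form of this."""
    return {hashlib.sha256(pw.encode()).hexdigest(): pw for pw in words}


def crack_unsalted(leak, table):
    """With no salt, every user who picked the same password has the same hash,
    so cracking the whole leak is a dictionary lookup, not a computation."""
    return {user: table[h] for user, h in leak.items() if h in table}


# --- the hardened storage a site should use instead ---------------------------------
PBKDF2_ITERATIONS = 200_000  # constructed value; raise it over time so each guess stays slow


def store_password(password, iterations=PBKDF2_ITERATIONS):
    """Per-user random salt + slow KDF. Returns what the site keeps in its database."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest}


def verify_password(password, record):
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["hash"])


# Constructed "leak" from a site that stored bare SHA-256: two weak passwords, one random.
LEAKED_UNSALTED = {
    "alice": hashlib.sha256(b"fam1lytr33").hexdigest(),
    "bob":   hashlib.sha256(b"password1").hexdigest(),
    "carol": hashlib.sha256(b"XK9$ap2!Qz7&mL").hexdigest(),   # generator output, in no wordlist
}

if __name__ == "__main__":
    table = build_lookup_table(candidates())
    print("cracked from unsalted leak:", crack_unsalted(LEAKED_UNSALTED, table))
    record = store_password("fam1lytr33")
    print("same password, salted PBKDF2 hash found in table?", record["hash"].hex() in table)
    print("verify correct:", verify_password("fam1lytr33", record),
          " verify wrong:", verify_password("fam1lytr34", record))
```

    Alice and Bob are recovered instantly from the unsalted leak while Carol's random password is not in any table; with a salt the attacker has to redo the work per user, and with a slow KDF each of those guesses costs a fraction of a second instead of a nanosecond.  As a user you cannot choose how a site stores your password, which is exactly why the post's "never reuse" rule matters: the weakest site you use sets the bar.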
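
    The "code on your phone" flow described in the two-factor section is, in the authenticator-app form, an implementation of TOTP (RFC 6238): phone and server share a secret at enrollment, and each derives the same six-digit code from that secret and the current 30-second time slot, so the code proves possession of the phone without the phone ever being on line.  The following is an added example of both sides, written for this post rather than taken from any bank or authenticator app; the enrollment secret is the RFC's own test key, and the replay rejection and clock-drift window are my design choices, not anything the post describes.

```python
import base64
import hashlib
import hmac
import struct

# Shared secret established once at enrollment (the QR code). This is the RFC 6238
# test key; a real one is 20 random bytes from os.urandom.
SECRET = b"12345678901234567890"
STEP_SECONDS = 30


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then 'dynamic truncation'."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = 6) -> str:
    """RFC 6238: HOTP with counter = number of time steps since the Unix epoch.
    The phone runs exactly this, offline; that is what makes it 'something you have'."""
    return hotp(secret, unix_time // step, digits)


def provisioning_secret(secret: bytes) -> str:
    """What gets typed into (or encoded in the QR code for) the authenticator app."""
    return base64.b32encode(secret).decode()


class TotpVerifier:
    """Server side: tolerate +/- `window` steps of clock drift, compare in constant time,
    and never accept a time step at or before the last accepted one (blocks replay)."""

    def __init__(self, secret: bytes, window: int = 1):
        self.secret = secret
        self.window = window
        self.last_counter = -1

    def check(self, submitted: str, unix_time: int) -> bool:
        if not submitted.isdigit():
            return False
        now = unix_time // STEP_SECONDS
        for counter in range(now - self.window, now + self.window + 1):
            if counter <= self.last_counter:
                continue   # already used, or older than a step we already accepted
            if hmac.compare_digest(hotp(self.secret, counter), submitted):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    print("enroll this in the app:", provisioning_secret(SECRET))
    phone_code = totp(SECRET, 59)            # RFC 6238 vector: time 59 -> 287082
    server = TotpVerifier(SECRET)
    print("first use:", server.check(phone_code, 59))   # accepted
    print("replayed :", server.check(phone_code, 75))   # rejected: same time step
```

    Two things worth noticing.  The hash table the attacker stole in the post's scenario never contains this secret, so cracking passwords gets them nothing here; but the secret itself is a 20-byte key stored on the server, and a site that loses its TOTP seeds has lost the second factor for every user.  And the verifier only checks that the code is right, not who typed it, which is why a phishing page that relays the code within the window still works against it.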

In general I see a lot of useless advice out there -- particularly along the lines of ineffective "clever" password schemes (first letter of each word of a nursery rhyme, a Bible verse, etc.).  I hope that these thoughts will help those I know to manage passwords in ways that really do help them protect their information.

As the security landscape inevitably changes, be sure to research the latest thinking on identity, privacy, and password management.  I'm certain that what I've written here will eventually be as old and as obsolete as "don't use an English word" :-)   Hopefully when that time comes, I'll think to update this post!