Monday, February 18, 2013

Choosing Good Passwords in 2013


Now that we are living in the Cyber War Era, you are a combatant too. Yet while you are armed only with a pitchfork or a sharp stake (your lowly password), there are a number of things you can do to increase your combat-readiness.

Let me say this right off: Stop using short, complex passwords, which no longer work, and switch to much longer ones (at least 10-12 characters) that are more like ungrammatical phrases with misspellings, and start varying your userid's.

Here's what's going on. Crooks, hactivists, and spies (foreign and domestic) are continually trying to break into websites you've signed up to, and are regularly succeeding, because all software has bugs, which can sometimes be exploited, plus website owners often misconfigure their settings, allowing break-ins to occur.

Once inside, the first thing they steal is the password file, which they can either keep secret or else publicly post on the Internet for anyone to download. Worst case this will be unencrypted, allowing anyone to immediately login as you; or it may be one-way hashed, affording some privacy; or best case it is salted (by adding some variable known characters to make it longer) and then one-way hashed.

However, even with salt, a dump of one-way password hashes seems to act like a magnet, drawing hackers to try and break them, which they do by taking the relevant hashing function and inserting all possible passwords till they find one that hashes to the same value as yours. Bingo, they now have your password. And if you've been using the same userid and password on multiple sites, presto, they can sign-in as you on those other sites as well.

This is bad, but what can you do? Learn how password cracking works and defend yourself by making your passwords harder to break.

If some crook has your userid and the hash of your password, there are 3 main things they can try. First is simply look up the hash in a giant pre-computed "rainbow table" of all possible hashes. This has already been done for all Windows® passwords up to 8 characters, including random ones. Thus a random 8-character password is now worthless, since a crook can just look it up in a few seconds.

Second, if there's no table, they can try to break it. The random 8-letter password that former CIA Chief David Petraeus shared with his mistress, which she used on multiple websites, including one that was hacked, was broken in about 16 hours, once someone got the idea to target it. [A head slapping breach of national security.] However by making it longer, say 10, 12, 14, 16 characters, it starts taking months or years rather than hours.

Third, they can try all other known passwords that have ever been disclosed as being passwords, including from massive cleartext dumps of previously stolen passwords. Thus if you see a password somewhere, DON'T use it, since someone may have already copied it into his or her dictionary of known passwords to try.

Because they are just stuffing all possible combinations into a hash function, the attackers do not see ANY of your password until they enter ALL of it exactly. Hence, a long goofy password is much better than a short random one. The longer passwords we recommend need not be painfully random, only hard to guess and never before seen.

The latest innovation for 2013 is grammar-aware password cracking. Knowing that people are now using multi-word phrases, crooks and "security researchers" have developed tools that try to build long passwords to test by combining words into phrases, such as "thelazydog." Thus if you combine some words in a way that follows normal grammar, they'll find that too.

So here's what I suggest, which should work for another 1-2 years:
  • Use a different password for each account, especially important ones.
  • Make all passwords at least 10 characters long, and 12-14 for high value accounts.
  • Don't reuse a password you've seen anywhere before, let alone a dictionary word.
  • Add in some capital letters and numbers, and maybe a special character.
  • Avoid using a grammatical phrase. 
  • Learn the basics of Leet Speak and start doing number-letter substitutions, such as zero for O.
  • Don't use the same userid on all sites; devise a range of userid's.
  • Keep a note of when each password was last changed, and change it at least annually.
Some websites are still stuck in the past, and some of their pointless restrictions include:
  • Max of 8 characters (some reject over 8, others silently take only the first 8!)
  • No numbers or special characters
  • Must include capitals, numbers, AND special -- overly hard to type, and unnecessary
If you hit any of these, send a message to the website owner telling them to get up to speed in the Cyber War Era, and start allowing longer, free-form passwords up to 20 characters ASAP!

So how does all this work together? Let's say your name is John F. Jones. Create multiple user names such as jfj0nes, jjon3s, jjone5, jf-jones, jayeffjay,, and so on. In some cases, like if security is turned off by mistake, or if certain other security holes occur, an attacker can login with your userid alone.

When asked to create a new a password, grab a pen and paper and write it down first, before typing it in, so you don't forget it.

Select some unrelated or only vaguely related words, capitalize them, and put some numbers between them, to get up to 10-12 letters, such as Port27Wine [10 do not use], ZoneX357Date [12 do not use], or G!!earth.bread [14 do not use]. Or consider a fractured phrase like Two0ldHou5es [12 do not use].

These are long, never before seen, and ungrammatical, yet not overly hard to remember or type. Don't copy my formats above (which I must now change), inviting crooks to target them. Design your own unique formats for combining multiple words and numbers. One source of memorable non-dictionary words is clever license plates; just be sure to add more characters to them.

If you live alone, there's little risk in keeping a paper list of logins, of which you may have 100s, as long as the data file is not accessible by electronic means. Keep your master file under PGP encryption on a separate machine that rarely accesses the Internet. Then if you're hacked, the file is encrypted, and if you lose the data, you still have the paper, and can scan or retype them, rather than being locked out. Keep the paper in a safe place. For high value logins, never enter or save them into any electronic file; write them on 3x5 cards and stash them. I do not recommend password safes, because local malware could sniff your safe's password when you enter it, and then steal ALL your passwords.

If someone might steal your paper list, protect it by creating a secret PIN, which you do not write down anywhere, such as 1502, and secretly add it to every password, or maybe prefix them all with !2, so the paper list won't work unless the thief also guesses your additional PIN.

Your resulting password file, which has an unrelated file name, and stays encrypted when you're not editing or printing it, looks like this:
  • Name of website or URL
  • Email address you used to register with them
  • Userid, for this site, if not your email address
  • Password (per above guidelines, minus any secret PIN)
  • Month and year password was created or last changed
And don't shred your marked-up paper document until you're sure the new file is saved properly, or you'll spend weeks trying to guess or reset all the new passwords you just lost.

You're still at the mercy of individual website owners, who may scrimp on security and leave your password in the clear or unsalted, as well as malware infecting your PC that can steal your password while you're typing it, but otherwise, if you follow the above guidelines, hopefully your password hash will be one of the ones "left over," that the attackers were unable to crack.

And if you hear that some website you use was compromised, don't wait to be notified to change your password. Hop on and change it right away, to shorten the crooks' potential window of time to use or crack your password.

Happy and Safe Web Surfing!

Frank W. Sudia has worked in information security since 1993, once formed an information security company, has 14 issued patents relating to online security, and has recently done cybersecurity consulting for a major NY bank.


Post a Comment

<< Home