Open Intel – Blog

This is part 2 of Strong Passwords of the Security for a New Year series.

Security for a New Year Part I: Strong Passwords – Part 1

In part 1 of strong passwords, I discussed the use of character sets and character spaces and how they impact the overall strength of the password. I primarily discussed how the use of a longer password is significantly harder to brute force than that of a shorter one regardless of how many character sets are used. Typically longer passwords expand beyond the use of single words, and as a result they are referred to in many places as passphrases. Personally, since they serve the exact same purpose as far as authentication is concerned, I use the term password to refer to both single and multi-word passwords. The term passphrase; however, may help you expand your view on what a password can consist of. While most people may use a single word as their password, a password can also consist of several related or unrelated words, or even a complete sentence. This can be a great way to significantly increase the length of your password.

I will be covering two primary topics in part 2 of strong passwords. The first topic is how to design a high entropy password that can withstand even the most sophisticated dictionary attacks. The second topic will be how to significantly increase the character space of your password to where a brute force attack would be impossible with the current state and direction of technology.

The thing that must be fully realized to create a high entropy password is that it cannot consist of any actual words. For most people, they use a password that consists of someone’s name, something they like, or something they think is clever. The problem with using any of these things is that they are typically easy to figure out, or they are readily available in one of millions of dictionary files available on the Internet. Before I go into any further detail I would like to provide a list of the top 25 passwords of 2012 according to What’s My Pass. These passwords were compiled based off of the many stolen and hacked accounts that occurred in 2012.

1. password (Unchanged)
2. 123456 (Unchanged)
3. 12345678 (Unchanged)
4. abc123 (Up 1)
5. qwerty (Down 1)
6. monkey (Unchanged)
7. letmein (Up 1)
8. dragon (Up 2)
9. 111111 (Up 3)
10. baseball (Up 1)
11. iloveyou (Up 2)
12. trustno1 (Down 3)
13. 1234567 (Down 6)
14. sunshine (Up 1)
15. master (Down 1)
16. 123123 (Up 4)
17. welcome (New)
18. shadow (Up 1)
19. ashley (Down 3)
20. football (Up 5)
21. jesus (New)
22. michael (Up 2)
23. ninja (New)
24. mustang (New)
25. password1 (New)

I simply cannot stress it enough, if your password for any account is on this list, then you should change it immediately. These passwords are almost guaranteed to be the first ones attempted for breaking into accounts. Some individuals who are multilingual may use words from a language other than English as their password. The problem with this is that while it may decrease the chances of your password being compromised, if they are real words then guaranteed there is a dictionary file on the Internet containing them. Again we arrive at the same conclusion, it cannot consist of actual words.

Many individuals may think that using something clever such as ‘to be or not to be’ (minus the quotes) as a password would be a strong enough password. While the character space of this password is significantly long, there are also dictionary files containing massive lists of popular quotations and phrases available, and this could still easily be cracked. Furthermore, the use of symbol and number substitution for letters (commonly referred to as 1337) does not provide any greater security, as there are lists available containing common uses of these as well.

This does not mean that a password cannot be based off of actual words, it just should not contain any. When choosing the words to base your password on, you should consider how easily these words could be connected to you. For example, your spouse and children’s names should never be used, as these can easily be connected to you. Additionally this excludes your favorite sports team, your religion, favorite television shows, favorite brand of clothing, pet’s name, favorite make or model of vehicle, or even your brand of coffee. The list goes on and on. Subsequently, you should not base it on anything you blatantly dislike either. For example, if you are a die-hard Chevy person, basing you password off of Ford is not a good idea either. Through the advent of social media, anything that can relate to you in anyway is not a good idea for password basis because this information is likely easily attainable. What is even worse, is that there are scripts and programs that easily enable an attacker to compile their own dictionary file of passwords you may use based on the information they obtain.

So to start our design for a high entropy password we need two unrelated words that cannot be connected to you in anyway. For our example we will use a sport to which, in our example, you feel completely impartial to. The sport we have chosen is tennis. Now we need something completely unrelated to tennis and not connected to you to combine this with. For this example we will use a type of animal, a camel. So currently our password consists of tenniscamel. Well aside from being two unrelated words, they are entirely lower case. So lets randomly pick a couple letters to capitalize. We now have TeNNiscAmeL. The next issue we encounter is that there are no numbers in this password. So lets pick two random numbers to which you feel completely indifferent about. For our example I am choosing 7 and 2. The typical response to adding numbers to a password is to add them at the beginning, in between words, or at the end. We want to do something out of the ordinary, so we will do this Te2NNiscA7meL.  In addition to adding numbers in this way, we did not do substitution, and we also succeeded in converting both words from actual words into nonsense. To add an additional layer of security we should add some symbols. We should add these at random and use at least two of them. Our password after this step looks like this: Te2N?NiscA(m)eL and I actually used three total symbols. Brackets can be a great way to add symbols to a password, and at the same time make it easier to remember. So now we have a password that is almost entirely guaranteed to not be in a dictionary file, especially one designed specifically for you, and we have a relatively high character space of fifteen. The only real issue with a password like this is that it may be hard to remember.

The password in the previous example that if used frequently over time could be remembered, but it would likely need to be written down some place until then. While I will go into further discussion of password documentation in part 3, there is nothing wrong with writing a password down and carrying it in your wallet or purse, or even better keep it in a safe. The important thing to note if you do this is not to have the password anywhere on your desk, or have other information such as the username or website on the same piece of paper. Remember, this was just one example, you could make it easier to remember by doing the previous methods differently. The important thing is that your password when finished meets all of the following:

• It uses both uppercase and lowercase letters, and the uppercase letters are not solely the first letter of each word
• It uses numbers, but not just by using them for letter substitution
• It uses at least one symbol preferably more
• The numbers and symbols are scattered and not just at the beginning or end of the password
• The base word or words are not remotely close to their original form

With time and practice you will easily be able to do this to all of your passwords. Remember the primary goal of entropy in passwords is to defeat the use of dictionary attacks. You also want to make a password that if someone knew everything about you, they still would not be able to guess the password. Ultimately, you want to leave the attacker with no other choice than to use a brute force attack.

This leads us into our second topic in part 2 of strong passwords. The easiest way to create a large character space in our passwords is a method called haystacking. This method was conceived by the Gibson Research Corporation. They refer to your password as a needle hidden in a haystack, and their haystacking method consists of padding your password with a single type of character to add to its overall length. This method is very simple, and as a result I will not go very in depth over its use. For more detailed information I recommend clicking the link and reading their entire article, but keep in mind their primary focus is on brute force defense.

To use haystacking on our password we created earlier we need to choose a symbol. For this example I will use the same symbol used in Gibson’s article a period. Our password has a current character length of fifteen and if we want to increase that to twenty-four we need to add nine characters to it. Our password now looks like this: Te2N?Nis………cA(m)eL

I chose to simply add the padding in the middle, and while we have added nine identical characters to our password, it still meets all of the entropy requirements. Before I close yet another extensive blog entry on security, I would like to add that you should probably not use the period. It is highly likely that this method will start ending up in dictionary files and you should create your own system for padding passwords.

YOU should invent your own personal padding policy. You could put some padding in front, and/or interspersed through the phrase, and/or add some more to the end. You could put some characters at the beginning, padding in the middle, and more characters at the end. And also mix-up the padding characters by using simple memorable character pictures like “<->” or “[*]” or “^-^” . . . but do invent your own!

– Gibson Research Corporation

In part 3 of strong passwords I will go into detail about documenting your passwords, using password generation software, and maintaining a list of high entropy and high character space passwords.

Closing
In closing, I hope that the methods described here help you create passwords that are both long and seemingly random. The goal is to protect your accounts, and hopefully I have provided you with a means to do just that. Again, I look forward to any comments regarding this.

~Spike

With the new year starting, I felt that my first actual content-filled post should be on security. This will be the first part of a several post series on good security practices. Today’s topic: strong passwords.

In today’s society we are connected in almost every way. From social networking to online banking and email to online stock exchange, we have several accounts across several different websites. With each of these accounts ranging in varying degrees of importance, and with the only layer of security we have being passwords, the strength of each password becomes paramount.

The whole subject of passwords introduces several initial problems. While an entire book could be written on the matter itself, lets simply cover the basics of the problems that come with passwords, and some viable solutions.

The first problem that passwords introduce is the strength issue. A strong password is defined as one that is both hard for a person to guess and at the same time hard for a computer to crack. There are two primary aspects of a password that contribute to its strength. The first aspect is entropy or randomness of the characters used. The types of characters used are typically broken down into character sets. There are generally at least three character sets that apply to all passwords. They are uppercase letters, lowercase letters, and numbers. Generally this system is simply referred to as case-sensitive alphanumeric, but I feel that it simply does not go into enough detail as to explain how much of a difference this makes regarding the strength of the password.

The reason multiple character sets are used is because they greatly increase the number of possible outcomes. This is primarily directed at slowing down the process in which a computer can crack the password. One primary method for password cracking, and the one this article focuses on explaining is brute-force password cracking, or trying every possible combination of characters until the outcome produced matches the password. The best way to explain how entropy makes a difference is by running some scenarios. Lets say that you have a password that is 8 characters long. If you only used numeric characters that gives you ten (0-9) possible characters for each position in the password. That means there are a maximum of 100,000,000 possible combinations. While that may seem like a lot, if we take varying aspects out of the equation such as the hashing algorithm used for the password and other security measures such as lockouts, a decent system built for cracking can usually attempt about 500 million password guesses per second. That means in roughly .2 seconds that system would have went through every possible combination of numbers and is guaranteed to have guessed the password.

Now if we add lowercase letters to the password that adds another twenty-six (a-z) possible characters for each position in the password. Using our current 8 character password and including the numeric character set this makes 36 possible characters for each position. This brings us to a grand total of 2,821,109,907,456 possible combinations. You can see how this greatly increases the strength of the password. However, using our password eating system at 500 million guesses per second, this would take approximately 94 minutes to cycle through every possible combination and inevitably guess the password.

Now if we add uppercase letters, that adds another twenty-six possible characters to each position of our password. This brings a total of 62 possible characters for each position. Using permutations this provides a maximum total of 218,340,105,584,896 possible combinations. While the number of possible combinations is very high, it would still only take our password eating system at 500 million password guesses per second around 121 hours to cycle through every possible combination and guess the password. In other words, in less than a week (roughly 5 days) the system could break the password.

Considering how easily a system can break passwords using the three primary character sets it poses the question of how to overcome this. Some passwords allow symbols, and while that character set adds another 32 (33 if you include a space) possible characters to each position it still doesn’t make it unreasonable to try cracking the password. For the math lovers, that is a total of 6,634,204,312,890,625 possible combinations and would take roughly 154 days for the system to guess every possible combination. Along with symbols comes another issue. Not all passwords can use symbols, and even if they did we still cannot make it infeasible to try cracking the password.

So how do we resolve this issue? This is where the other aspect of password strength comes into play. I refer to this aspect as character space some other places may refer to it in other manners, but the basis is still the same, it is the length of the password. With the strength through entropy, it only adds an additional number of character possibilities for each position in the password. Character space exponentially strengthens the password as it adds another position with all character sets used for possibilities in that space. To explain this in more layman’s terms we will go back to our examples. Using case-sensitive alphanumeric (uppercase letters, lowercase letters, and numbers) on a password with a character space of 8 we had a total number of possible outcomes of 218,340,105,584,896 which as we determined could be cracked in under a week. If we use the same three character sets, and set the character space to 10 we end up with a total number of 839,299,365,868,340,224 possible outcomes. Which using our password eating system at 500 million password guesses per second sets it at roughly 53 years to go through every possible combination and guess the password. So by simply adding two more characters to our password length we added years of time to cycle through every possible combination instead of simply days. With keeping the same number of characters and adding a whole other character set we only gained 149 days.

So what is a recommended password length? I typically use passwords that are significantly longer than required, but a good number to stick with is 16. Most passwords support at least 16 characters and some support a much higher number. To show how much of a difference this makes, using the three primary character sets and a character space of 16 we end up with a whopping 47,672,401,706,823,533,450,263,330,816 possible combinations. Using our password eating system at 500 million password guesses per second that means it would take roughly 30,233,638,830 centuries to cycle through every possible combination and guess the password.

Now I have used a lot of math in these examples and I would like to explain how these equations can be easily understood. I use permutations (character space^number of characters in character set)to determine the number of possible combinations. Next I divide by 60 seconds, 60 minutes, 24 hours, 365 days, and 100 years as necessary. Now the chances of your password being the last guess is highly unlikely. So usually it is a good idea to divide the final number by two to determine the time taken to actually crack the password. For example in our initial case sensitive alphanumeric password with a character space of 8 it is more likely to be cracked in 2-3 days instead of taking the full 5 days. There are also other factors that come into play and may limit the system to 1,000 password guesses per second instead of 500 million. Still, there are other systems that can exceed 500 billion password guesses per second. Either way, a 16 character password stands a much greater chance than an 8 character password.

While this may seem like a perfect solution to resolve all your password concerns, we must go back to the entropy aspect. For starters, brute-forcing is not the only method for cracking passwords, in fact it is typically the last resort. While many of the methods rely on the security measures put in place on the side of the program or site you use the passwords on, there are still dictionary attacks or when a system uses a dictionary file of words to attempt to crack the password. Even a 16 character password may not stand a chance against a dictionary attack if it does not have enough entropy. In part 2 of strong passwords I will go into detail about how you can create high entropy passwords that also maintain a high character space.

The second problem that comes with passwords is trying to remember them. In part 3 of strong passwords I will go into further detail about how to maintain several high entropy and high character space passwords.

Closing
In closing I hope this helps all of you gain a higher understanding of how the strength of a password can be measured and look forward to any comments regarding this.

~Spike