Security for a New Year Part II: Security Questions


This is Part II of the Security for a New Year series.

Security for a New Year Part I: Strong Passwords – Part 1

Security for a New Year Part I: Strong Passwords – Part 2

Security for a New Year Part I: Strong Passwords – Part 3

I figured the best way to relaunch the website was to resume the ‘Security for a New Year’ series. Although it is an entirely new year, security is still one of my passions and will always be the primary focus of most things that I do. So without further ado, Part II of Security for a New Year: Security Questions.

This topic was originally requested by a reader at work; his question was simply, “What are your thoughts on security questions?” Well, considering that the topic for part one of this series was passwords, it seemed appropriate to make this part two. Security questions are a very sticky subject when it comes to security. They are used to ‘verify’ your identity using something that is typically more ‘complex’ than your password. There are generally two instances when you encounter security questions: the first, and most common, is to reset your password if it has been forgotten, and the second is as additional identity verification, such as for a banking login.

Server Side Considerations:

The first issues regarding security questions arise on the server side, in the form of how they are stored in the database. If bad practices are already in place for passwords (e.g. storing them in plain text), then it is extremely likely that the same practices will carry over into what is often considered a less important aspect of account security. If the database on the server is ever compromised and passwords are stored in plain text, then it doesn’t matter how strong your password is; the attacker already has it. Even if your password is 64 characters long and completely randomly generated (e.g. using KeePass), it doesn’t matter if the attacker can simply copy and paste it. Before I digress any further, let’s get back to security questions. Since, as I mentioned earlier, security questions are often used for password resets, it is important for the answers to be hashed as well. If you have a good strong password that is hashed in the database, but the answers to the security questions are not, then the password security has failed. For example, if the database is compromised, the attacker does not need to crack the hash of the password; he can simply use the security question and answer to reset the password and gain access to the account. The best practice for this function of security questions would be to send an email with a link that allows the user to reset their password; however, this is not always the case. So the first consideration for security questions is the same as for passwords: hope (or, if the account is important enough, verify through the company’s IT department) that their passwords and answers to security questions are hashed, preferably with something stronger than MD5.

The second issue on the server side for security questions is of the questions offered. Most websites offer a standard list of security questions such as these:

  • What is the name of the High School you graduated from?
  • What is your pet’s name?
  • What is your mother’s maiden name?
  • What is your father’s middle name?
  • What is your favorite team?
  • What is the name of your hometown?
  • In what city were you born?

For a more detailed list of security questions there is an extensive list here: http://goodsecurityquestions.com/examples.htm

Now the first issue with these questions is that they are easily answered with a bit of research. With the advent of social media, these questions are almost completely obsolete. The second issue is with the storage of the questions chosen. Unlike the answers, which can be protected with a one-way hash, the questions need to be readable, and as a result they should be stored using reversible (bidirectional) encryption. This way the website can reverse the encryption and display the question, but the data cannot easily be obtained directly from the database. The third issue is whether a user is able to make up their own questions. This is the best solution, as the user can use something that may be unrelated to them but still memorable. For example, something you will likely never find anywhere might be the security question “What is the Hamburglar’s middle name?”, to which I might respond with “Bacon” as the answer. The answer cannot be found on the internet because, to the best of my knowledge, if the Hamburglar had a middle name, it probably isn’t Bacon. However, anyone that knows me might guess that I would say Bacon to that question, but I will cover answering these questions later in this article. If you encounter very simple security questions for an important service, it would probably be best to contact their IT department to ensure their other security practices are up to par. So, in conclusion of the second server side issue, the considerations are how difficult the security questions are to research, their storage method on the server, and whether or not the user has the ability to create their own questions.
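The two server side points above (hash the answers like passwords, and use an emailed reset link rather than letting the answer alone reset the password) as an added example, not code from the original post. It uses Python’s standard-library scrypt as the slow hash; the in-memory account record, the 15-minute link lifetime and the Hamburglar question are constructed for illustration, and the reversible encryption of the question text is not shown.

```python
import hashlib
import hmac
import os
import secrets
import time
import unicodedata
from typing import Any, Dict, Optional, Tuple

# Added example (not code from the original post). Stores a security-question
# answer the way the post asks for: one-way hashed with a random per-user salt
# using a slow KDF (scrypt, far stronger than MD5), verified in constant time,
# and used only to issue an expiring single-use token for an e-mailed reset link.

SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1   # work factor; raise N as hardware gets faster
RESET_TTL_SECONDS = 15 * 60                     # assumed lifetime of a reset link


def normalize_answer(answer: str) -> str:
    """Canonicalise an answer so 'Bacon ' and 'bacon' verify equal.
    Done before hashing, so the stored hash does not depend on casing or spacing."""
    folded = unicodedata.normalize("NFKC", answer).casefold()
    return " ".join(folded.split())


def hash_answer(answer: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh 16-byte random salt is drawn if none is given."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(normalize_answer(answer).encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return salt, digest


def verify_answer(answer: str, salt: bytes, stored: bytes) -> bool:
    """Recompute with the stored salt and compare without leaking timing."""
    _, digest = hash_answer(answer, salt)
    return hmac.compare_digest(digest, stored)


def create_account(question: str, answer: str) -> Dict[str, Any]:
    """In-memory stand-in for the database row (constructed for this example).
    The question is kept readable here; the answer exists only as salt + hash."""
    salt, digest = hash_answer(answer)
    return {"question": question, "answer_salt": salt, "answer_hash": digest,
            "reset_token_hash": None, "reset_expires": 0.0}


def begin_reset(account: Dict[str, Any], answer: str,
                now: Optional[float] = None) -> Optional[str]:
    """Correct answer -> return a random token to put in the e-mailed reset link.
    Only the token's hash is stored, so a dump of the row cannot finish the reset."""
    if not verify_answer(answer, account["answer_salt"], account["answer_hash"]):
        return None
    token = secrets.token_urlsafe(32)
    account["reset_token_hash"] = hashlib.sha256(token.encode("utf-8")).digest()
    account["reset_expires"] = (time.time() if now is None else now) + RESET_TTL_SECONDS
    return token


def complete_reset(account: Dict[str, Any], token: str,
                   now: Optional[float] = None) -> bool:
    """Accept the link's token once, and only before it expires."""
    now = time.time() if now is None else now
    expected = account["reset_token_hash"]
    if expected is None or now > account["reset_expires"]:
        return False
    presented = hashlib.sha256(token.encode("utf-8")).digest()
    if not hmac.compare_digest(presented, expected):
        return False
    account["reset_token_hash"] = None      # single use: burn it on success
    return True
```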

Before I go into the second portion of this article, I want to share some of my favorite ‘made up’ questions I found while doing my research. Humor is definitely encouraged in the creation of security questions.

Courtesy of: http://usablyauthentical.blogspot.com/2010/08/truly-secure-security-questions.html

  • What color was your first grade teacher’s house?
  • When will global warming end?
  • Why did your girlfriend say that about your mother?
  • How much wood could a woodchuck chuck?
  • What happens when an irresistible force meets an immovable object?
  • Why didn’t you live up to your parent’s expectations?
  • Why is a raven like a writing desk?
  • Why don’t Americans use the metric system?
  • Mrs. Robinson, are you trying to seduce me?
  • To be, or not to be?
  • What is your favorite security question?
  • Bueller? Bueller? Anyone? Bueller?
  • What are you looking at?
  • Do these pants make me look fat?

Choosing Security Questions Considerations:

Now that the server side considerations are out of the way, let’s say all is good with their security and you have a list of questions to choose from. If you intend to answer these questions with some reasonable level of sincerity, then it is best to choose questions whose answers cannot be easily found on the internet or by knowing you. The “what is your mother’s maiden name” question should almost always be avoided if you intend to answer truthfully. Questions that only you, or perhaps only a select few people, would know the answer to are best in these circumstances. Unless it has been revealed online, a question such as “In what city or town did your mother and father meet?”, “What is the name of a college you applied to but didn’t attend?” or “Where were you when you first heard about 9/11?” would be a great choice. Ultimately, if you can make up your own questions, this is the best option. You can be as creative as you want with your questions and answers, and oftentimes these are also easily remembered.

Answering Security Questions Considerations:

Now if you know me, or have learned enough about my thoughts on security from the other articles, you can imagine this is where my enthusiasm lies. I prefer to answer security questions, regardless of the question, with something either randomly generated (using KeePass) or produced by banging my hands on the keyboard like an enraged drunken monkey. The primary reason I choose to use randomly generated answers is the same reason I choose to use randomly generated passwords: I do not believe that something used as an additional layer of security should undermine the previous layer of security.

The truth of the matter is this: if it is something that you will always remember (e.g. your mother’s maiden name or your favorite sports team), then it is also something that can typically be discovered with very little research. Social media has made identity theft extremely easy because people are always sharing so many different things about themselves that they often do not realize they are undermining the security of many of their services. As a result, answering security questions (sometimes even the self-created ones) truthfully drastically weakens the security of the service you are using.

This is where the core problem with security questions rests: they are a tool that is meant to be easily remembered in case you forget your stronger and harder to guess password, or to supplement that password. If you use my approach of answering these questions with more random gibberish, you end up negating one of the primary purposes of security questions. If you do not use KeePass or a similar password vault for your passwords and security questions, then it is best to answer the question with something you will remember, but not the actual answer to the question.

For example, if you choose the “what is your mother’s maiden name” question, consider answering with something your mother used to always say to you instead of her name. If you choose the question “what is your favorite team”, answer with something relating to a specific memory from watching them, such as “Three touchdowns in the first quarter!” or something like that. In short, use your imagination, and when you read the question try to focus more on the memories the question brings to mind, rather than the answer it wants. This technique will help you strengthen your security questions while still making the answers easy to remember, but hard to guess or research.

Live Free; Surf Secure

~Mike

Site Re-Launch


Well I still have not had too much time to make a theme for the site yet, however I have found a nice clean responsive theme to use for now. I have several topics in mind for future posts, and I intend to be more active this year on the website. I am currently finishing up some other projects, but my intention is to do at least one new post per week.

Theme Change


Ok, so things have been only getting busier. I still intend to continue writing the rest of the articles, but it may have to wait a while. In other news, the previous theme appeared to be getting rather buggy, and since I have not had time to create my own yet, I have switched back to the previous theme for the time being. Hopefully new content will be coming soon to Open Intel.

~Mike

Still Alive


Well, since it has been a while since I have posted anything, I figured I would show up here long enough to let everyone know that I am still alive. Life has been extremely busy lately, but in the next couple of months things will be slowing down enough for me to become active again. There are still several sections left for Security for a New Year. There are also plans for an advanced security series, including full disclosure penetration testing. I have also been doing some additional field research on a later section of Security for a New Year, and there will be a post coming soon on that.

Until then, Live Free; Surf Secure.

~Mike

Security for a New Year Part I: Strong Passwords – Part 3


This is part 3 of Strong Passwords of the Security for a New Year series.

Security for a New Year Part I: Strong Passwords – Part 1

Security for a New Year Part I: Strong Passwords – Part 2

In part 1 of strong passwords I covered the use of entropy and character space to create strong passwords and how the length of the password is the best defense against a brute force attack. In part 2 of strong passwords I covered methods for creating a high entropy password that is resilient to almost any dictionary attack. In both parts I mentioned that the second problem that comes with passwords is remembering them.

The memory problem typically leads to two very bad password practices. The first of these is writing the passwords down in a convenient place. While there are many arguments on both sides of this, for security purposes (the reason for passwords in the first place) you should never write passwords down, at least not in any place that is easily accessible. The primary places where people keep their passwords are one of the following locations:

  • On a post it note on the computer desk or monitor
  • On a piece of paper on the desk
  • On a piece of paper under the keyboard
  • In a notebook on their computer desk

The pattern that emerges from this is the consistent location. You should only have a password written down if it is safely away from the computer when you are not there. If you must write your password down, you should keep it on your person at all times, and only take it out when absolutely necessary. An ideal location to keep it would be your wallet or purse. In addition, this piece of paper should ONLY contain the passwords themselves. It should not contain your usernames or the websites they are for.

Before I go further into managing a list of strong passwords, there is one more important item I must discuss about password documentation. While the purpose of passwords is to keep others out of our accounts, there is one thing we have to keep in mind, and though morbid to think about, that is our own mortality. There are some accounts, such as bank accounts and possibly even our social media accounts, for which we should keep our passwords documented. In the event of our untimely demise, we would need our family and loved ones to be able to access those accounts. It is for this reason that we should maintain a document listing these accounts, their usernames, and passwords. Since this document violates everything else I have discussed about passwords thus far, it is critical that it be kept in an extremely safe place. There are only two places that I would recommend: the first and best choice would be a safety deposit box; the alternative would be a safe in your home. Again, though this single document opens access to our entire online identity, it is still a very important step in maintaining strong passwords. While we must do everything in our power to secure our accounts and identity, we must also ensure that we do not leave our loved ones with any more burdens or hurdles to go through after our passing.

The second bad habit that comes from having a strong password, and perhaps even worse than having your password on a sticky note attached to your monitor, is password reuse.

Before I go into further detail on this, I have received some criticism from friends for not including an XKCD comic in my password blog posts, so without further ado:

(For those of you not aware of the XKCD web comics, I highly recommend them. The artist covers many technical issues as well as a myriad of other topics. You can view them all for free at XKCD’s website.)

While the comic is entertaining, it covers the majority of the issue with password reuse. And while there are many legitimate sites out there, I can assure you there are twice as many illegitimate sites out there probably using this exact tactic. Furthermore, even if the sites are legitimate, there is always a chance they could be hacked. If their site is hacked and their database containing user information is downloaded (which it typically is in a website attack), then the only defense for your password is the security measures the site owners had in place on their server. Unfortunately, as attacks such as the one on Sony have shown us (Troy Hunt, “A brief Sony password analysis”), there are a lot of big companies out there with very poor practices for storing customer data. The thing that astonished me from this article was this:

Sony stored over 1,000,000 passwords of its customers in plaintext

In the web security world this is probably the first and foremost cardinal sin with customer data. There are many steps that can be taken to secure customer data, but at the very least, passwords should be one way hashed with a random salt. In the future I will write an article on server side security, but it will not be part of the Security for a New Year series as it is beyond the scope of the articles. For more information on the Sony hack this article from Computer World may be helpful.

Before I digress further, let us recap the password reuse issue. If you use the same password across multiple sites, and one of those sites is hacked and had poor server side security practices, then all of your accounts have essentially been compromised as well. However, this brings about another issue with password memory. While one strong password can be memorized after a short amount of time, a dozen strong passwords prove to be far more difficult. This typically leads back to the first memory issue of writing passwords down in convenient locations, and thus the cycle seems endless. For online accounts there would seem to be a very simple solution: most modern web browsers offer to remember your passwords for you. While this seems like a viable solution, it is actually no better than writing your passwords down and leaving them on your computer desk. Typically, these passwords are simply hidden (they appear as ‘*****’) in your browser but not actually encrypted or hashed. This means that all someone needs to do to view your passwords is to open your browser options and show the passwords.

So aside from writing the passwords down, what other options are there? This is where password vaults or password safes come into play. These programs typically have a master password to open the safe, and then it allows you access to all of the rest of your passwords. These programs usually offer a strong encryption algorithm to protect the rest of your passwords, and this leaves you with only one really strong password to remember. Furthermore, most of these programs offer options for generating long high-entropy passwords so you do not have to come up with them on your own. While there are many options out there, my personal favorite is KeePassX. You can download it for free from KeePassX’s website. There are several factors that make it my favorite among the password safes, but one of the greatest advantages is the cross platform support. This means if you use a Mac, a Windows PC, and a Linux PC the software is compatible with all three. There is also an app for Android phones. The safe that it creates can easily be stored in a cloud based service such as Dropbox or Google Drive or it can be saved to your computer or a flash drive. Next I will cover the basics for setting up KeePassX once you have downloaded it and extracted the archive.

(If you are unfamiliar with archives they are a way of “zipping” files together into a single file. A very nice open source program for using archives is 7zip. You can download it for free from 7zip’s website.)

KeePassX Usage

Open the KeePassX.exe


Click on File and choose New Database


Enter in a STRONG password and then click OK. Repeat the password in the next box and then click OK again. You will now see the normal view.


The first thing we need to do is strengthen the cryptographic security of the database. Click on File and then choose Database Settings.


Click on the clock icon to get a random count from the CPU and significantly increase the number of rounds then click OK. This greatly increases the security of the password database, and is a step that should not be skipped.

The second thing we need to do, and this is most important, is to save the database so we do not lose the passwords we create. Click on File and then choose Save Database.


This will prompt you with a standard save box. You can then choose a place to save your database. The best option would be to not store the file on your PC at all but rather save it to a flash drive. Also be sure to make a copy of the database to a disc or second flash drive and store it in a safe and keep the backup up-to-date as much as possible. If you must store the file on your computer it becomes all the more important that you have an extremely strong password protecting the database.

Now that the database is saved we can continue to add passwords to our database. Click on a group and then click the Add New Entry icon.


After you click the icon, the Add New Entry window will open.


Enter in the title of the password, such as the account it is for. Then continue to enter in your username, URL, and any comments about the password. You can also set an expiration date for the password if you choose.

Next, let’s use the built-in password generator to generate a new password for this entry. Click on the Gen button.


Select all of the character groups you wish to use. It is important to ensure that all of the groups you choose are supported by the site you are creating the password for. Next select the length of the password you want to use. It is also important to ensure that you do not exceed the password length supported by the site you are creating the password for. Additionally I always recommend checking the ‘Enable entropy collection’ option. This provides you with a box in which you simply move your mouse around in to generate randomness. Then click Generate.


After this box is full, click the OK button.


You will then go back to the generator window. You can view the password it generated by clicking the eye icon. As you can see, this is a ridiculous password. Simply click OK and it will take you back to the Add New Entry window.


You will notice that it has also already duplicated the password into the Repeat field. Click OK again to go back to the main window and add this entry.


As you can see it also masks the username and password by default so that others who might be looking over your shoulder will never see your actual password when you enter it. Be sure to click the save icon to make sure you do not lose the entry. To use the password simply right click on the entry and choose Copy Password to Clipboard.


You can now paste it into the password field on the website you created it for. Keep in mind you need to make sure you change the password on the site first. Additionally, from the time you copy the password it only stays on the clipboard for 20 seconds by default. This is to ensure no one can come up and paste your password into a text editor if you happen to leave your computer unattended. Additionally, by not typing in your password, this also defeats most key logger programs.

This is a basic guide to using KeePassX. There are many more options for customization. While there is not an official documentation page for KeePassX, there is one for the project it has branched off from. While not all of the options from KeePass are available in KeePassX most of the documentation for KeePass 1.x should apply. For the KeePass documentation click here.

While there may be more options for KeePass than KeePassX, KeePass is not cross platform, and therefore is not as useful to me.

Closing

This concludes the third and final part of strong passwords. We have covered a lot of information in this sub series of Security for a New Year. Look for more articles of the series in the coming weeks. I hope this series has helped you gain a greater understanding of how passwords work, and how important they are in securing your online identity. You now have the methods and tools for creating high entropy and high character space passwords. In the process we have also covered several bits of useful open source software such as KeePassX and 7zip. As always, I look forward to any feedback.

~Mike

Security for a New Year Part I: Strong Passwords – Part 2


This is part 2 of Strong Passwords of the Security for a New Year series.

Security for a New Year Part I: Strong Passwords – Part 1

In part 1 of strong passwords, I discussed the use of character sets and character spaces and how they impact the overall strength of the password. I primarily discussed how the use of a longer password is significantly harder to brute force than that of a shorter one regardless of how many character sets are used. Typically longer passwords expand beyond the use of single words, and as a result they are referred to in many places as passphrases. Personally, since they serve the exact same purpose as far as authentication is concerned, I use the term password to refer to both single and multi-word passwords. The term passphrase; however, may help you expand your view on what a password can consist of. While most people may use a single word as their password, a password can also consist of several related or unrelated words, or even a complete sentence. This can be a great way to significantly increase the length of your password.

I will be covering two primary topics in part 2 of strong passwords. The first topic is how to design a high entropy password that can withstand even the most sophisticated dictionary attacks. The second topic will be how to significantly increase the character space of your password to where a brute force attack would be impossible with the current state and direction of technology.

The thing that must be fully realized to create a high entropy password is that it cannot consist of any actual words. For most people, they use a password that consists of someone’s name, something they like, or something they think is clever. The problem with using any of these things is that they are typically easy to figure out, or they are readily available in one of millions of dictionary files available on the Internet. Before I go into any further detail I would like to provide a list of the top 25 passwords of 2012 according to What’s My Pass. These passwords were compiled based off of the many stolen and hacked accounts that occurred in 2012.

1. password (Unchanged)
2. 123456 (Unchanged)
3. 12345678 (Unchanged)
4. abc123 (Up 1)
5. qwerty (Down 1)
6. monkey (Unchanged)
7. letmein (Up 1)
8. dragon (Up 2)
9. 111111 (Up 3)
10. baseball (Up 1)
11. iloveyou (Up 2)
12. trustno1 (Down 3)
13. 1234567 (Down 6)
14. sunshine (Up 1)
15. master (Down 1)
16. 123123 (Up 4)
17. welcome (New)
18. shadow (Up 1)
19. ashley (Down 3)
20. football (Up 5)
21. jesus (New)
22. michael (Up 2)
23. ninja (New)
24. mustang (New)
25. password1 (New)

I simply cannot stress it enough, if your password for any account is on this list, then you should change it immediately. These passwords are almost guaranteed to be the first ones attempted for breaking into accounts. Some individuals who are multilingual may use words from a language other than English as their password. The problem with this is that while it may decrease the chances of your password being compromised, if they are real words then guaranteed there is a dictionary file on the Internet containing them. Again we arrive at the same conclusion, it cannot consist of actual words.

Many individuals may think that using something clever such as ‘to be or not to be’ (minus the quotes) as a password would be a strong enough password. While the character space of this password is significantly long, there are also dictionary files containing massive lists of popular quotations and phrases available, and this could still easily be cracked. Furthermore, the use of symbol and number substitution for letters (commonly referred to as 1337) does not provide any greater security, as there are lists available containing common uses of these as well.

This does not mean that a password cannot be based on actual words; it just should not contain any. When choosing the words to base your password on, you should consider how easily these words could be connected to you. For example, your spouse’s and children’s names should never be used, as these can easily be connected to you. Additionally, this excludes your favorite sports team, your religion, favorite television shows, favorite brand of clothing, pet’s name, favorite make or model of vehicle, or even your brand of coffee. The list goes on and on. Subsequently, you should not base it on anything you blatantly dislike either. For example, if you are a die-hard Chevy person, basing your password on Ford is not a good idea either. Through the advent of social media, anything that can relate to you in any way is not a good basis for a password, because this information is likely easily attainable. What is even worse is that there are scripts and programs that easily enable an attacker to compile their own dictionary file of passwords you may use, based on the information they obtain.

So to start our design for a high entropy password we need two unrelated words that cannot be connected to you in any way. For our example we will use a sport to which, in our example, you feel completely indifferent. The sport we have chosen is tennis. Now we need something completely unrelated to tennis and not connected to you to combine this with. For this example we will use a type of animal, a camel. So currently our password consists of tenniscamel. Well, aside from being two unrelated words, they are entirely lower case. So let’s randomly pick a couple of letters to capitalize. We now have TeNNiscAmeL. The next issue we encounter is that there are no numbers in this password. So let’s pick two random numbers which you feel completely indifferent about. For our example I am choosing 7 and 2. The typical response to adding numbers to a password is to add them at the beginning, in between words, or at the end. We want to do something out of the ordinary, so we will do this: Te2NNiscA7meL. In addition to adding numbers in this way, we did not do substitution, and we also succeeded in converting both words from actual words into nonsense. To add an additional layer of security we should add some symbols. We should add these at random and use at least two of them. Our password after this step looks like this: Te2N?NiscA(m)eL, and I actually used three total symbols. Brackets can be a great way to add symbols to a password and at the same time make it easier to remember. So now we have a password that is almost entirely guaranteed not to be in a dictionary file, especially one designed specifically for you, and we have a relatively high character space of fifteen. The only real issue with a password like this is that it may be hard to remember.

The password in the previous example could be remembered if used frequently over time, but it would likely need to be written down some place until then. While I will go into further discussion of password documentation in part 3, there is nothing wrong with writing a password down and carrying it in your wallet or purse, or even better, keeping it in a safe. The important thing to note if you do this is not to have the password anywhere on your desk, or to have other information such as the username or website on the same piece of paper. Remember, this was just one example; you could make it easier to remember by doing the previous methods differently. The important thing is that your password, when finished, meets all of the following:

  • It uses both uppercase and lowercase letters, and the uppercase letters are not solely the first letter of each word
  • It uses numbers, but not just by using them for letter substitution
  • It uses at least one symbol preferably more
  • The numbers and symbols are scattered and not just at the beginning or end of the password
  • The base word or words are not remotely close to their original form

With time and practice you will easily be able to do this to all of your passwords. Remember the primary goal of entropy in passwords is to defeat the use of dictionary attacks. You also want to make a password that if someone knew everything about you, they still would not be able to guess the password. Ultimately, you want to leave the attacker with no other choice than to use a brute force attack.

This leads us into our second topic in part 2 of strong passwords. The easiest way to create a large character space in our passwords is a method called haystacking. This method was conceived by the Gibson Research Corporation. They refer to your password as a needle hidden in a haystack, and their haystacking method consists of padding your password with a single type of character to add to its overall length. This method is very simple, and as a result I will not go very in depth on its use. For more detailed information I recommend clicking the link and reading their entire article, but keep in mind their primary focus is on brute force defense.

To use haystacking on the password we created earlier we need to choose a symbol. For this example I will use the same symbol used in Gibson’s article, a period. Our password has a current character length of fifteen, and if we want to increase that to twenty-four we need to add nine characters to it. Our password now looks like this: Te2N?Nis.........cA(m)eL

I chose to simply add the padding in the middle, and while we have added nine identical characters to our password, it still meets all of the entropy requirements. Before I close yet another extensive blog entry on security, I would like to add that you should probably not use the period. It is highly likely that this method will start showing up in dictionary files, so you should create your own system for padding passwords.
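The five-point checklist above and the haystacking step can both be turned into a quick self-check. The Python below is an added example written for this post, not code from the original article or from Gibson Research; the wordlist, the substitution table and the exact way each checklist item is measured are my own assumptions (a real attacker's wordlist and mangling rules are far larger). It reports each checklist item separately, so you can see that tenniscamel and TeNNiscAmeL fail, that Te2N?NiscA(m)eL passes, and that the period-padded twenty-four character version still passes.

```python
import string

# Constructed stand-in for an attacker's wordlist (a real one is far larger).
SAMPLE_WORDLIST = {"tennis", "camel", "password", "summer", "horse"}

# Assumed table of common letter-for-character substitutions that an
# attacker's mangling rules would undo: 0->o 1->i 3->e 4->a 5->s 7->t 8->b
# @->a $->s !->i
LEET_MAP = str.maketrans("0134578@$!", "oieastbasi")
MIN_WORD = 4  # ignore wordlist entries shorter than this
SYMBOLS = set(string.punctuation + " ")


def _undone(password):
    """Lowercase the password and reverse common substitutions, keeping
    every character in place so that positions still line up."""
    return password.lower().translate(LEET_MAP)


def _word_spans(text, wordlist):
    """Every (start, end) range where a wordlist entry appears contiguously."""
    spans = []
    for word in wordlist:
        if len(word) < MIN_WORD:
            continue
        start = text.find(word)
        while start != -1:
            spans.append((start, start + len(word)))
            start = text.find(word, start + 1)
    return spans


def check_password(password, wordlist=SAMPLE_WORDLIST):
    """Evaluate the post's five checklist items. Returns item name -> bool."""
    undone = _undone(password)
    spans = _word_spans(undone, wordlist)
    word_starts = {start for start, _ in spans}

    def inside_word(i):
        return any(start <= i < end for start, end in spans)

    uppers = [i for i, c in enumerate(password) if c.isupper()]
    digits = [i for i, c in enumerate(password) if c.isdigit()]
    symbols = [i for i, c in enumerate(password) if c in SYMBOLS]

    # 1. mixed case, with at least one uppercase letter that is neither the
    #    first character nor the first letter of a recognisable word
    mixed_case = bool(uppers) and any(c.islower() for c in password) and any(
        i != 0 and i not in word_starts for i in uppers)
    # 2. digits present, and not every digit is a letter substitution
    #    (a digit counts as substitution if, once undone, a word spans it)
    real_digits = bool(digits) and not all(inside_word(i) for i in digits)
    # 3. at least one symbol
    has_symbol = bool(symbols)
    # 4. some digit or symbol sits inside the password, not only in the
    #    leading or trailing run of non-letters
    core = password.strip("".join(SYMBOLS) + string.digits)
    scattered = any(c.isdigit() or c in SYMBOLS for c in core)
    # 5. no wordlist entry survives as a contiguous run
    no_words = not spans

    return {"mixed_case": mixed_case, "real_digits": real_digits,
            "has_symbol": has_symbol, "scattered": scattered,
            "no_words": no_words}


def passes(password, wordlist=SAMPLE_WORDLIST):
    """True only when every checklist item holds."""
    return all(check_password(password, wordlist).values())


def haystack(password, pad_char, target_len, at=None):
    """Gibson-style padding: insert a run of pad_char so that the password
    reaches target_len. 'at' is the insertion index (default: the middle)."""
    missing = target_len - len(password)
    if missing <= 0:
        return password
    if at is None:
        at = len(password) // 2
    return password[:at] + pad_char * missing + password[at:]


if __name__ == "__main__":
    for candidate in ("tenniscamel", "TeNNiscAmeL", "T3nn1sC4m3l",
                      "Password123!", "Te2N?NiscA(m)eL",
                      haystack("Te2N?NiscA(m)eL", ".", 24, at=8)):
        print(f"{candidate:26s} {check_password(candidate)}")
```

The substitution check is deliberately pessimistic: T3nn1sC4m3l is rejected because undoing the substitutions recovers tenniscamel, which is exactly the transformation a cracking rule set performs.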

YOU should invent your own personal padding policy. You could put some padding in front, and/or interspersed through the phrase, and/or add some more to the end. You could put some characters at the beginning, padding in the middle, and more characters at the end. And also mix-up the padding characters by using simple memorable character pictures like “<->” or “[*]” or “^-^” . . . but do invent your own!

— Gibson Research Corporation

In part 3 of strong passwords I will go into detail about documenting your passwords, using password generation software, and maintaining a list of high entropy and high character space passwords.

Closing
In closing, I hope that the methods described here help you create passwords that are both long and seemingly random. The goal is to protect your accounts, and hopefully I have provided you with a means to do just that. Again, I look forward to any comments regarding this.

~Mike

Adobe CS2 Available for Free

Posted on by .

While this does not count as Open Source Software, I am still tagging it in that category due to it being free. Adobe is now offering their full CS2 Suite for free, including the serials, from their website. For details about the release check here: Tech Support Alert

To download the full suite and start using it today go here: Adobe’s Official Website

Enjoy! I’m still working on the security series, but illness, bad luck and UEFI have caused extensive delays.

~Mike

Security for a New Year Part I: Strong Passwords – Part 1

Posted on by .

With the new year starting, I felt that my first actual content-filled post should be on security. This will be the first part of a several post series on good security practices. Today’s topic: strong passwords.

In today’s society we are connected in almost every way. From social networking to online banking and email to online stock exchange, we have several accounts across several different websites. With each of these accounts ranging in varying degrees of importance, and with the only layer of security we have being passwords, the strength of each password becomes paramount.

The whole subject of passwords introduces several initial problems. While an entire book could be written on the matter itself, let's simply cover the basics of the problems that come with passwords, and some viable solutions.

The first problem that passwords introduce is the strength issue. A strong password is defined as one that is both hard for a person to guess and hard for a computer to crack. There are two primary aspects of a password that contribute to its strength. The first aspect is entropy, or the randomness of the characters used. The types of characters used are typically broken down into character sets. There are generally at least three character sets that apply to all passwords: uppercase letters, lowercase letters, and numbers. Generally this combination is simply referred to as case-sensitive alphanumeric, but I feel that term does not go into enough detail to explain how much of a difference it makes to the strength of the password.

The reason multiple character sets are used is that they greatly increase the number of possible outcomes. This is primarily directed at slowing down the rate at which a computer can crack the password. One primary method for password cracking, and the one this article focuses on explaining, is brute-force password cracking: trying every possible combination of characters until the outcome produced matches the password. The best way to explain how entropy makes a difference is by running some scenarios. Let's say that you have a password that is 8 characters long. If you only used numeric characters that gives you ten (0-9) possible characters for each position in the password. That means there are a maximum of 100,000,000 possible combinations. While that may seem like a lot, if we take varying aspects out of the equation such as the hashing algorithm used for the password and other security measures such as lockouts, a decent system built for cracking can usually attempt about 500 million password guesses per second. That means in roughly .2 seconds that system would have gone through every possible combination of numbers and is guaranteed to have guessed the password.

Now if we add lowercase letters to the password that adds another twenty-six (a-z) possible characters for each position in the password. Using our current 8 character password and including the numeric character set this makes 36 possible characters for each position. This brings us to a grand total of 2,821,109,907,456 possible combinations. You can see how this greatly increases the strength of the password. However, using our password eating system at 500 million guesses per second, this would take approximately 94 minutes to cycle through every possible combination and inevitably guess the password.

Now if we add uppercase letters, that adds another twenty-six possible characters to each position of our password. This brings a total of 62 possible characters for each position. Using permutations this provides a maximum total of 218,340,105,584,896 possible combinations. While the number of possible combinations is very high, it would still only take our password eating system at 500 million password guesses per second around 121 hours to cycle through every possible combination and guess the password. In other words, in less than a week (roughly 5 days) the system could break the password.

Considering how easily a system can break passwords using the three primary character sets, the question is how to overcome this. Some passwords allow symbols, and while that character set adds another 32 (33 if you include a space) possible characters to each position, it still doesn’t make it unreasonable to try cracking the password. For the math lovers, that is a total of 6,634,204,312,890,625 possible combinations and would take roughly 154 days for the system to guess every possible combination. Along with symbols comes another issue. Not all passwords can use symbols, and even if they could, we still cannot make it infeasible to try cracking the password.

So how do we resolve this issue? This is where the other aspect of password strength comes into play. I refer to this aspect as character space; other places may refer to it in other manners, but the basis is still the same: it is the length of the password. With strength through entropy, each added character set only adds more possible characters for each position in the password. Character space strengthens the password exponentially, as each added position multiplies the total by the number of characters in all the sets used. To explain this in more layman’s terms we will go back to our examples. Using case-sensitive alphanumeric (uppercase letters, lowercase letters, and numbers) on a password with a character space of 8 we had a total number of possible outcomes of 218,340,105,584,896, which as we determined could be cracked in under a week. If we use the same three character sets and set the character space to 10, we end up with a total of 839,299,365,868,340,224 possible outcomes, which using our password eating system at 500 million password guesses per second sets it at roughly 53 years to go through every possible combination and guess the password. So by simply adding two more characters to our password length we added years of time to cycle through every possible combination instead of simply days. By keeping the same number of characters and adding a whole other character set we only gained 149 days.

So what is a recommended password length? I typically use passwords that are significantly longer than required, but a good number to stick with is 16. Most passwords support at least 16 characters and some support a much higher number. To show how much of a difference this makes, using the three primary character sets and a character space of 16 we end up with a whopping 47,672,401,706,823,533,450,263,330,816 possible combinations. Using our password eating system at 500 million password guesses per second that means it would take roughly 30,233,638,830 centuries to cycle through every possible combination and guess the password.

Now I have used a lot of math in these examples and I would like to explain how these equations can be easily understood. I use permutations (the number of characters in the combined character set raised to the power of the character space) to determine the number of possible combinations. Next I divide by the guesses per second (500 million in these examples), and then by 60 seconds, 60 minutes, 24 hours, 365 days, and 100 years as necessary. Now the chances of your password being the last guess are highly unlikely. So usually it is a good idea to divide the final number by two to determine the time taken to actually crack the password. For example, in our initial case-sensitive alphanumeric password with a character space of 8 it is more likely to be cracked in 2-3 days instead of taking the full 5 days. There are also other factors that come into play and may limit the system to 1,000 password guesses per second instead of 500 million. Still, there are other systems that can exceed 500 billion password guesses per second. Either way, a 16 character password stands a much greater chance than an 8 character password.

While this may seem like a perfect solution to resolve all your password concerns, we must go back to the entropy aspect. For starters, brute-forcing is not the only method for cracking passwords; in fact it is typically the last resort. While many of the methods rely on the security measures put in place on the side of the program or site you use the passwords on, there are still dictionary attacks, where a system uses a dictionary file of words to attempt to crack the password. Even a 16 character password may not stand a chance against a dictionary attack if it does not have enough entropy. In part 2 of strong passwords I will go into detail about how you can create high entropy passwords that also maintain a high character space.

The second problem that comes with passwords is trying to remember them. In part 3 of strong passwords I will go into further detail about how to maintain several high entropy and high character space passwords.

Closing
In closing, I hope this helps all of you gain a better understanding of how the strength of a password can be measured, and I look forward to any comments regarding this.

~Mike

Facebook Integration

Posted on by .

Facebook integration is complete. You may now make comments and like posts on here using Facebook. In addition to this there is also a Facebook page for Open Intel, and all articles from this point forward will be also pushed to Facebook when published.

~Mike

Another Update

Posted on by .

Two updates in one day, crazy I know, but I may actually be able to start keeping this up to date. I have secured the site and have now enabled new user registrations. I will be working on compiling the first of a few writings to actually post on here going into deeper discussions. This blog will primarily focus on site updates to the main site (Site Updates category) as well as general posts such as this one (General category). In the future when I actually have time to delve into more thought out posts, I will be covering computer security (Security category), web design and web development (Design / Development category), open source software (Open Source Software category), and miscellaneous other computer related articles (Miscellaneous category). Most of the miscellaneous articles will be related to useful or important things I have found in my journeys across the internet.

In addition to all of this, I have set up a temporary redirect from openintel.org to this blog. As a result, there will not be any ‘Site Updates’ posted until the main site goes live again.

~Mike