Hello and welcome,
2020 seems like a good year to start something new, which is why I have decided to start writing down my thoughts on security and sharing them with the world. My motivation for doing this is simple enough: to share my thoughts on how everyone, at home or in their job, can be just a bit more secure in this ever more connected world.
Now to start off, I am by no means a “l33t h4x0r”, but I do keep updated, and I use many of these techniques in my day job as an IT manager. What I want to share is not zero-day vulnerabilities or the latest reverse engineering I have done, but rather simple and easy tips for staying ahead of the common hacker.
So, in that spirit, let’s start the new year with a classic: passwords.
Passwords are, simply put, annoying in so many ways. And you can bet that a lot of sites that ask you to create an account have not really done a lot of research into what good passwords look like beyond the standard “Minimum 8 characters, a lowercase, an upper case and a number”. The problem with these sites is that they will pigeonhole most users into creating some horrible passwords like “password123” and “qwert1234”.
At the same time, most people aren’t offered a good solution that balances their need to log in with relative ease against their need for a secure password. This is not helped by the fact that many IT and security people tend to give slightly unhelpful answers like “At least 20 characters with 3/4 groups”. (We will get back to why length is important and what groups are.)
Now, before moving on, there are a few terms and definitions that may need some explaining. The first is “entropy”, which is a term for lack of predictability or amount of randomness. As an example, “123456” has a low degree of entropy because it is not very random and is very predictable. (It is also the most used password in the world in 2019.) In contrast, “w54H$W” has a much higher degree of entropy while having the same number of characters. Additionally, if we add one character to turn “w54H$W” into “w54H$W%”, we drastically increase the entropy.
The reason many sites say a minimum of 8 characters is that this was enough entropy at the start of the 2000s to last for a long time. But with today’s high-performance computers this is not good enough anymore. Given no delay per guess, an 8 character password can be guessed in 4 seconds by a computer with a modern GPU. If we increase the length to 11, the time increases to 6 years under the same conditions. This is due to the increase in entropy that each additional character gives. Note, however, that even if the time as of now is 6 years for 11 characters, this will change as computers become faster and more efficient; in 5 years we might see 11 characters being guessed in 4 seconds. Therefore, we want to make our passwords as long as possible while still keeping them reasonably easy to type and remember.
Another thing we need to cover, which has already been mentioned, is the concept of “character groups”. In computing, we divide characters into 4 groups: upper case letters, lower case letters, numbers and symbols. The reason for the division is that, in some circumstances, an application doesn’t need to handle all four groups, so developers can save memory by limiting the input to an application to one or two groups. I won’t go into detail on how this works, but suffice it to say it is integral to making applications more efficient. In passwords, however, the need for efficient use of memory is greatly outweighed by the need for more entropy, so using as many of the groups as possible in a password is recommended; having at least 3 out of the 4 groups in your passwords is a good rule.
The ideal password
More informed readers will know that, from a strictly security perspective, a long password with as many of the character groups as possible will be more secure. However, it will often also become very difficult to remember and type in a rush. This causes many users to cheat the system, creating less secure passwords that just about meet the minimum criteria.
Some have arrived at a solution close to what I consider the ideal balance, like the famous xkcd.com comic shown below.
This solution, called a passphrase, will be a good fit for most users. However, it can be improved upon to make things easier to remember and to type – without losing entropy.
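As an added example (not from the original post), the following Python puts numbers on the two ideas above: the brute-force entropy that length and character groups give a password, and the entropy of an xkcd-style passphrase. It also checks the “long, with at least 3 of 4 groups” rule. The guess rate, the 2048-word dictionary and the short list of common passwords are assumptions for illustration.

```python
import math
import string

# The four character groups as the post defines them.
GROUPS = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}

# Constructed list of well-known passwords (the post's own bad examples).
# Anything here is found by a dictionary attack long before brute force.
COMMON = {"123456", "password123", "qwert1234"}


def groups_used(password: str) -> set:
    """Names of the character groups that actually appear in the password."""
    return {name for name, chars in GROUPS.items() if any(c in chars for c in password)}


def brute_force_bits(password: str) -> float:
    """Upper-bound entropy: the attacker must try every string of this length
    over the alphabet formed by the groups the password uses."""
    alphabet = sum(len(GROUPS[g]) for g in groups_used(password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def effective_bits(password: str) -> float:
    """Brute-force bits, except that a known common password is worth nothing."""
    return 0.0 if password in COMMON else brute_force_bits(password)


def passphrase_bits(word_count: int, dictionary_size: int) -> float:
    """Entropy of word_count words drawn uniformly from a dictionary
    (the xkcd comic assumes 4 words from about 2048: 44 bits)."""
    return word_count * math.log2(dictionary_size)


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try the whole keyspace at the given guess rate."""
    return 2 ** bits / guesses_per_second


def meets_policy(password: str, min_length: int = 11, min_groups: int = 3) -> bool:
    """The post's recommendation: long, and at least 3 of the 4 groups."""
    return len(password) >= min_length and len(groups_used(password)) >= min_groups


if __name__ == "__main__":
    RATE = 1e11  # assumed guesses per second for an offline GPU attack
    for pw in ("123456", "password123", "w54H$W", "w54H$W%"):
        bits = effective_bits(pw)
        days = seconds_to_exhaust(bits, RATE) / 86400
        print(f"{pw!r:14} groups={len(groups_used(pw))} bits={bits:5.1f} "
              f"worst-case={days:.2e} days policy={meets_policy(pw)}")
    pp = passphrase_bits(4, 2048)
    print(f"4 words from 2048: bits={pp:.1f} worst-case="
          f"{seconds_to_exhaust(pp, RATE) / 86400:.2e} days")
```

Note that brute-force bits are an upper bound: “password123” scores well on length and groups but is worth nothing against a dictionary attack, which is why the common-password check comes first.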
The even better passphrase
I usually advise people to use passphrases that come from something they remember, like a poem, a book or a movie. I will give some examples to illustrate:
WARNING: Due to the fact that I now have written these in an article about passwords, you should not use any of the actual examples as your password.
The disadvantage is that such a passphrase is more vulnerable to a dictionary attack because of its sentence structure, but this can be outweighed by the gain in usability. Some security-minded people would tear their hair out at that last statement. Well… good luck teaching a 70+ year old executive the four random word rule AND making sure that the person won’t choose a phrase like “one two three four”. And even if they do learn the four random word rule, they will need to remember that the third word was “pretty” and not “petty”. Additionally, creating passwords this way can actually make things a bit more fun, both while creating and while using the password, especially if you come up with something creative.
So, try starting your new year by changing your most critical passwords to something more secure and remember to not reuse passwords. If you struggle to keep track, use a password manager. Either an online one like LastPass or, if you are truly paranoid, an offline one like KeePass.
Have a Secure New Year!