Category: Executive Non-Technical

2020 – A Secure New Year

Hello and welcome,

2020 seems like a year to start something new, which is why I have decided to start writing down my thoughts on security and sharing them with the world. My motivation for doing this is simple enough: to share my thoughts on how everyone, at home or at work, can be just a bit more secure in this ever more connected world.

Now to start off, I am by no means a “l33t h4x0r”, but I do keep up to date, and I use many of these techniques in my day job as an IT manager. What I want to share is not zero-day vulnerabilities or the latest reverse engineering I have done, but rather simple and easy tips for staying ahead of the common hacker.

So, in that spirit, let’s start the new year with a classic: passwords.

Password Basics

Passwords are, simply put, annoying in so many ways. And you can bet that a lot of sites that ask you to create an account have not really looked into what good passwords look like beyond the standard “minimum 8 characters, one lower case letter, one upper case letter and one number”. The problem with these sites is that a rule like that pigeonholes most users into creating horrible passwords like “password123” and “qwert1234”: passwords that satisfy the checklist and are still among the first guesses any attacker tries.

At the same time, most people are not offered a good solution that balances their need to log in with relative ease against their need for a secure password. This is not helped by the fact that many IT and security people tend to give slightly unhelpful answers like “at least 20 characters with 3 of the 4 groups”. (We will get back to why length is important and what groups are.)

Entropy

Now before moving on, there are a few terms and definitions that need some explaining. The first is “entropy”, which is a measure of unpredictability, or the amount of randomness. As an example, “123456” has very low entropy because it is not random at all and is very predictable (it was also the most used password in the world in 2019). In contrast, “w54H$W” has much higher entropy while having the same number of characters. Additionally, if we add one character to turn “w54H$W” into “w54H$W%”, we increase the entropy noticeably: every extra character multiplies the number of possible passwords by the number of characters it could have been.

The reason many sites say a minimum of 8 characters is that, at the start of the 2000s, this gave enough entropy to hold out for a long time. With today’s high-performance computers it is not good enough anymore. Assuming the attacker can try guesses with no delay at all, which is the situation when a site’s list of password hashes has been stolen rather than when guesses go through a login form that limits attempts, an 8 character password can be guessed in 4 seconds by a computer with a modern GPU. If we increase the length to 11, the time increases to 6 years under the same conditions. This is because each added character multiplies the number of possible passwords by the size of the character set. Note that even if the figure today is 6 years for 11 characters, this will change as computers become faster and more efficient; in 5 years we might see 11 characters guessed in 4 seconds. The exact figures also depend on how a site stores its passwords: a slow, purpose-built password hash makes every guess far more expensive than a fast general-purpose one, and you rarely know which a site uses. Therefore, we want to make our passwords as long as possible while keeping them reasonably easy to type and remember.

Character Groups

Another thing we need to cover, which has already been mentioned, is the concept of “character groups”. For passwords, characters are divided into 4 groups: upper case letters (26 of them), lower case letters (26), numbers (10) and symbols (the 33 other printable characters on a standard keyboard, counting the space). The reason this matters is that an attacker has to try every character that could appear in each position. A password made only of lower case letters gives the attacker 26 possibilities per character; one drawing on all four groups gives 95, and that factor is multiplied for every character in the password. Therefore, using as many of the groups as possible is recommended, and having at least 3 out of the 4 groups in your passwords is a reasonable minimum.
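To make the entropy, length and character group arguments above concrete, here is a small calculator, added as an example for this article rather than code from the author. It treats the four groups exactly as described (26 + 26 + 10 + 33 = 95 printable characters), computes the brute-force search space as length × log2(pool size), and converts that to a worst-case cracking time at an assumed guess rate. The rate of 10 billion guesses per second and the tiny common-password list are assumptions constructed for the example; the article's own 4 second and 6 year figures come from an unstated rate and hash, so the numbers here differ, but the relationship between length, groups and time is what matters.

```python
import math
import string

# The four character groups the article describes, with the characters an
# attacker must try per position when that group is present.
# 26 + 26 + 10 + 33 = 95 printable ASCII characters (string.punctuation has
# 32 symbols; the space makes 33).
GROUPS = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation + " ",
}

# Constructed stand-in for the multi-million-entry lists attackers really use.
COMMON_PASSWORDS = {"123456", "password", "password123", "qwert1234", "qwerty"}


def groups_used(password):
    """Which of the four groups appear in the password."""
    return {name for name, chars in GROUPS.items() if any(c in chars for c in password)}


def pool_size(password):
    """Characters an attacker must try per position, given the groups used."""
    return sum(len(GROUPS[g]) for g in groups_used(password))


def brute_force_bits(password):
    """Entropy against pure brute force: log2(pool ** length) = length * log2(pool).

    This is a ceiling: it assumes every character was chosen at random,
    which is exactly what "123456" and "password" are not.
    """
    return len(password) * math.log2(pool_size(password))


def estimated_bits(password):
    """Brute-force ceiling, except that anything on a common-password list
    is effectively zero bits: it is guessed before brute force even starts."""
    if password.lower() in COMMON_PASSWORDS:
        return 0.0
    return brute_force_bits(password)


def worst_case_crack_seconds(password, guesses_per_second):
    """Time to exhaust the whole search space at the given guess rate.
    On average an attacker finds the password in about half this time."""
    return 2 ** estimated_bits(password) / guesses_per_second


def human_time(seconds):
    """Rough, readable rendering of a duration in seconds."""
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


if __name__ == "__main__":
    # Assumed rate: 10 billion guesses/second, roughly one GPU against a fast,
    # unsalted hash. Against a deliberately slow password hash the same
    # hardware manages orders of magnitude fewer, so read these as relative.
    RATE = 1e10
    # "Tr0ub4dor&3" is the mangled word from the xkcd comic: by this formula it
    # looks strong, because the formula cannot see that it is a dictionary word.
    for pw in ["123456", "w54H$W", "w54H$W%", "password", "aaaaaaaa", "aaaaaaaaaaa", "Tr0ub4dor&3"]:
        print(f"{pw:14} groups={len(groups_used(pw))} pool={pool_size(pw):3} "
              f"bits={estimated_bits(pw):5.1f} "
              f"worst case={human_time(worst_case_crack_seconds(pw, RATE))}")
```

Running it shows the three effects the article describes side by side: the seventh character added to “w54H$W” adds log2(95), about 6.6 bits, so it multiplies the search space by 95; going from 8 to 11 lower case letters multiplies the time by 26 × 26 × 26; and a password on the common list has no entropy at all, however many characters and groups it contains.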

The ideal password

More informed readers will know that, from a strictly security perspective, a long password drawing on as many of the character groups as possible will be more secure. However, it will often also be very difficult to remember and to type in a rush. This causes many users to cheat the system, creating less secure passwords that only just meet the minimum criteria.

Some have arrived at a solution close to what I consider the ideal balance, like the famous xkcd.com comic shown below.

[Image: the xkcd comic “Password Strength”, which compares the mangled word “Tr0ub4dor&3” at about 28 bits of entropy with the four random common words “correct horse battery staple” at about 44 bits]

This solution, called a passphrase, will be a good fit for most users: four random common words are both easier to remember than a mangled word and stronger against guessing. However, it can be improved upon to make things easier to remember and to type, without giving up the length that gives a passphrase its strength.

The even better passphrase

I usually advise people to use passphrases taken from something they already remember, like a poem, a book or a movie, written with separators and punctuation of their own choosing. Some examples to illustrate:

“Smoke-on-the-water…”

“Madness,I,tell,you!”

“What:do:you:think:dude?”

WARNING: Because these examples now appear in an article about passwords, you should not use any of them as your own password. Example passwords from articles like this one end up in the word lists attackers try first.

The disadvantage is that such a phrase is more vulnerable to a dictionary attack, because it has sentence structure and, for a well-known line, the words themselves may already be in an attacker’s word list; the separators and punctuation you add are what make it less predictable, so do not skip them. For most users, this is outweighed by the usability benefit. Some security minded people would tear their hair out at that last statement. Well… good luck teaching a 70-year-old executive the four random word rule AND making sure that person won’t choose a phrase like “one two three four”. And even if they do learn the four random word rule, they will need to remember that the third word was “pretty” and not “petty”. Additionally, creating passwords this way can actually make things a bit more fun, both while creating and using the password, especially if you come up with something creative.
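For readers who do want the four random word rule, or who want to see why the sentence structure discussed above costs entropy, here is a small generator and calculator, added as an example for this article and not the author's code. It draws words with the operating system's cryptographic random source and counts entropy the honest way, as number of words × log2(size of the word list), which is the figure that holds against an attacker who knows the method and the list. It also shows what a character-counting meter would claim for the same phrase, which is the overestimate a memorable line from a song or film would get. The 32-word list is constructed for the example so it runs offline; real generators use lists of thousands of words, such as the EFF long list of 7776.

```python
import math
import secrets

# Constructed 32-word list so the example runs offline. Real generators use
# lists of thousands of words (the EFF long list has 7776 entries).
WORDS = [
    "anchor", "basket", "candle", "dragon", "ember", "falcon", "garden", "harbor",
    "island", "jacket", "kettle", "lantern", "marble", "needle", "orchid", "pepper",
    "quiver", "ribbon", "saddle", "timber", "umbrella", "velvet", "walnut", "yonder",
    "zephyr", "bottle", "copper", "desert", "engine", "forest", "glider", "hammer",
]


def word_entropy_bits(n_words, list_size):
    """Entropy of n words drawn uniformly at random from a list: n * log2(list_size).

    This is the figure that survives an attacker who knows the method and
    has the same list: the only thing they do not know is which words.
    """
    return n_words * math.log2(list_size)


def naive_character_bits(phrase, pool):
    """What a character-counting strength meter would claim for the same phrase.
    For a phrase built from words this is an overestimate, because whole words
    are far more predictable than the same number of random characters."""
    return len(phrase) * math.log2(pool)


def words_needed(target_bits, list_size):
    """How many random words from a list of the given size reach target_bits."""
    return math.ceil(target_bits / math.log2(list_size))


def generate_passphrase(words, n_words=4, separator="-"):
    """Pick words with the OS CSPRNG (secrets), never with random.random().
    Words may repeat; that is correct, the entropy figure assumes it."""
    return separator.join(secrets.choice(words) for _ in range(n_words))


if __name__ == "__main__":
    phrase = generate_passphrase(WORDS, 4)
    print("passphrase:", phrase)
    print("honest entropy, 4 words from 32:", word_entropy_bits(4, len(WORDS)), "bits")
    # 26 lower case letters plus the separator character = 27 possibilities,
    # which is what a meter that only sees characters would assume.
    print("character meter's claim:", round(naive_character_bits(phrase, 27), 1), "bits")
    print("4 words from the comic's ~2048-word list:", word_entropy_bits(4, 2048), "bits")
    print("words needed for 60 bits from a 7776-word list:", words_needed(60, 7776))
```

With a 2048-word list the four-word phrase comes out at exactly 44 bits, the figure the xkcd comic quotes, while the character meter credits the same phrase with well over twice that. The gap between the two numbers is what a dictionary attack exploits, and it is why a memorable line needs the separators and punctuation the article's examples use: they are the part an attacker's word list does not contain.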

Conclusion

So, try starting your new year by changing your most critical passwords to something more secure, and remember not to reuse passwords: a password stolen from one site should not open your account on another. If you struggle to keep track, use a password manager, either an online one like LastPass or, if you are truly paranoid, an offline one like KeePass.

Have a Secure New Year!

14 replies on “2020 – A Secure New Year”

Hey,
Happy 2020. Just saw the Reddit entry and I liked this content of yours. Keep posting cool stuff; I am definitely eager to learn more from the security perspective.

Happy 2020!

Great first article. I was talking about the comic with my brother a few hours ago; it’s a great way to visually understand how great this method can be. As for constructive criticism, there are a few grammar mistakes, but nothing too distracting from the work, e.g. “Due to the fact that I now written”.

All in all, kudos to you for making the shift to the 1% who produces content on the internet. I aspire to do the same one day.

Well done and good luck.

I would suggest you add something about uniqueness per account. Do not use the same password or sentence or whatever floats your boat across multiple sites.

You have very little control over how developers implemented storing that password, so assume that the password is breached already and then think: am I OK with the developers of a site knowing my password to another site?

Lastly, use a password manager to generate and store your passwords securely. Reviewing and explaining the different ones out there could all be follow-up articles.

I do touch on this in the conclusion of the article and I have considered doing an article about the various password managers.

I will make a note of the interest in that particular subject, but from what I already know, the password manager space is infested with fan wars and scaremongering by competitors, so I will need to be as thorough as possible in my conclusions.
