Usable Security - Passwords

[Vekseid]

This is a copy of a post I made on my blog at http://vekseid.com/

If you want to let someone else know about this series without directing them to Elliquiy here, you can link them to the original post at
http://vekseid.com/blogs/vekseid/usable_security_-_passwords



Some time back, I came to a few not-terribly surprising conclusions.

1) Security information gets dated, fast. As attackers become aware of a given tool, they work to circumvent it. What is a secure, safe practice one year may actually be a security hazard later on. This bad advice tends to get 'stuck' on the Internet, made even worse by the fact that Google still gives immense weight to stale - but highly linked - articles.

2) Security advice is often completely unusable. One example of unusable security is 'use a different password for every website, alphanumeric plus symbols and mixed case, write nothing down and never use a password manager'. Security advice you are forced to ignore is horrible advice.

3) Security advice can also seem like a massive checklist, rather than a way of thinking. At best, your eyes glaze over, and you ignore pieces of it or make a mistake. At worst, you spend hours ticking off each item, and then consider yourself safe.

Security procedures need to be usable, reasonable, and practical. It needs to be something that you will not only get a definite benefit from, but also advice you are willing and able to follow. This series of blog posts will focus on providing advice that you can actually use, rather than some impossible checklist.

As the title suggests, this first article will cover passwords.



If you think of the keys you have, you probably have a few that you consider important - your car keys, your house keys, maybe the key to a safe. If you own a business, you may have the key to that place, as well, and a special key for a secure room in that building.

Most people, however, do not need a lot of keys. If you have a lot of keys, it is either related to your job, hobby, or position, and in such cases, you handle that accordingly.

Passwords work, in a large part, the same way.

Just having a single password is a bad idea, and while having a separate password for each service is infeasible (and a bit silly), you will want to consider having a number of them-

• Your e-mail password.
• Your Paypal password.
• Another unique password for something you consider important. Keep track of what sites you visit over the course of a given month, and assign the important ones a unique, strong password accordingly.
• A common throwaway password that you use for everything that is not important. You use this on many sites.

The key here is to make sure that:

• If your common password is compromised, you have not lost your financial security.
• If your common password is compromised, you have not lost your personal security.
• If an important password is compromised, you have not lost anything else important, at least not immediately.

If you are exceptionally paranoid, you can use a password keeping program like Password Safe or KeePass, for Windows, or Mac OS's keychain. You can manage a lot of passwords securely this way, but, of course - back up your password database!



When choosing how complex to make your password, you will want to consider the sorts of adversaries you will face.

The first, and most common, is the phisher and general hacker. They may try to get you to visit a website that looks like the website in question, and sometimes, the url may even look correct - but it is not, actually, the site you think you are on. Alternately, they may try to get you to simply visit a site that is capable of compromising your browser and machine, or to open a malicious file. Or your machine may be attacked directly by a botnet looking for vulnerabilities to exploit.

Ultimately, the only solution to this sort of attacker is not to fall for their ruses, and to keep your machines secure. While some of that belongs in future articles, a certain amount of common sense does apply - don't click on links from people you don't trust, and just because someone claims they are Paypal in an e-mail, does not mean they are. Always make sure you are in fact at the appropriate site in question when entering your password. Any site you consider important should allow login over ssl - that is, https://www.importantsite.com rather than http://www.importantsite.com - or better, force login over https. Check the security icon to make sure the site is who it claims to be. Obviously, adjust your paranoia to your situation. I always look at the bar when I am buying something via Paypal, for example, while just about every other site I either type in, use bookmarks, or do not particularly worry about.

The second, and still rather common, is the robot. The attacker in this case does not much care about you, personally, nor is overly interested in trying. Instead, they try to guess your password - and the password to millions of other accounts - by brute force. They typically using a list of common passwords, which can be thousands long for web services, or billions for trying to crack your password when they have the encrypted data in hand and can devote personal resources to it. At some point, however, you need to have some trust that the people who store your passwords are not idiots, and use various means to, at the very least, make brute force attempts difficult.

This, with some advice from below, tells us that the ideal password is not actually a password at all, but rather a passphrase. If my life would end if someone managed to brute force or guess it, you can bet that it is either a passphrase, or randomly generated garbage in a password keeping program encrypted with a good passphrase.

A passphrase is like it sounds - an amusing, nonsensical string, like
johnnyspilled14dropsOntothehighestfloor,$;

Don't use that one. Ideally, it should be something that amuses you enough that you can think it out regularly, and eventually memorize it.

I should point out that I don't type passphrases often. I have two. One protects my Password Safe database, and the other one protects my private key for this and other servers. I type them both in when my machine boots, and in the case of Password Safe, occasionally at later points as it times out after half an hour or so. Since most of my passwords are randomly generated nonsense created by Password Safe, I don't actually remember most of my passwords - I can't, actually.

Passphrases tend to be rather cumbersome on websites, however. If you are going to avoid KeyChain/Password Safe/KeePass and such, I would suggest using made up words, with numbers and mixed caps. Before I switched to Password Safe, I had a number of password 'schemes', such as-

Made up word and digits
sponced935 - low security password for most sites. Had a few of these.

Made up word with mixed case and prefix as well as postfix
x4Nubilon529 - high security password, used for e-mail, something with a similar scheme for Paypal, etc.

Ultimately, I find using Password Safe easier. The only time I resort to something like the above is for my laptop password, which has a limited set of characters, so I make the best of it.

The third is the targeted attacker. They may scour the web for details about you and potential vulnerabilities, personally try to gather information from you, a friend, or a co-worker personally, and try to exploit any vulnerability they can - typical human vulnerabilities. They may craft complex attacks targeting you specifically, which can take any number of forms. This is the sort of situation you face when you have actually made enemies, for one reason or another.

There is something to be said for the benefits of simply not making enemies. Professional courtesy and a mutual respect for most of humanity will go a long way for this, but of course, there will always be assholes in the world, or maybe you simply have something worth taking. Again, a lot of advice belongs in future articles, but some pertinent advice:

• No password, ever, should be related to a detail of your personal life. It's simply a bad habit.
• Related to the above, 'security questions' need to be cast into the deepest pits of Hell. I always answer gibberish for them. An alternative is to make up false information for them, especially if you are consistent. Some friends of mine have a different mother for every company they deal with.
• If you are going to tie an account to a mobile phone, don't use your smartphone. Grab a cheap, not terribly smart phone from PlatinumTel or Net10, keep it up to date and just use it for emergencies and things like tying them to Google Accounts and Paypal. Ideally, it will not even be capable of browsing the web or connecting to a machine via bluetooth or a cord. It just needs to be able to send/receive calls, and text.

In a nutshell, it is important to treat your access to certain things - particularly your e-mail and financial accounts - with greater care. If you are not going to use separate passwords for each site, or a secure password storing program, you should at least use separate passwords for important sites.

[Doomsday]

I actually found a great jpg of password advice, and tips on how to create a new, complex password, and the funniest part is that it was on funnyjunk.

http://i55.tinypic.com/30aam49.jpg

[Zylvyn]

Vek,

Great advice for people and their passwords!

As something to add, a great way to have a different password for each site you visit, but still keep it easy to remember, is to have a base password and then incorporate the site name into it.  Something like __#1Nubilon__  where the underscores are the first and last two letters of the site domain.  ie:   El#1NubiloniY

All you'd need to remember is #1Nubilon and then that the first and last two letters of the site are your password.  Having the site in your password is also an awesome way of mentally remembering to check the URI to ensure you're actually on the site, if it is a secure service.

Unless you tell someone about this theme, the odds of them breaking one and using understanding to go break the others is ... slim.

That was what I used to use, before I got my new system.

The Tabula Recta is an idea I got off of Lifehacker, and ran with it.  A table of 26x26 randomly generated letters and numbers, printed out (and perhaps also kept digitally) allows you to carry your password in your wallet (Which also isn't a terrible idea, given how closely people guard their wallets) without other people being able to just find your password written on a post-it note.

A simple non-entropic pseudorandom generator placing values in tables, like the one I just uploaded to one of the websites I work on, is a great thing.  http://zemgear.ca/tabula.php  Picture that hanging up on your wall above the computer...   That's what I have at work!  Work out a system, follow it, and never tell anyone what it is.  Anyone.  Not even to brag.

ie:  My root user at work would have taken from the column R and the row U.  From there, I would count diagonally and to the left for 15 characters.  The 7th and 13th characters, if letters, change case from what is printed.  If I hit an edge, it 'bounces' back off of it diagonally.  (Or perhaps just follows the edge down to the corner, only to crawl along the other edge).  Using a randomly generated table (It's different every time you visit that link) my new root user password would be:  2Gld>}I3KuYu@0;

Who's going to guess that?  Even with the password staring them right in the face, they won't guess it.  It would be quicker to brute-force it than to try and devise your system for password generation.  http://www.lockdown.co.uk/?pg=combi is a good guideline as to how long it would take a machine (or machines) to brute force their way to a random password.  With the tabula recta, you drop straight on down to the 86 character table and take a look.  With only 8 letters, it would take a distributed or multi-computer operation a good 34 days straight to pull it off.  Each letter added on grows that value exponentially due to the number of permutations, so by the time you hit 15, it's just not going to happen.

You don't need to use something like that for -every- site or computer that you use, although it would be awesome if you did.

Any questions or comments, feel free to poke me with a sharp stick!
Despite having an awesome name, a Tabula Recta is great for allowing you to have super complex passwords for the sites that REALLY matter, without having to worry about forgetting it, someone else finding it because it's written down, or worse, it getting brute-forced.

I got this idea from a lifehacker article, and made my own Tabula recta using

[DiverseDesires]

The ministry of defence taught us something very similar...... to make up two formulas for your passwords, that always stay the same, but creates a unique password for every login. 

So for low security sites one formula - similar to Zylvyn's suggestion, and for higher level ones a more complex formula, using one word in the actual password, a made up one -  say 'zimbar' then you have another word, a longer one from which you only use certain letters, for instance if your hidden word was 'trustworthy' and the site was elliquiy, there are eight letters in elliquiy so you use the 8th letter from your word, 'R' and there are four vowels so you use 'S' Now you have RS_zimbar    then you look at two of the letters in the site name  - you choose which ones, say first and last to make it easy, and convert them to a numerical value from the alphabet, E = 5 and  Y = 25 you now have RS_zimbar_525

There were quite a few other suggestions like using the number you generated to go along one line of the qwerty keyboard left to right to add a symbol/letter/number (So number of letters in the name of the site divided by two, rounded down, top line, shift - for elliquiy that would be 4 = $) and also sums that use numerical values to create higher ones...... endless.....

The formulas can be as complex as you like, but you only have to learn two of them and then every password comes from those.  The advantage is they are always in your mind, with you, and never need to be 'managed'

[Oniya]

Where I work, I have to change my password regularly, it can't be a word in the dictionary, there has to be at least two numbers, one capital letter, and a symbol.  I will either [1) take a common English word from somewhere on my desk (and believe me, there are a lot to choose from) and reverse it,] or [2) pick a word from one of my foreign dictionaries (Welsh seems to confound the 'is it in the dictionary' subroutine),] capitalize that, count the letters, put that number at the beginning and end, and then add on whatever symbol strikes my fancy.

[DiverseDesires]

I have had those rules at work too, I hated it!  I'm terrible at remembering them and get so tensed up about it, it sounds like you have a really good memory Oniya! (In the end I kinda cheated and used a formua based on the date - shhhhh.. don't tell anyone!)  Also the security locks on the doors changed every week - GOD - it was only a number keypad and four letters and 6 digit combination but I forgot it SO many times! *blushes* Lord I remember just how dumb I felt.

[Oniya]

Well, the thing is, I can just remember the word forwards and/or in English.  Then I could figure out the rest.  To use an example that I can't actually use for work (too short) - I see the 'Chess' musical CD on my desk.  Chess -> Ssehc -> 5Ssehc5 -> 5Ssehc5#.  If I forget that string of gibberish, the CD is still sitting on my desk as a reminder.

[Tiaan]

Something I read recently suggested a way of making passwords that seemed to gel with me.

Its similar to Veks pass phrase method above but makes for less characters. Using that phrase and adding another part to the sentance

'johnny spilled 14 drops onto the higher floor, it caused a mess'

then take the first letter of each word

j s 14 d o t h f, i c a m

then capitalise the first part of the sentance gives the password as:

JS14DOTHF,icam

Maybe you could use something more personal like 'my dads birthday. its on the 15th of january' = MDB.iot15j

It gives a case sensitive password with two numbers and a symbol. Of course that just works for one password, not good for generating new ones all the time but I reckon it can be pretty secure to use for bank account or paypal or something. That's not his real birthday.

Is something like that safe to use? Would a hacker try those kind of passwords if they found stuff like your dad's d.o.b? Looks safe to me but then I am no expert.

[Cheka Man]

My passwords are mainly simple and I oinly have two or three of them.

[Damned Eternally]

Going to change my passwords on ALL of my stuff's now!

[didoanna]

Thank you for the advice.  I'm not good with computers!

[ShavenHaven]

Variations on a  theme work well for me. Take a theme, lets say ice cream. You have 2 or 3 favourite flavours, combined with an element of the site name.
HokeyPokey}{EForum
UbeIC*#*RolePlay