I recently conducted an informal poll via Facebook asking my friends what kinds of information security topics they'd like to hear about. That population has a pretty good spread of information security professionals and normal people and a subject I heard frequently from both groups was: What can we do with passwords that is reasonably safe and reasonably usable?
This is a great question and I'm going to do my be to answer it here. Let's see how close I get.
First off, let's ask a pretty basic question: Why do we even have passwords? The short answer is that we have passwords to make sure that you are who you claim to be. This process is called Authentication, which is sometimes shortened to AuthN. We can authenticate users by securely sharing at least one of the following items with a service provider prior to using their service:
- Something you know
- Something you have
- Something you are
Passwords are something you know. You share that password with the service provider and combine it with your user ID. When you provide the correct user ID and password combination you authenticate yourself and can access the data and services you have been authorized.
That makes passwords pretty important. You need a good one, so how do you do it? Conventional wisdom says that a good password meets the following complexity requirements:
- At least 8 characters long
- Upper case letters
- Lower case letters
- Special characters
Too easy, right? You've been doing that since you were surfing CompuServe and Prodigy back in the 80s. Well, back in the 80s, an 8-character password was good enough, but not in this day and age. All the character variation is still good to have, but the 8 character length just doesn't cut it. Things have escalated.
Password complexity is a defense against brute force attacks. A brute force attack is trying every possible password in a character space, i.e. every permutation of each available character in the password. That gives us 1,127,875,251,287,708 possible passwords when we use 8 characters for a password. The typical desktop or laptop can brute force that character space in about 274 days if the password is hashed with the NT MD4 algorithm, which is what you'll find in most business environments. Specialized hardware or Cloud-based systems can accelerate that considerably requiring 10 days or less to crack the password space. Check out Foundstone's Brute Force Calculator to see how long your password will last against a brute force attack. Make your password long enough and use the right algorithm and the bad guys will simply run out of enough time and hardware to crack your password.
The problem is that hackers have other tricks up their sleeve, like password guessing. They'll correctly guess that many people in the Columbus, OH area will have some variation of 'GoBucks2015!' as their password. Our friends in New England probably see a similar frequency of 'GoPats2015!'. Fans of the team up north probably have a high frequency of 'GoBlue2015!'. We tend to be predictable. Hackers work that angle with surprising success rates.
And, once a hacker has one of his victim's passwords, he probably has all that victim's passwords. That is because we tend to use the same passwords for many sites. This isn't necessarily a bad thing if the passwords are used for web sites like your local newspaper or for posting cute cat pictures to Pintrest. It is a problem if you use the same password for your bank account, work account, and email account.
For sensitive accounts like your online bank account or email account I recommend using long passwords of about 20 characters. Use upper case, lower case, numbers, special characters, and spaces. It can be easier to remember if you use a pass phrase instead of a password. A pass phrase is just like a password but in sentence form. A pass phrase might be something like "The 2015 Ohio State Buckeye football team is clearly superior to the one fielded by those yay-hoos up North!" See? It's easy to remember and it's its length means it will take a long time to crack even with a lot of computing power.
But let's say the hackers still guess your password or obtain it through some other means. What else can you do to keep the riff-raff out of your data? The answer is to use multi-factor authentication where you can. Apple, Google, Facebook, and Twitter all have an option of sending a random PIN to your phone when logging on from a new system. You enter that PIN as a second password to get to your data. I highly recommend you use these services when they are available. It's a little extra hassle but it makes it much more difficult for the bad guys to impersonate you through password theft.
- Use a pass phrase instead of a password to make it easier to remember
- Use pass phrases with a big character space (in the 20 character range)
- Don't be predictable in selecting your pass phrase (No matter how much you love the Buckeyes.)
- Don't reuse pass phrases for important services like banks and email
- Use multi-factor authentication when you can
There are other considerations for password authentication as well such as the use of password vaults and biometrics. Those deserve their own posts. Let me know if you have interest and I can pull together my thoughts on those technologies as well.