Passwords a Plenty

It is a trend in life: if you live in the modern era you will have a presence online. It seems as inevitable as the sun rising every morning that there will be data out there with information about you.

So in this growing online world the amount of information that exists grows as well.  We find it easier and easier to share photos and updates with family and friends.  Once we would send a yearly letter with a current photo; now you log on to Twitter or Facebook and it is all there: what we did this weekend, last weekend, and the hundreds of weekends before.  This is good, and it is also bad.

But this post isn’t about the benefits of social media, nor is it about the pitfalls of having a presence online.  It is about trying to make sure your data remains as safe as possible, and the first line of defence is the password.

There has been plenty of information out there about what the most common passwords are, but what I will do in this post is show ways to help manage the plethora of passwords that are out there without having one universal password: how you might be able to have the most complex passwords out there while only really needing to remember one of them, and if there is only one, then that one can be more complex.

Hackers use a couple of different techniques; the main one is a brute force attack.  This takes whatever account information they have been able to glean and tries all types of passwords against it.  A crude brute force attack simply works through every combination of characters.  There are far more sophisticated versions available that use many different algorithms and heuristics to try to get passwords for accounts.

I want to show some examples of the amount of time a crude brute force attack can take.  To put it simply, using just letters, upper and lower case, and numbers (this is the minimum for most passwords) gives 62 different characters.

Password Length   Combinations (a-z, A-Z, 0-9)   Combinations (a-z, A-Z, 0-9, &, #, !, *, $, @)   Difference
1                 62                             68                                                 6
2                 3,844                          4,624                                              780
3                 238,328                        314,432                                            76,104
4                 14,776,336                     21,381,376                                         6,605,040
5                 916,132,832                    1,453,933,568                                      537,800,736
6                 56,800,235,584                 98,867,482,624                                     42,067,247,040
7                 3,521,614,606,208              6,722,988,818,432                                  3,201,374,212,224
8                 218,340,105,584,896            457,163,239,653,376                                238,823,134,068,480

This simple table shows how the length affects how many possible combinations are available.  Now, looking at the Oxford dictionary, there are about 228,132 words.  A brute force attack could and would cycle through every word in the dictionary very quickly.  Including the six additional symbols at only 8 characters offers about 238 trillion more possible passwords.

The amount of time it takes for a PC to try and iterate through 457.163 trillion passwords is:

NOTE:
This is a single-threaded calculation; using multiple threads across multiple cores would increase the speed, as would using the cores on a GPU.  My home PC has 1000+ CUDA cores, all of which could be used to calculate passwords, though this is more difficult than using a traditional processor.

So this quick explanation of how secure a password can or can’t be shows that the more characters one includes, the more possible combinations there are to check.

So, knowing that, what is one to do?

  1. Having multiple simple passwords across all the sites
    This is the most common approach people use: the passwords are easy to remember but are also easy to crack.
  2. Having a single complex password across all sites
    This is good, it makes cracking a password more difficult, but once they have it, they have it for potentially all sites, especially since people use the same email address too.
  3. Use complex passwords that are connected to what is being used
    This adds further complexity to the passwords but also makes them a little easier to remember, since you are at the site the password is being used for.
  4. Multiple complex passwords, mixing it up
    Good, and difficult to remember.  We are creatures of habit: when we enter a password many times we will remember it; if we don’t, we will forget it.  Then you have to go through a number of forgot-password steps to get or reset the password, until the next time you forget it.
  5. Use a password vault.
    This is the best solution, as many password vaults enable very complex passwords, store ALL your passwords in an encrypted file, and mean you only need to enter one main password to open the vault.

The above is ordered, in my opinion, from worst (option 1) to best (option 5).  So why is it this way?  Why should I consider any of these options?

Forget the single words

This is plain and simple: forget the days of having “password”, “welcome” or anything else that is a single word.  Why?  Simply because these words are in a dictionary and are the first ones tried, as are those words coupled with numbers, “password1”, “welcome1” and so on.  These are nice and easy to remember, but a cinch to guess in a snap.

A password can be more than one word

A password can be made up of multiple words; it can be a sentence.  Single words are simpler to hack, but multiple words in a sentence can add more complexity to hacking the password than even using a mixture of letters and symbols.

This also makes the password simpler for the user to remember.  “LetsGoBroncos” is an example, as is “ImNeverGonnaGiveYouUp”; these simple phrases suddenly make things more difficult.  The words exist, and common heuristics can be used to help work out patterns, but once again these take time to process, and the longer it takes to hack it, the less likely it is to be hacked.

If it takes them 50 days to crack 1 account or 1 day to crack 50 accounts, they will opt for the 50 accounts in 1 day, every time.
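The keyspace arithmetic behind the table above, and the comparison with dictionary-word passphrases, can be worked through in a few lines. The following is an added example in Python, not code from the post: the 62 and 68 symbol alphabets, the 228,132-word dictionary and the 10^12 guesses-per-second rate are the figures the post uses, and that rate is an assumption about the attacker rather than a measurement. It also covers the 2^64 and 2^100 time estimates the post gives later.

```python
# Added example, not code from the post: the keyspace arithmetic behind the
# table above, generalised to any alphabet size and to passphrases built from
# dictionary words. The guess rate is an assumption about the attacker.
import math

ALNUM = 62                 # a-z, A-Z, 0-9
ALNUM_SYMBOLS = 68         # the same plus & # ! * $ @
OXFORD_WORDS = 228_132     # dictionary size quoted in the post
GUESSES_PER_SECOND = 10**12
SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365 * SECONDS_PER_DAY


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct strings of exactly `length` symbols from the alphabet."""
    return alphabet_size ** length


def bits_of_entropy(space: int) -> float:
    """Size of a search space expressed in bits: 2**bits == space."""
    return math.log2(space)


def time_to_exhaust(space: int, rate: int = GUESSES_PER_SECOND) -> dict:
    """Worst-case time to try every candidate at `rate` guesses per second."""
    seconds = space / rate
    return {"seconds": seconds,
            "days": seconds / SECONDS_PER_DAY,
            "years": seconds / SECONDS_PER_YEAR}


def passphrase_space(word_count: int, dictionary_size: int = OXFORD_WORDS) -> int:
    """Search space for a passphrase when the attacker knows it is made of
    dictionary words and only has to guess which ones, not their letters."""
    return dictionary_size ** word_count


def comparison_table(max_length: int = 8) -> list:
    """Rows of (length, 62-symbol space, 68-symbol space, difference)."""
    return [(n, keyspace(ALNUM, n), keyspace(ALNUM_SYMBOLS, n),
             keyspace(ALNUM_SYMBOLS, n) - keyspace(ALNUM, n))
            for n in range(1, max_length + 1)]


if __name__ == "__main__":
    for length, plain, with_symbols, diff in comparison_table():
        print(f"{length:>2} {plain:>22,} {with_symbols:>22,} {diff:>22,}")
    # Three dictionary words beat eight random characters from either alphabet.
    print(f"8 chars, 62 symbols : {bits_of_entropy(keyspace(ALNUM, 8)):.1f} bits")
    print(f"8 chars, 68 symbols : {bits_of_entropy(keyspace(ALNUM_SYMBOLS, 8)):.1f} bits")
    print(f"3 dictionary words  : {bits_of_entropy(passphrase_space(3)):.1f} bits")
    print(f"2**64 guesses : {time_to_exhaust(2**64)['days']:.0f} days")
    print(f"2**100 guesses: {time_to_exhaust(2**100)['years']:,.0f} years")
```

The point of `passphrase_space` is that a word-based password should be measured against the dictionary, not the alphabet: an attacker who guesses whole words has a much smaller job per word than per letter, yet even three common words still outgrow an eight-character random string.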

Replace and Increase

There are letters and even words that can be replaced with one symbol.  “ILoveMoney”, “ILove$”, “ILove$$$$$” are all relatively easy to remember, but the last one is a little more difficult to crack than the first two.  Including these symbols means the number of possible combinations to try goes up, and the more combinations, the more difficult it is.  Others are using &, @ or () for letter or word replacements.  I will not give a list here; some are common, some aren’t, but it is best for you to use what you understand rather than what I do: some might use # for H, but I would use # for hash or sharp.

Forget the right way, use your way

What I mean by this is that the right spelling might not be the best.  There are many ways to spell different words, or you can use homonyms, words that sound the same but have a different meaning: Butt and But; Poor, Paw, Pour and Pore.  Each of these can be used in your phrase;

MyCatHaasBigPores – so “Haas” and “Pores” change the context of the words when looking at them, and again make it more difficult to guess.

Where I am can help me remember

I use the Blingles site, and when I create my password I use “ILoveMyBlingles”.  But don’t use this pattern across the board: “ILoveMonstersHigh”, “ILoveMoshiMonsters” and so on, since guess the pattern and you have all of them.  Instead, “MonstersHighRocks” and “MyMoshiMonstersAreCool” provide some examples of this.

A place a password can call home

We now have so many passwords, all complex and all long enough to take your account out of the mix of any quick brute force attack.  But I can’t remember them!  Well, I can now say: don’t.  Use a password vault.

A password vault is a secure place for you to store all of your account and password details.  But there are so many: some online, some offline, some mobile, some not.  The thing to remember is to look at something that you want to use and which is the best approach for you.

The simple ones are just an encrypted repository for all your passwords.  This is all it needs to be.  Others have better features like auto-typing, storing additional information or grouping of the data.  Some features are nice; others I feel are required.  Below is a list of things you want any password vault system to have, no matter where or how it is stored.

  1. Strong encryption – You want to have the best encryption possible, but you also want this to change if the best encryption gets better.
  2. Encryption is only as good as its encryption key.  This is like the password used; AES uses up to 256 bits for a key.  Below is an example;
    6ZPIAFHPwPyqjkMIyRTRkC4Hd4MZPjUhkM4fgKF8T8M= is “MyEncryptedPassword” encrypted with a 256bit key, the maximum size for AES.
    AuR4SL2Bt1BfPxdoB/X87bAQ6b+lsepCkoFrsQQ46+I= is the same word encrypted as before, but using a 128bit key.  So, as you can see, when something is encrypted with a longer key it will create better encryption.
  3. Generating passwords is a good feature, since coming up with passwords that are complex enough for use in systems and keeping them safe is not as easy as it sounds.  One could simply type in jshdfjksdhfjksdfhjdsh, but without knowing it I have created a pattern in the password; patterns are one element of trying to hack and crack encryption, as patterns in passwords and keys could also set up patterns in the data they are encrypting.  Keep away from this.
  4. Key or a password, why not both?  The better vaults have the ability to use more than one method to secure the vault.  Passwords are good, and simply remembering a single password makes things easy, but a key is far more complex than any password.  If the software can use both, it will further lock down the vault and prevent people hacking that; since this is going to contain the keys to your entire digital life, you might as well make it as secure as possible.
  5. Password hashing – The vault should store your password within the file as a hash.  If it doesn’t hash it, then it isn’t as secure as one that does.
  6. It is NOT a cloud based solution.

With these in mind we need to look at a couple of elements I mentioned that need further explanation.

The Keys to the House

I used words like AES, 256bit, 128bit, keys and hashing.  So what are these, and how do they affect my choice of password vault software?

AES

This is the Advanced Encryption Standard; it is one of the newer and possibly more secure of the encryption algorithms.  Though no encryption algorithm is completely unbreakable, the time to break 192bit and 256bit AES is obviously increasingly high.  It is the current standard used by the US government.  Though with all of the goings on about the NSA hacking and requesting data, it is best to keep things as secure as possible.

256bit, 128bit

These are the key lengths used to encrypt the data.  The minimum for AES is 128bit and the maximum is 256bit.  I know what you might say: if increasing the key length also increases the strength of the encryption, as I showed above, why not use a longer key?  The algorithm is fixed to take keys up to a maximum size.  There is also a trade-off: the longer the key, the longer it will take to encrypt and decrypt the data.

Keys

Keys are a file, or a string of characters up to a certain size, that are used to add to the security when encrypting.  Some vault software might use a password and a key.  If you don’t have the key you can’t decrypt the file, ever, since both parts are used to decrypt the file and you would be missing a large portion of the key used to encrypt the data.  SSL uses this form of encryption: since there are no passwords, it uses a combination of public keys and private keys.  Data can be encrypted using the public key, but only the private key can be used to decrypt the data.

Hashing

This has nothing to do with potatoes.  A hash is a one-way encryption of data.  In the world of the ever-expanding internet, when passwords are stored on a server they should be stored in a hashed format.  Why?  It is impossible to work out the value that created the hash.  I say impossible, but, in terms of reference, in computing nothing is impossible given enough time; infeasible means the time it takes to process is currently not within these boundaries, and therefore it is not possible at this moment in time.

Given a machine that can perform 10^12 operations per second (this is a lot), the time to work out a solution scales as 2^n.  Take 2^64, which in these terms is small: it would take 213 days, give or take, to calculate this.  Increase it to 2^100, which is still not terribly complex, and that would take 40,196,936,841 years; yes, 40 billion.  The universe is only 14 billion years old, give or take.  So a computational task that takes that long to complete is considered infeasible.  213 days isn’t, but I wanted to point out the difference between the complexities: it might not look like much on the surface but turns out to be massive in the end.  AES complexity is 2^254.2, so that would potentially take far longer than the 40 billion years needed to work out a 2^100 complexity.

OK, so you want a vault that has good encryption, enables use of keys and passwords (both would be better), can generate passwords, stores the vault password as a hashed value, and is NOT a cloud based solution.
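The vault requirements just listed (a key as long as AES allows, a password combined with a key file, and a stored hash rather than the password itself) can be shown working together. The following is an added example in Python using only the standard library; it is not code from the post and not how KeePass or Norton Identity Safe implement their vault formats. The PBKDF2 iteration count, the verifier label and the header layout are assumptions made for the example.

```python
# Added example (not from the post, not KeePass/Norton code): turn a master
# password, optionally mixed with a key file, into an AES key of a chosen
# size, and store only a one-way verifier so the password itself is never
# written to the vault file. Iteration count and header layout are assumptions.
import hashlib
import hmac
import secrets
from typing import Optional

DEFAULT_ITERATIONS = 600_000   # slow on purpose: every guess costs the attacker this work


def composite_secret(master_password: str, key_file: Optional[bytes] = None) -> bytes:
    """Something you know (password) plus something you have (key file).
    Each part is hashed so the combined secret has a fixed layout, and a
    missing or wrong key file changes every bit derived from it."""
    secret = hashlib.sha256(master_password.encode("utf-8")).digest()
    if key_file is not None:
        secret += hashlib.sha256(key_file).digest()
    return secret


def derive_key(secret: bytes, salt: bytes, key_bits: int = 256,
               iterations: int = DEFAULT_ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA256: stretch the secret into an AES key of 128, 192 or 256 bits."""
    if key_bits not in (128, 192, 256):
        raise ValueError("AES keys are 128, 192 or 256 bits")
    return hashlib.pbkdf2_hmac("sha256", secret, salt, iterations, dklen=key_bits // 8)


def make_verifier(key: bytes) -> bytes:
    """What the vault file stores to check the master password on open:
    a hash of the derived key, not the password and not the key itself."""
    return hashlib.sha256(b"vault-verifier:" + key).digest()


def create_vault(master_password: str, key_file: Optional[bytes] = None,
                 key_bits: int = 256, iterations: int = DEFAULT_ITERATIONS) -> dict:
    """Everything in the returned header is safe to write to disk."""
    salt = secrets.token_bytes(16)
    key = derive_key(composite_secret(master_password, key_file), salt, key_bits, iterations)
    return {"salt": salt, "key_bits": key_bits,
            "iterations": iterations, "verifier": make_verifier(key)}


def open_vault(header: dict, master_password: str,
               key_file: Optional[bytes] = None) -> Optional[bytes]:
    """Recompute the key from the supplied credentials and compare the verifier
    in constant time. Returns the AES key on success, None on failure."""
    secret = composite_secret(master_password, key_file)
    key = derive_key(secret, header["salt"], header["key_bits"], header["iterations"])
    if hmac.compare_digest(make_verifier(key), header["verifier"]):
        return key
    return None


if __name__ == "__main__":
    key_file = secrets.token_bytes(64)   # constructed stand-in for a key file on disk
    master = "0n3P@$$w0rd2Rul3Th3m@ll"
    header = create_vault(master, key_file)
    assert open_vault(header, master, key_file) is not None
    assert open_vault(header, master) is None          # right password, missing key file
    assert open_vault(header, "password", key_file) is None
    print("stored verifier:", header["verifier"].hex())
```

Two design points follow from the post's list: the key size is chosen at derivation time, so a 128bit and a 256bit vault differ only in `dklen`; and because the file holds a salted, iterated hash rather than the password, an attacker who copies the vault still has to run the full key derivation for every guess.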

Encryption in the Clouds

Why not in the cloud?  So much stuff is moving there, and it would be nice to use a system that enables me to get access to all my passwords online.  For a couple of reasons:

  1. The internet might not always be available, and therefore you might need a way to use it offline.
  2. You can’t be assured the business who operates the site will be there tomorrow.  If it is gone, so is your complete vault of passwords.
  3. Can you trust them?  Given the plethora of statements made by Edward Snowden regarding the NSA and companies handing over private data to them, what gives you any trust in someone who houses all of your account and password information?  The NSA knocks on their door and requests it with a federally signed document stating they must provide it.  Or they are in a country whose laws aren’t as strict as other countries’, and therefore it isn’t in their best interest to keep this data out of state hands.
  4. Are you sure it is secure?  I have entered my password and the database is showing, but is it encrypted?  How can I tell?  Where do you keep the password, in the same database I have my data in, etc.?  All of these are valid questions and go to show that when the data isn’t in your hands you are putting a lot of trust in these businesses.

So, offline would be the recommended model, but cloud solutions are good if they offer ways of backing it up offline, accessing it offline, terms of service and service level agreements, etc.  If not, and you read some of them and realise that they do not store things with one-way encryption, or use simple encryption algorithms.

What should I use?

Well, there are two I would recommend; both are offline and one offers many more devices.  It is a preference, and either would enable you to feel safe.  KeePass is open source software that provides all of the elements I would look for and more.  This is an offline model, but it can support using file hosting services like DropBox if you wish to maintain this not just locally but synchronise the data across all your systems.  There are some mobile applications that can use the KeePass database as well; KeePass itself only has software for Windows, but since it is open source there are many different versions available for many devices, see the Download page.

The other is Norton Identity Safe.  This is a free product as well but is not open source.  Norton release a version for Windows, iOS and Android, which can cover most of your needs.  Norton is a trusted name for the protection of your PC; since they released Norton Utilities, they have kept making your PCs faster and more secure.  BUT, this is the only cloud based solution I would recommend.  It is simple, easy to use and can store more data than you need.  My main issue with Identity Safe is there is no use of keys, and passwords for the vault are limited to 20 characters.

Is there an issue with using open source software for your passwords?  No, as long as you control the file the passwords are stored in, and I do.  I have my password file available to me anywhere I want.  Store it in DropBox, OneDrive, Google Drive, iCloud, anywhere that lets you store any file type; the ones that allow automatic integration into Windows Explorer or enable automatic synchronisation would mean all PCs that run the software could get access to it.

IF you WANT a cloud based solution, I have included this one here as my recommendation for it.  But I would prefer to recommend KeePass, as it is more secure (as it is offline), can use a key and a password, and the passwords for the vault itself aren’t restricted in size.

The Password to Rule Them All

So, you have decided to use a vault and you are about to create a new one.  The password: remember the lesson of the password.  It all comes undone (potentially) if you secure your vault with the password “password” (11 bits, yes, a long way shy of the maximum of 256 bits allowable in AES).  So if you only need to remember one password, then go to town.

0n3P@$$w0rd2Rul3Th3m@ll

It means that once you have that, everything else is there for you, and you can store anything secure in there you like.


Posted on July 1, 2014, in Article, Tips and Tricks.