Password Infomania - Part Two
By Benjamin Rich
Protecting Yourself - How to Choose Secure Passwords
In Part One of Password Infomania, Benjamin Rich discussed the ways crackers figure out passwords. In today's installment, he covers hints on selecting good passwords that are difficult to guess or crack.
Length: Unlike baboons but similar to elephants, length is crucial. A 4-character password, no matter how clever, only has about 81 million possibilities, a pathetically small search-space for a Pentium-level processor to move through. Even if every practical ASCII character is allowed and the candidates are tried in no particular order, a 4-character password can be cracked by a brute force program on our aforementioned 1,000,000 password/sec machine in just over a minute and twenty seconds. Most machines aren't capable of this kind of speed, but even at a thousandth of the speed, this can be accomplished in just under 24 hours.
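To make the length argument concrete, here is an added calculator (not code from the original article) that reproduces the article's numbers for the 95 printable ASCII characters and its two machines, 1,000,000 and 1,000 guesses per second, and extends the comparison to longer passwords and to smaller, fixed character sets:

```python
import math

PRINTABLE_ASCII = 95   # printable ASCII, 0x20 (space) through 0x7E (~)


def search_space(length, charset_size=PRINTABLE_ASCII):
    """Distinct passwords of exactly `length` characters drawn from `charset_size` symbols."""
    return charset_size ** length


def entropy_bits(length, charset_size=PRINTABLE_ASCII):
    """Entropy of a uniformly random password; the article's 'complexity' measured in bits."""
    return length * math.log2(charset_size)


def seconds_to_exhaust(length, guesses_per_second, charset_size=PRINTABLE_ASCII):
    """Worst case for the attacker: every candidate in the search space is tried."""
    return search_space(length, charset_size) / guesses_per_second


def human_time(seconds):
    """Rough human-readable duration used for the comparison table."""
    units = [("years", 365 * 24 * 3600), ("days", 24 * 3600), ("hours", 3600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.1f} seconds"


def crack_time_table(lengths=(4, 5, 8, 9, 12), rates=(1_000_000, 1_000)):
    """Rows of (length, charset, entropy bits, worst-case time at each rate).

    The charset rows show why generators with fixed character sets
    (lowercase only, or letters and digits only) give up so much entropy.
    """
    charsets = (("lowercase only", 26), ("letters+digits", 62), ("printable ASCII", 95))
    rows = []
    for charset_name, size in charsets:
        for n in lengths:
            times = tuple(human_time(seconds_to_exhaust(n, rate, size)) for rate in rates)
            rows.append((n, charset_name, round(entropy_bits(n, size), 1), times))
    return rows


if __name__ == "__main__":
    for row in crack_time_table():
        print(row)
```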
Complexity: Sometimes called entropy. Making your password as free of plausible patterns as possible can indeed bring it closer to 'uncrackable'. Obviously, a 16-character password like 'fridge explosion' can be quickly sorted out with a dictionary attack. Even 'fr1dge expl0sion', as explained, can be accounted for in most dictionary attacks. Therefore, a password that increases the theoretical search-space as far as possible, with the fewest recognizable patterns, is best. 5-character passwords are fairly easily cracked, although Q+f@~ is still infinitely better than h4ppy (not that you should use a 5-character password, but you see what I mean).
Apathy: Don't choose a password close to your heart - remember, any cracker, or worse, someone who wants to do you real harm and has real surveillance expertise and equipment, is going to find it much easier to crack your password if they don't even have to use a program to do it. If it's 11 characters long, but also happens to be your girlfriend's or boyfriend's name, it will be on the list of first choices for anyone seriously wanting to get into any of your systems. We've already gone through the pitfalls of using real words or names, or even 'non' words like those from the popular vernacular or from l33t-sp34k substitution, but add to this list: your birthday; your partner's birthday; your car's number plate; foreign words; famous phrases; pet names; Social Security number; etc.
Remember - as typified by numerous security breaches in supposedly 'impervious' systems, the weakest link is always the human one. It means nothing if your company's main project repository server withstands thousands of outside attacks if it has a 5-letter root password which is the name of the CEO's dog, which he or she tells to their niece in the advertising department 'in case of emergency'. Likewise, it means nothing if your password is easily accessible, guessable, or findable (as in written down somewhere), even if it happens to be long and have reasonable entropy.
Uniqueness: A highly common pitfall is to use the same password for many things: your email, your Linux root, your eBay account, etc. For the love of Christ, don't do this: a clever password it may be, 36 characters long, alphanumeric and memorized, but if you're using it for your Joe-Blow JavaScript-R-Us online email account, and it's stored in plaintext in a MySQL database with no password prompt, hidden on the site under the directory 'secret'... and you also used it as your Linux root... you're in an extremely dangerous position indeed. Your password may be a secure one, but the different systems protecting it may not all be secure. Using one password for everything means that a) you're done for - reuse is the sort of thing an immoral cracker will try first upon cracking your online email and finding your use-everywhere password, email address and geographical location in plain text, and b) you've wasted a good password, because you'll have to change it to n different passwords on all your systems - and this is assuming you figure out someone has your password before said password has been used to break into and gain control of all your protected systems.
Memorability: If you can't remember it, you'll have to write it down, and that's inefficient and means it can be found by immoral others. Mind you, good password practices really should be the cornerstone of computer usage, not something called into question for their practicality - as a Linux user, for example, it's unlikely anyone will even attempt to crack your system, because most immoral people use Windows (I'm not joking on this one) - and at that, broadband users are more at risk than dialup users, since broadband is a valuable commodity and is more 'prominent', as it were, on the network due to a permanent or long-standing IP[1]. Sure, sure, you're just a PC owner - unobtrusive, and you don't have the same 3-letter password for your email as for your root access - so, theoretically, having a password of fewer than 19 characters, or writing it on the inside of your sleeve cuff just in case, or even telling it to a trusted friend, aren't necessarily security-compromising activities which will see your credit card stolen and your family dead within the week. Nonetheless, it helps if your password is a good one, a long one, and also something you don't have to record anywhere except your memory - just as you take precautions in other areas of your life regardless of the likelihood of extreme misfortune.
Generating a Good Password
Inconvenient as it is, a good password must be long; have a good combination of upper and lowercase letters, symbols, and numbers; and use as many twists and turns as possible. An example of a highly secure password might be:
C#e%4/*W1
9 characters long, utilizing letters, numbers and symbols, and more or less uncrackable by dictionary means. Resist also the temptation of 'disguising' words with obfuscation - as stated, an English word, even made entirely out of symbols and numbers, can still possibly be guessed by an advanced dictionary attacker.
A good way to choose and remember a complex password is to generate the password using a random exercise, and then type it many times to remember it. Remember, then, the position of the keys you type and the pattern of your fingers moving across the keyboard - not a particular word or phrase, which is easily remembered but also easily cracked.
Generating a good password can be as simple as finding a list of ASCII characters and then rolling a pair of dice several times to pick out the ones you want - a good example of this sort of thing can be found at http://world.std.com/~reinhold/diceware.html; another way, and a much more trodden path, is using a password generation program. Password generating programs are mostly found for *nix environments, but there are some for Windows, and I've included a list of useful links below - remember to use a program that generates random ASCII gibberish, not combinations of words or English elements. Always be on the lookout for password generating programs that only have fixed character sets (only letters and numbers, which alone don't generate enough entropy for a password) or only English-like output (if it can be generated, it can be second-guessed by a dictionary attacker program).
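An added example (not code from the article or from any of the generators it links) of what a generator following this advice looks like: it draws from the full printable ASCII set with a cryptographic random source, rejects candidates that happen to miss a character class, and rejects anything that de-obfuscates to a dictionary word in the way the 'fr1dge expl0sion' paragraph describes. The wordlist and the l33t-sp34k reversal table are constructed for the example.

```python
import secrets
import string

# Full printable ASCII minus space: letters, digits and symbols. Generators with a
# fixed, smaller set (letters and digits only) are what the article warns against.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed toy wordlist standing in for a cracker's dictionary (assumption).
TOY_WORDLIST = {"fridge", "explosion", "happy", "password"}

# Reverse l33t-sp34k table: a dictionary attacker undoes these substitutions too.
UNLEET = str.maketrans("0134578@$!|", "oleastbasil")


def unleet(text):
    """Lowercase the text and undo common digit/symbol-for-letter substitutions."""
    return text.lower().translate(UNLEET)


def has_dictionary_words(password):
    """True if any word-like chunk is a dictionary word, before or after de-leeting."""
    for chunk in unleet(password).replace("_", " ").split():
        bare = "".join(ch for ch in chunk if ch.isalpha())
        if bare in TOY_WORDLIST:
            return True
    return False


def character_classes(password):
    """Which of the four character classes the article asks for are present."""
    return {
        "lower": any(c.islower() for c in password),
        "upper": any(c.isupper() for c in password),
        "digit": any(c.isdigit() for c in password),
        "symbol": any(c in string.punctuation for c in password),
    }


def generate_password(length=12):
    """Draw from the CSPRNG until the candidate uses every character class and
    contains no (de-leeted) dictionary word. `secrets`, not `random`, so the
    output is not predictable from the generator's state."""
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if all(character_classes(candidate).values()) and not has_dictionary_words(candidate):
            return candidate


if __name__ == "__main__":
    print(generate_password(16))
```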
Good Security Practices
Finally, and this is perhaps hardest of all, remember to change your passwords fairly regularly. With highly complex passwords like the one above, stored on a secure system, there is little need for the average unobtrusive user to change their password very regularly - but as a necessary habit for maintaining a secure system it should be noted, particularly by those who do work in high-risk areas.
If anything can be said for good security practices, it's the reminder that what really makes a system secure is diligence, vigilance, and knowledge - a strong human factor. All the high-priced software in the world will not save your company server from attack if its system administrator is inexperienced, unobservant, and lax in practice; the best system is still not impenetrable if it has an obvious password - no matter how cosseted away that password is.
Good Random Password Generators:
Windows: Password Generator v1.1.2
Linux: Keymaker v1.0
Online: LoTekk Password Generator
Footnotes
[1] Dialup providers change their users' IP addresses each time the user logs on - but cable providers usually give their users permanent IPs, or IPs which have 'leases' of several months. This means that, since your address is unchanging and constantly present on the internet for months at a time, or forever, an attacker could theoretically track you, suss you out, and come back later at any time to collect.
Benjamin Rich is the Webmaster of CSD.