Improve your security #9: create good passwords

I never thought that I am going to write this post after publishing the two other Improve your security articles about passwords: #8: change the default passwords and #1: complex passwords aren’t always better

But, here we are, after seeing three major websites (LinkedIn, LastFM, eHarmony) which got somehow (yes, somehow, because we still don’t know how) hacked and lost a large amount of passwords.

What have these problems in common?

Of course, excepting the obvious passwords …

Actually, we don’t know yet what else they might have in common: maybe the same hackers, maybe the same vulnerability which got exploited, maybe others.

The clear thing we know is that at least in the case of LinkedIn the hackers didn’t get the passwords in plain text, but their SHA-1 hashes. They “somehow” cracked the passwords and published them on the web.

 

What is a hash?

According to Wikipedia, a cryptographic hash function (or simply a hash)  is a hash function, that is, an algorithm that takes an arbitrary block of data and returns a fixed-size bit string, the (cryptographic) hash value, such that an (accidental or intentional) change to the data will (with very high probability) change the hash value. The data to be encoded is often called the “message,” and the hash value is sometimes called the message digest or simply digest.

The ideal cryptographic hash function has four main or significant properties:

  • it is easy to compute the hash value for any given message
  • it is infeasible to generate a message that has a given hash
  • it is infeasible to modify a message without changing the hash
  • it is infeasible to find two different messages with the same hash

So, if a hash has all these properties, why do we have today the trouble with the leaked passwords?

Because those passwords were pretty easy to be guessed or reverse engineered using algorithms like dictionary attack, brute force attack, Rainbow Tables and so on.

 

What can a company that stores password do to prevent cracking of passwords?

Besides the obvious “make sure that you don’t lose the passwords in the first place”, they can make the generation of the password hash more complex. “More complex” means complex to find the plain text starting from the hash. This can be quite easily done if they alter the original plain-text password before creating the hash. This process is called Password Salting and it is nothing new. Unix systems are using this procedure since ages now. Please do not confuse salting with padding.

Salting makes the process of cracking passwords much slower, but not impossible. The goal is to make the operation so expensive to the attacker that from some point on it quits doing that.

 

What can you do?

You can create more complex passwords which you still can manage. Don’t do as I mentioned already here (writing the password on a post-it and stick it on your monitor or keyboard).

Here are some tips how to create good passwords which you can remember:

- use long passwords: some websites even enforce a minimum password length of 6, 8 or even 10 symbols. I strongly advise to use at least 8 chars.

An easy way to remember a long password is to associate it with something:

  • for email passwords: I write emails on Gmail every day at 12: IweoGed@12   (replace at with @)
  • Write the name of the website in the password:
    • Gmail: My.G-Mail.Pa$$-Word1
    • LinkedIn: My-Linked.In-Pa$$
    • Last.FM: Last1FM2Pa$$3Word

- mix letters (small and capital), numbers, symbols: 1stPa$$-W0rD

An easy way to remember these combinations is to associate them:

  • change a “s” with “$”
  • split long words like “password” in two or more
  • split long words into syllabus: “computer” in to “com-pu-ter”
  • as separator use symbols like “-”  ”.”  ”#” or similar
  • use incremental numbers for separators

- In case you forget the password, make sure you update the recovery information

  • this means usually an alternate email address
  • a question that only you know to answer (No, “what is your pet name” is easy to find out)
  • Mobile phone number for two factor authentication

- Change your password regularly

 

What you should not do

- don’t use dictionary words like: Microsoft, person names, pet names, name of months or seasons, car brands, etc.

- don’t use your name and your birthday together (e.g.: John21021978)

- don’t use “defaults” like: 12345, root, qwe123, abcd etc.

- use the same password on all import websites

- just simply close the browser without signing out of your account after you use a publicly shared computer

 

How about other methods to manage passwords?

There are other methods to store passwords, but I don’t recommend them.

These methods are:

- Password management software

Basically, there is a software running on your computer which holds the passwords securely to be always at your hand.

The problem with such software is that sometimes they store the passwords in plain text (like Mozilla), sometimes with a puny MD5 on it and almost always unencrypted in memory (at least temporarily). Using such a software is just moving the target for the hacker one step ahead. It doesn’t actually solve the problem for good.

But, the biggest problem with such software is the most non obvious: availability.

What do you do if you’re not near your computer where your password management software runs? Do you call your wife/neighbor/colleague do open your computer and give you the password? I hope not.

- Pen and paper

The “Pen and Paper” method means to write the passwords down… that’s basically no security since anyone is able to get that piece of paper at some point. One can argue that there are safes, lockers, etc. which can improve the security, but you basically don’t do anything else than storing the treasure (your password) behind a closed door. If that door gets open, you lost everything.

Also, this method suffers from the same problem as the software: it is not always available.

 

- Password management in the cloud

I didn’t want to write initially about this method  because it might bring some of you to the idea that this makes sense. It doesn’t… just forget about it because it means too much trouble on long term.

And yes, this would solve partially the availability problem, but not completely, because there are systems out there which are not connected to the internet.

 

As a conclusion, learn your passwords using some of the tricks I mentioned above.

 

 

Sorin Mustaca

Data Security Expert