Diary and notebook of whatever tech problems are irritating me at the moment.

20090209

Practical password security

A recent security breach at phpbb.com resulted in an intruder obtaining and publishing thousands of member names and passwords. A design flaw, a.k.a. bug, in a mailing list application was responsible. An analysis of the passwords revealed some interesting facts about the types of passwords people use when creating accounts at web sites. The most popular ones were "123456" and "password". A similar pattern was found in passwords exposed by a fake MySpace site in 2006. While intrusions at non-critical sites like these aren't likely to ruin your life, it's a lot more serious if they manage to get access to your account at your bank or credit union web site. Let's look at the types of password problems I've seen and what you can do to make yours safer without a lot of hassle.

First, security is like a chain - it's only as strong as the weakest link. Even with a secure computer that is connecting to a secure web site using a secure network connection, a weak password pretty much defeats the security. There are three ways intruders can get your password without your direct assistance. By "direct assistance" I mean you telling them (in other words, lying still works) or you writing it on a sticky note and pasting it on your computer where everyone in the room or those looking through a window can see it. The remote methods include installing spyware on your computer or the web server you are connecting to, guessing your password based on what they know about you (pet names, phone numbers, favorite foods, favorite cars, etc.), or using another computer to try every possible password (called a brute force attack). The last one is often used with a method known as a dictionary attack, which uses dictionaries of known words to check against. This works faster because most passwords are words instead of random characters, since words are easier to remember. There are dictionaries for every language. There are also dictionaries for special categories like scientific fields, entertainment, or industries. For example, a biology dictionary may contain scientific names of plants, animals, and fungi. An attacker could include it if they knew you were a biologist, in case you used the name of a bacterium for part of your password.

The security strength of a password is directly related to its unpredictability (from the attacker's point of view). If the password is a word in the English language then it's more predictable than random characters. If it's a word relating to you, then the more the attacker knows about you, the more predictable it becomes. A long password is usually less predictable than a short one. A password made up of several related words like "big red truck" is weaker than a password made up of several unrelated words like "plastic quickly artichoke". A password using more types of characters (lower case and upper case letters, numbers, and symbols) is stronger than one that only uses lower case letters. Intentional spelling errors can make a password stronger, but common errors or alternate spellings (including English dialects, Engrish, and Leetspeak) are more predictable and probably in password dictionaries.

Another problem I find with most users is that they use the same password with every account on every site. If you do this and someone figures out the password for one of your accounts then they have access to all of your accounts.

Another password weak point is the password recovery function at most web sites. These allow you to reset your password if you forget it. They usually require you to enter your account user name or email address and then send a reset web page link to the email account that is registered with the account. You then click the link and are given either a temporary password or allowed to enter a new one. If your email account has a weak password and an intruder gets in, then the password reset functions at every site you have an account on can be used by the intruder to set new passwords and get access.

Obviously the best security is to use different big random passwords at each site but these are very difficult to remember. The solution is to use a password manager. This is a program that keeps track of passwords. You could store all of your passwords in a text file or word processor document but if an intruder gets access to your computer they could easily open and read them. Password managers store passwords in an encrypted file that is itself protected by a master password. Encryption is a process of scrambling something so that it is unreadable without the correct key. When you try to open the file with the password manager it asks you for the master password (i.e. the encryption key) and attempts to unscramble the file. If the file is unreadable then it knows you didn't enter the correct key. If an attacker gets the file but doesn't have the key all they will find is scrambled gibberish. There are many encryption methods with varying levels of speed and complexity but they still rely on you to create a strong master password (encryption key) to secure the contents. With the password manager you only need to remember the master password for the password file - the rest are available once it is decrypted and opened. You can then copy the passwords for your other accounts from the password manager and paste them into your web browser or other programs as needed. While there are many different password managers available for all kinds of computers the one I recommend is KeePassX. It's free and available for Windows, Mac OS X, and Linux (Ubuntu, Mandriva, etc.). I normally install it on any computer I set up.

A password manager isn't a perfect solution. If you use it on a computer that has already been infiltrated and has spyware on it, the intruder can get your password manager's master password by reading what you type when you enter it. But outside of that, it's rather secure with a good strong password. In fact, with a strong master password, you can make the encrypted password file publicly available and not worry about anyone being able to read it because only you have the key. You can put the file on a public Internet site or, if you have a web-based email account like Google or Yahoo!, you can email it to yourself so it's stored in your email inbox. That way you can get at your passwords from any computer on the Internet with the password manager program installed - just make sure they are secure first before entering your master password or even logging into your email account to get the file. Of course, make backups of your password file by emailing it to yourself or saving copies of it to a USB flash drive.

For creating secure account passwords most password managers have a password generator. It can create random passwords of varying lengths using numbers, letters, and symbols. The more variety the better. For example, if you have a password that consists of a single lower-case letter, there are 26 possible passwords that an attacker will have to try to break in. They may get lucky on the first try and find it's an "a" or they may have to try them all and find it's a "z". With two characters there are 26x26 or 676 possibilities. Add another character and it's 26x26x26 or 17,576. If you include upper-case letters you now have 52, 2,704, and 140,608 possibilities for one, two, and three character passwords. Add numbers and you get 62, 3,844, and 238,328 possibilities. Using every printable character on the keyboard (including a space) you end up with 74, 5,476, and 405,224. Way too many to try by hand, but remember that most attackers on the Internet are using a computer to try each combination and can make millions of attempts every second. To be relatively safe you should have at least 12 characters. This makes it unlikely for an attacker to determine your password in any reasonable amount of time (many years) even if they are using thousands of computers simultaneously. The more complicated your password is, the more likely they are to give up before breaking it and move on to another target. In general, both the length and the number of different characters affect the strength of the password, so if you use fewer character types then use a longer password to make up for it.
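The arithmetic above, carried through for the four character-set sizes the post uses, plus a generator of the kind a password manager provides. This is an added example, not code from the post or from KeePassX; the 74-character keyboard set and the 1,000,000 guesses per second rate are taken from the post as assumed constants.

```python
import secrets
import string

# Character-set sizes exactly as the post counts them
# (the 74 figure is the post's own count, used here as a constant).
CHARSET_SIZES = {
    "lower case letters": 26,
    "upper and lower case letters": 52,
    "letters and numbers": 62,
    "every printable keyboard character": 74,
}

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return charset_size ** length


def years_to_exhaust(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Worst case: the attacker has to try every candidate at the given rate."""
    return keyspace(charset_size, length) / guesses_per_second / SECONDS_PER_YEAR


def generate_password(length: int = 12,
                      alphabet: str = string.ascii_letters + string.digits + string.punctuation) -> str:
    """Random password drawn from the OS CSPRNG, like a password manager's generator.
    `secrets` rather than `random` so the output is not predictable from its seed."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    rate = 1_000_000.0  # "millions of attempts every second" (assumed: one million)
    for name, size in CHARSET_SIZES.items():
        print(f"{name} ({size} symbols):")
        for length in (1, 2, 3, 8, 12):
            print(f"  {length:2d} chars: {keyspace(size, length):>26,d} candidates,"
                  f" {years_to_exhaust(size, length, rate):.2e} years at {rate:,.0f}/s")
    print("example generated password:", generate_password(12))
```

Running it shows why the post asks for 12 characters: three characters from any of these sets fall in well under a second at a million guesses per second, while twelve from the full keyboard set run to hundreds of millions of years.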

While the password generator can make complicated passwords and the password manager can keep track of them, you still need a strong master password. Ideally it should be random and long, but it's really hard to remember something like that. A technique I've used with employee accounts on business networks is to have them create a short secret password consisting of words and a few extra numbers and symbols that they can remember. Then add several random characters before and after it for the full password. Then write down the random portions on a piece of paper with a blank line between them signifying the secret part and store it someplace out of sight. When entering the password they use the paper for the beginning portion, followed by the secret part they didn't write down, and then the rest from the paper. This is practical because you can generally trust coworkers (or household members) more than anyone on the Internet. Even if someone finds the paper they don't have the full password, while an attacker on the Internet doesn't have any of it. If you have trouble coming up with random words for a password you can try a technique called Diceware that uses dice and a word list.

One problem you will encounter is that web sites have varying rules about passwords. Some require between six and twelve characters, some allow much longer. Some only allow letters and numbers. Some only allow some symbols while others allow almost anything. Unfortunately many web sites don't specify their rules entirely so you may have to make several attempts to find one it will accept. You may find that a web site will accept a 16 character password when you set up a new account but actually only allow 14 characters and chop off the last two without telling you. When you enter a new password into a web site test for this problem by logging out of the web site and back in again with the new password. If it rejects it, delete one character from the end of the password and try logging in again. If you get down to the minimum number of characters the site will allow and you still can't log in, use the site's password reset/recovery function to get access again. If deleting some characters from the end allows you to log in make sure to note how many characters it accepted in your password manager so you don't end up fighting the site again the next time you change your password. Another problem you may encounter is a web site that accepts a new password with symbols in it but filters them out, again without telling you. If you can't log in with a new password and making it shorter doesn't seem to fix the problem, try deleting any symbols in the password leaving only the numbers and letters. Again, if you can't get access then use the site's password reset/recovery function.
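The trial-and-error procedure above, written out as a function so the two silent failure modes the post describes (trailing characters chopped off, symbols filtered out) can be seen against a constructed misbehaving site. This is an added example, not code from the post; `login_ok` is an assumed callable standing in for "log out and try logging in again", and the two `*Site` classes are constructed stand-ins for sites with these bugs.

```python
from typing import Callable, Optional, Tuple


def probe_accepted_password(password: str, login_ok: Callable[[str], bool],
                            min_length: int) -> Tuple[Optional[str], str]:
    """Follow the post's procedure: try the password as entered, then drop one
    trailing character at a time down to the site's minimum, then strip symbols.
    Returns (password the site really stored, note to record in the password manager),
    or (None, note) when nothing works and the reset/recovery function is needed."""
    if login_ok(password):
        return password, "accepted as entered"
    # Silent truncation: the site kept only the first N characters at sign-up.
    for cut in range(len(password) - 1, min_length - 1, -1):
        candidate = password[:cut]
        if login_ok(candidate):
            return candidate, f"site silently truncates passwords to {cut} characters"
    # Silent symbol filtering: the site dropped everything but letters and numbers.
    stripped = "".join(c for c in password if c.isalnum())
    if stripped and stripped != password and login_ok(stripped):
        return stripped, "site silently removes symbols from passwords"
    return None, "could not log in; use the site's password reset/recovery function"


class TruncatingSite:
    """Constructed stand-in: stores only the first `limit` characters when the
    password is set, but compares the full string typed at login."""
    def __init__(self, limit: int = 14):
        self.limit, self.stored = limit, None

    def set_password(self, pw: str) -> None:
        self.stored = pw[:self.limit]

    def login_ok(self, pw: str) -> bool:
        return pw == self.stored


class SymbolStrippingSite:
    """Constructed stand-in: filters symbols when the password is set,
    but compares the raw string typed at login."""
    def __init__(self):
        self.stored = None

    def set_password(self, pw: str) -> None:
        self.stored = "".join(c for c in pw if c.isalnum())

    def login_ok(self, pw: str) -> bool:
        return pw == self.stored
```

Recording the returned note in the password manager entry is what keeps you from repeating the whole search the next time you change that site's password.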

Sometimes you will find a site that will accept a strong password but then does a bad job of keeping it secret. They do stupid things like confirming your password by emailing it to you unencrypted which means that at every point in the Internet that the email passed through someone could read your password. Some mailing lists also email a password reminder to you every month again exposing it to the whole world. There isn't much you can do about these bad security lapses except not use the sites and complain to the administrators.

Using complicated passwords is only part of good password security. The other part is changing them regularly. If an attacker can brute force your weak password in a month and you change it every two months, then you have a security problem. Changing it before they break in makes them have to start over again. While using a stronger password requires an attacker to take longer to break in, you should change your passwords regularly anyway to limit damage in case your computer or one you are connecting to has an intruder you're not aware of. How often depends on the strength of the passwords used with each account and how much damage could be caused if someone breaks into them.

While strong passwords reduce the chances of someone finding your account passwords without your help, don't overlook the age-old method of social engineering (lying). Normally if you set up a new account on a web site it will email you a confirmation link to verify your email address. You will also get an email from the site if you use their password reset/recovery option. But later, if you get an email from the site requesting that you click a link to respond to a problem with your account, especially if it's a bank or store account, be very suspicious. These are often used for phishing. Scammers send emails like these with links to a fake web site for you to log into in order to get your passwords. These often refer to popular companies and are sent blindly to millions of email accounts, which is why you sometimes find an "account security notice" in your email inbox for a bank you don't have an account with. Most financial institutions have a policy of never contacting you by email regarding security problems and will call you instead. You can also sidestep the phishing by going to the web site directly as you normally would instead of clicking a link in the email. If there is a problem then you should be alerted when you log in to the web site. Most web site operators will never ask you for your password as they usually have other methods (like their internal computers) for accessing your data.

While strong passwords can help keep intruders out of your accounts, note that there is no perfect security. What security systems and passwords attempt to do is add a limited amount of annoyance for legitimate users and multiply the annoyance factor many, many times for attackers. While some security systems and software are better than others, often the limiting factor is your willpower versus that of potential attackers.

5 comments:

Anonymous said...

Great blog. Keep up the great writing.

Anonymous said...

just curious...what blogger theme are you using?

jhansonxi said...

Simple II with some custom colors. I like it because the layout doesn't imply any particular page width and doesn't waste space with side panels. It should fit any width browser window without messing up the formatting.

Unknown said...

Hello from your annoying sister, I read your article. Looks good to me; most of which I already know anyway. However I'm sure there are a lot of newbies that are still clueless at how easy it is for someone with the technical knowledge to gain access to someone's personal info. Identity theft anyone?

anonymous coward said...

Great Blog, one thing only: I've been advised to use shorter sentences and small scan-able blocks of text. Most readers only scan the text on your blog.

Content is great.

Thank you for your comment on my site:

www.handlewithlinux.com

About Me

Omnifarious Implementer = I do just about everything. With my usual occupations this means anything an electrical engineer does not feel like doing including PCB design, electronic troubleshooting and repair, part sourcing, inventory control, enclosure machining, label design, PC support, network administration, plant maintenance, janitorial, etc. Non-occupational includes residential plumbing, heating, electrical, farming, automotive and small engine repair. There is plenty more but you get the idea.